How to re-write Egress DSCP flag

‎01-08-2019 03:52 AM

Hello

I have an SRX 345 running 15.1X49-D140.2. I have some servers running VOIP behind NAT. On some packets being sent to my provider the DSCP flag is being set as 0x10 and they are complaining about this, and it's stopping calls working. How can I re-write the DSCP flag so that on the egress traffic it's changed from 0x10 to 0x00? I tried the below with no joy; it doesn't seem to get queued.

root@srx# show firewall family inet filter test
term t1 {
    from {
        source-address {
            215.17.9.43/32;
        }
    }
    then {
        forwarding-class assured-forwarding;
        accept;
    }
}
term t2 {
    then accept;
}
root@srx# show class-of-service rewrite-rules dscp dscp-test
forwarding-class assured-forwarding {
    loss-priority high code-point 000000;
    loss-priority low code-point 000000;
    loss-priority medium-high code-point 000000;
    loss-priority medium-low code-point 000000;
}
root@srx# show interfaces reth1
redundant-ether-options {
    redundancy-group 1;
}
unit 0 {
    family inet {
        filter {
            input test;
        }
        address 215.17.9.41/28;
    }
}
root@srx# run show class-of-service interface reth1.0 | no-more
  Logical interface: reth1.0, Index: 87
Object                  Name                   Type                    Index
Rewrite-Output          dscp-test              dscp                    64510
Classifier              ipprec-compatibility   ip                         13
root@srx# run show interfaces queue reth1.0
  Logical interface reth1.0 (Index 87) (SNMP ifIndex 581)
    Flags: Up SNMP-Traps 0x0 Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :     123829603         85   61928095022       164752
        Output:       9300890          0    1536529919            0
    Adaptive Statistics:
        Adaptive Adjusts:          0
        Adaptive Scans  :          0
        Adaptive Updates:          0

Thanks


Re: How to re-write Egress DSCP flag

‎01-08-2019 04:22 AM

You need to apply the filter on the LAN interface to classify the traffic.

show firewall family inet filter test
term t1 {
    from {
        destination-address {  ====> Destination address as we are trying to rewrite traffic towards ISP.
            215.17.9.43/32;
        }
    }
    then {
        forwarding-class best-effort; ====> best-effort as that's the default queue active
        accept;
    }
}
term t2 {
    then accept;
}

Apply below classifier

show class-of-service rewrite-rules dscp dscp-test
forwarding-class best-effort {       ====> best-effort as that's the default queue active
    loss-priority high code-point 000000;
    loss-priority low code-point 000000;
    loss-priority medium-high code-point 000000;
    loss-priority medium-low code-point 000000;
}

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: How to re-write Egress DSCP flag

‎01-08-2019 04:55 AM

I have done this and it's still not working. The destination IP is that of my VOIP server or of my provider's VOIP server? I put in my server's public IP there?

Should "run show interfaces queue reth0.0" show items being re-written?


Re: How to re-write Egress DSCP flag

‎01-08-2019 05:21 AM

As per your previous post, the firewall filter (test) and the rewrite-rule (dscp-test) are applied to the same interface, reth1.0.

You have to apply the firewall filter on the ingress interface and the rewrite-rule on the egress interface connected to the ISP. Since you are using NAT, I believe your VOIP server has a private IP. It would be helpful if you can provide a small diagram which shows connectivity and traffic flow.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: How to re-write Egress DSCP flag

‎01-08-2019 05:37 AM

Hi,

Reth0.0 is my local LAN

Reth1.0 is my WAN

My servers are 192.168.1.100 > 192.168.1.105

So at present server 192.168.1.100 has public IP of 215.17.9.43.


Re: How to re-write Egress DSCP flag

‎01-08-2019 06:03 AM

[Attached image: sip servers.jpg]

Below is what I'm currently setting:

set firewall family inet filter test term t1 from destination-address 215.17.9.43/32
set firewall family inet filter test term t1 then forwarding-class best-effort
set firewall family inet filter test term t1 then accept
set firewall family inet filter test term t2 then accept
set interfaces reth0 unit 0 family inet filter input test
set class-of-service rewrite-rules dscp dscp-test forwarding-class best-effort loss-priority high code-point 000000
set class-of-service rewrite-rules dscp dscp-test forwarding-class best-effort loss-priority low code-point 000000
set class-of-service rewrite-rules dscp dscp-test forwarding-class best-effort loss-priority medium-high code-point 000000
set class-of-service rewrite-rules dscp dscp-test forwarding-class best-effort loss-priority medium-low code-point 000000
set class-of-service interfaces reth1 unit 0 rewrite-rules dscp dscp-test

Re: How to re-write Egress DSCP flag

‎01-08-2019 09:50 AM

Try this config:


DSCP 0x10 (Hex) = 16(Dec) = 010000 (Binary) = cs2

1. Apply firewall filter on reth0 interface

set firewall family inet filter test-classifier term 1 from destination-address 112.1.5.29/32
set firewall family inet filter test-classifier term 1 from dscp cs2
set firewall family inet filter test-classifier term 1 then forwarding-class assured-forwarding
set firewall family inet filter test-classifier term 1 then accept
set firewall family inet filter test-classifier term 1 then count VOIP-traffic
set firewall family inet filter test-classifier term 2 then accept

set interfaces reth0 unit 0 family inet filter input test-classifier

2. Apply exp re-write rules on the reth1.0 interface

set class-of-service rewrite-rules dscp rewrite-dscp forwarding-class assured-forwarding loss-priority low code-point 000000
set class-of-service rewrite-rules dscp rewrite-dscp forwarding-class assured-forwarding loss-priority high code-point 000000

set class-of-service interfaces reth1 unit 0 rewrite-rules dscp rewrite-dscp


3. Check the firewall filter counter to see whether the SRX is getting VOIP traffic with DSCP 0x10 towards the ISP server. Also check the assured-forwarding queue counters.

show firewall

show interfaces reth1 extensive | find "Queue counters"

Note: Re-write counters cannot be checked from the SRX. They should be checked on the upstream device / ISP.

Sample filter to count the traffic from upstream:
set firewall family inet filter test2 term 1 from dscp be
set firewall family inet filter test2 term 1 from destination-address 172.27.0.24/32
set firewall family inet filter test2 term 1 then count re-written-packets
set firewall family inet filter test2 term 1 then accept
set firewall family inet filter test2 term 2 then accept

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
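
An added example (not from any poster in this thread) for the upstream check described in the reply above: it reads the DS field of an IPv4 header, prints the 6-bit form used by `code-point`, and confirms that a rewrite to 000000 arrived with a valid header checksum. The headers are constructed sample data reusing addresses from the thread; the two inputs show both ways a reported 0x10 can be read, as a DSCP value (cs2) or as the whole ToS byte (DSCP 4).

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header (checksum field included)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ds_field(header: bytes) -> dict:
    """Split byte 1 of an IPv4 header into DSCP (upper 6 bits) and ECN (lower 2)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated header")
    tos = header[1]
    return {
        "tos_byte": tos,
        "dscp": tos >> 2,
        "code_point": format(tos >> 2, "06b"),  # form used by 'code-point' in rewrite-rules
        "ecn": tos & 0x03,
        "checksum_ok": ipv4_checksum(header[:ihl]) == 0,
    }

def build_header(tos: int, src: bytes, dst: bytes) -> bytes:
    """Constructed 20-byte IPv4/UDP header with a valid checksum (sample data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 200, 0x1234, 0, 64, 17, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def rewrite_took_effect(before: bytes, after: bytes, want_dscp: int = 0) -> bool:
    """True when the upstream capture shows the wanted DSCP and a valid checksum."""
    a = ds_field(after)
    return ds_field(before)["dscp"] != want_dscp and a["dscp"] == want_dscp and a["checksum_ok"]

SRC, DST = bytes([192, 168, 1, 100]), bytes([172, 27, 0, 24])  # constructed sample flow
# 0x10 read as a DSCP value is cs2 (010000), carried on the wire as DS byte 0x40.
AS_DSCP = build_header(0x10 << 2, SRC, DST)
# 0x10 read as the whole DS/ToS byte is DSCP 4 (000100), which a 'dscp cs2' match misses.
AS_TOS = build_header(0x10, SRC, DST)
REWRITTEN = build_header(0x00, SRC, DST)

if __name__ == "__main__":
    for name, hdr in (("0x10 as DSCP", AS_DSCP), ("0x10 as ToS byte", AS_TOS), ("rewritten", REWRITTEN)):
        print(name, ds_field(hdr))
    print(rewrite_took_effect(AS_DSCP, REWRITTEN))
```

Feed `ds_field` the first 20 bytes of the IP header from packets captured before and after the SRX to see which reading of 0x10 applies before choosing the `from dscp` match.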

Re: How to re-write Egress DSCP flag

‎01-09-2019 08:15 AM

Setting as you described for 0x10 and checking "show interfaces reth1 extensive | find "Queue counters"" does not show what we expect, something in queue 2, yeah?


root@srx> show interfaces reth1 extensive | find "Queue counters"
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0                                0                    0                    0
    1                                0                    0                    0
    2                                0                    0                    0
    3                                0                    0                    0
  Egress queues: 8 supported, 4 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0                          9223844              9223844                    0
    1                                0                    0                    0
    2                                0                    0                    0
    3                           143041               143041                    0
  Queue number:         Mapped forwarding classes
    0                   best-effort
    1                   expedited-forwarding
    2                   assured-forwarding
    3                   network-control

Re: How to re-write Egress DSCP flag

‎01-09-2019 08:54 AM
Are you seeing any hits on the firewall filter? If not, you can try removing the dscp match.
show firewall
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: How to re-write Egress DSCP flag

‎01-10-2019 01:55 AM
root@srx> show firewall

Filter: __default_bpdu_filter__

Filter: protect-re

Filter: test-classifier
Counters:
Name                                                Bytes              Packets
VOIP-traffic                                         1878                    2

The filter count seems to be working but it's not changing the DSCP forwarding-class.


Re: How to re-write Egress DSCP flag

‎01-17-2019 12:43 AM

Any ideas?


Re: How to re-write Egress DSCP flag

‎01-18-2019 07:33 AM

Hello,

Are your VoIP servers directly connected to your SRX?

Iheb Boubaker