marking DSCP not working

06.22.10   |  
‎06-22-2010 01:50 AM

Dear friends,


I have Juniper M10i running 8.5R3.4 & i am trying to mark DSCP by matching DSCP value X  and then marking it to value Y.. But i am not getting any option of dscp in 'then' of firewall options.






Documentation available on juniper website shows that dscp option is available in 'then' . Can someone suggest why my router is not showing this option???



The options i m getting are following;
router-1# set firewall filter testing term 1 then ?
Possible completions:
  accept               Accept the packet
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  count                Count the packet in the named counter
> discard              Discard the packet
  forwarding-class     Classify packet to forwarding class
  ipsec-sa             Use specified IPSec security association
  load-balance         Use specified load balancing group
  log                  Log the packet
> logical-router       Packets are directed to specified logical router
  loss-priority        Packet's loss priority
  next                 Continue to next term in a filter
  next-hop-group       Use specified next-hop group
  policer              Name of policer to use to rate-limit traffic
  port-mirror          Port-mirror the packet
  prefix-action        Police or count packets using named prefix action
> reject               Reject the packet
  routing-instance     Packets are directed to specified routing instance
  sample               Sample the packet
  syslog               System log (syslog) information about the packet
> three-color-policer  Police the packet using a three-color-policer




Re: marking DSCP not working

06.22.10   |  
‎06-22-2010 02:28 AM



"then dscp" is available in FW filters since JUNOS 10.0 for packets generated by Routing Engine







Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements


Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: marking DSCP not working

06.30.10   |  
‎06-30-2010 06:30 AM

If I'm understanding your question correctly, you are trying to change the DSCP marking for transit traffic.  This is actually a two step process.


First, you must place the packet in the forwarding class (in ingress) that has the DSCP marking you want the final packet to have.

Your then action:


then forwarding-class <blah>


Second, you need to have rewrite rules to change the DSCP value of the packets egressing the M10i.




Note:  By default, M-series do not change the DSCP/IP Prec values for transit traffic - you need rewrite rules.  Additionally, IP Prec is the default for the classifier - you need to specifiy DSCP. 


I'm attching an old dipiction of QOS operation in M-series, but it is still relevent and my favorite Smiley Happy