[SRX] How to remark the DSCP bits in the IP header using Rewrite rules and Multifield Classifier for traffic prioritization in CoS

  [KB26735]


Summary:

When packets entering the device do not have the required DSCP bits set, they might not receive the desired processing from the devices in the core network, which are supposed to prioritize traffic based on DSCP marking. This article outlines the minimum configuration required to set a particular DSCP value on traffic traversing the device by using rewrite rules and a Multifield Classifier.

Symptoms:

The goal is to remark the DSCP value to af11 (Assured Forwarding class 1, low drop precedence) for traffic initiated from source host 1.1.1.1/32.

Ingress interface for this traffic is ge-0/0/0 and egress interface is ge-0/0/1.

Solution:
Configuration Overview
  • Configure a firewall filter that matches the desired source (or destination) and has a then action that assigns a forwarding class
  • Apply the firewall filter to the ingress interface ge-0/0/0
  • Configure CoS DSCP rewrite rules
  • Apply the CoS profile to the egress interface

Behavior
  • Traffic from the host 1.1.1.1/32 on ingress matches the firewall filter 'test' and is assigned to the forwarding class assured-forwarding
  • On egress interface ge-0/0/1.0, the DSCP values of traffic in the assured-forwarding class are rewritten to decimal value 10, which represents af11 (binary value "001010")


For default code-points in use for DSCP, refer to KB19730 - Defining DSCP in use for Diffserv code points.


Configuration:


1) Configure a firewall filter that places the traffic in the forwarding class assured-forwarding by matching the source (or destination) prefix:

[edit firewall family inet filter test]
root@srx1# show | display set
set firewall family inet filter test term t1 from source-address 1.1.1.1/32
set firewall family inet filter test term t1 then forwarding-class assured-forwarding
set firewall family inet filter test term t1 then accept
set firewall family inet filter test term t2 then accept


2) Apply the firewall filter to the ingress interface:

[edit interfaces ge-0/0/0]
root@srx1# show | display set
set interfaces ge-0/0/0 unit 0 family inet filter input test
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24


3) Configure the DSCP rewrite rules for the assured-forwarding class.
      Note that the binary value for af11 is "001010".

[edit class-of-service]
root@srx1# show | display set
set class-of-service rewrite-rules dscp dscp-test forwarding-class assured-forwarding loss-priority high code-point 001010
set class-of-service rewrite-rules dscp dscp-test forwarding-class assured-forwarding loss-priority low code-point 001010
set class-of-service rewrite-rules dscp dscp-test forwarding-class assured-forwarding loss-priority medium-high code-point 001010
set class-of-service rewrite-rules dscp dscp-test forwarding-class assured-forwarding loss-priority medium-low code-point 001010


4) Apply the rewrite rules to the egress interface ge-0/0/1:

root@srx1# set class-of-service interfaces ge-0/0/1 unit 0 rewrite-rules dscp dscp-test




Verification:


Verify the DSCP rewrite rule:

[edit]
root@srx1# run show class-of-service interface ge-0/0/1 | no-more
Physical interface: ge-0/0/1, Index: 135
Queues supported: 8, Queues in use: 4
Scheduler map: <default>, Index: 2
Congestion-notification: Disabled

Logical interface: ge-0/0/1.0, Index: 71
Object                  Name                   Type                    Index
Rewrite                 dscp-test              dscp                    64510   <<----------- Rewrite rule is being applied to interface ge-0/0/1
Classifier              ipprec-compatibility   ip                         13



Verify that the packets are hitting the queue mapped with assured-forwarding:

[edit]
root@srx1# run show interfaces queue ge-0/0/1 | no-more
Physical interface: ge-0/0/1, Enabled, Physical link is Up
Interface index: 135, SNMP ifIndex: 508
Forwarding classes: 8 supported, 4 in use
Egress queues: 8 supported, 4 in use
.
.
.

Queue: 2, Forwarding classes: assured-forwarding
Queued:
Packets : 381590 6 pps
Bytes : 200534555 8592 bps

Transmitted:
Packets : 381552 6 pps
Bytes : 200479748 8592 bps
Tail-dropped packets : 38 0 pps
RED-dropped packets : 0 0 pps
Low : 0 0 pps
Medium-low : 0 0 pps
Medium-high : 0 0 pps
High : 0 0 pps
RED-dropped bytes : 0 0 bps
Low : 0 0 bps
Medium-low : 0 0 bps
Medium-high : 0 0 bps
High: 0 0 bps


[edit]
root@srx1# run show interfaces ge-0/0/1 detail | no-more

Statistics last cleared: Never
Traffic statistics:
Input bytes : 6273853346692      8921688 bps
Output bytes : 7026633521715   9590832 bps
Input packets: 10822495848       1672 pps
Output packets: 15688117199    1702 pps
Egress queues: 8 supported, 7 in use
Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort         1146655862           1146655862                    0
    1 expedited-fo                 0                    0                    0
    2 assured-forw            381676               381638                   38
    3 network-cont              2148                 2148                    0
Queue number: Mapped forwarding classes
0 best-effort
1 expedited-forwarding
2 assured-forwarding
3 network-control



Verify the DSCP bits in the IP header via packet capture:
  • The packet capture taken on egress interface ge-0/0/1 shows the DSCP bits set to 001010 for Assured Forwarding 11 (af11)
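
To check a captured packet by hand, the following added example (not part of the original article and not Juniper code) reads the DSCP and ECN bits from an IPv4 header and models what a DSCP rewrite changes: the six DSCP bits and the header checksum. The sample header and its destination address 2.2.2.2 are constructed for illustration, and the function names are hypothetical.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def read_dscp(packet: bytes) -> tuple[int, int]:
    """Return (dscp, ecn): byte 1 of the IPv4 header holds DSCP in bits 7-2, ECN in bits 1-0."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[1] >> 2, packet[1] & 0b11

def dscp_name(dscp: int) -> str:
    """Name AFxy code points (value = 8x + 2y); other values are shown in decimal."""
    cls, drop = dscp >> 3, (dscp & 0b111) >> 1
    if dscp % 2 == 0 and 1 <= cls <= 4 and 1 <= drop <= 3:
        return f"af{cls}{drop}"
    return {0: "be", 46: "ef"}.get(dscp, f"dscp-{dscp}")

def remark(packet: bytes, dscp: int) -> bytes:
    """Model of a DSCP rewrite: set the six DSCP bits, keep ECN, recompute the checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    read_dscp(packet)  # rejects anything that is not an IPv4 header
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0b11)
    hdr[10:12] = b"\x00\x00"  # checksum field must be zero while summing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

def header_valid(packet: bytes) -> bool:
    """True when the header checksum verifies."""
    return ipv4_checksum(packet[: (packet[0] & 0x0F) * 4]) == 0

# Constructed sample: 20-byte IPv4 header, ICMP, 1.1.1.1 -> 2.2.2.2 (made-up destination), DSCP 0.
INGRESS = remark(bytes.fromhex("4500005400014000400100000101010102020202"), 0)
EGRESS = remark(INGRESS, 0b001010)  # the value the rewrite rule in this article sets

if __name__ == "__main__":
    for label, pkt in (("ingress", INGRESS), ("egress", EGRESS)):
        dscp, ecn = read_dscp(pkt)
        print(f"{label}: tos=0x{pkt[1]:02x} dscp={dscp:06b} ({dscp}, {dscp_name(dscp)}) "
              f"ecn={ecn} checksum_ok={header_valid(pkt)}")
```

A capture tool that shows the whole Differentiated Services byte displays af11 as 0x28, because the six DSCP bits sit above the two ECN bits.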