Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[MX/T/M] Does VLAN tag rewriting (push/pop/swap) happen before or after CoS .1P processing (BA/MF classifiers, schedulers, rewrite-rules)?

0

0

Article ID: KB36205 KB Last Updated: 17 Nov 2020Version: 2.0
Summary:

VLAN tag stacking/rewriting is a powerful Junos OS feature, allowing advanced manipulations of VLAN tags within an Ethernet frame, received from or sent to an interface of a Juniper Networks device. You can configure rewrite operations to stack (push), remove (pop), or rewrite (swap) tags on single-tagged frames (IEEE 802.1q) and dual-tagged frames (IEEE 802.1ad, a.k.a. "QinQ"). If a port is not tagged, rewrite operations are not supported on any logical interface on that port, as stated within the relevant Junos OS Documentation page.

When VLAN tag manipulations are used in combination with various Class of Service components (classifiers, rewrite-rules ...), or with firewall filters checking various L2 header elements, the result may not always match the behavior required by design. For instance, the VLAN tag pop operation removes User Priority Bits (IEEE 802.1p or ".1P") along with the tag, since .1P bits are a part of the VLAN tag. Removal of 1P bits may break some firewall filtering operations (such as MF classification based on 1P bits). Therefore, it is necessary to know when VLAN tag rewrite operations happen on ingress and egress - that is, when are input-vlan-map and output-vlan-map statements processed with regards to firewall filter and CoS.

This articles throws some light on this.

 

Symptoms:

Removing VLAN tags on ingress (using pop or pop-pop operations) breaks the MF classifier based on 1P bits. On the other hand, 1P-related BA classifiers (ieee-802.1 or ieee-802.1ad) are not affected by the VLAN tag rewrite operations defined by input-vlan-map.

However, on egress, VLAN tag rewrite operations defined by output-vlan-map affect both output firewall filters and .1P-related BA rewrite rules.

 

Solution:

CoS Components Packet Flow vs VLAN Tag Rewrite

On Juniper Networks devices, you configure CoS functions using different CoS-related components, such as BA classifiers, schedulers, rewrite-rules etc. Aside of this, some CoS functions may also be configured using firewall filters (e.g. MF classification). All those components may be configured either individually or (more often) combined with each other, to define particular CoS services. When multiple CoS components are configured simultaneously on a network interface, the order in which they are executed is discussed on the Junos OS Documentation page Junos OS CoS Components Used to Manage Congestion and Control Service Levels. Not all components are supported by all Juniper Networks hardware - for instance, some products do not support policing (e.g. SRX), while some others do not have fabric (e.g. M7i/MX80).

This same topic is discussed in KB12967 - Do multifield classifiers override behavior aggregate classifiers on Juniper routers?.

On the other hand, VLAN tag stacking/rewriting operations are also a part of the packet flow. Understanding when they occur within the ingress and egress packet flow helps us design CoS accordingly. On all Juniper Networks devices based on the Trio (3D) chipset (or newer), the order of Ethernet frame processing is shown in the figure below.

Ethernet Frame - Ingress Processing

Ethernet frames entering an interface are processed in the following order:

  1. BA ingress classification - in the following order (each next classifier in the sequence overrides the forwarding-class/loss-priority classification determined by the previous one - e.g. MPLS EXP classifier overrides whatever .1P classifier had set, if used at the same time on the same interface):

    1. IEEE 802.1p or IEEE 802.1ad classifier (only one of those two may be used on the same interface)
    2. IP DSCP or IP Precedence classifier (only one of those two may be used on the same interface)
    3. MPLS EXP classifier
  2. Input policers - if applicable

  3. Input VLAN tag rewrite operations (input-vlan-map processing)

  4. Input Firewall Filter processing (including MF classification) - any forwarding-class/loss-priority setting in the filter overrides the action of BA classifiers.

  5. Forwarding policy

So, as seen above, BA classifiers based on .1P bits are not affected by any VLAN tag rewrite operation on ingress, while MF classifiers are affected because they are processed after VLAN tag rewrites.

Ethernet Frame - Egress Processing

Ethernet frames leaving the device via an egress interface are processed in the following order:

  1. Output VLAN tag rewrite operations (output-vlan-map processing)

  2. Output policers - if applicable

  3. Output Firewall Filter processing (including MF classification and policy-map assignment; policy-map  is code executed after rewrite rules)

  4. BA CoS scheduling - schedulers, shaping/policing, RED/WRED and so on

  5. BA CoS rewrite rules

  6. Execution of policy-map actions flagged by the output firewall filters

So, as seen above, output VLAN tag rewrite operations may affect both output firewall filters and rewrite rules, since they occur before them.

It is true that output-vlan-rewrite is executed before firewall but the actual packet is updated at the later stage during encap time, so when traffic hits the firewall after output-vlan-rewrite, packet was not updated and matches on the original header value.

 

Modification History:

2020-11-17: Additional information included in Solution section about packet being updated at a later stage during encap time

 

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search