I agree. One thing that we do fairly often is create a multifield classifier like this to just accept a couple of values to place into the appropriate forwarding-class, then for a default action reset to BE forwarding-class for all non-matching traffic. This works well in situations where you may not want to use a BA classifier as you don't trust the markings or you want them rewritten on egress.
Regards,
-Jeff

On Jun 20, 2010, at 6:47 AM, Addy Mathur wrote:

> I personally think Dale's firewall configuration is better. The
> config allows for a packet to exit fw filter evaluation once a match
> condition is met, by being subjected to a single action. Derick's FW
> filter forces a packet to traverse all terms regardless of a match,
> and is subjected to at least two actions via two different terms
> (fwd-class + next-term AND accept). And there's no real need for the
> latter.
>
> Regards,
> Addy.
>
>
> On 6/20/10, Derick Winkworth <dwinkwo...@att.net> wrote:
>> This is probably better:
>>
>>     term BEST-EFFORT {
>>         then {
>>             forwarding-class best-effort;
>>             next-term;
>>         }
>>     }
>>     term DSCP-EF {
>>         from {
>>             dscp ef;
>>         }
>>         then {
>>             forwarding-class expedited-forwarding;
>>             next-term;
>>         }
>>     }
>>     term default-accept {
>>         then accept;
>>     }
>>
>> You can insert additional terms later to modify loss-priority, sampling,
>> etc. after the classification portion of the filter but before the
>> default-accept. I would use a rewrite rule to modify DSCP on egress, so
>> that it's consistent across platforms.
>>
>>
>> ________________________________
>> From: Dale Shaw <dale.shaw+j-...@gmail.com>
>> To: juniper-nsp@puck.nether.net
>> Sent: Sun, June 20, 2010 3:59:12 AM
>> Subject: [j-nsp] Setting forwarding-class in firewall filter, non-match
>> behaviour
>>
>> Hi all,
>>
>> Re: setting the forwarding-class of a packet through a firewall filter.
>>
>> Many (almost all) of the examples I've looked at do not include a
>> catch-all term to handle packets not matched by any explicitly-defined
>> terms. At the risk of exposing myself as a J-noob...
>>
>> Is it safe to assume that, if the desired result is that packets NOT
>> matched by explicitly-defined terms are permitted, a catch-all term
>> must be configured with an 'accept' (or some other non-terminating)
>> action?
>>
>> Using this input filter example:
>> (stolen from
>> http://www.juniper.net/techpubs/en_US/junos10.2/topics/usage-guidelines/policy-configuring-actions-in-firewall-filter-terms.html)
>>
>>     firewall {
>>         filter filter1 {
>>             term 1 {
>>                 from {
>>                     dscp 2;
>>                 }
>>                 then {
>>                     dscp 0;
>>                     forwarding-class best-effort;
>>                 }
>>             }
>>             term 2 {
>>                 from {
>>                     dscp 3;
>>                 }
>>                 then {
>>                     forwarding-class best-effort;
>>                 }
>>             }
>>         }
>>     }
>>
>> I read this as:
>>
>> - if the packet is marked DSCP 2, set DSCP to 0 and place in
>>   'best-effort' forwarding class and accept the packet.
>> - if the packet is marked DSCP 3, place in 'best-effort' forwarding
>>   class and accept the packet.
>> - discard all other packets
>>
>> Am I missing something?
>>
>> I think what I really want, to avoid dropping traffic, is something like:
>>
>>     firewall {
>>         filter FILTER1 {
>>             term TERM1 {
>>                 from {
>>                     dscp ef;
>>                 }
>>                 then forwarding-class expedited-forwarding;
>>             }
>>             term DEFAULT {
>>                 then {
>>                     forwarding-class best-effort;
>>                     accept;
>>                 }
>>             }
>>         }
>>     }
>>
>> ...then rewrite DSCP bits on egress based on the forwarding-class, or
>> do it all within the firewall filter (depending on platform).
>>
>> (I know I don't strictly need the 'accept;' command in the DEFAULT
>> term, but for the sake of clarity, I think it's a good option)
>>
>> Cheers,
>> Dale
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
> --
> Sent from my mobile device
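Added example, not posted by anyone in the thread: the pattern Jeff describes, written out end to end. A multifield filter on an untrusted customer-facing interface honours only a couple of DSCP values, the catch-all term resets everything else to best-effort (a Junos firewall filter discards any packet that no term accepts, so the catch-all is also what keeps unmatched traffic flowing), and a rewrite rule on the egress interface re-marks DSCP from the forwarding-class rather than from whatever the sender set. Interface names, the filter and rewrite-rule names, the counter name and the choice of af41 as the second honoured value are assumptions for illustration.

```junos
/* Added example: multifield classification with a reset-to-BE catch-all,
   plus egress DSCP rewrite from forwarding-class. Names are assumed. */
interfaces {
    ge-0/0/0 {
        description "customer-facing: DSCP markings are not trusted";
        unit 0 {
            family inet {
                filter {
                    input MF-CLASSIFY;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter MF-CLASSIFY {
            /* Only these two markings are honoured. */
            term VOICE {
                from {
                    dscp ef;
                }
                then {
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                    accept;
                }
            }
            term VIDEO {
                from {
                    dscp af41;
                }
                then {
                    forwarding-class assured-forwarding;
                    loss-priority low;
                    accept;
                }
            }
            /* Catch-all: without an accepting term here the filter's implicit
               discard would drop everything else. The counter shows how much
               traffic arrived carrying a marking you chose not to honour. */
            term DEFAULT {
                then {
                    count RESET-TO-BE;
                    forwarding-class best-effort;
                    loss-priority high;
                    accept;
                }
            }
        }
    }
}
class-of-service {
    rewrite-rules {
        dscp REWRITE-FROM-FC {
            forwarding-class best-effort {
                loss-priority high code-point 000000;
            }
            forwarding-class expedited-forwarding {
                loss-priority low code-point 101110;   /* EF */
            }
            forwarding-class assured-forwarding {
                loss-priority low code-point 100010;   /* AF41 */
            }
        }
    }
    interfaces {
        ge-0/0/1 {
            unit 0 {
                rewrite-rules {
                    dscp REWRITE-FROM-FC;
                }
            }
        }
    }
}
```

After committing, `show firewall filter MF-CLASSIFY` reports the RESET-TO-BE counter, which is a quick way to see whether anything upstream is trying to claim a priority queue it was not given. The rewrite rule is applied on the egress interface, so the re-marking follows the forwarding-class the filter assigned, which is why the filter itself does not need a `dscp` action.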