Correction:
- on MX960, a firewall filter can set FC in ingress and then match on it
either on ingress or egress.
Thanks
Alex
----- Original Message -----
From: "Per Granath" <per.gran...@gcc.com.cy>
To: "John Neiberger" <jneiber...@gmail.com>
Cc: <juniper-nsp@puck.nether.net>
Sent: Monday, January 14, 2013 3:33 PM
Subject: Re: [j-nsp] Confusion about DSCP marking and rewrite rules
On egress the (stateless) firewall filter is processed before
rewrite/marking.
The filter can assign forwarding-class (normally on ingress), but not
match on it (on egress).
So, this is where you need to re-design your (IOS) logic.
Start with a clean sheet, and design a new filter that you can use on
egress - or block traffic on ingress.
From: John Neiberger [mailto:jneiber...@gmail.com]
Sent: Monday, January 14, 2013 5:15 PM
To: Per Granath
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Confusion about DSCP marking and rewrite rules
That makes perfect sense. I'm not sure what my mental block was with that.
lol
How does Juniper handle situations where you do need to mark a packet on
ingress so that you can match on the new marking on egress? If there is a
rewrite rule, does the rewrite happen before any egress firewall filters
are evaluated? On the Cisco 7600, we have to add a command to basically
recirculate a packet through the ingress interface logic twice to actually
re-mark the packet instead of just classifying it.
For example, an ingress packet may need to be marked as cs2 and then the
same router might have an egress filter facing some interface that only
allows cs2. If the marking happens after the egress filter is evaluated,
that traffic would be dropped. How does this work in Junos on the MX
series?
Thanks!
John
On Mon, Jan 14, 2013 at 1:55 AM, Per Granath
<per.gran...@gcc.com.cy> wrote:
Note that "marking" is not a word used in Junos...
On ingress you do "classification", and on the class assigned you do
queuing, etc. The class does not change any bit in the packet header - the
class is assigned "outside" the packet header internally in the router.
On egress you may apply a rewrite rule to a class (on an interface).
Essentially, this means you cannot rewrite on ingress.
So, your IRB "marking filter", which in Junos is called "multi field
classifier", does not change any bit in the packet headers - it only
assigns the internal class - when packets ingress on the IRB.
The rewrite rules on the IRB only rewrite bits when a packet egresses on the
IRB.
On some other vendor you may be used to doing rewrite/marking on
ingress...
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
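The pattern the thread converges on (ingress multifield classifier assigns the forwarding class, the egress filter matches that class rather than the DSCP bits, and an egress rewrite rule finally writes the DSCP into the header), as an added Junos configuration example that is not taken from any message in the thread. Interface names, filter and rewrite-rule names, the 192.0.2.0/24 source range and the choice of assured-forwarding/cs2 are all assumptions for illustration.

```junos
/* Ingress: multifield classifier. This only sets the router-internal
   forwarding class; no header bit is changed here (constructed example). */
firewall {
    family inet {
        filter MF-CLASSIFY-IN {
            term mark-video {
                from {
                    source-address { 192.0.2.0/24; }   /* assumed range */
                }
                then {
                    forwarding-class assured-forwarding;
                    loss-priority low;
                    accept;
                }
            }
            term default { then accept; }
        }
        /* Egress: the output filter runs before the rewrite rule, so the
           DSCP bits are still the original ones. Match on the forwarding
           class assigned at ingress (the MX960 behaviour stated in the
           correction above) instead of on "dscp cs2". */
        filter ONLY-AF-OUT {
            term permit-af {
                from { forwarding-class assured-forwarding; }
                then accept;
            }
            term drop-rest {
                then { count not-af; discard; }
            }
        }
    }
}
class-of-service {
    /* The rewrite rule is what actually writes DSCP cs2 into the header,
       and it acts only on egress, after ONLY-AF-OUT has been evaluated. */
    rewrite-rules {
        dscp AF-TO-CS2 {
            forwarding-class assured-forwarding {
                loss-priority low code-point cs2;
            }
        }
    }
    interfaces {
        ge-0/0/1 { unit 0 { rewrite-rules { dscp AF-TO-CS2; } } }
    }
}
interfaces {
    ge-0/0/0 { unit 0 { family inet { filter { input MF-CLASSIFY-IN; } } } }
    ge-0/0/1 { unit 0 { family inet { filter { output ONLY-AF-OUT; } } } }
}
```

Checking `show firewall filter ONLY-AF-OUT` for a rising `not-af` counter is a quick way to confirm that traffic reaching the egress interface without the expected class is being discarded rather than leaking through with unrewritten DSCP.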