11.2.5.2. Priority setting (Marking DSCP values)

Operation confirmed version:
 vSRX Version 15.1X49-D105.1

This section describes the settings for marking DSCP values to be used for traffic control with the bandwidth control function.

Marking DSCP values on packets that have specific source IP addresses

Assumed scenario for the sample configuration

  • Marking is applied to traffic that is output from interface (ge-0/0/2)

  • Traffic coming from virtual server (192.168.2.12) is marked with DSCP value EF

  • Traffic coming from virtual server (192.168.2.202) is marked with DSCP value AF12

Configuration flow for the assumed scenario

1. Create filter FC-change on the Firewall.
2. For FC-change, set Forwarding class to expedited-forwarding in the case where the source IP address is virtual server (192.168.2.12/32).
3. For FC-change, set Loss priority to low (for forwarding) in the case where the source IP address is virtual server (192.168.2.12/32).
4. For FC-change, set Forwarding class to assured-forwarding in the case where the source IP address is virtual server (192.168.2.202/32).
5. For FC-change, set Loss priority to high (for forwarding) in the case where the source IP address is virtual server (192.168.2.202/32).
6. Apply FC-change to interface (ge-0/0/1).
7. Configure DSCP value marking on interface (ge-0/0/2).

Note

A default rule, dscp-default, presets the DSCP value that is marked when a specific Forwarding class has been set. This tutorial uses the dscp-default rule for the DSCP value marking settings.

The Forwarding classes and the DSCP values that the default dscp-default rule allocates to them are as follows.

user01@vSRX-02> show class-of-service rewrite-rule
Rewrite rule: dscp-default, Code point type: dscp, Index: 31
  Forwarding class                    Loss priority       Code point
  best-effort                         low                 000000
  best-effort                         high                000000
  expedited-forwarding                low                 101110
  expedited-forwarding                high                101110       <----- Corresponds to EF
  assured-forwarding                  low                 001010
  assured-forwarding                  high                001100       <----- Corresponds to AF12
  network-control                     low                 110000
  network-control                     high                111000

  (remainder omitted)

Commands to be entered in the CLI

user01@vSRX-02# set firewall filter FC-change term 1 from source-address 192.168.2.12/32
user01@vSRX-02# set firewall filter FC-change term 1 then forwarding-class expedited-forwarding
user01@vSRX-02# set firewall filter FC-change term 1 then loss-priority low
user01@vSRX-02# set firewall filter FC-change term 1 then accept
user01@vSRX-02# set firewall filter FC-change term 2 from source-address 192.168.2.202/32
user01@vSRX-02# set firewall filter FC-change term 2 then forwarding-class assured-forwarding
user01@vSRX-02# set firewall filter FC-change term 2 then loss-priority high
user01@vSRX-02# set firewall filter FC-change term 2 then accept
user01@vSRX-02# set interfaces ge-0/0/1 unit 0 family inet filter input FC-change
user01@vSRX-02# set class-of-service interfaces ge-0/0/2 unit 0 rewrite-rules dscp default

The configuration after these settings have been completed is as follows.

interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input FC-change;
                }
                address 192.168.2.102/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.3.102/24;
            }
        }
    }
}
class-of-service {
    interfaces {
        ge-0/0/2 {
            unit 0 {
                rewrite-rules {
                    dscp default;
                }
            }
        }
    }
}
firewall {
    filter FC-change {
        term 1 {
            from {
                source-address {
                    192.168.2.12/32;
                }
            }
            then {
                loss-priority low;
                forwarding-class expedited-forwarding;
                accept;
            }
        }
        term 2 {
            from {
                source-address {
                    192.168.2.202/32;
                }
            }
            then {
                loss-priority high;
                forwarding-class assured-forwarding;
                accept;
            }
        }
    }
}

Operation check result

The verification result log below confirms that DSCP marking works properly: packets coming from virtual server (192.168.2.12) were marked with EF (46), and packets coming from virtual server (192.168.2.202) were marked with AF12 (12).

Verification result for marking of packets coming from source virtual server (192.168.2.12)

Verification result for marking of packets coming from source virtual server (192.168.2.202)
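
The following Python code is an added example, not part of the original page and not output from the vSRX. It parses the dscp-default table shown earlier, converts each six-bit code point to its decimal DSCP value, and checks ToS bytes observed in a packet capture against the marking that filter FC-change should produce. The function names and the sample ToS bytes are constructed for illustration.

```python
import re

# Rewrite-rule table as shown on this page (author annotations removed).
REWRITE_RULE_OUTPUT = """\
Rewrite rule: dscp-default, Code point type: dscp, Index: 31
  Forwarding class                    Loss priority       Code point
  best-effort                         low                 000000
  best-effort                         high                000000
  expedited-forwarding                low                 101110
  expedited-forwarding                high                101110
  assured-forwarding                  low                 001010
  assured-forwarding                  high                001100
  network-control                     low                 110000
  network-control                     high                111000
"""

# Source address -> (forwarding class, loss priority), from filter FC-change.
FILTER_TERMS = {
    "192.168.2.12": ("expedited-forwarding", "low"),
    "192.168.2.202": ("assured-forwarding", "high"),
}
ROW = re.compile(r"^\s*(\S+)\s+(low|high)\s+([01]{6})\s*$")

def parse_rewrite_rule(text):
    """Return {(forwarding_class, loss_priority): DSCP as an integer}."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and title lines do not match and are skipped
            table[(m.group(1), m.group(2))] = int(m.group(3), 2)
    return table

def dscp_from_tos(tos):
    """DSCP is the upper six bits of the IPv4 ToS byte; the lower two are ECN."""
    return (tos & 0xFF) >> 2

def check_marking(table, observed):
    """observed: (source IP, ToS byte) pairs. Returns (src, got, expected) mismatches."""
    mismatches = []
    for src, tos in observed:
        expected = table.get(FILTER_TERMS.get(src))  # None for unfiltered sources
        got = dscp_from_tos(tos)
        if expected is not None and got != expected:
            mismatches.append((src, got, expected))
    return mismatches

if __name__ == "__main__":
    # Constructed observation: an unmarked (ToS 0x00) packet from 192.168.2.202.
    print(check_marking(parse_rewrite_rule(REWRITE_RULE_OUTPUT), [("192.168.2.202", 0x00)]))
```

In a capture, EF appears as ToS byte 0xb8 and AF12 as 0x30 when the ECN bits are zero, because the DSCP value occupies the upper six bits of the byte.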