Please consider the folowing example:
Both NTP and PIM traffic egresses fe0/0/3
Please ignore nay typo in the command as I typed these commands not copy and paste from the device.
All NTP and PIM must be marked with DSCP 38, and placed in NETWORK CONTROL CLASS on eggress fe-0/0/3.
NTP set up:
set system ntp server 184.108.40.206
set protocol pim interface fe-0/0/3.0 mode dense
set firewall family inet filter NTP term NTP from protocol udp
set firewall family inet filter NTP term NTP from port 123
set firewall family inet filter NTP term NTP then forwarding-class NETWORK
set firewall family inet filter NTP term NTP then accept
set firewall famiy inet filter NTP term ALL-ELSE then accept
set interface lo0.0 family inet filter output NTP
DSCP 111000<--> Forwarding class NETWORK
Rewrite rule TOM NETWORK CLASS--> DSCPX38
interface fe-0/0/3 .0 rewrite rule TOM
I can see NTP DSCP is modified in capture and also NTP traffic queued in right Network Class Queue on fe-0/0/3
But when I do the same thing for PIM , the default value are not changed.
set firewall family inet filter PIM term PIM from protocol pim
set firewall family inet filter PIM term NTP then forwarding-class NETWORK
set firewall family inet filter PIM term NTP then accept
set firewall famiy inet filter PIM term ALL-ELSE then accept
set interface lo0.0 family inet filter output PIM
When I look at capture, I do not see DSCP modified to x38 , it uses default x30.
I also tried Outbound filter on fe0/0/3 to send traffic PIM into NETWORK class, but it did not work.
Is there some bug associated with this? because I can not understand ntp traffic DSCP modified as desired but same can not be done for PIM.
Can you try set dscp in the firewall filter together with forwarding-class?
then dscp 38
Good Morning !!
We can not use firewall filter to SET dscp value on SRX , we can only dircet traffic to a FORWARDING CLASS and use REWRITE rule on that FORWARDING class to encode desired DSCP which I am alreday doing it.
Thanks and have a nice day!!
Did it work? I heve checked and confirmed that SRX doesn't support setting DSCP under firewall filter.I'm a bit confused because you have accepted it as a solution.