Update, I've now managed to tag outgoing traffic with DSCP Tag according to what I've defined above.
I've done that by putting rewrite rules and my filter to my outgoing interface.
But the ieee802.1 rewrite rule doesn't seem to do anything and I'm still not managing to change the 802.1p tag using this method.
Still looking. Configuration:
set security policies from-zone EXT to-zone TRUST policy P1 match source-address any
set security policies from-zone EXT to-zone TRUST policy P1 match destination-address any
set security policies from-zone EXT to-zone TRUST policy P1 match application any
set security policies from-zone EXT to-zone TRUST policy P1 then permit
set security policies from-zone EXT to-zone TRUST policy P1 then count
set security policies from-zone TRUST to-zone EXT policy P2 match source-address any
set security policies from-zone TRUST to-zone EXT policy P2 match destination-address any
set security policies from-zone TRUST to-zone EXT policy P2 match application any
set security policies from-zone TRUST to-zone EXT policy P2 then permit
set security policies from-zone TRUST to-zone EXT policy P2 then count
set security policies from-zone TRUST to-zone TRUST policy P3 match source-address any
set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address any
set security policies from-zone TRUST to-zone TRUST policy P3 match application any
set security policies from-zone TRUST to-zone TRUST policy P3 then permit
set security policies from-zone TRUST to-zone TRUST policy P3 then count
set security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services ping
set security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services ssh
set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set interfaces ge-0/0/0 unit 0 description LAN
set interfaces ge-0/0/0 unit 0 family inet address 10.12.251.254/24
set interfaces ge-0/0/5 unit 0 description UPL
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members 667
set interfaces irb unit 667 description COL
set interfaces irb unit 667 family inet filter output QOS
set interfaces irb unit 667 family inet address 172.31.150.78/30
set class-of-service interfaces irb unit 667 rewrite-rules dscp QOS
set class-of-service interfaces irb unit 667 rewrite-rules ieee-802.1 default
set class-of-service rewrite-rules dscp QOS forwarding-class assured-forwarding loss-priority medium-low code-point cs4
set class-of-service rewrite-rules dscp QOS forwarding-class expedited-forwarding loss-priority low code-point ef
set firewall family inet filter QOS term VOIX from destination-address 10.10.10.10/32
set firewall family inet filter QOS term VOIX then count VOIX
set firewall family inet filter QOS term VOIX then loss-priority low
set firewall family inet filter QOS term VOIX then forwarding-class expedited-forwarding
set firewall family inet filter QOS term PROD from destination-address 10.10.10.11/32
set firewall family inet filter QOS term PROD then count PROD
set firewall family inet filter QOS term PROD then loss-priority medium-low
set firewall family inet filter QOS term PROD then forwarding-class assured-forwarding
set firewall family inet filter QOS term INTERNET then count INTERNET
set firewall family inet filter QOS term INTERNET then loss-priority high
set firewall family inet filter QOS term INTERNET then forwarding-class best-effort
set firewall family inet filter QOS term INTERNET then accept
set vlans COL vlan-id 667
set vlans COL l3-interface irb.667
set protocols l2-learning global-mode switching
set routing-options static route 0.0.0.0/0 next-hop 172.31.150.77
------------------------------
RESEAU NSI
------------------------------
Original Message:
Sent: 06-11-2024 05:49
From: RESEAU NSI
Subject: SRX 320 QoS and CoS tagging
Hi everyone,
I'm trying to mark my traffic with 802.1p CoS tags to let my ISP know what to prioritise.
I've managed to filter traffic as I'd like and put it in the queues I wanted, but I can't find how to mark the filtered traffic.
I would like to have this :
- VOICE : DSCP EF CoS 5
- PROD : DSCP CS4 CoS 4
- INTERNET : default 0
SRX 320 is in version 21.4R3.15.
Here is my conf :
set security policies from-zone EXT to-zone TRUST policy P1 match source-address any
set security policies from-zone EXT to-zone TRUST policy P1 match destination-address any
set security policies from-zone EXT to-zone TRUST policy P1 match application any
set security policies from-zone EXT to-zone TRUST policy P1 then permit
set security policies from-zone EXT to-zone TRUST policy P1 then count
set security policies from-zone TRUST to-zone EXT policy P2 match source-address any
set security policies from-zone TRUST to-zone EXT policy P2 match destination-address any
set security policies from-zone TRUST to-zone EXT policy P2 match application any
set security policies from-zone TRUST to-zone EXT policy P2 then permit
set security policies from-zone TRUST to-zone EXT policy P2 then count
set security policies from-zone TRUST to-zone TRUST policy P3 match source-address any
set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address any
set security policies from-zone TRUST to-zone TRUST policy P3 match application any
set security policies from-zone TRUST to-zone TRUST policy P3 then permit
set security policies from-zone TRUST to-zone TRUST policy P3 then count
set security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services ping
set security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services ssh
set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set interfaces ge-0/0/0 unit 0 description LAN
set interfaces ge-0/0/0 unit 0 family inet filter input QOS
set interfaces ge-0/0/0 unit 0 family inet address 10.12.251.254/24
set interfaces ge-0/0/5 unit 0 description UPL
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members 667
set interfaces irb unit 667 description COL
set interfaces irb unit 667 family inet address 172.31.150.78/30
set class-of-service forwarding-classes queue 1 PROD
set class-of-service forwarding-classes queue 2 VOICE
set firewall family inet filter QOS term VOICE from destination-address 10.10.10.10/32
set firewall family inet filter QOS term VOICE then count VOICE
set firewall family inet filter QOS term VOICE then loss-priority low
set firewall family inet filter QOS term VOICE then forwarding-class VOICE
set firewall family inet filter QOS term PROD from destination-address 10.10.10.11/32
set firewall family inet filter QOS term PROD then count PROD
set firewall family inet filter QOS term PROD then loss-priority low
set firewall family inet filter QOS term PROD then forwarding-class PROD
set firewall family inet filter QOS term INTERNET then count INTERNET
set firewall family inet filter QOS term INTERNET then accept
set vlans COL vlan-id 667
set vlans COL l3-interface irb.667
set protocols l2-learning global-mode switching
set routing-options static route 0.0.0.0/0 next-hop 172.31.150.77
------------------------------
RESEAU NSI
------------------------------
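
An added example, not part of the original posts: a Python check that pairs each term of the QOS filter from the update with the code point that the dscp rewrite rule QOS defines for the same forwarding-class and loss-priority, so a class with no matching entry stands out. The function names are this example's own, and the embedded config is an excerpt copied from the update post.

```python
import re

# Excerpt of the "set" lines from the update post (copied from the page).
CONFIG = """\
set class-of-service rewrite-rules dscp QOS forwarding-class assured-forwarding loss-priority medium-low code-point cs4
set class-of-service rewrite-rules dscp QOS forwarding-class expedited-forwarding loss-priority low code-point ef
set firewall family inet filter QOS term VOIX then loss-priority low
set firewall family inet filter QOS term VOIX then forwarding-class expedited-forwarding
set firewall family inet filter QOS term PROD then loss-priority medium-low
set firewall family inet filter QOS term PROD then forwarding-class assured-forwarding
set firewall family inet filter QOS term INTERNET then loss-priority high
set firewall family inet filter QOS term INTERNET then forwarding-class best-effort
"""

REWRITE = re.compile(r"set class-of-service rewrite-rules dscp (\S+) forwarding-class (\S+) "
                     r"loss-priority (\S+) code-point (\S+)$")
TERM = re.compile(r"set firewall family inet filter (\S+) term (\S+) then "
                  r"(forwarding-class|loss-priority) (\S+)$")

def parse(config):
    """Return (rewrite, terms): rewrite[rule][(fc, lp)] = code point,
    terms[filter][term] = {"forwarding-class": ..., "loss-priority": ...}."""
    rewrite, terms = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := REWRITE.match(line):
            rule, fc, lp, cp = m.groups()
            rewrite.setdefault(rule, {})[(fc, lp)] = cp
        elif m := TERM.match(line):
            flt, term, key, value = m.groups()
            terms.setdefault(flt, {}).setdefault(term, {})[key] = value
    return rewrite, terms

def dscp_per_term(config, filter_name, rule_name):
    """Map each filter term to the code point the rewrite rule defines for its
    (forwarding-class, loss-priority) pair, or None when the rule has no entry."""
    rewrite, terms = parse(config)
    table = rewrite.get(rule_name, {})
    return {term: table.get((a.get("forwarding-class"), a.get("loss-priority")))
            for term, a in terms.get(filter_name, {}).items()}

if __name__ == "__main__":
    for term, cp in dscp_per_term(CONFIG, "QOS", "QOS").items():
        print(f"{term:10s} -> {cp or 'no rewrite-rule entry'}")
```
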