Routing

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  DSCP marker Juniper MX

    This message was posted by a user wishing to remain anonymous
    Posted 11-02-2022 11:29
    This message was posted by a user wishing to remain anonymous

    Hello,

    I have a requirement to mark the traffic that my router sent to the customer with a DSCP marker (AF31).

    I am not very familiar with DSCP marking on Juniper and I need some help from someone who has experience with QoS (DSCP marking) on Juniper.

    The topology is: Server <-> Router1 <-MPLS-> Juniper MX <-eBGP-> Customer

    I read the documentation related to DSCP marking / QoS and I implemented the below config on the MX router. Unfortunately, it is not working as expected.

    set interfaces x unit y family inet filter output DSCP_IPv4

    set firewall family inet filter DSCP_marking term 1 then dscp af31
    set firewall family inet filter DSCP_marking term last then accept

    After the implementation I noticed that Juniper MX marks the traffic on both directions (inbound and outbound), even if the marking is applied only for the outbound traffic.
    Juniper MX should mark only the traffic sent to Customer. The traffic received from Customer is not marked and it should be sent to Router1 and Server without any marking.

    But, somehow the traffic received from Customer is marked by Juniper MX and sent to the internal network with AF31.

    My questions are:
    1. Is the config wrong? Have I missed anything?

    2. Can I use this family filter for IPv6 traffic, as well? Should I change anything for IPv6? From my understanding, I can use for IPv6, as well. In order to be on the safe side, I would like to double check with someone who has experience with DSCP markers on MX.

    Any help is much appreciated! Thank you!


  • 2.  RE: DSCP marker Juniper MX

    This message was posted by a user wishing to remain anonymous
    Posted 11-02-2022 12:18
    This message was posted by a user wishing to remain anonymous

    Hello,

    In the initial post I paste the wrong config. Here is the config used:
    set interfaces x unit y family inet filter output DSCP_marking


    set firewall family inet filter DSCP_marking term 1 then dscp af31
    set firewall family inet filter DSCP_marking term last then accept


  • 3.  RE: DSCP marker Juniper MX

    Posted 11-03-2022 02:27
    Hi,

    1. Is the config wrong? Have I missed anything?
    The config should work. Is it possible to share the actual configuration of both the ingress and egress interfaces?
    Also, how was it verified that the traffic from the customer side is not marked?  One way to check this would be to apply this filter on the customer-facing MX interface and verify if the af31 counter values increment. If they do, then the traffic received from the customer is already marked.

    Also, apply and check the same filter on the internal interface (egress direction), to verify if the packets leaving the MX routers are marked, even if they were received unmarked from the customer end.

    family inet {
        filter DSCP_check {
            term 1 {
                from {
                    dscp af31;
                }
                then {
                    count af31;
                    accept;
                }
            }
            term last {
                then accept;
            }
        }
    }
    
    
     show firewall filter DSCP_check 
    
    Filter: DSCP_check                                             
    Counters:
    Name                                                Bytes              Packets
    af31                                                    0                    0
    ​


    2. Can I use this family filter for IPv6 traffic, as well? Should I change anything for IPv6? From my understanding, I can use for IPv6, as well. In order to be on the safe side, I would like to double check with someone who has experience with DSCP markers on MX.
    Use family inet6 filter.

    ------------------------------
    Sheetanshu Shekhar
    ------------------------------



  • 4.  RE: DSCP marker Juniper MX

    This message was posted by a user wishing to remain anonymous
    Posted 11-03-2022 11:09
    This message was posted by a user wishing to remain anonymous

    Hello,

    Thank you for your feedback!

    On the customer side there is no qos/dscp marking. We performed tests and the traffic is sent by him without any marking.

    We performed packet captures on all the nodes: customer, Juniper MX, Router1. The conclusions are:
    - the traffic generated by the server reaches Juniper MX, where the traffic is marked properly. Customer receives the traffic from MX with AF31.
    - customer send the traffic without any marking, it reaches Juniper MX, where the traffic is marked and I don`t understand why. The traffic sent by MX is received by Router1 with AF31.



  • 5.  RE: DSCP marker Juniper MX

    Posted 11-03-2022 13:45
    Hi,

    Thanks for the confirmation.

    - Is it possible to share the interface configuration (both the interfaces)?
    - Is it possible to share the output of "show class-of-service" from the Juniper MX? There may be a rewrite rule configured.

    Regards
    Sheetanshu

    ------------------------------
    Sheetanshu Shekhar
    ------------------------------