Network Architecture & Design

  • 1.  QoS ACL To Re-Mark DSCP

    Posted 06-08-2015 12:38
    Hi all

    I want to re-mark to DSCP zero any traffic coming in which is outside of a particular UDP & TCP port range.

    I'll need to use an ACL but would I have to list every single port in the range - I don't think I can use < > symbols in a policy can I?

    I realise this is the wrong syntax, but in essence the policy below describes what I'm trying to achieve.

    Does anyone have a better way to do this?

    ++++++++++++++++++++++++++++++++

    Entry allow_udp_range {
    If {protocol udp; destination-port > nnnn AND destination-port < nnnn} possibly 60 ports
    then
    {permit;}}

    Entry allow_tcp_range {
    If {protocol tcp; destination-port > nnnn AND destination-port < nnnn} possibly 100 or so ports
    then
    {permit;}}

    Entry re-mark_everything_else {
    If {any}
    then
    {Qosprofile qp1;
    Replace-dscp;}}

    ++++++++++++++++++++++++++++++++++



  • 2.  RE: QoS ACL To Re-Mark DSCP

    Posted 06-08-2015 13:09
    Hi Stephen,

    You can specify a port range for a match condition. For example, to match on TCP ports 120-150, you could do the following:

    entry allow_tcp_range { if { protocol tcp; destination-port 120-150; } then { permit; } }

    You can also use '<', '>', '<=', and '>=' in policy files as well. For example,

    entry deny_udp_>1024 { if { protocol udp; destination-port > 1024; } then { deny; } }

    -Brandon
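    The following is an added example, not code from the thread or from Extreme Networks. It writes the three entries the original post asked for in the entry/if/then syntax Brandon's reply describes (a range as "5000-5059", a comparison as "> 1024") and then evaluates constructed packets against them with first-match semantics, so you can see which flows keep their ingress DSCP and which are re-marked. The port ranges, the qosprofile name qp1, the DSCP value that replace-dscp writes for qp1 (0, because that is what the poster wants; on the switch it comes from the qosprofile-to-DSCP replacement mapping), the treatment of an empty match block as match-all, and pass-through when no entry matches are all assumptions made for illustration. It also goes one step beyond the thread by showing why the catch-all entry must be last: with the same entries in the wrong order, every packet is re-marked, including the ones you meant to permit. The practical point for an ingress policy like this is that the permitted ranges are your trust boundary: anything matched by a bare permit keeps whatever DSCP the host chose to send.

```python
"""Simulate first-match evaluation of an EXOS-style QoS ACL policy (added example)."""
import re
from dataclasses import dataclass, replace

# Constructed policy in entry/if/then syntax. Port ranges and qp1 are assumed
# values; the last entry is the catch-all that re-marks everything else.
POLICY = """
entry allow_udp_range { if { protocol udp; destination-port 5000-5059; } then { permit; } }
entry allow_tcp_range { if { protocol tcp; destination-port 8000-8099; } then { permit; } }
entry remark_everything_else { if { } then { qosprofile qp1; replace-dscp; } }
"""

# Same entries, catch-all first: demonstrates that ordering decides the outcome.
MISORDERED_POLICY = """
entry remark_everything_else { if { } then { qosprofile qp1; replace-dscp; } }
entry allow_udp_range { if { protocol udp; destination-port 5000-5059; } then { permit; } }
entry allow_tcp_range { if { protocol tcp; destination-port 8000-8099; } then { permit; } }
"""

# DSCP written by replace-dscp for each qosprofile. Assumed: on EXOS this comes
# from the switch's qosprofile-to-DSCP replacement mapping, not from the policy.
QP_DSCP = {"qp1": 0}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port
    dscp: int    # DSCP as it arrived on the ingress port


_ENTRY = re.compile(r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)
_PORT = re.compile(r"^(<=|>=|<|>)?\s*(\d+)(?:\s*-\s*(\d+))?$")


def port_matcher(spec: str):
    """Turn '120-150', '> 1024', '<= 80' or '443' into a predicate on a port number."""
    m = _PORT.match(spec.strip())
    if not m:
        raise ValueError(f"bad port spec: {spec!r}")
    op, lo, hi = m.group(1), int(m.group(2)), m.group(3)
    if hi is not None:                       # inclusive range, e.g. 120-150
        hi = int(hi)
        return lambda port: lo <= port <= hi
    ops = {None: lambda port: port == lo,
           "<": lambda port: port < lo,
           ">": lambda port: port > lo,
           "<=": lambda port: port <= lo,
           ">=": lambda port: port >= lo}
    return ops[op]


def parse_policy(text: str):
    """Return [(entry name, [match predicates], {action: argument})] in file order."""
    entries = []
    for name, cond, act in _ENTRY.findall(text):
        preds = []
        for c in (x.strip() for x in cond.split(";")):
            if not c:
                continue
            key, _, val = c.partition(" ")
            if key == "protocol":
                preds.append(lambda pkt, v=val.strip(): pkt.proto == v)
            elif key == "destination-port":
                preds.append(lambda pkt, f=port_matcher(val): f(pkt.dport))
            else:
                raise ValueError(f"unsupported match condition: {c!r}")
        actions = {}
        for a in (x.strip() for x in act.split(";")):
            if a:
                key, _, val = a.partition(" ")
                actions[key] = val.strip()
        entries.append((name, preds, actions))
    return entries


def apply_policy(entries, pkt: Packet):
    """First match wins. Returns (entry name, resulting packet, or None if dropped)."""
    for name, preds, actions in entries:
        if all(p(pkt) for p in preds):       # empty match block => matches everything (assumed)
            if "deny" in actions:
                return name, None
            if "replace-dscp" in actions:    # a bare permit leaves the ingress DSCP untouched
                pkt = replace(pkt, dscp=QP_DSCP[actions["qosprofile"]])
            return name, pkt
    return "no-match", pkt                   # assumed pass-through; add an explicit last entry instead


def classify_with(policy_text: str, proto: str, dport: int, dscp: int = 46):
    """Evaluate one constructed packet and report (matching entry, resulting DSCP)."""
    name, out = apply_policy(parse_policy(policy_text), Packet(proto, dport, dscp))
    return name, (None if out is None else out.dscp)


def classify(proto: str, dport: int, dscp: int = 46):
    return classify_with(POLICY, proto, dport, dscp)


if __name__ == "__main__":
    for proto, port in [("udp", 5010), ("tcp", 8050), ("tcp", 5010), ("udp", 9999)]:
        print(proto, port, classify(proto, port), "misordered:", classify_with(MISORDERED_POLICY, proto, port))
```

    A UDP packet to port 5010 and a TCP packet to port 8050 hit their permit entries and keep DSCP 46; TCP to 5010 (inside the UDP range but not the TCP one) and UDP to 9999 fall through to the catch-all and leave with DSCP 0. Run against MISORDERED_POLICY, all four are re-marked, because the match-all entry is evaluated first.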


  • 3.  RE: QoS ACL To Re-Mark DSCP

    Posted 06-08-2015 13:12
    Excellent! Thanks for your reply, Brandon.
    I'll give it a go.


  • 4.  RE: QoS ACL To Re-Mark DSCP

    Posted 06-08-2015 13:12
    I created a KB article for this as well. You can find it here.