QoS ACL To Re-Mark DSCP

  • Question
  • Updated 3 years ago
  • Answered
Hi all

I want to re-mark to DSCP zero any traffic coming in which is outside of a particular UDP & TCP port range.

I'll need to use an ACL, but would I have to list every single port in the range? I don't think I can use < > symbols in a policy, can I?

I realise this is the wrong syntax, but in essence the policy below describes what I'm trying to achieve.

Does anyone have a better way to do this?

++++++++++++++++++++++++++++++++

Entry allow_udp_range {
    If {protocol udp; destination-port > nnnn AND destination-port < nnnn}   (possibly 60 ports)
    then
    {permit;}
}

Entry allow_tcp_range {
    If {protocol tcp; destination-port > nnnn AND destination-port < nnnn}   (possibly 100 or so ports)
    then
    {permit;}
}

Entry re-mark_everything_else {
    If {any}
    then
    {Qosprofile qp1;
     Replace-dscp;}
}

++++++++++++++++++++++++++++++++++


Stephen Elliott


Posted 3 years ago


Brandon Clay, Escalation Support Engineer

Official Response
Hi Stephen,

You can specify a port range for a match condition. For example, to match on TCP ports 120-150, you could do the following:

entry allow_tcp_range {
    if {
        protocol tcp;
        destination-port 120-150;
    } then {
        permit;
    }
}

You can also use '<', '>', '<=', and '>=' in policy files. For example,

entry deny_udp_>1024 {
    if {
        protocol udp;
        destination-port > 1024;
    } then {
        deny;
    }
}

-Brandon
(Edited)
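Putting the two constructions from the answer together into the policy Stephen described, as an added example that is not code from this thread or from Extreme's documentation: a complete EXOS-style policy file that lets one UDP range and one TCP range through untouched and re-marks everything else. The port ranges 16384-16443 and 5000-5099, the file name, the entry names and the use of qosprofile qp1 are assumed, constructed values (Stephen's real ranges are not given in the thread), and the comment about how the replacement DSCP value is configured is an assumption to verify against your release notes.

```text
# remark_dscp.pol  (constructed example; port ranges are placeholders)
# Entries are evaluated top to bottom and the first match wins, so the
# permit entries for the trusted ranges must sit above the catch-all.
# A "120-150" style range is inclusive at both ends; the "> n" form is
# exclusive, so "> 1024" does not match port 1024 itself.

entry allow_udp_range {
    if {
        protocol udp;
        destination-port 16384-16443;   # 60 ports, assumed values
    } then {
        permit;
    }
}

entry allow_tcp_range {
    if {
        protocol tcp;
        destination-port 5000-5099;     # 100 ports, assumed values
    } then {
        permit;
    }
}

# Everything not matched above: forward it, but rewrite its DSCP.
# An empty match clause matches every packet.
# replace-dscp writes the DSCP code point that is mapped to the named
# qosprofile, so qp1 has to be mapped to code point 0 for this to
# re-mark to zero (assumption: 'configure diffserv replacement
# qosprofile qp1 code-point 0', or the equivalent on your release).
entry remark_everything_else {
    if {
    } then {
        permit;
        qosprofile qp1;
        replace-dscp;
    }
}
```

After loading the file, run the switch's policy syntax check before applying it to the ingress ports (assumed commands: `check policy remark_dscp` and `configure access-list remark_dscp ports <port-list> ingress`). Two points worth checking once it is live: the catch-all only re-marks what the earlier entries did not permit, so a typo in either range silently widens or narrows what keeps its DSCP, and any host that can reach the switch can still send to a port inside the trusted ranges and keep its own marking, so the ranges should be no wider than the application actually needs.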