Summit ACL based QoS remarking issue

Dear Experts,

I found that if I define the remarking command first and then define a new ACL, the newly defined ACL will follow that remarking action and use the newly defined remarking value for outgoing traffic.
Yet, once I changed the remarking command, the previously defined ACL will not follow the new remarking value but still uses the previous one.

The point is the sequence of inputting commands.

Working one:
1- Define remarking command first prior to defining any ACL. Like:
configure diffserv replacement priority 6 code-point 40
2- Define ACL afterwards

Not working case:
No matter whether we define the remarking command first or the ACL first, as long as I want to change the remarking command to use a new value, only the upcoming ACLs will follow the new value; those previously defined ACLs will not, even when traffic is hitting the ACL.

The question is whether the above "Not working case" is normal and expected, or is it a bug?

Leo Gu

Posted 3 years ago

Prashanth KG, Employee

Hi Leo,

If you are using the ACL policy and not a dynamic ACL, what happens if you refresh the policy used after making the dscp-code-point change? 

Looking forward to your response. 

Leo Gu

Hi Prashanth,

I'm using the dynamic ACL, not a policy file.

Thanks.
BR//Leo Gu

Brandon Clay, Escalation Support Engineer

Hi Leo,

Can you give us an example of the ACL that you are using, as well as how it is applied?

-Brandon

Leo Gu

Hi Brandon,

Many thanks for your reply. I attached some capture files and config.
http://pan.baidu.com/s/1pJKPEEf

Please also note that not all of the config is related to this case. The useful parts are listed below:

1. Port 25(ingress traffic), port 51(egress traffic), port 9(port mirroring).

2. ACL: “test”, “test1”, “test2”, “test3”, “test4”

3. QoSprofile/dscp remarking related config

 

Steps used:

With acl “test”,  “test1” to “test4”, I performed this dscp remarking several times. Take acl “test2” and “test4” for instance.

Step 1- Testbed dscp remarking config:

 

configure diffserv replacement priority 6 code-point 40

create access-list test2 " protocol tcp ; destination-port 3456 ;" " qosprofile qp7 ; count test2 ; replace-dscp  ;" application "Cli"

configure access-list add test2 last priority 0 zone SYSTEM ports 25 ingress

 

Send traffic matching acl “test2”. Capture the traffic traversing port 25 and port 51 to port 9.

Step 2- Change the dscp remarking config:

 configure diffserv replacement priority 6 code-point 48

Send traffic matching acl “test2”. Capture the traffic traversing port 25 and port 51 to port 9.

DSCP in Outgoing traffic was not changed.

 

Step 3- Define a new acl “test4”, now the config is as follows:

configure diffserv replacement priority 6 code-point 48

create access-list test4 " protocol tcp ; destination-port 5678 ;" " qosprofile qp7 ; count test4 ; replace-dscp  ;" application "Cli"

configure access-list add test4 last priority 0 zone SYSTEM ports 25 ingress

 

Send traffic matching acl “test4”. Capture the traffic traversing port 25 and port 51 to port 9.

 

 

As per the above, it seems that an existing ACL will not follow the DSCP remarking value if that value is changed; only those ACLs defined AFTER the DSCP remarking value changed will follow the action modifier and remark using the new value.

Grosjean, Stephane, Employee

Hi,

- What version of EXOS are you running, btw?

- Can you check what is the result of "sh diffserv replacement" in each case?

- Is the behavior the same if you change the code-point associated to the QoS Profile?

config diffserv replacement qp7 code-point 48

Leo Gu

Hi Grosjean,

-Version is ExtremeXOS version 15.6.3.1 v1563b1-patch1-3.
-I checked the "show diff replacement" for each case, the value in output is the same as defined in "config diffserv replacement qp7 code-point xx"
-Yes. The behavior is the same.

Ram, Employee

Hello Leo,

During my lab test, I found that by using the following policy instead of the Dynamic ACL, the traffic is modified as expected.

entry test {
    if {
        protocol tcp;
        destination-port 3456;
    }
    then {
        qosprofile qp7;
        replace-dscp;
        count counter;
    }
}

- While using a Dynamic ACL with the replace-DSCP action, modification of the code-point does not affect the ACL.

- We need to delete and re-add the access-list to make the Diffserv code-point value changes take effect.

- I have reported the issue to our engineering team for their analysis.




Grosjean, Stephane, Employee

Hi Ram,

Did you open a case for it?

Ram, Employee

Hello Stephane,

Yes, Leo has opened a GTAC case and I am working on it.

Ram, Employee

Hello Leo,

We have found that when updating the DSCP value, it is not getting updated in hardware. Hence, packets are forwarded with the old DSCP value.

This is a software bug and we have created CR# xos0063082 for tracking this issue.

CR Abstract: "Updating DSCP value is not getting refreshed for Dynamic ACL".

You can refer to this CR if you would like to seek any additional information from Extreme Networks.
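
Added example, not part of the thread and not Extreme Networks code: a check for the stale remark discussed above, run over IPv4/TCP packets captured on the egress side. The packet bytes are constructed, and the function names and the ACL-to-port map (taken from the test2/test4 rules quoted in the thread) are assumptions.

```python
import struct

def build_ipv4_tcp(dscp, dst_port):
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header."""
    tos = dscp << 2  # DSCP is the upper 6 bits of the ToS byte, ECN the lower 2
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + tcp

def parse_dscp_and_port(packet):
    """Return (dscp, tcp_dst_port), or None if not a parseable IPv4/TCP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length varies with IP options
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 4:
        return None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                        # non-first fragment: no TCP header
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return packet[1] >> 2, dst_port

def find_stale_remarks(egress_packets, expected_dscp, acl_ports):
    """Map each ACL name to the unexpected DSCP values seen on its egress traffic."""
    port_to_acl = {port: name for name, port in acl_ports.items()}
    stale = {}
    for pkt in egress_packets:
        parsed = parse_dscp_and_port(pkt)
        if parsed is None:
            continue
        dscp, port = parsed
        acl = port_to_acl.get(port)
        if acl is not None and dscp != expected_dscp:
            stale.setdefault(acl, set()).add(dscp)
    return {acl: sorted(values) for acl, values in stale.items()}

# Assumption: destination ports from the dynamic ACLs quoted in the thread.
ACL_PORTS = {"test2": 3456, "test4": 5678}
# Constructed egress capture after the code-point was changed from 40 to 48:
# test2 (created before the change) still leaves with 40, test4 with 48.
SAMPLE_EGRESS = [build_ipv4_tcp(40, 3456), build_ipv4_tcp(48, 5678),
                 build_ipv4_tcp(40, 3456)]

if __name__ == "__main__":
    print(find_stale_remarks(SAMPLE_EGRESS, 48, ACL_PORTS))
```

An empty result after deleting and re-adding the access-list indicates the new code-point is being applied to that rule's traffic.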