
Summit ACL based QoS remarking issue


Dear Experts,

I found that if I define the remarking command first and then define a new ACL, the newly defined ACL will follow that remarking action and use the newly defined remarking value for outgoing traffic.
Yet, once I changed the remarking command, the previously defined ACL will not follow the new remarking value but still uses the previous one.

The point is the sequence of inputting commands.

Working one:
1- Define remarking command first prior to defining any ACL. Like:
configure diffserv replacement priority 6 code-point 40
2- Define ACL afterwards

Not working case:
No matter whether we define the remarking command first or the ACL first, as long as I want to change the remarking command to use a new value, only the upcoming ACLs will follow the new value; the previously defined ACLs will not, even though traffic is hitting the ACL.

The question is whether the above "Not working case" is normal and expected,
or is it a bug?

10 replies

Userlevel 6
Hi Leo,

If you are using the ACL policy and not a dynamic ACL, what happens if you refresh the policy used after making the dscp-code-point change?

Looking forward to your response.
Prashanth KG wrote:

Hi Leo,

If you are using the ACL policy and not a dynamic ACL, what happens if you refresh the policy used after making the dscp-code-point change?

Looking forward to your response.

Hi Prashanth,

I'm using the dynamic ACL, not a policy file.

Thanks.
BR//Leo Gu
Userlevel 7
Hi Leo,

Can you give us an example of the ACL that you are using, as well as how it is applied?

-Brandon
Brandon Clay wrote:

Hi Leo,

Can you give us an example of the ACL that you are using, as well as how it is applied?

-Brandon

Hi Brandon,

Many thanks for your reply. I attached some capture files and config.
http://pan.baidu.com/s/1pJKPEEf

Please also note that not all of the config is related to this case. The useful parts are listed below:

1. Port 25 (ingress traffic), port 51 (egress traffic), port 9 (port mirroring).

2. ACL: “test”, “test1”, “test2”, “test3”, “test4”

3. QoSprofile/dscp remarking related config

Steps used:

With acl “test”, “test1” to “test4”, I performed this dscp remarking several times. Take acl “test2” and “test4” for instance.

Step 1- Testbed dscp remarking config:

configure diffserv replacement priority 6 code-point 40
create access-list test2 " protocol tcp ; destination-port 3456 ;" " qosprofile qp7 ; count test2 ; replace-dscp ;" application "Cli"
configure access-list add test2 last priority 0 zone SYSTEM ports 25 ingress

Send traffic matching acl “test2”. Capture the traffic traversing port 25 and port 51 to port 9.

Step 2- Change the dscp remarking config:

configure diffserv replacement priority 6 code-point 48

Send traffic matching acl “test2”. Capture the traffic traversing port 25 and port 51 to port 9.

DSCP in outgoing traffic was not changed.

Step 3- Define a new acl “test4”, now the config is as follows:

configure diffserv replacement priority 6 code-point 48
create access-list test4 " protocol tcp ; destination-port 5678 ;" " qosprofile qp7 ; count test4 ; replace-dscp ;" application "Cli"
configure access-list add test4 last priority 0 zone SYSTEM ports 25 ingress

Send traffic matching acl “test4”. Capture the traffic traversing port 25 and port 51 to port 9.

As per the above, it seems that an existing acl will not follow the dscp remarking value if the dscp remarking value is changed; only those acls defined AFTER the dscp remarking value changed will follow the action modifier to do the remark using the new value.
Userlevel 7
Hi,

- What version of EXOS are you running, btw?

- Can you check what is the result of "sh diffserv replacement" in each case?

- Is the behavior the same if you change the code-point associated to the QoS Profile?

config diffserv replacement qp7 code-point 48

Hi Grosjean,

-Version is ExtremeXOS version 15.6.3.1 v1563b1-patch1-3.
-I checked the "show diff replacement" for each case, the value in output is the same as defined in "config diffserv replacement qp7 code-point xx"
-Yes. The behavior is the same.
Userlevel 3
Hello Leo,

During my lab test, I have found that by using the following policy instead of the Dynamic ACL, the traffic is modified as expected.

entry test {
    if {
        protocol tcp;
        destination-port 3456;
    }
    then {
        qosprofile qp7;
        replace-dscp;
        count counter;
    }
}

- While using Dynamic ACL with the replace-DSCP action, modification of the code-point does not affect the ACL.

- We need to delete and re-add the access-list to make the Diffserv code-point value changes take effect.

- I have reported the issue to our engineering team for their analysis.
Userlevel 7
Hi Ram,

did you open a case for it?
Userlevel 3
Hello Stephane,

Yes, Leo has opened a GTAC case and I am working on it.
Userlevel 3
Hello Leo,

We have found that when updating the DSCP value, it is not getting updated in hardware. Hence, packets are forwarded with the old DSCP value.

This is a software bug and we have created CR# xos0063082 for tracking this issue.

CR Abstract: "Updating DSCP value is not getting refreshed for Dynamic ACL".

You can refer to this CR if you would like to seek any additional information from Extreme Networks.
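
A way to check an egress capture for the stale remarking described in this thread, as an added example that is not part of any post and is not Extreme Networks code: it reads the DSCP from each IPv4/TCP packet and names the ACL rules whose traffic does not carry the expected code-point. The packets are constructed samples and the function names are hypothetical; the rule names, ports and code-points 40 and 48 come from the posts above.

```python
import struct

def build_ipv4_tcp(dscp, dst_port):
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums left at 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHLLBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + tcp

def dscp_and_port(packet):
    """Return (dscp, tcp_dst_port) for an IPv4/TCP packet, or None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 4:
        return None
    dscp = packet[1] >> 2                   # DSCP is the top 6 bits of the DS byte
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return dscp, dst_port

def stale_rules(egress_packets, rule_ports, expected_dscp):
    """Names of rules whose matching egress traffic does not carry expected_dscp."""
    stale = set()
    for pkt in egress_packets:
        parsed = dscp_and_port(pkt)
        if parsed is None:
            continue
        dscp, port = parsed
        rule = rule_ports.get(port)
        if rule is not None and dscp != expected_dscp:
            stale.add(rule)
    return sorted(stale)

# Destination ports of the two dynamic ACLs used in the thread.
RULE_PORTS = {3456: "test2", 5678: "test4"}

# Constructed egress capture modelling the state after step 3:
# test2 traffic still leaves with code-point 40, test4 traffic with 48.
EGRESS = [build_ipv4_tcp(40, 3456), build_ipv4_tcp(48, 5678), build_ipv4_tcp(40, 3456)]

if __name__ == "__main__":
    print(stale_rules(EGRESS, RULE_PORTS, expected_dscp=48))
```
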
