QoS ACL To Re-Mark DSCP


Hi all

I want to re-mark to DSCP zero any traffic coming in which is outside of a particular UDP & TCP port range.

I'll need to use an ACL, but would I have to list every single port in the range? I don't think I can use < > symbols in a policy, can I?

I realise this is the wrong syntax, but in essence the policy below describes what I'm trying to achieve.

Does anyone have a better way to do this?

++++++++++++++++++++++++++++++++

entry allow_udp_range {
    if { protocol udp; destination-port > nnnn AND destination-port < nnnn; }   # possibly 60 ports
    then { permit; }
}

entry allow_tcp_range {
    if { protocol tcp; destination-port > nnnn AND destination-port < nnnn; }   # possibly 100 or so ports
    then { permit; }
}

entry re-mark_everything_else {
    if { any }
    then { qosprofile qp1; replace-dscp; }
}

++++++++++++++++++++++++++++++++++


Hi Stephen,

You can specify a port range for a match condition. For example, to match on TCP ports 120-150, you could do the following:

entry allow_tcp_range { if { protocol tcp; destination-port 120-150; } then { permit; } }

You can also use '<', '>', '<=', and '>=' in policy files as well. For example,

entry deny_udp_>1024 { if { protocol udp; destination-port > 1024; } then { deny; } }

-Brandon
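Putting the two pieces together, here is a complete policy file that uses the range match from the reply above to permit the trusted port ranges and then re-marks everything else, as the original post set out to do. This is an added example, not code from the thread or from Extreme's documentation. The port ranges 5000-5059 and 8000-8099, the entry names and the file name are placeholders; qp1 is the profile named in the original post. Two caveats a practitioner should check: EXOS evaluates entries top to bottom and applies the first match, so the permit entries must sit above the catch-all, and replace-dscp writes the DSCP value mapped to the named QoS profile, which is 0 for qp1 only under the default mapping, so confirm the mapping on the switch before relying on it. The security point of the catch-all is that hosts outside the trusted ranges cannot buy themselves priority queueing by setting their own DSCP.

```exos
# remark_untrusted.pol -- added example; port ranges and names are placeholders.

# Trusted UDP range (placeholder 5000-5059): forward, leave DSCP untouched.
entry allow_udp_range {
    if {
        protocol udp;
        destination-port 5000-5059;
    } then {
        permit;
    }
}

# Trusted TCP range (placeholder 8000-8099): forward, leave DSCP untouched.
entry allow_tcp_range {
    if {
        protocol tcp;
        destination-port 8000-8099;
    } then {
        permit;
    }
}

# Catch-all (empty match block matches every packet): forward, but overwrite
# whatever DSCP the sender set with the value mapped to qp1 (0 by default).
# Must be the last entry, because the first matching entry wins.
entry remark_everything_else {
    if {
    } then {
        permit;
        qosprofile qp1;
        replace-dscp;
    }
}
```

Save the file as remark_untrusted.pol, run `check policy remark_untrusted` to syntax-check it, then apply it on the untrusted ingress ports with `configure access-list remark_untrusted ports <portlist> ingress`. The explicit `permit` in the last entry is there so the intent is visible when reading the file; the two action modifiers are what actually do the re-marking. The range form `destination-port 5000-5059` is a single condition, which is why it is used here instead of a pair of `>` and `<` comparisons.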
Excellent! thanks for your reply, Brandon.
I'll give it a go.
Stephen Elliott wrote:

Excellent! thanks for your reply, Brandon.
I'll give it a go.

I created a KB article for this as well. You can find it here.
