topic RE: QoS ACL To Re-Mark DSCP in Network Architecture & Design

QoS ACL To Re-Mark DSCP

Stephen_Elliot1 — Mon, 08 Jun 2015 19:38:00 GMT

Hi all

I want to re-mark to DSCP zero any traffic coming in which is outside of a particular UDP & TCP port range.

I'll need to use an ACL but would I have to list every single port in the range - I don't think I can use < > symbols in a policy can I?

I realise this is the wrong syntax, but in essence the policy below describes what I'm trying to achieve.

Does anyone have a better way to do this?

++++++++++++++++++++++++++++++++

Entry allow_udp_range {

If {protocol udp; destination-port > nnnn AND destination-port < nnnn} possibly 60 ports

then

{permit;}}

Entry allow_tcp_range {

If {protocol tcp; destination-port > nnnn AND destination-port < nnnn} possibly 100 or so ports

then

{permit;}}

Entry re-mark_everything_else {

If {any}

then

{Qosprofile qp1;

Replace-dscp;}}

++++++++++++++++++++++++++++++++++

RE: QoS ACL To Re-Mark DSCP

BrandonC — Mon, 08 Jun 2015 20:09:00 GMT

Hi Stephen,

You can specify a port range for a match condition. For example, to match on TCP ports 120-150, you could do the following:

entry allow_tcp_range { if { protocol tcp; destination-port 120-150; } then { permit; } }

You can also use '<', '>', '<=', and '>=' in policy files as well. For example,

entry deny_udp_>1024 { if { protocol udp; destination-port > 1024; } then { deny; } }

-Brandon

RE: QoS ACL To Re-Mark DSCP

Stephen_Elliot1 — Mon, 08 Jun 2015 20:12:00 GMT

Excellent! thanks for your reply, Brandon.
I'll give it a go.

RE: QoS ACL To Re-Mark DSCP

BrandonC — Mon, 08 Jun 2015 20:12:00 GMT

I created a KB article for this as well. You can find it here.