This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

QoS ACL To Re-Mark DSCP

QoS ACL To Re-Mark DSCP

Stephen_Elliot1
Contributor

‎06-08-2015 12:38 PM

Hi all

I want to re-mark to DSCP zero any traffic coming in which is outside of a particular UDP & TCP port range.

I'll need to use an ACL but would I have to list every single port in the range - I don't think I can use < > symbols in a policy can I?

I realise this is the wrong syntax, but in essence the policy below describes what I'm trying to achieve.

Does anyone have a better way to do this?

++++++++++++++++++++++++++++++++

Entry allow_udp_range {

If {protocol udp; destination-port > nnnn AND destination-port < nnnn} possibly 60 ports

then

{permit;}}

Entry allow_tcp_range {

If {protocol tcp; destination-port > nnnn AND destination-port < nnnn} possibly 100 or so ports

then

{permit;}}

Entry re-mark_everything_else {

If {any}

then

{Qosprofile qp1;

Replace-dscp;}}

++++++++++++++++++++++++++++++++++

0 Kudos
3 REPLIES 3

Stephen_Elliot1
Contributor

‎06-08-2015 01:12 PM

Excellent! thanks for your reply, Brandon.
I'll give it a go.
0 Kudos

BrandonC
Extreme Employee
In response to Stephen_Elliot1

‎06-08-2015 01:12 PM

I created a KB article for this as well. You can find it here.
0 Kudos

BrandonC
Extreme Employee

‎06-08-2015 01:09 PM

Hi Stephen,

You can specify a port range for a match condition. For example, to match on TCP ports 120-150, you could do the following:

entry allow_tcp_range { if { protocol tcp; destination-port 120-150; } then { permit; } }

You can also use '<', '>', '<=', and '>=' in policy files as well. For example,

entry deny_udp_>1024 { if { protocol udp; destination-port > 1024; } then { deny; } }

-Brandon
0 Kudos
GTM-P2G8KFN