QoS ACL To Re-Mark DSCP
06-08-2015 12:38 PM
Hi all
I want to re-mark to DSCP zero any traffic coming in which is outside of a particular UDP & TCP port range.
I'll need to use an ACL, but would I have to list every single port in the range? I don't think I can use < > symbols in a policy, can I?
I realise this is the wrong syntax, but in essence the policy below describes what I'm trying to achieve.
Does anyone have a better way to do this?
++++++++++++++++++++++++++++++++
Entry allow_udp_range {
If {protocol udp; destination-port > nnnn AND destination-port < nnnn} possibly 60 ports
then
{permit;}}
Entry allow_tcp_range {
If {protocol tcp; destination-port > nnnn AND destination-port < nnnn} possibly 100 or so ports
then
{permit;}}
Entry re-mark_everything_else {
If {any}
then
{Qosprofile qp1;
Replace-dscp;}}
++++++++++++++++++++++++++++++++++
3 REPLIES
06-08-2015 01:12 PM
Excellent! thanks for your reply, Brandon.
I'll give it a go.
06-08-2015 01:12 PM
I created a KB article for this as well. You can find it here.
06-08-2015 01:09 PM
Hi Stephen,
You can specify a port range for a match condition. For example, to match on TCP ports 120-150, you could do the following:
entry allow_tcp_range { if { protocol tcp; destination-port 120-150; } then { permit; } }
You can also use '<', '>', '<=', and '>=' in policy files as well. For example,
entry deny_udp_>1024 { if { protocol udp; destination-port > 1024; } then { deny; } }
-Brandon
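Putting Brandon's range syntax together with Stephen's original goal, here is a complete policy file that permits the two port ranges untouched and re-marks everything else to DSCP 0. This is an added example for this page, not something posted in the thread or shipped by Extreme; the port ranges (UDP 5000-5059, TCP 8000-8099), the file name and the port number in the apply command are assumed placeholders, and it relies on the default EXOS mapping in which replace-dscp on qp1 writes DSCP 0.

```text
# remark_outside_range.pol  (added example; ranges are assumed placeholders)
#
# Entries are evaluated top-down and the first match wins, so the two
# permit entries must come before the catch-all, otherwise the catch-all
# would re-mark the in-range traffic as well.

entry allow_udp_range {
    if { protocol udp; destination-port 5000-5059; }
    then { permit; }
}

entry allow_tcp_range {
    if { protocol tcp; destination-port 8000-8099; }
    then { permit; }
}

# Empty match block matches all remaining traffic. qp1 replaces the
# DSCP with 0 under the default DSCP replacement mapping.
entry remark_everything_else {
    if { }
    then { permit; qosprofile qp1; replace-dscp; }
}

# From the EXOS CLI (assumed port 1:1 as the ingress port):
#   check policy remark_outside_range
#   configure access-list remark_outside_range ports 1:1 ingress
#   show access-list
```

Two caveats a practitioner will want: run `check policy` before applying, since a syntax error in any entry rejects the whole file; and note that both permit entries match on destination-port only, so reply packets for those flows (where the range appears as the source port) fall through to the catch-all and are re-marked. If the return direction also needs to keep its marking, add matching `source-port` entries or apply the policy only on the ingress side you intend to police.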
