I did it two ways, and the first way was more efficient but it didn't mark traffic. The second way I thought would also mark traffic but it does not. The second way is less efficient but I think it stratifies traffic flows better.
So I do it three ways.
First I match and classify on DSCP inbound from the LAN. I then mark the connection on new connections inbound from the LAN and outbound to the ISP interfaces. Third, I packet-mark the established return traffic from those ISP interfaces. Fourth, I match on the traffic outbound to the LAN by packet mark and then change DSCP. For some reason though, on the switch that is connected in the LAN, it doesn't see the incoming packet DSCP changes.
Here's the code...
DSCP classification from the LAN:
/ip firewall mangle
add action=mark-packet chain=prerouting comment="DSCP BE Classification - Incoming from BUILT IN ETHERNET" dscp=0 in-interface="BUILT IN ETHERNET" new-packet-mark="DSCP BE"
add action=mark-packet chain=prerouting comment="DSCP CS1 Classification - Incoming from BUILT IN ETHERNET" dscp=8 in-interface="BUILT IN ETHERNET" new-packet-mark="DSCP CS1"
add action=mark-packet chain=prerouting comment="DSCP CS2 Classification - Incoming from BUILT IN ETHERNET" dscp=16 in-interface="BUILT IN ETHERNET" new-packet-mark="DSCP CS2"
add action=mark-packet chain=prerouting comment="DSCP CS3 Classification - Incoming from BUILT IN ETHERNET" dscp=24 in-interface="BUILT IN ETHERNET" new-packet-mark="DSCP CS3"
add action=mark-packet chain=prerouting comment="DSCP CS4 Classification - Incoming from BUILT IN ETHERNET" dscp=32 in-interface="BUILT IN ETHERNET" new-packet-mark="DSCP CS4"
add action=mark-packet chain=prerouting comment="DSCP CS5 Classification - Incoming from BUILT IN ETHERNET" dscp=40 in-interface="BUILT IN ETHERNET" new-packet-mark="DSCP CS5"
add action=mark-packet chain=prerouting comment="DSCP CS6 Classification - Incoming from BUILT IN ETHERNET" dscp=48 in-interface="BUILT IN ETHERNET" new-packet-mark="DSCP CS6"
add action=mark-packet chain=prerouting comment="DSCP CS7 Classification - Incoming from BUILT IN ETHERNET" dscp=56 in-interface="BUILT IN ETHERNET" new-packet-mark="DSCP CS7"
Connection marking on traffic ingressing the LAN and outbound to ISP interfaces:
add action=mark-connection chain=forward comment="DSCP BE Connection Marking - Outgoing to Comcast" connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="BE Traffic Connection Outbound" out-interface=\
"INTEL QUAD MIDDLE TOP PORT" packet-mark="DSCP BE"
add action=mark-connection chain=forward comment="DSCP BE Connection Marking - Outgoing to Centurylink" connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="BE Traffic Connection Outbound" out-interface=\
CENTURYLINK packet-mark="DSCP BE"
add action=mark-connection chain=forward comment="DSCP CS1 Connection Marking - Outgoing to Comcast" connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS1 Traffic Connection Outbound" out-interface=\
"INTEL QUAD MIDDLE TOP PORT" packet-mark="DSCP CS1"
add action=mark-connection chain=forward comment="DSCP CS1 Connection Marking - Outgoing to Centurylink" connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS1 Traffic Connection Outbound" out-interface=\
CENTURYLINK packet-mark="DSCP CS1"
add action=mark-connection chain=forward comment="DSCP CS2 Connection Marking - Outgoing to Comcast" connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS2 Traffic Connection Outbound" out-interface=\
"INTEL QUAD MIDDLE TOP PORT" packet-mark="DSCP CS2"
add action=mark-connection chain=forward comment="DSCP CS2 Connection Marking - Outgoing to Centurylink" connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS2 Traffic Connection Outbound" out-interface=\
CENTURYLINK packet-mark="DSCP CS2"
add action=mark-connection chain=forward comment="DSCP CS3 Connection Marking - Outgoing to Comcast" connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS3 Traffic Connection Outbound" out-interface=\
"INTEL QUAD MIDDLE TOP PORT" packet-mark="DSCP CS3"
add action=mark-connection chain=forward comment="DSCP CS3 Connection Marking - Outgoing to Centurylink" connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS3 Traffic Connection Outbound" out-interface=\
CENTURYLINK packet-mark="DSCP CS3"
add action=mark-connection chain=forward comment="DSCP CS4 Connection Marking - Outgoing to Comcast" connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS4 Traffic Connection Outbound" out-interface=\
"INTEL QUAD MIDDLE TOP PORT" packet-mark="DSCP CS4"
add action=mark-connection chain=forward comment="DSCP CS4 Connection Marking - Outgoing to Centurylink" connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS4 Traffic Connection Outbound" out-interface=\
CENTURYLINK packet-mark="DSCP CS4"
add action=mark-connection chain=forward comment="DSCP CS5 Connection Marking - Outgoing to Comcast" connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS5 Traffic Connection Outbound" out-interface=\
"INTEL QUAD MIDDLE TOP PORT" packet-mark="DSCP CS5"
add action=mark-connection chain=forward comment="DSCP CS5 Connection Marking - Outgoing to Centurylink" connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS5 Traffic Connection Outbound" out-interface=\
CENTURYLINK packet-mark="DSCP CS5"
add action=mark-connection chain=forward comment="DSCP CS6 Connection Marking - Outgoing to Comcast" connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS6 Traffic Connection Outbound" out-interface=\
"INTEL QUAD MIDDLE TOP PORT" packet-mark="DSCP CS6"
add action=mark-connection chain=forward comment="DSCP CS6 Connection Marking - Outgoing to Centurylink" connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS6 Traffic Connection Outbound" out-interface=\
CENTURYLINK packet-mark="DSCP CS6"
add action=mark-connection chain=forward comment="DSCP CS7 Connection Marking - Outgoing to Comcast" connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS7 Traffic Connection Outbound" out-interface=\
"INTEL QUAD MIDDLE TOP PORT" packet-mark="DSCP CS7"
add action=mark-connection chain=forward comment="DSCP CS7 Connection Marking - Outgoing to Centurylink" connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS7 Traffic Connection Outbound" out-interface=\
CENTURYLINK packet-mark="DSCP CS7"
Return traffic coming back from the ISP interfaces as matched by the connection marks:
add action=mark-packet chain=prerouting comment="DSCP BE Packet Marking - Return traffic incoming From Comcast" connection-mark="BE Traffic Connection Outbound" in-interface="INTEL QUAD MIDDLE TOP PORT" new-packet-mark=\
"BE Return Traffic"
add action=mark-packet chain=prerouting comment="DSCP BE Packet Marking - Return traffic incoming From Centurylink" connection-mark="BE Traffic Connection Outbound" in-interface=CENTURYLINK new-packet-mark="BE Return Traffic"
add action=mark-packet chain=prerouting comment="DSCP CS1 Packet Marking - Return traffic incoming From Comcast" connection-mark="CS1 Traffic Connection Outbound" in-interface="INTEL QUAD MIDDLE TOP PORT" new-packet-mark=\
"CS1 Return Traffic"
add action=mark-packet chain=prerouting comment="DSCP CS1 Packet Marking - Return traffic incoming From Centurylink" connection-mark="CS1 Traffic Connection Outbound" in-interface=CENTURYLINK new-packet-mark="CS1 Return Traffic"
add action=mark-packet chain=prerouting comment="DSCP CS2 Packet Marking - Return traffic incoming From Comcast" connection-mark="CS2 Traffic Connection Outbound" in-interface="INTEL QUAD MIDDLE TOP PORT" new-packet-mark=\
"CS2 Return Traffic"
add action=mark-packet chain=prerouting comment="DSCP CS2 Packet Marking - Return traffic incoming From Centurylink" connection-mark="CS2 Traffic Connection Outbound" in-interface=CENTURYLINK new-packet-mark="CS2 Return Traffic"
add action=mark-packet chain=prerouting comment="DSCP CS3 Packet Marking - Return traffic incoming From Comcast" connection-mark="CS3 Traffic Connection Outbound" in-interface="INTEL QUAD MIDDLE TOP PORT" new-packet-mark=\
"CS3 Return Traffic"
add action=mark-packet chain=prerouting comment="DSCP CS3 Packet Marking - Return traffic incoming From Centurylink" connection-mark="CS3 Traffic Connection Outbound" in-interface=CENTURYLINK new-packet-mark="CS3 Return Traffic"
add action=mark-packet chain=prerouting comment="DSCP CS4 Packet Marking - Return traffic incoming From Comcast" connection-mark="CS4 Traffic Connection Outbound" in-interface="INTEL QUAD MIDDLE TOP PORT" new-packet-mark=\
"CS4 Return Traffic"
add action=mark-packet chain=prerouting comment="DSCP CS4 Packet Marking - Return traffic incoming From Centurylink" connection-mark="CS4 Traffic Connection Outbound" in-interface=CENTURYLINK new-packet-mark="CS4 Return Traffic"
add action=mark-packet chain=prerouting comment="DSCP CS5 Packet Marking - Return traffic incoming From Comcast" connection-mark="CS5 Traffic Connection Outbound" in-interface="INTEL QUAD MIDDLE TOP PORT" new-packet-mark=\
"CS5 Return Traffic"
add action=mark-packet chain=prerouting comment="DSCP CS5 Packet Marking - Return traffic incoming From Centurylink" connection-mark="CS5 Traffic Connection Outbound" in-interface=CENTURYLINK new-packet-mark="CS5 Return Traffic"
add action=mark-packet chain=prerouting comment="DSCP CS6 Packet Marking - Return traffic incoming From Comcast" connection-mark="CS6 Traffic Connection Outbound" in-interface="INTEL QUAD MIDDLE TOP PORT" new-packet-mark=\
"CS6 Return Traffic"
add action=mark-packet chain=prerouting comment="DSCP CS6 Packet Marking - Return traffic incoming From Centurylink" connection-mark="CS6 Traffic Connection Outbound" in-interface=CENTURYLINK new-packet-mark="CS6 Return Traffic"
add action=mark-packet chain=prerouting comment="DSCP CS7 Packet Marking - Return traffic incoming From Comcast" connection-mark="CS7 Traffic Connection Outbound" in-interface="INTEL QUAD MIDDLE TOP PORT" new-packet-mark=\
"CS7 Return Traffic"
add action=mark-packet chain=prerouting comment="DSCP CS7 Packet Marking - Return traffic incoming From Centurylink" connection-mark="CS7 Traffic Connection Outbound" in-interface=CENTURYLINK new-packet-mark="CS7 Return Traffic"
Change DSCP on the return traffic outbound to the LAN, matched by packet mark:
add action=change-dscp chain=forward comment="DSCP BE Traffic Marking - Return BE traffic" new-dscp=0 out-interface="BUILT IN ETHERNET" packet-mark="BE Return Traffic"
add action=change-dscp chain=forward comment="DSCP CS1 Traffic Marking - Return CS1 traffic" new-dscp=8 out-interface="BUILT IN ETHERNET" packet-mark="CS1 Return Traffic"
add action=change-dscp chain=forward comment="DSCP CS2 Traffic Marking - Return CS2 traffic" new-dscp=16 out-interface="BUILT IN ETHERNET" packet-mark="CS2 Return Traffic"
add action=change-dscp chain=forward comment="DSCP CS3 Traffic Marking - Return CS3 traffic" new-dscp=24 out-interface="BUILT IN ETHERNET" packet-mark="CS3 Return Traffic"
add action=change-dscp chain=forward comment="DSCP CS4 Traffic Marking - Return CS4 traffic" new-dscp=32 out-interface="BUILT IN ETHERNET" packet-mark="CS4 Return Traffic"
add action=change-dscp chain=forward comment="DSCP CS5 Traffic Marking - Return CS5 traffic" new-dscp=40 out-interface="BUILT IN ETHERNET" packet-mark="CS5 Return Traffic"
add action=change-dscp chain=forward comment="DSCP CS6 Traffic Marking - Return CS6 traffic" new-dscp=48 out-interface="BUILT IN ETHERNET" packet-mark="CS6 Return Traffic"
add action=change-dscp chain=forward comment="DSCP CS7 Traffic Marking - Return CS7 traffic" new-dscp=56 out-interface="BUILT IN ETHERNET" packet-mark="CS7 Return Traffic"
It still doesn't produce packets as on my Cisco switch I see:
STUFF-NETWORK-CORE#show ip access-lists inbound_marking_verification
Extended IP access list inbound_marking_verification
10 permit ip any any dscp default (70 matches)
20 permit ip any any dscp cs1
30 permit ip any any dscp cs2
40 permit ip any any dscp cs3
50 permit ip any any dscp cs4
60 permit ip any any dscp cs5
70 permit ip any any dscp cs6 (1575 matches)
80 permit ip any any dscp cs7
90 permit ip any any
Config of the interface it is bound on:
STUFF-NETWORK-CORE#show run interface gigabitEthernet 1/0/1
Building configuration...
Current configuration : 756 bytes
!
interface GigabitEthernet1/0/1
description L3 | STUFF-NETWORK-EDGE | BUILT IN ETHERNET
no switchport
bandwidth 100000
ip address 192.168.0.2 255.255.255.252
ip access-group inbound_marking_verification in
ip pim dr-priority 4294967294
ip pim query-interval 10
ip pim sparse-mode
ip ospf cost 20
ip ospf hello-interval 1
ip ospf dead-interval 5
ip ospf priority 255
load-interval 30
speed 1000
duplex full
srr-queue bandwidth share 242 242 242 242
srr-queue bandwidth shape 0 0 0 0
ipv6 address FDFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:2/126
ipv6 enable
ipv6 ospf cost 20
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 5
ipv6 ospf priority 255
ipv6 ospf 1 area 0.0.0.0
mls qos trust dscp
hold-queue 100 in
hold-queue 100 out
end
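A four-stage mangle scheme like the one above lives or dies on the names lining up: the classification packet-mark must feed the connection-mark, the connection-mark must feed the return packet-mark, and the change-dscp rule for that return mark must write the same DSCP the flow was classified with on the way out. A copy-paste slip anywhere in that chain silently sends a class to the wrong queue. The linter below is an added example, not the forum poster's code or anything from RouterOS: it parses a mangle export (RouterOS `add key=value` syntax with `\` line continuations, as in the post) and reports return marks whose DSCP rewrite is missing or disagrees with the original class. The embedded rule set is constructed for the example, reusing the post's interface names and deliberately carrying two defects (a change-dscp rule without `new-dscp`, and a CS2 return rule that hands its packets to the CS3 mark) so there is something to find.

```python
import shlex
from collections import defaultdict

# Constructed sample modelled on the post's four-step mangle scheme.
# Interface names are the post's; the two defects near the end are deliberate.
SAMPLE_RULES = r'''
/ip firewall mangle
# step 1: classify LAN-originated packets by the DSCP the host set
add action=mark-packet chain=prerouting dscp=0 in-interface="BUILT IN ETHERNET" new-packet-mark="DSCP BE"
add action=mark-packet chain=prerouting dscp=8 in-interface="BUILT IN ETHERNET" new-packet-mark="DSCP CS1"
add action=mark-packet chain=prerouting dscp=16 in-interface="BUILT IN ETHERNET" new-packet-mark="DSCP CS2"
add action=mark-packet chain=prerouting dscp=24 in-interface="BUILT IN ETHERNET" new-packet-mark="DSCP CS3"
# step 2: pin the class to the connection on its first packet toward an ISP
add action=mark-connection chain=forward connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="BE Traffic Connection Outbound" out-interface=\
"INTEL QUAD MIDDLE TOP PORT" packet-mark="DSCP BE"
add action=mark-connection chain=forward connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS1 Traffic Connection Outbound" out-interface=\
"INTEL QUAD MIDDLE TOP PORT" packet-mark="DSCP CS1"
add action=mark-connection chain=forward connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS2 Traffic Connection Outbound" out-interface=\
"INTEL QUAD MIDDLE TOP PORT" packet-mark="DSCP CS2"
add action=mark-connection chain=forward connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS2 Traffic Connection Outbound" out-interface=\
CENTURYLINK packet-mark="DSCP CS2"
add action=mark-connection chain=forward connection-state=new in-interface="BUILT IN ETHERNET" new-connection-mark="CS3 Traffic Connection Outbound" out-interface=\
"INTEL QUAD MIDDLE TOP PORT" packet-mark="DSCP CS3"
# step 3: packet-mark the replies by the connection mark they carry
add action=mark-packet chain=prerouting connection-mark="BE Traffic Connection Outbound" in-interface="INTEL QUAD MIDDLE TOP PORT" new-packet-mark="BE Return Traffic"
add action=mark-packet chain=prerouting connection-mark="CS1 Traffic Connection Outbound" in-interface="INTEL QUAD MIDDLE TOP PORT" new-packet-mark="CS1 Return Traffic"
add action=mark-packet chain=prerouting connection-mark="CS2 Traffic Connection Outbound" in-interface="INTEL QUAD MIDDLE TOP PORT" new-packet-mark="CS2 Return Traffic"
add action=mark-packet chain=prerouting connection-mark="CS2 Traffic Connection Outbound" in-interface=CENTURYLINK new-packet-mark="CS3 Return Traffic"
add action=mark-packet chain=prerouting connection-mark="CS3 Traffic Connection Outbound" in-interface="INTEL QUAD MIDDLE TOP PORT" new-packet-mark="CS3 Return Traffic"
# step 4: rewrite DSCP on the way back into the LAN (BE rule lacks new-dscp on purpose)
add action=change-dscp chain=forward out-interface="BUILT IN ETHERNET" packet-mark="BE Return Traffic"
add action=change-dscp chain=forward new-dscp=8 out-interface="BUILT IN ETHERNET" packet-mark="CS1 Return Traffic"
add action=change-dscp chain=forward new-dscp=16 out-interface="BUILT IN ETHERNET" packet-mark="CS2 Return Traffic"
add action=change-dscp chain=forward new-dscp=24 out-interface="BUILT IN ETHERNET" packet-mark="CS3 Return Traffic"
'''


def parse_rules(text):
    """Join RouterOS '\\' line continuations and turn each 'add ...' line into a dict."""
    rules = []
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # section header, comment, blank line
        rule = {}
        for token in shlex.split(line[len("add "):]):  # shlex honours the "..." quoting
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def lint_dscp_marking(rules):
    """Return human-readable findings; an empty list means the mark chain is consistent."""
    class_dscp = {}                  # classification packet-mark -> DSCP seen from the LAN
    conn_class = {}                  # connection-mark -> classification packet-mark
    return_conns = defaultdict(set)  # return packet-mark -> connection-marks that feed it
    rewrite = {}                     # return packet-mark -> DSCP written toward the LAN
    for r in rules:
        action = r.get("action")
        if action == "mark-packet" and "dscp" in r:
            class_dscp[r["new-packet-mark"]] = int(r["dscp"])
        elif action == "mark-connection" and "packet-mark" in r:
            conn_class[r["new-connection-mark"]] = r["packet-mark"]
        elif action == "mark-packet" and "connection-mark" in r:
            return_conns[r["new-packet-mark"]].add(r["connection-mark"])
        elif action == "change-dscp" and "new-dscp" in r:
            rewrite[r["packet-mark"]] = int(r["new-dscp"])

    findings = []
    for ret_mark, conns in sorted(return_conns.items()):
        for conn in sorted(conns):
            cls = conn_class.get(conn)
            if cls not in class_dscp:
                findings.append(f"return mark '{ret_mark}' depends on connection-mark "
                                f"'{conn}' that no classification rule feeds")
            elif ret_mark not in rewrite:
                findings.append(f"return mark '{ret_mark}' has no change-dscp rule "
                                f"with new-dscp set")
            elif rewrite[ret_mark] != class_dscp[cls]:
                findings.append(f"return mark '{ret_mark}' (via '{conn}') is rewritten to "
                                f"DSCP {rewrite[ret_mark]} but the flow was classified "
                                f"as DSCP {class_dscp[cls]}")
    return findings


if __name__ == "__main__":
    for finding in lint_dscp_marking(parse_rules(SAMPLE_RULES)):
        print("FINDING:", finding)
```

Run it against a real `/ip firewall mangle export` saved to a file by replacing `SAMPLE_RULES` with the file's contents; on the constructed sample it reports the BE return mark with no `new-dscp` and the Centurylink CS2 return flow being rewritten to DSCP 24 instead of 16. It only checks name and value consistency between the four stages; rule order and chain placement still have to be verified on the router itself.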