Multifield classification policies

SR Linux supports rule-based QoS multifield classification of IPv4 and IPv6 packets. Each IPv4 and IPv6 multifield classification policy is structurally similar to an IPv4 or IPv6 interface ACL, containing a list of ordered entries, each specifying a set of match conditions and associated actions.

Each multifield classification rule, or entry, has a sequence ID. The policy evaluates packets starting with the entry with the lowest sequence ID, progressing to the entry with the highest sequence ID. Evaluation stops at the first matching entry (that is, when the packet matches all of the conditions specified by the multifield classification entry).

Multifield classification policies are supported on the following platforms:

  • 7220 IXR-D2/D2L/D3/D3L/D4/D5
  • 7250 IXR-6/6e and IXR-10/10e

Match conditions

Each IPv4 or IPv6 policy entry can specify zero or more of the following match conditions.

Table 1. Multifield classification match conditions
| Match condition | Description | IPv4 policy support | IPv6 policy support |
|---|---|---|---|
| Destination IP | Matches by prefix or by address and mask | Yes | Yes |
| Destination port | Matches by destination TCP or UDP port or range. Comparison operators define whether the matching destination port must be equal to, greater than or equal to, or less than or equal to the specified value | Yes | Yes |
| DSCP set | Matches one of the DSCP values listed. This setting matches against the ingress DSCP value (not the rewritten DSCP value). If left empty, any DSCP value matches. | Yes | Yes |
| Fragment/first-fragment | Matches a packet that is a fragment, and optionally the first fragment | Yes | Not applicable |
| ICMP type/code | Matches one of the specified ICMP type and code combinations | Yes | Not applicable |
| ICMPv6 type/code | Matches one of the specified ICMPv6 type and code combinations | Not applicable | Yes |
| Next-header number | Matches the first next-header field (in the IPv6 fixed header) if it contains the specified value | Not applicable | Yes |
| Protocol number | Matches the IP protocol type field | Yes | Not applicable |
| Source IP | Matches by prefix or by address and mask | Yes | Yes |
| Source port | Matches source TCP or UDP port or range. Comparison operators define whether the matching source port must be equal to, greater than or equal to, or less than or equal to the specified value | Yes | Yes |
| TCP flags | Matches the TCP flag names RST, SYN, and ACK based on a logical expression using the &, \|, and ! operators | Yes | Yes |

Supported actions

Each IPv4 or IPv6 policy entry supports the following actions:

  • Set the forwarding class (mandatory action in each entry)
  • Set the drop probability (optional action in each entry, default is low)
  • Rewrite the ingress DSCP value (optional action in each entry, supported only on the 7220 IXR-D2/D2L/D3/D3L)

Supported interfaces: routed, bridged, and IRB

You can bind a multifield classification policy (IPv4, IPv6, or both) to the following subinterface types:

  • Routed subinterface of a default or ip-vrf network instance, associated with an Ethernet port, LAG, or IRB
  • Bridged subinterface of a mac-vrf network instance, associated with an Ethernet port or LAG

DSCP classification policy and multifield classifier policy on the same subinterface

You can apply both a DSCP classification policy and a multifield classifier policy to the same IP/routed subinterface for a specified protocol (IPv4 or IPv6). If an ingress IPv4 or IPv6 packet matches a multifield classification rule, its forwarding class and drop probability are determined solely by the matching multifield classification rule. If an ingress IPv4 or IPv6 packet does not match any multifield classification rule, forwarding class and drop probability are determined as follows:

  • On 7220 IXR-D2/D2L/D3/D3L/D4/D5:

    Forwarding class and drop probability are determined by the configured or default DSCP policy.

  • On 7250 IXR-6/6e and IXR-10/10e:

    Forwarding class and drop probability are determined by the configured or default IPv4 DSCP policy (for IPv4 packets) or IPv6 DSCP policy (for IPv6 packets).
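
The evaluation order described above (lowest sequence ID first, stop at the first entry whose conditions all match, fall back to the DSCP classification policy otherwise), modelled in Python as an added example; it is not SR Linux code. The Entry fields, the sample policy, the DSCP map, and the fc0 fallback are constructed for illustration and cover only source prefix, DSCP set, and destination port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

OPS = {"eq": lambda p, v: p == v, "ge": lambda p, v: p >= v, "le": lambda p, v: p <= v}

@dataclass
class Entry:
    seq: int
    fc: str                          # forwarding class: mandatory action
    drop: str = "low"                # drop probability: optional, default low
    set_dscp: Optional[int] = None   # optional ingress DSCP rewrite
    src: Optional[str] = None        # source prefix
    dscp_set: tuple = ()             # empty set matches any DSCP value
    dport: Optional[tuple] = None    # (operator, value)

    def matches(self, pkt):
        # Every configured condition must hold; unset conditions match anything.
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dscp_set and pkt["dscp"] not in self.dscp_set:  # ingress DSCP
            return False
        if self.dport and not OPS[self.dport[0]](pkt["dport"], self.dport[1]):
            return False
        return True

def classify(policy, pkt, dscp_policy, default=("fc0", "low")):
    """Return (forwarding class, drop probability, DSCP carried after ingress)."""
    for e in sorted(policy, key=lambda e: e.seq):   # lowest sequence ID first
        if e.matches(pkt):                           # stop at the first match
            dscp = pkt["dscp"] if e.set_dscp is None else e.set_dscp
            return e.fc, e.drop, dscp
    # No multifield entry matched: the DSCP classification policy decides.
    fc, drop = dscp_policy.get(pkt["dscp"], default)
    return fc, drop, pkt["dscp"]

# Constructed sample data, listed out of order to show that sequence ID governs.
POLICY = [
    Entry(20, fc="fc1", src="10.10.10.0/24", set_dscp=0),  # re-mark untrusted hosts
    Entry(10, fc="fc6", src="10.10.10.0/24", dscp_set=(10,), dport=("eq", 25), set_dscp=40),
]
DSCP_POLICY = {46: ("fc5", "low")}   # stand-in for the configured DSCP policy

if __name__ == "__main__":
    for pkt in ({"src": "10.10.10.7", "dscp": 10, "dport": 25},
                {"src": "10.10.10.7", "dscp": 56, "dport": 443},
                {"src": "192.0.2.9", "dscp": 46, "dport": 443}):
        print(pkt, "->", classify(POLICY, pkt, DSCP_POLICY))
```

The second sample packet arrives self-marked with DSCP 56 from the untrusted subnet; it misses entry 10 on the DSCP set, matches entry 20, and leaves ingress re-marked to 0.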

Scaling and restrictions

The following sections describe the scaling and restrictions that apply to multifield classification policies on each platform family.

7220 IXR-D2/D2L/D3/D3L/D4/D5

On the 7220 IXR-D2/D2L/D3/D3L/D4/D5:

  • Multifield classifier policies always operate in subinterface-specific mode, with no option available for a shared mode. As a result, the number of TCAM entries required to implement one multifield classifier policy is N * S, where N is the number of TCAM entries required to implement one instance of the policy and S is the number of subinterfaces where the policy is applied.
  • SR Linux blocks the binding of a MAC ACL and an IPv4 or IPv6 multifield classifier policy on the same subinterface. MAC ACL and multifield classification are mutually exclusive options.

7250 IXR-6/6e and IXR-10/10e

On the 7250 IXR-6/6e and IXR-10/10e:

  • Multifield classifier policies cannot operate in a subinterface-specific mode, with no option available to create subinterface-specific TCAM entries. As a result, the number of TCAM entries required to support one multifield classifier policy applied across S subinterfaces is just N, where N is the number of TCAM entries required to implement one instance of the policy.
  • A maximum of 15 IPv4 and 15 IPv6 multifield classifier instances are supported, with utilization reported under info from state platform linecard slot forwarding-complex name (0?) acl resource [input-ipv4-filter-instances | input-ipv6-filter-instances].

Ingress DSCP rewrite

Ingress DSCP rewrite is supported only on the 7220 IXR-D2/D2L/D3/D3L.

Packets arriving on an interface can have IP DSCP markings that are not trusted, for example when the upstream devices do not classify or mark the packets properly, or when the interface is at the beginning of a service SLA that is defined in terms of application characteristics instead of DSCP. In this case, an ingress DSCP rewrite action in the multifield classification policy can replace the DSCP value for matching IPv4 or IPv6 packets with a new value.

Note: If an egress DSCP rewrite rule is also applied to a Layer 3 subinterface, it does not overwrite the ingress DSCP rewrite action. In this case, the packet is transmitted with the DSCP specified in the ingress DSCP rewrite rule.

The following table provides more details about the packet flows that are supported with ingress DSCP rewrite.

Table 2. Supported packet flows with ingress DSCP rewrite
| Ingress packet | Ingress subif type | Ingress subif MF classifier entry action | Forwarding | IRB subif MF classifier entry action | Egress subif(s) DSCP rewrite policy | Egress packet |
|---|---|---|---|---|---|---|
| IP/Ethernet | bridged (mac-vrf) | set fc=A; dscp-rewrite=B | L2 switched | configured or not configured (no effect in either case) | bridged subif DSCP rewrite policy: NO effect | DSCP=B |
| IP/Ethernet | bridged (mac-vrf) | set fc=A; dscp-rewrite=B | L3 routed between mac-vrf1 and mac-vrf2 using IRB | not configured | mac-vrf2 IRB subif DSCP rewrite policy: NO effect; mac-vrf2 bridged subif DSCP rewrite policy: NO effect | DSCP=B |
| IP/Ethernet | bridged (mac-vrf) | set fc=A; dscp-rewrite=B | L3 routed between mac-vrf1 and mac-vrf2 using IRB | IRB of mac-vrf1: set fc=C; dscp-rewrite=D | mac-vrf2 IRB subif DSCP rewrite policy: NO effect; mac-vrf2 bridged subif DSCP rewrite policy: NO effect | DSCP=D |
| IP/Ethernet | bridged (mac-vrf) | set fc=A; dscp-rewrite=B | L3 routed followed by VXLAN encap (symmetric or asymmetric) | not configured | routed subif DSCP rewrite policy: only changes outer DSCP | VXLAN with outer DSCP based on fc=A lookup in the DSCP rewrite policy, payload DSCP=B |
| IP/Ethernet | bridged (mac-vrf) | set fc=A; dscp-rewrite=B | L3 routed followed by VXLAN encap (symmetric or asymmetric) | IRB of mac-vrf1: set fc=C; dscp-rewrite=D | routed subif DSCP rewrite policy: only changes outer DSCP | VXLAN with outer DSCP based on fc=C lookup in the DSCP rewrite policy, payload DSCP=D |
| IP/Ethernet | routed (ip-vrf or default) | set fc=A; dscp-rewrite=B | L3 routed | N/A | routed subif DSCP rewrite policy: NO effect | DSCP=B |

Configuring multifield classification policies for input traffic

To create a multifield classification policy, define either an IPv4 or IPv6 policy name using the qos classifiers multifield command. Within the named policy, configure one or more entries that consist of match conditions and the associated action to apply to matching packets.

The following examples create IPv4 and IPv6 multifield classifier policies, each containing one entry with multiple match conditions and associated actions.

Note: The rewrite set-dscp parameter is supported only on the 7220 IXR-D2/D2L/D3/D3L.

Configure IPv4 multifield classification policy

--{ candidate shared default }--[  ]--
# info qos classifiers multifield ipv4-policy multifield-test
    qos {
        classifiers {
            multifield {
                ipv4-policy multifield-test {
                    entry 10 {
                        match {
                            fragment true
                            first-fragment true
                            protocol tcp
                            tcp-flags syn&ack
                            dscp-set [
                                AF11
                            ]
                            destination-ip {
                                prefix 10.10.20.0/24
                            }
                            source-ip {
                                address 10.10.10.1
                                mask 255.255.255.0
                            }
                            destination-port {
                                operator eq
                                value 25
                            }
                            source-port {
                                operator ge
                                value 2526
                            }
                        }
                        action {
                            forwarding-class fc6
                            drop-probability low
                            rewrite {          
                                set-dscp 40
                            }
                        }
                    }
                }
            }
        }
    }

Configure IPv6 multifield classification policy

--{ candidate shared default }--[  ]--
# info qos classifiers multifield ipv6-policy multifield-test-v6    
    qos {
        classifiers {
            multifield {
                ipv6-policy multifield-test-v6 {
                    entry 100 {
                        match {
                            next-header tcp
                            tcp-flags ack
                            dscp-set [
                                CS7
                            ]
                            destination-ip {
                                prefix 2001:db8:fe10::/64
                            }
                            source-ip {
                                prefix 2001:db8:fc00::/64
                            }
                            destination-port {
                                range {
                                    start 800
                                    end 1000
                                }
                            }
                            source-port {
                                operator le
                                value 700
                            }
                        }
                        action {
                            forwarding-class fc7
                            drop-probability medium
                            rewrite {             
                                set-dscp 56
                            }
                        }
                    }
                }
            }
        }
    }

Applying a multifield classification policy to a subinterface

To apply an IPv4 or IPv6 multifield classification policy (or both) to a subinterface, use the qos input classifiers multifield command.

The following example applies the IPv4 and IPv6 multifield classification policies to inbound traffic on subinterface ethernet-1/1.1.

Apply multifield classification policy to subinterface

--{ candidate shared default }--[  ]--
# info interface ethernet-1/1 subinterface 1 qos
    interface ethernet-1/1 {
        subinterface 1 {
            qos {
                input {
                    classifiers {
                        multifield {
                            ipv4-policy multifield-test
                            ipv6-policy multifield-test-v6
                        }
                    }
                }
            }
        }
    }