Multifield classification policies
SR Linux supports rule-based QoS multifield classification of IPv4 and IPv6 packets. Each IPv4 and IPv6 multifield classification policy is structurally similar to an IPv4 or IPv6 interface ACL, containing a list of ordered entries, each specifying a set of match conditions and associated actions.
Each multifield classification rule, or entry, has a sequence ID. The policy evaluates packets starting with the entry with the lowest sequence ID, progressing to the entry with the highest sequence ID. Evaluation stops at the first matching entry (that is, when the packet matches all of the conditions specified by the multifield classification entry).
Multifield classification policies are supported on the following platforms:
- 7220 IXR-D2/D2L/D3/D3L/D4/D5
- 7250 IXR-6/6e and IXR-10/10e
Match conditions
Each IPv4 or IPv6 policy entry can specify zero or more of the following match conditions.
Match condition | Description | IPv4 policy support | IPv6 policy support |
---|---|---|---|
Destination IP | Matches by prefix or by address and mask | ✔ | ✔ |
Destination port | Matches by destination TCP or UDP port, or by a port range. For a single port, a comparison operator (eq, ge, or le, as used in the configuration examples below) defines how the matching destination port must compare with the configured value | ✔ | ✔ |
DSCP set | Matches one of the DSCP values listed. This setting matches against the ingress DSCP value (not the rewritten DSCP value). If left empty, any DSCP value matches. | ✔ | ✔ |
Fragment/first-fragment | Matches a packet that is a fragment, and optionally the first fragment | ✔ | Not applicable |
ICMP type/code | Matches one of the specified ICMP type and code combinations | ✔ | Not applicable |
ICMPv6 type/code | Matches one of the specified ICMPv6 type and code combinations | Not applicable | ✔ |
Next-header number | Matches the first next-header field (in the IPv6 fixed header) if it contains the specified value | Not applicable | ✔ |
Protocol number | Matches the IP protocol type field | ✔ | Not applicable |
Source IP | Matches by prefix or by address and mask | ✔ | ✔ |
Source port | Matches by source TCP or UDP port, or by a port range. For a single port, a comparison operator (eq, ge, or le, as used in the configuration examples below) defines how the matching source port must compare with the configured value | ✔ | ✔ |
TCP flags | Matches the TCP flag names RST, SYN, and ACK based on a logical expression using the &amp; (AND), \| (OR), and ! (NOT) operators | ✔ | ✔ |
Supported actions
Each IPv4 or IPv6 policy entry supports the following actions:
- Set the forwarding class (mandatory action in each entry)
- Set the drop probability (optional action in each entry, default is low)
- Rewrite the ingress DSCP value (optional action in each entry, supported only on the 7220 IXR-D2/D2L/D3/D3L)
Supported interfaces: routed, bridged, and IRB
You can bind a multifield classification policy (IPv4, IPv6, or both) to the following subinterface types:
- Routed subinterface of a default or ip-vrf network instance, associated with an Ethernet port, LAG, or IRB
- Bridged subinterface of a mac-vrf network instance, associated with an Ethernet port or LAG
DSCP classification policy and multifield classifier policy on the same subinterface
You can apply both a DSCP classification policy and a multifield classifier policy to the same IP/routed subinterface for a specified protocol (IPv4 or IPv6). If an ingress IPv4 or IPv6 packet matches a multifield classification rule, its forwarding class and drop probability are determined solely by the matching multifield classification rule. If an ingress IPv4 or IPv6 packet does not match any multifield classification rule, forwarding class and drop probability are determined as follows:
- On 7220 IXR-D2/D2L/D3/D3L/D4/D5: forwarding class and drop probability are determined by the configured or default DSCP policy.
- On 7250 IXR-6/6e and IXR-10/10e: forwarding class and drop probability are determined by the configured or default IPv4 DSCP policy (for IPv4 packets) or IPv6 DSCP policy (for IPv6 packets).
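As an added illustration (not SR Linux code and not part of the original page), the following Python model implements the evaluation rules described above: entries are tried in ascending sequence-ID order, the first entry whose conditions all match wins, the DSCP set is compared against the ingress DSCP, and a packet that matches no entry falls back to the subinterface's DSCP classification policy. Entry 10 encodes the IPv4 policy multifield-test from the configuration example later on this page; the second entry (sequence 20), the DSCP policy table, the DSCP name-to-value table, and the three packets are constructed for the example. The precedence assumed for !, &amp;, and | in the flag expression evaluator is this model's assumption; the page lists the operators but not their precedence.

```python
"""Model of SR Linux multifield-classifier evaluation (added example, not SR Linux code)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Subset of the standard DSCP code points used on this page (constructed lookup table).
DSCP = {"CS0": 0, "AF11": 10, "CS5": 40, "CS7": 56}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                      # "tcp", "udp", "icmp", ...
    dscp: int                          # ingress DSCP value (before any rewrite)
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()     # TCP flags set in the packet: subset of {"syn", "ack", "rst"}
    fragment: bool = False
    first_fragment: bool = False


@dataclass
class Entry:
    seq: int
    forwarding_class: str              # mandatory action
    drop_probability: str = "low"      # optional action, default low
    set_dscp: Optional[int] = None     # optional ingress DSCP rewrite; None keeps the ingress value
    protocol: Optional[str] = None
    tcp_flags: Optional[str] = None    # e.g. "syn&ack", "syn&!ack", "rst|syn"
    dscp_set: frozenset = frozenset()  # empty set matches any ingress DSCP
    src: Optional[str] = None          # "prefix/len" or "address/mask"
    dst: Optional[str] = None
    sport: Optional[tuple] = None      # ("eq"|"ge"|"le", value) or ("range", start, end)
    dport: Optional[tuple] = None
    fragment: Optional[bool] = None
    first_fragment: Optional[bool] = None


def tcp_flags_match(expr: str, flags: frozenset) -> bool:
    """Evaluate a flag expression over RST/SYN/ACK.
    Assumed precedence: ! binds tightest, then &, then |."""
    def atom(tok: str) -> bool:
        tok = tok.strip().lower()
        return tok[1:] not in flags if tok.startswith("!") else tok in flags
    return any(all(atom(t) for t in conj.split("&")) for conj in expr.split("|"))


def port_match(cond: Optional[tuple], port: int) -> bool:
    if cond is None:
        return True
    if cond[0] == "range":
        return cond[1] <= port <= cond[2]
    return {"eq": port == cond[1], "ge": port >= cond[1], "le": port <= cond[1]}[cond[0]]


def ip_match(cond: Optional[str], addr: str) -> bool:
    # ip_network accepts "10.10.20.0/24" as well as "10.10.10.1/255.255.255.0" (address + mask).
    return cond is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cond, strict=False)


def entry_matches(e: Entry, p: Packet) -> bool:
    """An entry matches only when every configured condition matches."""
    return all([
        e.protocol is None or e.protocol == p.protocol,
        e.fragment is None or e.fragment == p.fragment,
        e.first_fragment is None or e.first_fragment == p.first_fragment,
        not e.dscp_set or p.dscp in e.dscp_set,        # compared against the ingress DSCP
        ip_match(e.src, p.src),
        ip_match(e.dst, p.dst),
        port_match(e.sport, p.sport),
        port_match(e.dport, p.dport),
        e.tcp_flags is None or (p.protocol == "tcp" and tcp_flags_match(e.tcp_flags, p.flags)),
    ])


def classify(policy: list, p: Packet, dscp_policy: dict) -> tuple:
    """Return (matched sequence ID or None, forwarding class, drop probability, DSCP after rewrite).
    Entries are evaluated from the lowest sequence ID upward and the first match wins; a packet
    that matches no entry is classified by the subinterface's DSCP policy instead."""
    for e in sorted(policy, key=lambda e: e.seq):
        if entry_matches(e, p):
            dscp = e.set_dscp if e.set_dscp is not None else p.dscp
            return e.seq, e.forwarding_class, e.drop_probability, dscp
    fc, drop = dscp_policy.get(p.dscp, ("fc0", "low"))   # fc0/low is an assumed default mapping
    return None, fc, drop, p.dscp


# Entry 10 is the ipv4-policy "multifield-test" from this page; entry 20 is a hypothetical
# broader SMTP entry added here to show that the lower sequence ID wins when both would match.
MULTIFIELD_TEST = [
    Entry(10, "fc6", "low", set_dscp=40, protocol="tcp", tcp_flags="syn&ack",
          dscp_set=frozenset({DSCP["AF11"]}), dst="10.10.20.0/24",
          src="10.10.10.1/255.255.255.0", dport=("eq", 25), sport=("ge", 2526),
          fragment=True, first_fragment=True),
    Entry(20, "fc3", protocol="tcp", dport=("eq", 25)),
]
# Constructed stand-in for the subinterface's DSCP classification policy: ingress DSCP -> (fc, drop).
DSCP_POLICY = {DSCP["AF11"]: ("fc1", "low"), DSCP["CS7"]: ("fc7", "low")}


def demo() -> list:
    """Three constructed packets: a full match on entry 10, a flags mismatch that falls
    through to entry 20, and a port mismatch that matches nothing and uses the DSCP policy."""
    smtp_synack = Packet("10.10.10.77", "10.10.20.5", "tcp", DSCP["AF11"], sport=40000, dport=25,
                         flags=frozenset({"syn", "ack"}), fragment=True, first_fragment=True)
    smtp_syn = replace(smtp_synack, flags=frozenset({"syn"}))   # "syn&ack" no longer holds
    http = replace(smtp_synack, dport=80)                       # neither entry matches
    return [classify(MULTIFIELD_TEST, p, DSCP_POLICY) for p in (smtp_synack, smtp_syn, http)]
```

Calling demo() returns three tuples: the SYN/ACK packet hits entry 10 and leaves with fc6 and DSCP 40; the SYN-only packet fails the flag expression of entry 10 and is caught by entry 20 with its ingress DSCP untouched; the port-80 packet matches neither entry and takes its forwarding class from the DSCP policy. Overlapping entries are where classification policies go wrong in practice, so when a policy has a broad entry and a narrow one, check that the narrow one carries the lower sequence ID.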
Scaling and restrictions
The following describe scaling and restrictions for multifield classification policies.
7220 IXR-D2/D2L/D3/D3L/D4/D5
On the 7220 IXR-D2/D2L/D3/D3L/D4/D5:
- Multifield classifier policies always operate in subinterface-specific mode, with no option available for a shared mode. As a result, the number of TCAM entries required to implement one multifield classifier policy is N * S, where N is the number of TCAM entries required to implement one instance of the policy and S is the number of subinterfaces where the policy is applied.
- SR Linux blocks the binding of a MAC ACL and an IPv4 or IPv6 multifield classifier policy on the same subinterface. MAC ACL and multifield classification are mutually exclusive options.
7250 IXR-6/6e and IXR-10/10e
On the 7250 IXR-6/6e and IXR-10/10e:
- Multifield classifier policies cannot operate in a subinterface-specific mode; there is no option to create subinterface-specific TCAM entries. As a result, the number of TCAM entries required to support one multifield classifier policy applied across S subinterfaces is just N, where N is the number of TCAM entries required to implement one instance of the policy.
- A maximum of 15 IPv4 and 15 IPv6 multifield classifier instances are supported. Utilization is reported under info from state platform linecard <slot> forwarding-complex <name> acl resource input-ipv4-filter-instances (for IPv4) and input-ipv6-filter-instances (for IPv6).
Ingress DSCP rewrite
Ingress DSCP rewrite is supported only on the 7220 IXR-D2/D2L/D3/D3L.
Packets arriving on an interface can carry IP DSCP markings that are not trusted: for example, when upstream devices do not classify or mark packets properly, or when the interface is at the start of a service SLA that is defined in terms of application characteristics rather than DSCP values. In these cases, an ingress DSCP rewrite action in the multifield classification policy replaces the DSCP value of matching IPv4 or IPv6 packets with a new value.
The following table provides more details about the packet flows that are supported with ingress DSCP rewrite.
Ingress packet | Ingress subif type | Ingress subif MF classifier entry action | Forwarding | IRB subif MF classifier entry action | Egress subif(s) DSCP rewrite policy | Egress packet |
---|---|---|---|---|---|---|
IP/Ethernet | bridged (mac-vrf) | set fc=A dscp-rewrite=B | L2 switched | configured or not configured (no effect in either case) | bridged subif DSCP rewrite policy: NO effect | DSCP=B |
IP/Ethernet | bridged (mac-vrf) | set fc=A dscp-rewrite=B | L3 routed between mac-vrf1 and mac-vrf2 using IRB | not configured | mac-vrf2 IRB subif DSCP rewrite policy: NO effect; mac-vrf2 bridged subif DSCP rewrite policy: NO effect | DSCP=B |
IP/Ethernet | bridged (mac-vrf) | set fc=A dscp-rewrite=B | L3 routed between mac-vrf1 and mac-vrf2 using IRB | IRB of mac-vrf1: set fc=C dscp-rewrite=D | mac-vrf2 IRB subif DSCP rewrite policy: NO effect; mac-vrf2 bridged subif DSCP rewrite policy: NO effect | DSCP=D |
IP/Ethernet | bridged (mac-vrf) | set fc=A dscp-rewrite=B | L3 routed followed by VXLAN encap (symmetric or asymmetric) | not configured | routed subif DSCP rewrite policy: only changes outer DSCP | VXLAN with outer DSCP based on fc=A lookup in the DSCP rewrite policy, payload DSCP=B |
IP/Ethernet | bridged (mac-vrf) | set fc=A dscp-rewrite=B | L3 routed followed by VXLAN encap (symmetric or asymmetric) | IRB of mac-vrf1: set fc=C dscp-rewrite=D | routed subif DSCP rewrite policy: only changes outer DSCP | VXLAN with outer DSCP based on fc=C lookup in the DSCP rewrite policy, payload DSCP=D |
IP/Ethernet | routed (ip-vrf or default) | set fc=A dscp-rewrite=B | L3 routed | N/A | routed subif DSCP rewrite policy: NO effect | DSCP=B |
Configuring multifield classification policies for input traffic
To create a multifield classification policy, define either an IPv4 or IPv6 policy name using the qos classifiers multifield command. Within the named policy, configure one or more entries that consist of match conditions and the associated action to apply to matching packets.
The following examples create IPv4 and IPv6 multifield classifier policies, each containing one entry with multiple match conditions and associated actions.
Configure IPv4 multifield classification policy
--{ candidate shared default }--[ ]--
# info qos classifiers multifield ipv4-policy multifield-test
    qos {
        classifiers {
            multifield {
                ipv4-policy multifield-test {
                    entry 10 {
                        match {
                            fragment true
                            first-fragment true
                            protocol tcp
                            tcp-flags syn&ack
                            dscp-set [
                                AF11
                            ]
                            destination-ip {
                                prefix 10.10.20.0/24
                            }
                            source-ip {
                                address 10.10.10.1
                                mask 255.255.255.0
                            }
                            destination-port {
                                operator eq
                                value 25
                            }
                            source-port {
                                operator ge
                                value 2526
                            }
                        }
                        action {
                            forwarding-class fc6
                            drop-probability low
                            rewrite {
                                set-dscp 40
                            }
                        }
                    }
                }
            }
        }
    }
Configure IPv6 multifield classification policy
--{ candidate shared default }--[ ]--
# info qos classifiers multifield ipv6-policy multifield-test-v6
    qos {
        classifiers {
            multifield {
                ipv6-policy multifield-test-v6 {
                    entry 100 {
                        match {
                            next-header tcp
                            tcp-flags ack
                            dscp-set [
                                CS7
                            ]
                            destination-ip {
                                prefix 2001:db8:fe10::/64
                            }
                            source-ip {
                                prefix 2001:db8:fc00::/64
                            }
                            destination-port {
                                range {
                                    start 800
                                    end 1000
                                }
                            }
                            source-port {
                                operator le
                                value 700
                            }
                        }
                        action {
                            forwarding-class fc7
                            drop-probability medium
                            rewrite {
                                set-dscp 56
                            }
                        }
                    }
                }
            }
        }
    }
Applying a multifield classification policy to a subinterface
To apply an IPv4 or IPv6 multifield classification policy (or both) to a subinterface, use the qos input classifiers multifield command.
The following example applies the IPv4 and IPv6 multifield classification policies to inbound traffic on subinterface ethernet-1/1.1.
Apply multifield classification policy to subinterface
--{ candidate shared default }--[ ]--
# info interface ethernet-1/1 subinterface 1 qos
    interface ethernet-1/1 {
        subinterface 1 {
            qos {
                input {
                    classifiers {
                        multifield {
                            ipv4-policy multifield-test
                            ipv6-policy multifield-test-v6
                        }
                    }
                }
            }
        }
    }