nwputra_225841
Dec 11, 2017

DSCP / ToS in UDP Profile not working

Hi,

When we assign a custom UDP profile to the server side on a Virtual Server, the custom profile has no effect on the outgoing packet. Here we apply a specific value to the ToS:

root@(bigip)(cfg-sync Standalone)(Active)(/NWP)(tmos) list ltm profile udp udp_dscp 
ltm profile udp udp_dscp {
    app-service none
    defaults-from /Common/udp
    ip-tos-to-client 42
}

Here is the VS:

root@(bigip)(cfg-sync Standalone)(Active)(/NWP)(tmos) list ltm virtual vs_dns 
ltm virtual vs_dns {
    destination 10.10.1.100:domain
    ip-protocol udp
    mask 255.255.255.255
    partition NWP
    pool dns_pool
    profiles {
        /Common/udp {
            context clientside
        }
        udp_dscp {
            context serverside
        }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vlans {
        /Common/VLAN1010
    }
    vlans-enabled
    vs-index 2
}

If a client sends a DNS query (UDP port 53), the VS proxies the query to the backend DNS server. But the value of ToS is still zero [00, the second byte that is after 45] as shown below:

[root@bigip:Active:Standalone] tmp  tcpdump -X -nni VLAN172 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on VLAN172, link-type EN10MB (Ethernet), capture size 65535 bytes
12:11:21.568618 IP 172.16.1.33.53144 > 172.16.20.1.53: 63798+ A? f5trn.lab. (27) out slot1/tmm1 lis=/NWP/vs_dns
    0x0000:  4500 0037 5025 4000 ff11 be4d ac10 0121  E..7P%@....M...!
    0x0010:  ac10 1401 cf98 0035 0023 6d77 f936 0100  .......5.mw.6..
    0x0020:  0001 0000 0000 0000 0566 3574 726e 036c  .........f5trn.l
    0x0030:  6162 0000 0100 0101 1001 0000 010b 2f4e  ab............/N
    0x0040:  5750 2f76 735f 646e 73                   WP/vs_dns
12:11:21.570893 IP 172.16.20.1.53 > 172.16.1.33.53144: 63798 NXDomain 0/1/0 (68) in slot1/tmm1 lis=/NWP/vs_dns
    0x0000:  4500 0060 2c00 0000 4011 e14a ac10 1401  E..`,...@..J....
    0x0010:  ac10 0121 0035 cf98 004c 5ca1 f936 8183  ...!.5...L\..6..
    0x0020:  0001 0000 0001 0000 0566 3574 726e 036c  .........f5trn.l
    0x0030:  6162 0000 0100 01c0 1200 0600 0100 0010  ab..............
    0x0040:  6700 1dc0 1204 726f 6f74 c012 0000 0006  g.....root......
    0x0050:  0001 5180 0000 0e10 0024 ea00 0009 3a80  ..Q......$....:.
    0x0060:  0110 0101 0001 0b2f 4e57 502f 7673 5f64  ......./NWP/vs_d
    0x0070:  6e73                                     ns
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel

What am I doing wrong in the configuration? Or is it really that the custom UDP profile was not used for this type of traffic?

Thank you for your input and regards.

1 Reply

  • There is another option to set DSCP, which is in the pool parameters:

    By setting the Pool Advanced Parameter, ToS to Server, we are able to mark the outgoing packet:

    [root@bigip:Active:Standalone] tmp  tmsh list ltm pool /NWP/dns_pool
    ltm pool /NWP/dns_pool {
        ip-tos-to-server 42
        members {
            /NWP/server1:domain {
                address 172.16.20.1
            }
        }
        partition NWP
    }
    

    Using the parameter, I can apply DSCP to the outgoing packet.

    09:08:00.312106 IP 172.16.1.33.51840 > 172.16.20.1.53: 44978+ A? f5trn.lab. (27) out slot1/tmm1 lis=/NWP/vs_dns
        0x0000:  452a 0037 ed5e 4000 ff11 20ea ac10 0121  E*.7.^@........!
        0x0010:  ac10 1401 ca80 0035 0023 6d77 afb2 0100  .......5.mw....
        0x0020:  0001 0000 0000 0000 0566 3574 726e 036c  .........f5trn.l
        0x0030:  6162 0000 0100 0101 1001 0000 010b 2f4e  ab............/N
        0x0040:  5750 2f76 735f 646e 73                   WP/vs_dns
    09:08:00.317369 IP 172.16.20.1.53 > 172.16.1.33.51840: 44978 NXDomain 0/1/0 (68) in slot1/tmm1 lis=/NWP/vs_dns
        0x0000:  4500 0060 2c00 0000 4011 e14a ac10 1401  E..`,...@..J....
        0x0010:  ac10 0121 0035 ca80 004c 2624 afb2 8183  ...!.5...L&$....
        0x0020:  0001 0000 0001 0000 0566 3574 726e 036c  .........f5trn.l
        0x0030:  6162 0000 0100 01c0 1200 0600 0100 0029  ab.............)
        0x0040:  ec00 1dc0 1204 726f 6f74 c012 0000 0006  ......root......
        0x0050:  0001 5180 0000 0e10 0024 ea00 0009 3a80  ..Q......$....:.
        0x0060:  0110 0101 0001 0b2f 4e57 502f 7673 5f64  ......./NWP/vs_d
        0x0070:  6e73                                     ns
    

    Still, it does not answer the question about why the protocol profile does not have any effect on the VS.
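
The byte-level check both captures rely on, as an added example that is not part of the original thread: a small parser for `tcpdump -X` text output that reads the second IPv4 header byte and splits it into DSCP and ECN. The sample input is constructed from the first two hex rows of each outgoing query shown above (summary lines trimmed); the function names are this example's own.

```python
import re

# Constructed input: the first two hex rows of each outgoing query in the
# thread (before and after ip-tos-to-server was set on the pool).
SAMPLE = """\
12:11:21.568618 IP 172.16.1.33.53144 > 172.16.20.1.53: 63798+ A? f5trn.lab. (27)
    0x0000:  4500 0037 5025 4000 ff11 be4d ac10 0121  E..7P%@....M...!
    0x0010:  ac10 1401 cf98 0035 0023 6d77 f936 0100  .......5.mw.6..
09:08:00.312106 IP 172.16.1.33.51840 > 172.16.20.1.53: 44978+ A? f5trn.lab. (27)
    0x0000:  452a 0037 ed5e 4000 ff11 20ea ac10 0121  E*.7.^@........!
    0x0010:  ac10 1401 ca80 0035 0023 6d77 afb2 0100  .......5.mw....
"""

# Offset, then hex groups; the ASCII column follows a double space and is ignored.
HEX_ROW = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4} ?)+)", re.I)

def parse_packets(text):
    """Return the raw bytes of each packet in `tcpdump -X` text output."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEX_ROW.match(line)
        if m and current is not None:
            current += bytes.fromhex(m.group(1).replace(" ", ""))
        elif not m and line.strip():      # summary line starts a new packet
            current = bytearray()
            packets.append(current)
    return [bytes(p) for p in packets if p]   # drop banner/footer lines

def tos_fields(pkt):
    """Split the second IPv4 header byte into DSCP (6 bits) and ECN (2 bits)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    tos = pkt[1]
    return {"src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20])),
            "tos": tos, "dscp": tos >> 2, "ecn": tos & 0b11}

def report(text):
    return [tos_fields(p) for p in parse_packets(text)]

if __name__ == "__main__":
    for f in report(SAMPLE):
        print("{src} -> {dst}  ToS=0x{tos:02x} ({tos})  DSCP={dscp}  ECN={ecn}".format(**f))
```

In the second capture the configured value 42 appears as the whole ToS byte (0x2a), which decodes to DSCP 10 with ECN bits 10, not DSCP 42.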