During our investigation of QoS state in Juniper Contrail, we found strange behaviour of NetworkPolicies.
Let's assume we have 2 networks connected with 2 bidirectional policies:
- Policy 1 should pass any protocol from/to network A with ports [ 0-6000 ] to network B. The Policy 1 rule also has QoS configured, which should mark traffic with DSCP 30 (TOS 120).
- Policy 2 should pass any protocol from/to network A with ports [ 6001-20000 ] to network B.
In this scenario, networks A and B both have 2 different policies attached to them.
To verify the tags on network packets, we capture traffic with tcpdump on the compute's physical interface. For an unknown reason, the traffic is not marked correctly.
Let's assume we have 2 networks connected with a single bidirectional policy:
- Policy 1 should pass any protocol from/to network A with ports [ 0-6000 ] (this rule has QoS configured, which should mark traffic with DSCP 30 (TOS 120)) AND [ 6001-20000 ] (no QoS) to network B.
In this scenario, networks A and B both have a single policy.
To verify the tags on network packets, we capture traffic with tcpdump on the compute's physical interface. The captured traffic is marked correctly.
It seems that Contrail does not support multiple policies with QoS attached to networks and forces us to use a single policy with multiple rules, but it still lets us create broken infrastructure.
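
The marking check described above can be automated. The following is an added example, not part of the original report or of Contrail: it reads the DSCP from an IPv4 header and compares it with the value the report's port ranges call for. It assumes the bytes are the IPv4 packet whose marking is of interest (decapsulated first if the capture carries overlay encapsulation), that rules match on the destination port, and that "no QoS" means DSCP 0; the sample packets are constructed.

```python
import struct

# Expected marking per port range, taken from the report:
# ports 0-6000 carry DSCP 30 (TOS 120); ports 6001-20000 have no QoS
# (assumed here to mean the default DSCP 0).
EXPECTED_DSCP = [(range(0, 6001), 30), (range(6001, 20001), 0)]

def parse_ipv4(packet: bytes):
    """Return (dscp, protocol, src_port, dst_port) for an IPv4 TCP/UDP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("truncated or malformed IPv4 header")
    dscp = packet[1] >> 2                 # TOS byte = DSCP (6 bits) + ECN (2 bits)
    proto = packet[9]
    if proto not in (6, 17):              # TCP and UDP start with the two ports
        raise ValueError("no ports for protocol %d" % proto)
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return dscp, proto, src_port, dst_port

def check_marking(packet: bytes):
    """Compare the packet's DSCP with what the rule for its port expects.

    Assumption: the rule is matched on the destination port.
    Returns (dst_port, observed_dscp, expected_dscp, ok); expected_dscp is
    None when the port is outside both ranges from the report.
    """
    dscp, _, _, dst_port = parse_ipv4(packet)
    for ports, expected in EXPECTED_DSCP:
        if dst_port in ports:
            return dst_port, dscp, expected, dscp == expected
    return dst_port, dscp, None, False

def build_packet(tos: int, dst_port: int) -> bytes:
    """Constructed sample: minimal IPv4 + UDP headers (checksums left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, 17, 0,
                     bytes([10, 0, 1, 5]), bytes([10, 0, 2, 5]))
    udp = struct.pack("!HHHH", 40000, dst_port, 8, 0)
    return ip + udp

if __name__ == "__main__":
    # Marked as expected, unmarked where DSCP 30 is expected, unmarked no-QoS port.
    for tos, port in [(120, 5000), (0, 5000), (0, 8000)]:
        print(check_marking(build_packet(tos, port)))
```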