
Example: Configuring and Applying Rewrite Rules on a Security Device

This example shows how to configure and apply rewrite rules for a device.


Before you begin, create and configure the forwarding classes.


You can configure rewrite rules to replace CoS values on packets received from the customer or host with the values expected by other devices. You do not have to configure rewrite rules if the received packets already contain valid CoS values. Rewrite rules apply the forwarding class information and packet loss priority used internally by the device to establish the CoS value on outbound packets. After you configure rewrite rules, you must apply them to the correct interfaces.

In this example, you configure the rewrite rule for DiffServ CoS as rewrite-dscps. You specify the best-effort forwarding class as be-class, the expedited forwarding class as ef-class, the assured forwarding class as af-class, and the network control class as nc-class. Finally, you apply the rewrite rule to an IRB interface.


You can apply one rewrite rule to each logical interface.

Table 1 shows how the rewrite rules replace the DSCPs on packets in the four forwarding classes.

Table 1: Sample rewrite-dscps Rewrite Rules to Replace DSCPs

| mf-classifier Forwarding Class | For CoS Traffic Type | rewrite-dscps Rewrite Rules |
|---|---|---|
| be-class | Best-effort traffic: Provides no special CoS handling of packets. Typically, RED drop profile is aggressive and no loss priority is defined. | Low-priority code point: 000000; High-priority code point: 000001 |
| ef-class | Expedited forwarding traffic: Provides low loss, low delay, low jitter, assured bandwidth, and end-to-end service. Packets can be forwarded out of sequence or dropped. | Low-priority code point: 101110; High-priority code point: 101111 |
| af-class | Assured forwarding traffic: Provides high assurance for packets within the specified service profile. Excess packets are dropped. | Low-priority code point: 001010; High-priority code point: 001100 |
| nc-class | Network control traffic: Packets can be delayed, but not dropped. | Low-priority code point: 110000; High-priority code point: 110001 |


Forwarding classes can be configured in a DSCP rewriter and also as an action of an IDP policy to rewrite DSCP code points. To ensure that the forwarding class is used as an action in an IDP policy, it is important that you do not configure an IDP policy and interface-based rewrite rules with the same forwarding class.
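One way to check a configuration for the conflict described above, as an added example that is not part of the original page or Juniper's tooling: it scans `set`-style lines and reports any forwarding class used both as an IDP policy action and in a DSCP rewrite rule that is applied to an interface. The sample configuration is constructed from Table 1; the IDP policy name `idp-pol`, rule name `r1`, IRB unit 0, and the exact form of the IDP `then action class-of-service forwarding-class` statement are assumptions.

```python
import re

# Constructed sample: rewrite-dscps entries follow Table 1. The IDP policy
# (idp-pol), its rule (r1) and IRB unit 0 are assumed for illustration.
SAMPLE_CONFIG = """\
set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class be-class loss-priority low code-point 000000
set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class be-class loss-priority high code-point 000001
set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class ef-class loss-priority low code-point 101110
set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class ef-class loss-priority high code-point 101111
set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class af-class loss-priority low code-point 001010
set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class af-class loss-priority high code-point 001100
set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class nc-class loss-priority low code-point 110000
set class-of-service rewrite-rules dscp rewrite-dscps forwarding-class nc-class loss-priority high code-point 110001
set class-of-service interfaces irb unit 0 rewrite-rules dscp rewrite-dscps
set security idp idp-policy idp-pol rulebase-ips rule r1 then action class-of-service forwarding-class ef-class
"""

REWRITE = re.compile(r"^set class-of-service rewrite-rules dscp (\S+) "
                     r"forwarding-class (\S+) loss-priority \S+ code-point \S+$")
APPLIED = re.compile(r"^set class-of-service interfaces (\S+) unit (\S+) rewrite-rules dscp (\S+)$")
IDP_FC = re.compile(r"^set security idp idp-policy (\S+) rulebase-ips rule \S+ "
                    r"then action class-of-service forwarding-class (\S+)$")

def audit(config):
    """Return one finding per forwarding class shared by IDP and an applied rewrite rule."""
    rule_classes, bound, idp_classes = {}, {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := REWRITE.match(line):
            rule_classes.setdefault(m.group(1), set()).add(m.group(2))
        elif m := APPLIED.match(line):
            bound.setdefault(m.group(3), []).append(f"{m.group(1)}.{m.group(2)}")
        elif m := IDP_FC.match(line):
            idp_classes.setdefault(m.group(2), m.group(1))
    findings = []
    # Only rewrite rules applied to an interface count as interface-based.
    for rule, ifaces in bound.items():
        for fc in sorted(rule_classes.get(rule, set()) & idp_classes.keys()):
            findings.append(f"{fc}: IDP policy {idp_classes[fc]} and "
                            f"rewrite rule {rule} on {', '.join(ifaces)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show configuration | display set` to run the same check against a real device configuration.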



CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from the configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure and apply rewrite rules for a device:

  1. Configure rewrite rules for DiffServ CoS.

  2. Configure best-effort forwarding class rewrite rules.

  3. Configure expedited forwarding class rewrite rules.

  4. Configure assured forwarding class rewrite rules.

  5. Configure network control class rewrite rules.

  6. Apply rewrite rules to an IRB interface.


From configuration mode, confirm your configuration by entering the show class-of-service command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.


Verifying Rewrite Rules Configuration


Verify that rewrite rules are configured properly.


From operational mode, enter the show class-of-service interface irb command.


Rewrite rules are configured on the IRB interface as expected.