I’m doing a lab on SRX320 because I need to tag outgoing traffic to apply QoS on my ISP link.
I’m at a point where I’m able to identify and categorise egress traffic depending on destination IP.
I’m also able to apply the DSCP tag I want on those packets.
What is missing here is a way to rewrite the 802.1p tag depending on the forwarding class or the DSCP applied.
Here is the configuration:
set security policies from-zone EXT to-zone TRUST policy P1 match source-address any
set security policies from-zone EXT to-zone TRUST policy P1 match destination-address any
set security policies from-zone EXT to-zone TRUST policy P1 match application any
set security policies from-zone EXT to-zone TRUST policy P1 then permit
set security policies from-zone EXT to-zone TRUST policy P1 then count
set security policies from-zone TRUST to-zone EXT policy P2 match source-address any
set security policies from-zone TRUST to-zone EXT policy P2 match destination-address any
set security policies from-zone TRUST to-zone EXT policy P2 match application any
set security policies from-zone TRUST to-zone EXT policy P2 then permit
set security policies from-zone TRUST to-zone EXT policy P2 then count
set security policies from-zone TRUST to-zone TRUST policy P3 match source-address any
set security policies from-zone TRUST to-zone TRUST policy P3 match destination-address any
set security policies from-zone TRUST to-zone TRUST policy P3 match application any
set security policies from-zone TRUST to-zone TRUST policy P3 then permit
set security policies from-zone TRUST to-zone TRUST policy P3 then count
set security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services ping
set security zones security-zone EXT interfaces irb.667 host-inbound-traffic system-services ssh
set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set interfaces ge-0/0/0 unit 0 description LAN
set interfaces ge-0/0/0 unit 0 family inet address 10.12.251.254/24
set interfaces ge-0/0/5 unit 0 description UPL
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members 667
set interfaces irb unit 667 description COL
set interfaces irb unit 667 family inet filter output QOS
set interfaces irb unit 667 family inet address 172.31.150.78/30
set class-of-service interfaces irb unit 667 rewrite-rules dscp QOS
set class-of-service rewrite-rules dscp QOS forwarding-class assured-forwarding loss-priority medium-low code-point cs4
set class-of-service rewrite-rules dscp QOS forwarding-class expedited-forwarding loss-priority low code-point ef
set firewall family inet filter QOS term VOIX from destination-address 10.10.10.10/32
set firewall family inet filter QOS term VOIX then count VOIX
set firewall family inet filter QOS term VOIX then loss-priority low
set firewall family inet filter QOS term VOIX then forwarding-class expedited-forwarding
set firewall family inet filter QOS term PROD from destination-address 10.10.10.11/32
set firewall family inet filter QOS term PROD then count PROD
set firewall family inet filter QOS term PROD then loss-priority medium-low
set firewall family inet filter QOS term PROD then forwarding-class assured-forwarding
set firewall family inet filter QOS term INTERNET then count INTERNET
set firewall family inet filter QOS term INTERNET then loss-priority high
set firewall family inet filter QOS term INTERNET then forwarding-class best-effort
set firewall family inet filter QOS term INTERNET then accept
set vlans COL vlan-id 667
set vlans COL l3-interface irb.667
set protocols l2-learning global-mode switching
set routing-options static route 0.0.0.0/0 next-hop 172.31.150.77
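An added example (not from the post) of the missing piece: a Junos rewrite rule for the 802.1p PCP bits keyed on the same forwarding classes the existing DSCP rule already uses. The rule name DOT1P, the code-point values, and applying the rule on the tagged uplink ge-0/0/5 rather than on the irb are assumptions; that the SRX320 honours ieee-802.1 rewrite on a Layer 2 trunk port should be confirmed on the device.

```junos
## Added example, not part of the original configuration. Names (DOT1P) and
## code-point values are assumptions chosen to mirror the DSCP rule "QOS".

## Map forwarding class + loss priority to the 3-bit PCP field of the VLAN tag.
## EF -> 101 (5), AF -> 100 (4), best-effort -> 000 (0).
set class-of-service rewrite-rules ieee-802.1 DOT1P forwarding-class expedited-forwarding loss-priority low code-point 101
set class-of-service rewrite-rules ieee-802.1 DOT1P forwarding-class assured-forwarding loss-priority medium-low code-point 100
set class-of-service rewrite-rules ieee-802.1 DOT1P forwarding-class best-effort loss-priority high code-point 000

## Apply the rule on the trunk carrying VLAN 667 (assumption: the 802.1p bits
## live in the Layer 2 header, so the rewrite belongs on the tagged port).
set class-of-service interfaces ge-0/0/5 unit 0 rewrite-rules ieee-802.1 DOT1P

## Keep the existing DSCP rewrite on the irb so both markings are applied.
set class-of-service interfaces irb unit 667 rewrite-rules dscp QOS
```

After commit, `show class-of-service interface ge-0/0/5` and `show class-of-service rewrite-rule type ieee-802.1` confirm the rule is bound and show the resulting mapping table.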