I have a few questions regarding DSCP behavior on the 7600 platform. We are currently running into an issue where DSCP bits are being cleared as they traverse an FWSM module, which is not ideal. Below is a simple diagram of the network in question.
Internet -> 7600 -> FWSM -> MPLS cloud
If a layer 3 interface is configured on the 7600 for the inside interface of the FWSM, it appears that DSCP is overwritten as it passes through the FWSM. In other words:
DSCP tagged traffic -> public VLAN on 7600 -> outside FWSM -> inside FWSM -> private VRF VLAN on 7600 -> remote site = untagged DSCP traffic.
Turning DSCP rewrite off on the 7600 via "no mls qos rewrite ip dscp" seems to "fix" this behavior and allows the DSCP tagged traffic to traverse the entire path. However, disabling DSCP rewrite globally will have other adverse side effects, as I understand it. We don't want to "trust" every DSCP value coming through this router and would prefer the standard "clear everything to zero" behavior.
We are running mls qos vlan-mode on all dot1q trunks. We require vlan-mode to support input tagging policies on several VLANs.
Is there an alternate way to trust DSCP values from the FWSM? Is it possible this behavior is a bug?