ipsec and qos

Mar 10th, 2008


We have a central 7606 encryption router, which does encryption for our branches.

The traffic is marked with DSCP bits and the encryption router copies the inner DSCP value to the tunnel header - that's OK.

But on the way from the central IPsec (7606) router to the branches, there are other routers in between - for example another 7606, which has no idea that the packet is encrypted.

On this router in between we have a policy (LLQ) to the branches installed.

This policy has class-maps which match on DSCP bits.

We see that the traffic from the encryption router comes marked with DSCP - but the router in between does not match on DSCP - although it is configured to match DSCP values.

Could it be that this is because there is an inner layer 3 header???

Any idea? Thanks for any answer.

Joseph W. Doherty Mon, 03/10/2008 - 05:59

If I understand you correctly, you say encrypted packets have their original DSCP markings copied to the encrypted packet's header, but a downstream router that matches against DSCP doesn't match against them?

I believe it should. Two items to confirm: first, that the original DSCP markings are truly being copied and not being reset along the path before they get to the router of your concern. Second, that the router of your concern doesn't also include any other match criteria beyond DSCP markings.


You might also confirm that the QoS policies are configured correctly. I believe proper 76xx configuration is dependent on the sup and interface board features in conjunction with IOS.

rabeder Mon, 03/10/2008 - 06:05

Hi, thanks for the answer,

We found the reason:

We have a 48-port gig card (layer 2) in the 7606 - and there we have to configure "mls qos trust dscp" because the switch engine rewrote our packets!!
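As an added example (not the poster's configuration or any Cisco tool), here is a small audit script that checks a constructed IOS running-config for the condition found above: with `mls qos` enabled globally, any switch port lacking `mls qos trust dscp` is untrusted and the switching engine rewrites the DSCP the encryption router set, so the downstream LLQ class-maps never match. The interface names, descriptions and policy names are assumptions made up for the sample.

```python
# Constructed sample running-config (not from the thread). "mls qos" is on
# globally, so every switch port without "mls qos trust dscp" is untrusted
# and the switching engine rewrites inbound DSCP before the LLQ policy can
# match it; "trust cos" does not help because DSCP is then derived from CoS.
SAMPLE_CONFIG = """\
mls qos
!
class-map match-all VOICE
 match ip dscp ef
!
policy-map LLQ-TO-BRANCHES
 class VOICE
  priority percent 20
!
interface GigabitEthernet3/1
 description uplink from encryption router (fixed)
 switchport
 mls qos trust dscp
!
interface GigabitEthernet3/2
 description uplink from encryption router (default, untrusted)
 switchport
!
interface GigabitEthernet3/3
 description trusts CoS only, so DSCP is still rewritten from the CoS map
 switchport
 mls qos trust cos
!
"""


def ports_rewriting_dscp(config: str) -> list[str]:
    """Return interfaces that will not preserve inbound DSCP.
    With "mls qos" disabled the platform passes DSCP through unchanged."""
    lines = [line.rstrip() for line in config.splitlines()]
    if "mls qos" not in (line.strip() for line in lines):
        return []
    flagged, current, trusted = [], None, False
    for line in lines + ["!"]:          # sentinel closes the last block
        stripped = line.strip()
        if line.startswith("interface ") or stripped == "!":
            if current and not trusted:     # block ended without trust dscp
                flagged.append(current)
            current, trusted = None, False
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif current and stripped == "mls qos trust dscp":
            trusted = True
    return flagged


if __name__ == "__main__":
    for port in ports_rewriting_dscp(SAMPLE_CONFIG):
        print(f"{port}: untrusted, DSCP from the encryption router is rewritten")
```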
