we have a central 7606 encsyptionrouter, which does encryption for our branches.
the traffic is marked with dscp bits and the encr-router copies the inner dscp value to the tunnelheader - thats ok.
but in the way from the central ip-sec(7606) router to the branches, there are other routers inbetween - for example a other 7606, which has no idea, that the paket is encrypted.
on this router inbetween we have a policy (llq) to the branches installed.
this policy has class-maps which match to dscp bits.
we see that the traffic from the encrytionrouter comes marked with dscp - but the router inbetween does not match do dscp - although it is configured to match dscp values.
could it be, that this is because there is a inner layer 3 header ???
any idea - thanks for any answer