ToS Preservation with egress remarking on inner packet

Unanswered Question
Jun 11th, 2008

Hi, I am using DMVPN/IPSEC/VRFs. On the egress of the DMVPN/VRF tunnel interfaces, I have applied a Service Policy to remark traffic. Hence the remarking occurs on the inner packet header.

Assuming qos-preclassify is NOT enabled. Does anyone know how 12.4T IOS code should operate (options)

1. Copy the "remarked" TOS value to the outer headers as part of the TOS preservation feature

2. Copy the original (pre remarking) TOS value of the inner packet header as part of the TOS preservation feature

3. Egress inner packet header remarking disables TOS preservation feature.

4. Other ?

Problem Space : At remote sites, I can easily perform the QOS remarking on the router LAN ingress interface, rather than on the egress DMVPN tunnel interface. However at the head end, the DMVPN/IPSEC/VRF routers also happen to be MPLS PE devices. Hence remarking on Layer3/4 (IP/Ports) criteria on the ingress interface is not possible as we are dealing with MPLS labels. Hence why I am attempting to do this on the egress on the DMVPN tunnel/VRF interface.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
ggeorgas1 Thu, 06/12/2008 - 04:20

After testing. I can confirm that 2. appears to apply.

TOS preservation operation utilises the original inner header TOS values, rather than the remarked TOS value.

Hence even if the inner header is remarked (lets say from CS1 to AF11)on egress, the outer IPSEC header will still have the original TOS settings ie. CS1.

This aligns with the QoS Order of Operation.

which states -

"On the outbound path, common classification happens before any QoS features are applied. A result of this approach is that any QoS features applied on the outbound policy act upon the original priority value. If you need to take actions based on a remarked value on the same router, then you must mark the packets on the incoming interface and apply other QoS actions based on this new priority on the outgoing interface"

Hopefully the "qos pre-classify" feature should provide the capability to remark both the inner header and outer IPSEC header...back to testing...???





This Discussion