qos verification into carrier network

kst.amand · ‎03-27-2009

We classify / mark traffic inbound on LAN interface and shape / queue on outbound interface in a DMVPN / GETVPN environment. Our understanding is that with classification and marking on LAN interface, DSCP / TOS bits are preserved (copied to IP Header during IPSEC encryption)on Tunnel interface. Therefore, original DSCP settings would be preserved and visible into carrier network.

Questions;

* is our understanding on preserved DSCP values correct?

* how could we verify / view, from the router itself, the DSCP are exiting the interface to the carrier

Thank you

kst.amand · ‎03-27-2009

Point of clarification, our outbound policy map (shape / queue) is on the WAN's physical interface.

Will the original DSCP values marked on the LAN side interface be preserved / visible as the traffic leaves the tunnel (encrypted) and goes out WAN interface?

Joseph W. Doherty · ‎03-27-2009

"is our understanding on preserved DSCP values correct? "

My understanding is the same for single GRE/IPSec VPN. Not 100% positive about DMVPN(mGRE) and/or GETVPN, but I think it's also true for those too.

"how could we verify / view, from the router itself, the DSCP are exiting the interface to the carrier "

What might verify the above,

1) insure outbound policy isn't remarking

2) insure outbound policy is applied to VPN's physical egress interface

3) insure pre-classify is off and/or match against a protocol that's being used (should fail)

4) examine any stats that count against DSCP markings (e.g. class match stats, DSCP WRED stats)