Cisco ASA VPN QoS

Answered Question
Nov 29th, 2009

Hi

Does the ASA copy the ToS byte from the original packet into the newly created IP header of an encrypted packet (VPN)? I'd appreciate a pointer to a Cisco doc that has the details.

Thanks

vttendere Tue, 12/01/2009 - 00:10

Hi

Thanks for your response. I had actually configured QoS on the ASA, however when I was sniffing traffic after the ASA I noticed that the traffic traversing the VPN (ESP packets) had DSCP DEFAULT markings, so I was a bit concerned about the preservation of the TOS information. I thought that maybe there is an extra command I need to put, I can't see this in the doc you sent me though.

Thanks guys

Correct Answer
Panos Kampanakis Tue, 12/01/2009 - 06:46

On the ASA the TOS bits in the original IP header are copied to the IP header of the encrypted packet so that QoS policies can be enforced after encryption.

It is done by default with no extra commands needed as on the routers.

Please check if your incoming packets have the DSCP bits set if you see that there are no DSCP on the outside.

PK
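
The check suggested in the answer above, as an added example that is not part of the original thread: it reads the ToS byte of a cleartext packet captured before the ASA and of the ESP packet captured after it, and separates "nothing was marked on the way in" from "marking differs across the tunnel". The function names, the result labels and the sample headers are assumptions constructed for illustration.

```python
import socket
import struct

ESP = 50  # IP protocol number of ESP

def ipv4_header(tos, proto, src, dst):
    """Build a 20-byte IPv4 header for the constructed samples (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_tos(packet):
    """Return (dscp, ecn, protocol) read from a raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    tos = packet[1]  # second byte of the header is the ToS byte
    return tos >> 2, tos & 0x03, packet[9]

def diagnose(inside_pkt, outside_pkt):
    """Compare a cleartext packet seen before the ASA with the ESP packet seen after it."""
    in_dscp, _, _ = parse_tos(inside_pkt)
    out_dscp, _, out_proto = parse_tos(outside_pkt)
    if out_proto != ESP:
        raise ValueError("outside capture is not an ESP packet")
    if in_dscp == out_dscp:
        # Matching zeros mean the copy worked but there was nothing to copy.
        return "unmarked-at-ingress" if in_dscp == 0 else "preserved"
    return "mismatch"

# Constructed samples: TCP (6) inside, ESP (50) outside; ToS 0xB8 is DSCP 46 (EF).
INSIDE_EF = ipv4_header(0xB8, 6, "10.1.1.10", "10.2.2.20")
INSIDE_DEFAULT = ipv4_header(0x00, 6, "10.1.1.10", "10.2.2.20")
OUTSIDE_EF = ipv4_header(0xB8, ESP, "192.0.2.1", "198.51.100.1")
OUTSIDE_DEFAULT = ipv4_header(0x00, ESP, "192.0.2.1", "198.51.100.1")

if __name__ == "__main__":
    print(diagnose(INSIDE_EF, OUTSIDE_EF))
    print(diagnose(INSIDE_DEFAULT, OUTSIDE_DEFAULT))
    print(diagnose(INSIDE_EF, OUTSIDE_DEFAULT))
```
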

vttendere Wed, 12/02/2009 - 02:56

Hi

Indeed traffic coming into the ASA was not marked correctly.

Thanks a lot for your assistance.
