Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ipsec and qos


we have a central 7606 encsyptionrouter, which does encryption for our branches.

the traffic is marked with dscp bits and the encr-router copies the inner dscp value to the tunnelheader - thats ok.

but in the way from the central ip-sec(7606) router to the branches, there are other routers inbetween - for example a other 7606, which has no idea, that the paket is encrypted.

on this router inbetween we have a policy (llq) to the branches installed.

this policy has class-maps which match to dscp bits.

we see that the traffic from the encrytionrouter comes marked with dscp - but the router inbetween does not match do dscp - although it is configured to match dscp values.

could it be, that this is because there is a inner layer 3 header ???

any idea - thanks for any answer

Super Bronze

Re: ipsec and qos

If I understand you correctly, you say encryped packets have their original DSCP markings copied to the encrypted packet's header, but a downsteam router that matches against DSCP doesn't match against them?

I believe it should. Two items to confirm, first that the origianl DSCP markings are truly being copied and not be reset along the path before they get to the router of your concern. Second, that the router of your concern doesn't also include any other match criteria beyond DSCP markings.


You might also confirm that the QoS policies are configured correctly. I believe proper 76xx configuration is dependent on the sups and interface boards feature in conjunction with IOS.

New Member

Re: ipsec and qos

hi thanks for answer,

we found the reason:

we have a 48 port gig card (layer2) in the 7606 - and there we have to configure "mls qos trust dscp" because the switchengine rewrited our pakets !!

CreatePlease to create content