SRX Services Gateway
Contributor
Kurlon
Posts: 28
Registered: 02-19-2010
0

CoS over IPSec

I can't find a KB article that confirms or denies this, I know the old Netscreens would do this:  Does the SRX duplicate CoS bits from a packet going out IPSec to the encrypted packet or does it not set CoS bits on generated IPSec packets?

Distinguished Expert
muttbarker
Posts: 2,285
Registered: 01-29-2008
0

Re: CoS over IPSec

CoS can't be applied on traffic within a tunnel. CoS can be applied on the encrypted traffic itself on the inbound/outbound interfaces that handle the tunnel.

 

You can also unmask DSCP bits so that they can be written to the IPSec packet and honored downstream.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
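As an added example (not code from this thread or from Juniper), the following Python models what the answer above describes: in tunnel mode the inner packet's DSCP is either copied into the ESP outer header or replaced by a fixed value, and a DSCP-based classifier on the WAN side only ever sees that outer header. The addresses, the DSCP-to-forwarding-class map, and the omission of the ESP header/trailer are assumptions of the example.

```python
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50  # IP protocol number for ESP

# Assumed DSCP -> forwarding-class map, standing in for the WAN side's classifier.
CLASSIFIER = {46: "expedited-forwarding", 34: "assured-forwarding", 0: "best-effort"}


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(dscp: int, proto: int, src: str, dst: str, payload_len: int) -> bytes:
    """Minimal IPv4 header: version/IHL, DS byte (DSCP<<2, ECN 0), no options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len, 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def dscp_of(pkt: bytes) -> int:
    """6-bit DSCP from the DS byte of an IPv4 header."""
    return pkt[1] >> 2


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str,
                copy_dscp: bool = True, fixed_dscp: int = 0) -> bytes:
    """Tunnel-mode outer header for `inner` (ESP header/trailer omitted; constructed).
    copy_dscp=True mirrors RFC 4301's 'copy DS field from inner header'; False sets a
    fixed value on the generated packet, which is what loses the marking downstream."""
    dscp = dscp_of(inner) if copy_dscp else fixed_dscp
    return ipv4_header(dscp, ESP_PROTO, tunnel_src, tunnel_dst, len(inner)) + inner


def classify(pkt: bytes) -> str:
    """What a DSCP-based WAN classifier does with the packet it actually sees."""
    return CLASSIFIER.get(dscp_of(pkt), "best-effort")


def demo():
    # Constructed EF-marked (DSCP 46) inner packet, as the OP's pre-marked traffic.
    inner = ipv4_header(46, 17, "10.1.1.10", "10.2.2.20", 5) + b"voice"
    copied = encapsulate(inner, "203.0.113.1", "198.51.100.1")
    zeroed = encapsulate(inner, "203.0.113.1", "198.51.100.1", copy_dscp=False)
    return classify(copied), classify(zeroed)
```

Running `demo()` shows the copied case still landing in the expedited-forwarding queue while the fixed-DSCP case falls back to best-effort.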
Contributor
Kurlon
Posts: 28
Registered: 02-19-2010
0

Re: CoS over IPSec

Packets will be coming into the SRX already marked. The WAN links are set to honor the markings. We're looking to drop SRXs in front of the WAN links and encrypt the traffic with IPSec, but we want that traffic to still be queued/throttled by the WAN side as it was before the SRXs were dropped in.

 

I haven't seen references to unmasking DSCP bits in IPSec, sounds like that's where I need to be looking next.

Contributor
Kurlon
Posts: 28
Registered: 02-19-2010
0

Re: CoS over IPSec

And now I get more details on the network, packets will be coming in already tagged using DSCP bits, not CoS.

 

Do you have any pointers to relevant KB articles?  Most of the items I'm finding discussing dealing with DSCP bits are in reference to IDP which isn't in play here.

Distinguished Expert
muttbarker
Posts: 2,285
Registered: 01-29-2008
0

Re: CoS over IPSec

Been traveling for the last couple of weeks and now reading about 1000 unread messages on the Forums. Saw your posts from a few days ago and not sure if you still want answers or not.

 

But I remembered where I saw the post that caused me to make a note on CoS IPSec behavior. Here is a link to it. Hope it helps!

 

http://forums.juniper.net/t5/Tech-Cafe-Current-Event/CoS-over-a-IPSec-tunnel/m-p/62727/highlight/tru...
