03-10-2011 01:29 PM
I can't find a KB article that confirms or denies this, though I know the old Netscreens would do this: Does the SRX duplicate CoS bits from a packet going out IPSec to the encrypted packet, or does it not set CoS bits on generated IPSec packets?
03-10-2011 02:36 PM
CoS can't be applied on traffic within a tunnel. CoS can be applied on the encrypted traffic itself on the inbound/outbound interfaces that handle the tunnel.
You can also unmask DSCP bits so that they can be written to the IPSec packet and honored downstream.
03-10-2011 07:17 PM
Packets will be coming into the SRX already marked. The WAN links are set to honor the markings. We're looking to drop SRXs in front of the WAN links and encrypt the traffic with IPSec, but we want that traffic to still be queued/throttled by the WAN side as it was before the SRXs were dropped in.
I haven't seen references to unmasking DSCP bits in IPSec, sounds like that's where I need to be looking next.
03-15-2011 12:39 PM
And now I get more details on the network, packets will be coming in already tagged using DSCP bits, not CoS.
Do you have any pointers to relevant KB articles? Most of the items I'm finding discussing dealing with DSCP bits are in reference to IDP which isn't in play here.
04-05-2011 04:24 PM
Been traveling for the last couple of weeks and now reading about 1000 unread messages on the Forums. Saw your posts from a few days ago and not sure if you still want answers or not.
But I remembered where I saw the post that caused me to make a note on CoS IPSec behavior. Here is a link to it. Hope it helps!