SRX Services Gateway
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
Kurlon
Contributor
Kurlon
Posts: 28
Registered: ‎02-19-2010
0

CoS over IPSec

Options

‎03-10-2011 01:29 PM

I can't find a KB article that confirms or denies this, I know the old Netscreens would do this:  Does the SRX duplicate CoS bits from a packet going out IPSec to the encrypted packet or does it not set CoS bits on generated IPSec packets?

Message 1 of 5 (878 Views)
 
Reply
Distinguished Expert
Distinguished Expert
muttbarker
Posts: 1,946
Registered: ‎01-29-2008
0

Re: CoS over IPSec

Options

‎03-10-2011 02:36 PM

CoS can't be applied on traffic within a tunnel. CoS can be applied on the encrypted traffic itself on the inbound/outbound interfaces that handle the tunnel.

 

You can also unmask DSCP bits so that they can be written to the IPSec packet and honored downstream.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Message 2 of 5 (872 Views)
 
Reply
Kurlon
Contributor
Kurlon
Posts: 28
Registered: ‎02-19-2010
0

Re: CoS over IPSec

Options

‎03-10-2011 07:17 PM

Packets will be coming into the SRX allready marked.  The WAN links are set to honor the markings.  We're looking to drop SRX's in front of the WAN links and encrypt the traffic with IPSec, but we want that traffic to still be queued/throttled by the WAN side as it was before the SRXs were dropped in.

 

I haven't seen references to unmasking DSCP bits in IPSec, sounds like that's where I need to be looking next.

Message 3 of 5 (852 Views)
 
Reply
Kurlon
Contributor
Kurlon
Posts: 28
Registered: ‎02-19-2010
0

Re: CoS over IPSec

Options

‎03-15-2011 12:39 PM

And now I get more details on the network, packets will be coming in already tagged using DSCP bits, not CoS.

 

Do you have any pointers to relevant KB articles?  Most of the items I'm finding discussing dealing with DSCP bits are in reference to IDP which isn't in play here.

Message 4 of 5 (759 Views)
 
Reply
Distinguished Expert
Distinguished Expert
muttbarker
Posts: 1,946
Registered: ‎01-29-2008
0

Re: CoS over IPSec

Options

‎04-05-2011 04:24 PM

Been traveling for the last couple of weeks and now reading about 1000 unread messages on the Forums. Saw your posts from a few days ago and not sure if you still want answers or not.

 

But I remembered where I saw the post that caused me to make a note on CoS IPSec behavior. Here is a link to it. Hope it helps!

 

http://forums.juniper.net/t5/Tech-Cafe-Current-Event/CoS-over-a-IPSec-tunnel/m-p/62727/highlight/tru...

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Message 5 of 5 (646 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.