06-28-2006 12:17 AM - edited 02-21-2020 02:30 PM
Hi,
I have the following setup:
PC/IPPHONE---PIX------RTR/T1----INTERNET
|---IPSEC-----------------
I am trying to classify voice packets within the IPSEC tunnel so that I can do LLQ on RTR. Is there a way to copy the DSCP tag from original packet to the IPSEC packet header?
Or is there a better way of doing it?
Thanks,
Peter
06-28-2006 05:53 AM
Hi Peter,
the IPSec RFC mandates to copy the TOS-Byte (includes DSCP) from the original IP header to the newly created IPSec IP header. So the best approach would be to mark before the encryption and to match on DSCP in the encrypted packets.
If the router itself does the encryption (not quite clear from your drawing) you could use "qos pre-classify" on the tunnel or crypto map. The router then keeps a copy of the original IP packet header associated with the IPSec packet allowing you to classify based on the original header. This however can only work within the router doing encryption, because once the IP packet leaves the box the content can not be detected (this is the idea of IPSec isn't it? ;-).
So either qos pre-classify or DSCP marking before encryption would allow you to use LLQ/CBWFQ for encrypted VoIP and other applications.
Hope this helps! Please rate all posts.
regards, Martin
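The two options from the answer above, sketched as Cisco IOS MQC configuration. This is an added example, not part of the original thread; it assumes voice is marked DSCP EF before encryption, and the class-map, policy-map and crypto map names, interface Serial0/0, ACL 101 with its RTP port range, and the 256 kbps priority rate are all assumptions.

```cisco
! Constructed example. All names, the interface, ACL 101 and the
! 256 kbps rate are hypothetical; adjust to the real topology.
!
! Option 1: another device (e.g. the PIX) encrypts, so this router
! only sees ESP. Match the DSCP copied into the outer IPSec header.
class-map match-all VOICE-DSCP
 match ip dscp ef
!
policy-map WAN-LLQ
 class VOICE-DSCP
  priority 256
 class class-default
  fair-queue
!
interface Serial0/0
 service-policy output WAN-LLQ
!
! Option 2: this router does the encryption itself. With
! "qos pre-classify" the output policy is evaluated against the
! original (pre-encryption) header, so inner ports can be matched.
access-list 101 permit udp any any range 16384 32767
!
class-map match-all VOICE-PRE
 match access-group 101
!
policy-map WAN-LLQ-PRE
 class VOICE-PRE
  priority 256
 class class-default
  fair-queue
!
crypto map VPNMAP 10 ipsec-isakmp
 qos pre-classify
!
! For option 2, attach WAN-LLQ-PRE instead of WAN-LLQ:
! interface Serial0/0
!  service-policy output WAN-LLQ-PRE
```

`show policy-map interface Serial0/0` lists per-class packet counters, which shows whether the encrypted voice packets are actually landing in the priority class.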
06-28-2006 07:21 AM
I am already marking before encryption so that makes it easy. I wasn't sure if the encrypted packets inherited the DSCP bits.
Thank you very much for your help!!!