We have an IPSec tunnel established between 2 FTDs (tunnel mode). The tunnel was created via an FMC.
If, before being encrypted/encapsulated, packets were marked with DSCP values, does the FTD copy the DSCP value to the outer header of the tunnel? (so the DSCP value can be viewed by the routers in the middle)
We did a test: we marked traffic before the tunnel (with EF); after the tunnel, the traffic had a DSCP value of 0.
Can someone help us confirm if it can be copied to the outer header and what config is needed?
I saw an article about ToS preservation, but the article is only for IPSec over GRE (which I guess doesn't work on FTD).
1. I think, or rather I believe, that "copy of DSCP from Inner IP-Header to Outer IP-Header" is NOT supported (yet...) for IPsec tunneled traffic on FTD routers.
- The Inner IP-Header would be that of the "outbound" IPv4 and/or IPv6 plain packet that is being routed through the IPsec tunnel under consideration.
- The Outer IP-Header would be that of the IPv4 and/or IPv6 "outbound" ESP packet that is generated by the FTD router for that specified IPsec tunnel to the remote peer.
2. I don't really know how at this time, but since you are a Cisco customer you should kindly submit a new-feature request for supporting the "Copy of DSCP values from Inner IP-Header to Outer ESP-packet Header for IPsec tunnels".
- Because, unlike the policies for handling the DF-bit flag for IPsec tunneled packets, which are mentioned as a MUST in RFC 4301 (section 8, I guess) and are supported/implemented as such on FTD routers too (details in the next point below), the implementation/support for copying the DSCP value to the outer header is a custom, vendor-specific implementation, and NOT all vendors implement/support it.
- This will be very, very useful for setting QoS policies for IPsec tunnels too. Maybe this will also mean that there will be a related new-feature request to enhance QoS support for IPsec tunneled traffic too... lots of possibilities.
3. In FTD, if you check the ESPv3 settings for the site-to-site tunnel configured, you have the options below for DF-bit flag handling in IPsec tunnels... so you can run a check for the DF-bit to confirm in your deployments:
Enable dummy TFC packets that mask the traffic profile which traverses the tunnel. Use the Burst, Payload Size, and Timeout parameters to generate random length packets at random intervals across the specified SA.
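As an added check, not part of the original thread, here is a small Python script that reproduces the test described in the question against constructed packets: it decodes DSCP, ECN and the DF bit from a packet captured before the FTD and from the ESP packet seen after it, and reports whether the DSCP value was carried to the outer header. The IP addresses, payloads and packet bytes are constructed placeholders, not a real capture.

```python
import struct
from dataclasses import dataclass

ESP = 50   # IP protocol number of the outer packet on a tunnel-mode SA
EF = 46    # DSCP value the question marked pre-tunnel traffic with

@dataclass
class Ipv4Fields:
    dscp: int
    ecn: int
    df: bool
    protocol: int

def parse_ipv4(packet: bytes) -> Ipv4Fields:
    """Decode DSCP, ECN, DF bit and protocol from a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl, tos, _, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return Ipv4Fields(dscp=tos >> 2, ecn=tos & 0x3,
                      df=bool(flags_frag & 0x4000), protocol=proto)

def build_ipv4(dscp: int, protocol: int, df: bool, payload: bytes) -> bytes:
    """Constructed sample packet (not a capture): minimal 20-byte header, checksum left 0."""
    tos = (dscp << 2) & 0xFF
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, flags_frag,
                      64, protocol, 0, bytes([10, 1, 1, 10]), bytes([10, 2, 2, 10]))
    return hdr + payload

def dscp_copied_to_outer(pre_tunnel: bytes, post_tunnel: bytes) -> dict:
    """Compare a packet captured before the FTD with the ESP packet seen after it.
    The inner header is encrypted inside ESP, so the pre-tunnel capture stands in for it."""
    inner, outer = parse_ipv4(pre_tunnel), parse_ipv4(post_tunnel)
    if outer.protocol != ESP:
        raise ValueError("post-tunnel packet is not ESP; wrong capture point?")
    return {"inner_dscp": inner.dscp, "outer_dscp": outer.dscp,
            "copied": inner.dscp == outer.dscp, "outer_df": outer.df}

# Constructed packets reproducing the test in the question: EF before the tunnel,
# DSCP 0 on the ESP packet after it; the third shows what a copying platform would emit.
PRE = build_ipv4(EF, 6, True, b"\x00" * 8)
POST_OBSERVED = build_ipv4(0, ESP, True, b"\x00" * 24)
POST_IF_COPIED = build_ipv4(EF, ESP, True, b"\x00" * 24)

if __name__ == "__main__":
    print(dscp_copied_to_outer(PRE, POST_OBSERVED))   # copied: False
    print(dscp_copied_to_outer(PRE, POST_IF_COPIED))  # copied: True
```

Feed it the first bytes of each IPv4 frame from captures taken on the inside and outside interfaces to confirm the behaviour on a real deployment.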