[j-nsp] Single SRX DSCP writing before traffic is encrypted into IPSec

ben b benboyd.lists at gmail.com
Mon Aug 22 01:29:11 EDT 2011


Last I heard from JTAC, this was still not available with no ETA.  Even with
several high-profile enterprises requesting it.

-Ben

On Wednesday, August 10, 2011, Andrew Jones <andrew at commitconfirmed.com>
wrote:
> Hi,
>
> I've got an SRX240 running 10.4R4.5 running at a branch site serving as
> the site gateway and I figure out a way to write DSCP values before traffic
> is encrypted into an IPSec VPN due to the SRX being the only device at the
> site. The only place I can apply outbound DSCP marking is on the Interface
> that the IPSec VPN lies, since you can't configure dscp rewrites on the
> st0.x interfaces. This works okay since the IPSec packet is marked and
> scheduled correctly, but once the traffic makes it to the other site and is
> decrypted, the DSCP marking is lost and needs to be re-marked again. It also
> makes it hard to audit how much traffic is being put into each class when
> doing J-Flow exports, or if certain types of traffic are being marked
> correctly.
>
> Has anyone else got a similar setup or experienced and fixed this issue? I'm
> currently terminating VPNs on the physical interface itself, could I
> potentially move this to a vlan.x interface and perform outbound DSCP
> marking there?