[j-nsp] Juniper Equivalent to Cisco's qos pre-classify?

Jonathan Looney jonlooney at gmail.com
Tue Jun 7 14:16:28 EDT 2011


You didn't specify the platform.

If you're speaking of something with an AS or MS card/module of some kind,
then you can do this by classifying the pre-encrypted packet anytime between
input and encryption. If you want to classify it on output to the encryption
module, you would apply the classifier to the appropriate (inside) unit on
the sp-* interface. I believe you can even apply a re-write rule on that
interface that will change the original (unencrypted) packet's ToS bits as
it is transmitted to the AS/MS card/module for encryption. The ToS bits should
get copied to the ESP (encrypted) packet's IP header, and I believe the
router should maintain the previously-assigned forwarding class and loss
priority for the packet. You'll just need to make sure you don't
accidentally change the forwarding class/loss priority as the encrypted
packet makes its way through the router a second time. Then, if desired, you
can apply a custom rewrite rule on output. (Keep in mind that - if I recall
correctly - the default IP precedence output rule may cause packets from
other forwarding classes to be marked as best effort.)

If you're speaking of an SRX device, then I can't help you definitively.
However, I suspect it may work in a similar way if you substitute the st
interface for the sp-* interface in the above.

Hope that helps.

-Jon

On Tue, Jun 7, 2011 at 11:19 AM, Devin Kennedy
<devinkennedy415 at hotmail.com>wrote:

> Hello:
>
> I'm trying to get our current CoS configurations to work with IPsec. I know
> that the ToS bits are copied to the IP header that ESP places on the
> encrypted payload. However, we are currently utilizing MF classifiers, so
> we are classifying based on dest/source addresses and ports. The problem is
> that the classification happens after encryption so all of our packets are
> being sent to the BE queue (since the TCP header is no longer visible after
> encryption).
>
> Is anyone aware of a command or a method of accomplishing the same thing as
> Cisco's "qos pre-classify" command so that the classification is done before
> the encryption process?
>
> Thanks for any help on this.
>
> Best Regards,
>
> Devin J Kennedy
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
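A Junos configuration sketch of the approach Jon describes for an AS/MS card: an MF firewall filter sets the forwarding class on the cleartext packet as it leaves the inside unit of the sp-* interface toward the card, and a rewrite rule marks the cleartext DSCP there so ESP copies the intended value outward. This is an added example, not part of the original reply or Juniper documentation; the interface name sp-1/2/0, the unit numbering, the addresses and the port range are all assumed sample values, and applying rewrite-rules on an sp-* unit is taken from Jon's "I believe" statement rather than confirmed here.

```junos
/* Assumed: sp-1/2/0 unit 1 = inside (cleartext) unit of the IPsec
   service set, unit 2 = outside (ESP) unit. Prefixes/ports are constructed. */
firewall {
    family inet {
        filter PRE-ENCRYPT-CLASSIFY {
            term voice {
                from {
                    destination-address {
                        10.10.0.0/16;
                    }
                    protocol udp;
                    destination-port 16384-32767;
                }
                then {
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                    accept;
                }
            }
            term rest {
                then accept;
            }
        }
    }
}
interfaces {
    sp-1/2/0 {
        unit 1 {
            family inet {
                /* output on the inside unit = packets heading to the card */
                filter {
                    output PRE-ENCRYPT-CLASSIFY;
                }
            }
        }
    }
}
class-of-service {
    interfaces {
        sp-1/2/0 {
            unit 1 {
                /* mark the cleartext header before ESP copies ToS outward */
                rewrite-rules {
                    dscp default;
                }
            }
        }
    }
}
```

The ESP packet's second pass through the router (the outside unit and the egress interface) is not covered here; as Jon notes, check that no BA classifier or default rewrite rule on that path silently resets the forwarding class to best effort.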