Hi, I've got an SRX240 running 10.4R4.5 running at a branch site serving as the site gateway and I figure out a way to write DSCP values before traffic is encrypted into an IPSec VPN due to the SRX being the only device at the site. The only place I can apply outbound DSCP marking is on the interface that the IPSec VPN lies, since you can't configure DSCP rewrites on the st0.x interfaces. This works okay since the IPSec packet is marked and scheduled correctly, but once the traffic makes it to the other site and is decrypted, the DSCP marking is lost and needs to be re-marked again. It also makes it hard to audit how much traffic is being put into each class when doing J-Flow exports, or if certain types of traffic are being marked correctly.
Has anyone else got a similar setup or experienced and fixed this issue? I'm currently terminating VPNs on the physical interface itself, could I potentially move this to a vlan.x interface and perform outbound DSCP marking there?

