Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Copying Outer IP Header DSCP and ECN to Inner IP Header

Starting in Junos OS Release 15.1X49-D30 and Junos OS Release 17.3R1, copying of a Differentiated Services Code Point (DSCP) (outer DSCP+ECN) field from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path is supported.

The benefit in enabling this feature is that after IPsec decryption, clear text packets can follow the inner CoS (DSCP+ECN) rules.

This feature supports chassis cluster and also supports IPv6 and IPv4. The following are supported:

  • Copying outer IPv4 DSCP and Explicit Congestion Notification (ECN) field to inner IPv4 DSCP and ECN field

  • Copying outer IPv6 DSCP and ECN field to inner IPv6 DSCP and ECN field

  • Copying outer IPv4 DSCP and ECN field to inner IPv6 DSCP and ECN field

  • Copying outer IPv6 DSCP and ECN field to inner IPv4 DSCP and ECN field

By default this feature is disabled. When you enable this feature on a VPN object, the corresponding IPsec security Association (SA) is cleared and reestablished.

  • To enable the feature:

    set security ipsec vpn vpn-name copy-outer-dscp

  • To disable the feature:

    delete security ipsec vpn vpn-name copy-outer-dscp

  • To verify whether the feature is enabled or not:

    show security ipsec security-associations detail

Release History Table
Release
Description
15.1X49-D30
Starting in Junos OS Release 15.1X49-D30 and Junos OS Release 17.3R1, copying of a Differentiated Services Code Point (DSCP) (outer DSCP+ECN) field from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path is supported.