Security Queue QoS Policies
462
Quality of Service Guide
3HE 11014 AAAC TQZZA Edition: 01
 
11.1 Overview
When a security zone and the corresponding security profile and policies have been 
configured for security sessions on the 7705 SAR, data packets entering the zone 
are extracted from the datapath to the CSM for examination. For packets being 
extracted, there are two sets of queues from the datapath to the CSM: network 
queues and access queues. These queues each contain two further queues: 
expedited (EXP) queues and best-effort (BE) queues. The expedited and best-effort 
queues are used only by security sessions that require all firewall processing to occur 
in the CSM, such as security sessions configured with strict TCP. On the 
7705 SAR-8 and 7705 SAR-18, the expedited and best-effort queues are created per 
MDA. Security sessions that use the datapath for firewall processing use the usual 
datapath queues.
For further details about zone configuration and firewall session creation, refer to the 
7705 SAR Router Configuration Guide, “Configuring Security Parameters”.
11.1.1 Packet Queuing with DSCP
By default, packets are assigned to the EXP and BE queues as follows.
• For the base router context, packets are assigned to the EXP and BE queues 
based on the DSCP marking in the packet IP header.
• For the VPRN or IPSec context, packets are assigned to the EXP and BE 
queues based on the EXP or DSCP marking of the outer tunnel. The EXP 
marking is used for Layer 3 MPLS VPRNs, and the DSCP marking is used for 
IPSec or Layer 3 GRE VPRNs.
However, it is possible to queue packets based on the inner (customer) IP header 
DSCP marking by using the config>qos>network>ingress>ler-use-dscp command. 
This is useful where customers have policed bandwidth at the PE and wish to 
differentiate their own network packets on the access PEs. When ler-use-dscp is 
enabled, the following occurs for encrypted VPRN, IPSec, and NGE packets:
• packets will be queued in the encryption queues based on the outer tunnel 
MPLS EXP or IPSec/GRE DSCP marking
• after decryption, for either firewall datapath queues or the regular datapath 
queues, the packets will be queued based on the inner (customer) IP header 
DSCP marking
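The following Python model is an added illustration, not Nokia 7705 SAR code. It encodes the queue-selection rules of this section (base router context, MPLS VPRN, GRE VPRN and IPSec, with and without ler-use-dscp, before and after decryption) so that the effect of the command can be traced for a given packet. The EXP/BE thresholds in it are an assumption: the guide states which header's marking is consulted but not which DSCP or EXP values select the expedited queue.

```python
# Added illustration (not Nokia 7705 SAR code): a model of which marking the
# router consults when placing a packet in the EXP or BE security queue, per
# the rules in section 11.1.1.  The EXP/BE thresholds below are an assumption;
# the guide does not say which DSCP or EXP values select the expedited queue.
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed thresholds (not from the guide): DSCP 40 and above (CS5, EF, CS6,
# CS7) and MPLS EXP 5 and above are treated as expedited.
EXP_DSCP_MIN = 40
EXP_MPLS_EXP_MIN = 5

# Contexts described in the section.  "vprn-mpls" is a Layer 3 MPLS VPRN
# (outer marking is the tunnel EXP); "vprn-gre" and "ipsec" carry the outer
# marking in the DSCP of the tunnel IP header.
CONTEXTS = ("base", "vprn-mpls", "vprn-gre", "ipsec")


@dataclass
class Packet:
    context: str                      # one of CONTEXTS
    inner_dscp: int                   # DSCP of the (customer) IP header, 0-63
    outer_exp: Optional[int] = None   # MPLS EXP of the tunnel label, 0-7
    outer_dscp: Optional[int] = None  # DSCP of the tunnel IP header, 0-63

    def __post_init__(self) -> None:
        if self.context not in CONTEXTS:
            raise ValueError(f"unknown context {self.context!r}")
        if not 0 <= self.inner_dscp <= 63:
            raise ValueError("inner DSCP out of range")
        if self.context == "vprn-mpls" and not (
                self.outer_exp is not None and 0 <= self.outer_exp <= 7):
            raise ValueError("vprn-mpls packet needs outer_exp 0-7")
        if self.context in ("vprn-gre", "ipsec") and not (
                self.outer_dscp is not None and 0 <= self.outer_dscp <= 63):
            raise ValueError(f"{self.context} packet needs outer_dscp 0-63")


def marking_for_queue(pkt: Packet, stage: str,
                      ler_use_dscp: bool = False) -> Tuple[str, int]:
    """Return (header, value) the router consults to choose a queue.

    stage is "encryption" (queueing toward the encryption engine) or
    "firewall" (queueing to the CSM security queues or the regular datapath
    queues after decryption).
    """
    if stage not in ("encryption", "firewall"):
        raise ValueError(f"unknown stage {stage!r}")
    # Base router context: the packet's own IP DSCP in every case.
    if pkt.context == "base":
        return ("ip-dscp", pkt.inner_dscp)
    # Tunnelled contexts: the outer tunnel marking is the default.
    if pkt.context == "vprn-mpls":
        outer = ("mpls-exp", pkt.outer_exp)
    else:
        outer = ("outer-dscp", pkt.outer_dscp)
    if not ler_use_dscp:
        return outer
    # ler-use-dscp enabled: the encryption queues still use the outer
    # marking; after decryption the inner (customer) DSCP decides.
    if stage == "encryption":
        return outer
    return ("inner-dscp", pkt.inner_dscp)


def select_queue(header: str, value: int) -> str:
    """Map the consulted marking to "EXP" or "BE" using the assumed thresholds."""
    if header == "mpls-exp":
        return "EXP" if value >= EXP_MPLS_EXP_MIN else "BE"
    return "EXP" if value >= EXP_DSCP_MIN else "BE"


def queue_for(pkt: Packet, stage: str, ler_use_dscp: bool = False) -> str:
    """Queue (EXP or BE) a packet lands in at the given stage."""
    return select_queue(*marking_for_queue(pkt, stage, ler_use_dscp))


if __name__ == "__main__":
    # Constructed sample: the customer marks EF (46) inside a VPRN whose
    # tunnel label carries EXP 0.  Without ler-use-dscp the packet lands in
    # BE; with it, the customer's EF marking moves it to EXP for firewall
    # processing while the encryption queue still follows the tunnel EXP.
    pkt = Packet(context="vprn-mpls", inner_dscp=46, outer_exp=0)
    for stage in ("encryption", "firewall"):
        for flag in (False, True):
            print(stage, "ler-use-dscp" if flag else "default",
                  marking_for_queue(pkt, stage, flag),
                  queue_for(pkt, stage, flag))
```

The sample run makes the practical consequence of the command visible: once ler-use-dscp is enabled, the EXP or BE choice for firewall processing follows a marking written by the customer rather than the provider's tunnel marking, so the customer's DSCP policy, not the network QoS policy, decides which security queue its traffic enters after decryption.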