When traffic is traversing an encrypted tunnel such as IPSec, every flow within that tunnel shares the same layer 3 headers, making them difficult if not impossible to disambiguate from each other.
When the tunnel endpoint encrypts traffic, it can set a DSCP value representative of the traffic within the tunnel. When the traffic reaches the SSR, the DSCP value can be used as both a representation of traffic engineering priority, and path priority.
DSCP traffic steering must be configured at both the service level and the
A DSCP value or range can be configured at the Service level. DSCP-aware services are configured in a hierarchy; the parent service is configured without a DSCP value, and each child service is configured with a DSCP value.
The following configuration splits the tunnel across three services: traffic with DSCP value 14 is handled by the high-priority service, and traffic with DSCP values from 26 to 28 is handled by the low-priority service. The remaining traffic falls back into the tunnel service.
The dscp-steering option is available at the network-interface level. This allows you to enable traffic steering for DSCP traffic entering on a specific transport and port range rather than an entire interface.
Only traffic matching the dscp-steering properties configured in the service and on the network-interface will be steered using DSCP. Other traffic will be handled according to the relevant configuration.
The following example is designed to target IPSec NAT traversal traffic, which is typically UDP with destination port 4500.
- The DSCP steering transport list for a network-interface is limited to one range.
- Any service with a dscp-range configuration must be a child service.
- Only provisioned service-routes are supported.
- DSCP steering ranges must not overlap.
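
The constraints and matching behaviour described above, modelled in Python as an added example; this is not SSR code or SSR configuration syntax. The `Service` class, both functions, and the `NAT_T` tuple are hypothetical, the sample data is constructed from the values on this page, and returning `None` for traffic outside the steering transport is an assumption standing in for the rest of the configuration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Service:                       # hypothetical model, not SSR's data model
    name: str
    parent: Optional[str] = None     # None marks a parent service
    dscp: Optional[Tuple[int, int]] = None   # inclusive (start, end)

def validate(services):
    """Return violations of the constraints listed above."""
    errors, seen = [], []
    for s in services:
        if s.dscp is None:
            continue
        lo, hi = s.dscp
        if not 0 <= lo <= hi <= 63:  # DSCP is a 6-bit field
            errors.append(f"{s.name}: DSCP range outside 0-63")
        if s.parent is None:
            errors.append(f"{s.name}: dscp-range requires a child service")
        for other, (olo, ohi) in seen:
            if lo <= ohi and olo <= hi:
                errors.append(f"{s.name}: overlaps {other}")
        seen.append((s.name, s.dscp))
    return errors

def classify(services, steering, parent, protocol, dst_port, dscp):
    """Service for one packet, or None if it is not DSCP-steered (assumption)."""
    proto, plo, phi = steering       # one transport range per network-interface
    if protocol != proto or not plo <= dst_port <= phi:
        return None                  # handled by the rest of the configuration
    for s in services:
        if s.parent == parent and s.dscp and s.dscp[0] <= dscp <= s.dscp[1]:
            return s.name
    return parent                    # remaining traffic falls back to the parent

# Constructed sample data using the values from this page.
SERVICES = [
    Service("tunnel"),
    Service("high-priority", parent="tunnel", dscp=(14, 14)),
    Service("low-priority", parent="tunnel", dscp=(26, 28)),
]
NAT_T = ("udp", 4500, 4500)          # IPSec NAT traversal: UDP, port 4500

if __name__ == "__main__":
    print(validate(SERVICES))
    for value in (14, 27, 0):
        print(value, classify(SERVICES, NAT_T, "tunnel", "udp", 4500, value))
```

Running `validate` over a planned set of child services before committing the change catches overlapping ranges and DSCP ranges placed on a parent service.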
The following screens demonstrate configuring the network interface using the GUI.
Enable DSCP Steering, and select the DSCP Steering Transport button.
Select a protocol.
Enter the port or port range.