IPsec QoS

Overload Processing

Packets received by a board enter different queues based on different DSCP values. Each queue has a different priority. When the board's CPU is overloaded, back pressure occurs on the multi-core CPU. The board preferentially forwards high-priority packets and discards low-priority packets.

Priority Re-marking

When a user packet enters an IPsec tunnel, a new IP header is generated. By default, the DSCP value in the original IP header is used as the value of the DSCP field in the new IP header. You can also configure the DSCP field in the new IP header to use a specified value.

When the packet leaves the tunnel, the packet is decapsulated and an IP header is generated. You can change the value of the DSCP field in the IP header.

In MPLS scenarios, after a user packet is encrypted or decrypted, it is encapsulated with an MPLS label. You can configure the EXP value in the MPLS label to flexibly control EXP re-marking.

Fragmentation and Re-organization

• Encryption before fragmentation

  After being encrypted on the board, packets are fragmented based on the default MTU. If the MTU value is set on the specified outbound interface for sending packets, packets are fragmented based on the set MTU value. Packets are re-organized and then decrypted on the decryption end.

• Fragmentation before encryption

  After receiving packets, the board fragments packets based on the MTU value at first, and then encrypts each packet and sends it. Each packet is decrypted at first, and then re-organized on the decryption end, and sent at last.