Automatic QoS Priority for MACsec Packets on Intermediate Switches
Note
This feature does not apply to VSP 4450 Series and VSP 8600 Series.
In situations where MACsec encrypted packets traverse intermediate switches that do not terminate MACsec, QoS visibility is lost because the priority bits of the 802.1Q tag are carried inside the encrypted payload.
This feature uses the MACsec confidentiality offset to specify that the first 30 to 50 bytes within the MACsec frame payload are transmitted without encryption (they remain integrity-protected), leaving the 802.1Q VLAN tag p-bits in the clear so that an intermediate switch can differentiate between encrypted traffic flows. With the 802.1Q p-bits in the clear, internal QoS priority for MACsec packets on intermediate switches can be assigned automatically.
Note
This feature is always enabled.
Operational Considerations
The following list describes the operational considerations for automatic QoS prioritization for MACsec packets on intermediate switches:
- The MACsec port on the end point switch must have a confidentiality offset configured so that the 802.1Q VLAN tag p-bits are left in the clear.
- The intermediate switch port must be a Layer 2 trusted port.
- If the port on an intermediate switch is an untrusted port, or if the packet was not originally VLAN tagged, the switch assigns MACsec packets to the default QoS level.
- ACL QoS rules can override the automatic QoS prioritization for MACsec packets.
- Internal QoS level assignment is performed on ingress. The egress queue and any remarking of the packet are derived from the internal QoS level.
- Priority extraction is performed from the original VLAN tag only.
- If a switch is the endpoint of a MACsec flow, it decrypts the packets and uses the standard priority assignment.
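The following is an added example, not part of the original document, that illustrates the mechanism described above and the trusted-port and untagged-packet rules in the list: it parses a constructed MACsec frame, reads the 802.1Q p-bits only from the clear-text part of the payload defined by the confidentiality offset, and falls back to a default level otherwise. The frame bytes, the default level and the direct PCP-to-QoS-level mapping are assumptions for the demo, not vendor values.

```python
"""Added example (not from the original document): shows how the MACsec
confidentiality offset leaves the 802.1Q p-bits readable by an intermediate
switch that has no key. Frames are constructed; default level and mapping are assumed."""
import struct
from typing import Optional

MACSEC_ETHERTYPE = 0x88E5
DOT1Q_TPID = 0x8100
DEFAULT_QOS_LEVEL = 1  # assumed default level for the demo, not the vendor's value

def sectag_length(tci_an: int) -> int:
    """SecTAG = EtherType(2) + TCI/AN(1) + SL(1) + PN(4), plus an 8-byte SCI if SC is set."""
    return 16 if tci_an & 0x20 else 8

def clear_text_pcp(frame: bytes, confidentiality_offset: int) -> Optional[int]:
    """PCP an intermediate switch can read without decrypting, or None if the
    p-bits are encrypted or the inner frame carries no 802.1Q tag."""
    if struct.unpack_from("!H", frame, 12)[0] != MACSEC_ETHERTYPE:
        return None  # not a MACsec frame
    tci_an = frame[14]
    secure_data = frame[12 + sectag_length(tci_an):-16]  # drop SecTAG and 16-byte ICV
    # E bit clear means integrity-only: the whole payload is in the clear.
    clear_len = confidentiality_offset if tci_an & 0x08 else len(secure_data)
    if clear_len < 4:
        return None  # the 4-byte VLAN tag is (at least partly) ciphertext
    tpid, vlan_tci = struct.unpack_from("!HH", secure_data, 0)
    if tpid != DOT1Q_TPID:
        return None  # packet was not originally VLAN tagged
    return vlan_tci >> 13  # PCP is the top 3 bits of the VLAN TCI

def ingress_qos_level(frame: bytes, confidentiality_offset: int, port_trusted: bool) -> int:
    """Rule from the list above: a Layer 2 trusted port with readable p-bits uses
    them; an untrusted port or a hidden/absent tag gets the default level."""
    pcp = clear_text_pcp(frame, confidentiality_offset) if port_trusted else None
    return DEFAULT_QOS_LEVEL if pcp is None else pcp  # direct PCP->level mapping assumed

def build_demo_frame(pcp: int, confidentiality_offset: int, tagged: bool = True) -> bytes:
    """Constructed MACsec frame: MACs, SecTAG (no SCI, E=1 C=1, AN=0, PN=1), secure data
    whose first `confidentiality_offset` bytes stay clear (0xAA stands in for ciphertext), ICV."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", MACSEC_ETHERTYPE)
    sectag = bytes([0x0C, 0x00]) + struct.pack("!I", 1)  # TCI/AN, SL=0 (>=48 bytes), PN
    inner = struct.pack("!HH", DOT1Q_TPID, (pcp << 13) | 100) if tagged else b""  # VLAN 100
    inner += struct.pack("!H", 0x0800) + bytes(60)  # IPv4 EtherType plus 60 payload bytes
    secure = inner[:confidentiality_offset] + b"\xaa" * max(0, len(inner) - confidentiality_offset)
    return eth + sectag + secure + b"\x00" * 16
```

With an offset of 30 or 50 the p-bits are recovered from the clear-text tag; with an offset of 0, an untagged inner frame, or an untrusted port the default level is used, matching the considerations above.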