By default, packets are assigned to the EXP and BE queues as follows.
For the base router context, packets are assigned to the EXP and BE queues based on the DSCP marking in the packet IP header.
For the VPRN or IPSec context, packets are assigned to the EXP and BE queues based on the EXP or DSCP marking of the outer tunnel. The EXP marking is used for Layer 3 MPLS VPRNs, and the DSCP marking is used for IPSec or Layer 3 GRE VPRNs.
However, packets can instead be queued based on the inner (customer) IP header DSCP marking by using the command config>qos>network>ingress>ler-use-dscp. This is useful where customers have policed bandwidth at the PE and wish to differentiate their own network packets on the access PEs. When the ler-use-dscp command is enabled, the following occurs for encrypted VPRN, IPSec, and NGE packets:
packets will be queued in the encryption queues based on the outer tunnel MPLS EXP or IPSec/GRE DSCP marking
after decryption, for either firewall datapath queues or the regular datapath queues, the packets will be queued based on the inner (customer) IP header DSCP marking
For more information, see ler-use-dscp in the Network QoS Policy Command Reference chapter.