Enforce QoS Based on DSCP Classification

A Differentiated Services Code Point (DSCP) is a packet header value that can be used to request (for example) high priority or best effort delivery for traffic. Session-Based DSCP Classification allows you both to honor DSCP values for incoming traffic and to mark a session with a DSCP value as session traffic exits the firewall. This enables all inbound and outbound traffic for a session to receive continuous QoS treatment as it flows through your network. For example, inbound return traffic from an external server can now be treated with the same QoS priority that the firewall initially enforced for the outbound flow, based on the DSCP value the firewall detected at the beginning of the session. Network devices between the firewall and the end user will then also enforce the same priority for the return traffic (and any other outbound or inbound traffic for the session).
You cannot apply DSCP code points or QoS to SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy traffic.
Different types of DSCP markings indicate different levels of service:
  • Expedited Forwarding (EF): Can be used to request low loss, low latency and guaranteed bandwidth for traffic. Packets with EF codepoint values are typically guaranteed highest priority delivery.
  • Assured Forwarding (AF): Can be used to provide reliable delivery for applications. Packets with an AF codepoint indicate a request for the traffic to receive higher priority treatment than best effort service provides (though packets with an EF codepoint will continue to take precedence over those with an AF codepoint).
  • Class Selector (CS): Can be used to provide backward compatibility with network devices that use the IP precedence field to mark priority traffic.
  • IP Precedence (ToS): Can be used by legacy network devices to mark priority traffic (the IP Precedence header field was used to indicate the priority for a packet before the introduction of the DSCP classification).
  • Custom Codepoint: Create a custom codepoint to match to traffic by entering a Codepoint Name and Binary Value.
For example, select Assured Forwarding (AF) to ensure that traffic marked with an AF codepoint value receives higher priority for reliable delivery than applications marked to receive lower priority.

Use the following steps to enable Session-Based DSCP Classification. Start by configuring QoS based on the DSCP marking detected at the beginning of a session. You can then continue to enable the firewall to mark the return flow for a session with the same DSCP value used to enforce QoS for the initial outbound flow.
  1. Perform the preliminary steps to Configure QoS.
  2. Define the traffic to receive QoS treatment based on DSCP value.
    1. Select Policies > QoS and Add or modify an existing QoS rule and populate the required fields.
    2. Select DSCP/ToS and select Codepoints.
    3. Add the DSCP/ToS codepoints for which you want to enforce QoS.
    4. Select the Type of DSCP/ToS marking for the QoS rule to match to traffic. It is a best practice to use a single DSCP type to manage and prioritize your network traffic.
    5. Match the QoS policy to traffic on a more granular scale by specifying the Codepoint value. For example, with Assured Forwarding (AF) selected as the Type of DSCP value for the policy to match, further specify an AF Codepoint value such as AF11.
       When Expedited Forwarding (EF) is selected as the Type of DSCP marking, a granular Codepoint value cannot be specified. The QoS policy rule matches traffic marked with any EF codepoint value.
    6. Select Other Settings and assign a QoS Class to traffic matched to the QoS rule. In this example, assign Class 1 to sessions where a DSCP marking of AF11 is detected for the first packet in the session.
    7. Click OK to save the QoS rule.
  3. Define the QoS priority for traffic to receive when it is matched to a QoS rule based on the DSCP marking detected at the beginning of a session.
    1. Select Network > Network Profiles > QoS Profile and Add or modify an existing QoS profile. For details on profile options to set priority and bandwidth for traffic, see QoS Concepts and Configure QoS.
    2. Add or modify a profile class. For example, because Step 2 showed how to classify AF11 traffic as Class 1 traffic, you could add or modify a class1 entry.
    3. Select a Priority for the class of traffic, such as high.
    4. Click OK to save the QoS Profile.
  4. Enable QoS on an interface.
    Select Network > QoS and Add or modify an existing interface and select Turn on QoS feature on this interface.
    In this example, traffic with an AF11 DSCP marking is matched to the QoS rule and assigned Class 1. The QoS profile enabled on the interface enforces high priority treatment for Class 1 traffic as it egresses the firewall (the session outbound traffic).
  5. Enable DSCP Marking.
    Mark return traffic with a DSCP value, enabling the inbound flow for a session to be marked with the same DSCP value detected for the outbound flow.
    1. Select Policies > Security and Add or modify a security policy.
    2. Select Actions and in the QoS Marking drop-down, choose Follow Client-to-Server Flow.
    3. Click OK to save your changes.
    Completing this step enables the firewall to mark traffic with the same DSCP value that was detected at the beginning of a session (in this example, the firewall would mark return traffic with the DSCP AF11 value). While configuring QoS allows you to shape traffic as it egresses the firewall, enabling this option in a security rule allows the other network devices intermediate to the firewall and the client to continue to enforce priority for DSCP marked traffic.
  6. Commit the configuration.
    Commit your changes.
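The following is an added example, not code from the Palo Alto Networks documentation, that models the behaviour configured above: it decodes the DSCP bits of the IP ToS byte, classifies a codepoint into the EF/AF/CS/custom types listed earlier, matches it against a constructed QoS rule table (AF11 to Class 1, as in the procedure), and applies "Follow Client-to-Server Flow" marking to return packets. The rule table and ToS byte values are constructed for illustration.

```python
# DSCP occupies the high 6 bits of the IPv4 ToS / IPv6 Traffic Class byte;
# the low 2 bits are ECN and must be preserved when re-marking.
def dscp_from_tos(tos_byte):
    return (tos_byte >> 2) & 0x3F

def ip_precedence(tos_byte):
    # Legacy 3-bit IP Precedence field (the page's "IP Precedence (ToS)" type).
    return (tos_byte >> 5) & 0x7

def classify_dscp(dscp):
    """Return (type, codepoint name) following RFC 2474/2597/3246 naming."""
    if dscp == 46:                               # 101110
        return ("EF", "EF")
    cls, low = dscp >> 3, dscp & 0x7
    if 1 <= cls <= 4 and low in (2, 4, 6):       # AFxy: class 1-4, drop precedence 1-3
        return ("AF", "AF%d%d" % (cls, low // 2))
    if low == 0:                                 # xxx000: Class Selector (CS0 = best effort)
        return ("CS", "CS%d" % cls)
    return ("Custom", format(dscp, "06b"))       # anything else: custom binary value

# Constructed QoS rule table: (Type, Codepoint or None for any, QoS class).
# Mirrors the page's example (AF11 -> Class 1); EF rule added to show the
# "any EF codepoint" behaviour where no granular codepoint can be set.
QOS_RULES = [("AF", "AF11", 1), ("EF", None, 2)]

def match_qos_class(dscp):
    kind, name = classify_dscp(dscp)
    for rule_type, rule_cp, qos_class in QOS_RULES:
        if kind == rule_type and (rule_cp is None or rule_cp == name):
            return qos_class
    return None                                  # no rule matched: no DSCP-based class

class Session:
    """Session-based classification: the first client-to-server packet decides."""
    def __init__(self, first_packet_tos):
        self.dscp = dscp_from_tos(first_packet_tos)
        self.qos_class = match_qos_class(self.dscp)

    def mark_return_packet(self, tos_byte, follow_client_to_server=True):
        # "Follow Client-to-Server Flow": rewrite the DSCP bits of server-to-client
        # packets with the value seen on the first packet, keeping the ECN bits.
        if not follow_client_to_server:
            return tos_byte
        return (self.dscp << 2) | (tos_byte & 0x3)

if __name__ == "__main__":
    s = Session(0x28)                            # ToS 0x28 -> DSCP 10 -> AF11
    print(classify_dscp(s.dscp), s.qos_class, hex(s.mark_return_packet(0x01)))
```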
