QoS Use Cases
Implement Quality of Service in common scenarios, such as prioritizing traffic for a
single user or ensuring performance for voice and video applications on next-generation
firewalls.
The following use cases demonstrate how to use QoS in common scenarios.
Use Case: QoS for a Single User
A CEO finds that during periods of high network usage, she is unable to access
enterprise applications to respond effectively to critical business
communications. The IT admin wants to ensure that all traffic to and from the
CEO receives preferential treatment over other employee traffic so that she is
guaranteed not only access to, but high performance of, critical network
resources.
- The admin creates the QoS Profile CEO_traffic to define how traffic originating from the CEO will be treated and shaped as it flows out of the company network.
  The admin assigns a guaranteed bandwidth (Egress Guaranteed) of 50 Mbps to ensure that the CEO will have that amount of bandwidth guaranteed to her at all times (more than she would need to use), regardless of network congestion.
  The admin continues by designating Class 1 traffic as high priority and sets the profile’s maximum bandwidth usage (Egress Max) to 1,000 Mbps, the same maximum bandwidth for the interface that the admin will enable QoS on. The admin is choosing to not restrict the CEO’s bandwidth usage in any way.
  It is a best practice to populate the Egress Max field for a QoS Profile, even if the max bandwidth of the profile matches the max bandwidth of the interface. The QoS Profile’s max bandwidth should never exceed the max bandwidth of the interface you're planning to enable QoS on.
- The admin creates a QoS policy rule to identify the CEO’s traffic (Policies > QoS) and assigns it the class that he defined in the QoS Profile (see prior step). Because User-ID is configured, the admin uses the Source tab in the QoS policy rule to singularly identify the CEO’s traffic by her company network username. (If User-ID is not configured, the administrator could Add the CEO’s IP address under Source Address. See User-ID.)
  The admin associates the CEO’s traffic with Class 1 (Other Settings tab) and then continues to populate the remaining required policy fields; the admin gives the policy a descriptive Name (General tab) and selects Any for the Source Zone (Source tab) and Destination Zone (Destination tab).
- Now that Class 1 is associated with the CEO’s traffic, the admin enables QoS by checking Turn on QoS feature on interface and selecting the traffic flow’s egress interface. The egress interface for the CEO’s traffic flow is the external-facing interface, in this case, ethernet 1/2.
  Because the admin wants to ensure that all traffic originating from the CEO is guaranteed by the QoS Profile and associated QoS policy rule he created, he selects CEO_traffic to apply to Clear Text traffic flowing from ethernet 1/2.
- After committing the QoS configuration, the admin navigates to the Network > QoS page to confirm that the QoS Profile CEO_traffic is enabled on the external-facing interface, ethernet 1/2.
  He clicks Statistics to view how traffic originating with the CEO (Class 1) is being shaped as it flows from ethernet 1/2.

This case demonstrates how to apply QoS to traffic originating from a single source user. However, if you also wanted to guarantee or shape traffic to a destination user, you could configure a similar QoS setup. Instead of, or in addition to this workflow, create a QoS policy rule that specifies the user’s IP address as the Destination Address on the Policies > QoS page (instead of specifying the user’s source information) and then enable QoS on the network’s internal-facing interface on the Network > QoS page (instead of the external-facing interface).
Use Case: QoS for Voice and Video Applications
Voice and video traffic is sensitive to measurements that the QoS feature shapes and controls, especially latency and jitter. For voice and video transmissions to be audible and clear, voice and video packets cannot be dropped, delayed, or delivered inconsistently. A best practice for voice and video applications, in addition to guaranteeing bandwidth, is to guarantee priority to voice and video traffic.

In this example, employees at a company branch office are experiencing difficulties and unreliability in using video conferencing and Voice over IP (VoIP) technologies to conduct business communications with other branch offices, with partners, and with customers. An IT admin intends to implement QoS to address these issues and ensure effective and reliable business communication for the branch employees. Because the admin wants to guarantee QoS to both incoming and outgoing network traffic, he will enable QoS on both the firewall’s internal- and external-facing interfaces.

- The admin creates a QoS Profile, defining Class 2 so that Class 2 traffic receives real-time priority and, on an interface with a maximum bandwidth of 1,000 Mbps, is guaranteed a bandwidth of 250 Mbps at all times, including peak periods of network usage.
  Real-time priority is typically recommended for applications affected by latency, and is useful in guaranteeing performance and quality of voice and video applications.
  On the firewall web interface, the admin selects the Network > Network Profiles > QoS Profile page, clicks Add, enters the Profile Name, "ensure voip-video traffic", and defines Class 2 traffic.
- The admin creates a QoS policy rule to identify voice and video traffic. Because the company does not have one standard voice and video application, the admin wants to ensure QoS is applied to a few applications that are widely and regularly used by employees to communicate with other offices, with partners, and with customers.
  On the Policies > QoS > QoS Policy Rule > Applications tab, the admin clicks Add and opens the Application Filter window. The admin continues by selecting criteria to filter the applications he wants to apply QoS to, choosing the Subcategory voip-video, and narrowing that down by specifying only voip-video applications that are both low-risk and widely used.
  The application filter is a dynamic tool that, when used to filter applications in the QoS policy rule, enables QoS to be applied to all applications that meet the criteria of voip-video, low risk, and widely used at any given time.
  The admin names the Application Filter voip-video-low-risk and includes it in the QoS policy rule.
  The admin names the QoS policy rule Voice-Video and selects Other Settings to assign all traffic matched to the policy rule Class 2. He is going to use the Voice-Video QoS policy rule for both incoming and outgoing QoS traffic, so he sets Source and Destination information to Any.
- Because the admin wants to ensure QoS for both incoming and outgoing voice and video communications, he enables QoS on the network’s external-facing interface (to apply QoS to outgoing communications) and on the internal-facing interface (to apply QoS to incoming communications).
  The admin begins by enabling the QoS Profile he created, ensure voip-video traffic (Class 2 in this profile is associated with the policy rule Voice-Video), on the external-facing interface, in this case, ethernet 1/2.
  He then enables the same QoS Profile, ensure voip-video traffic, on a second interface, the internal-facing interface (in this case, ethernet 1/1).
- The admin selects Network > QoS to confirm that QoS is enabled for both incoming and outgoing voice and video traffic.

The admin has successfully enabled QoS on both the network’s internal- and external-facing interfaces. Real-time priority is now ensured for voice and video application traffic as it flows both into and out of the network, ensuring that these communications, which are sensitive to latency and jitter, can be used reliably and effectively to perform both internal and external business communications.
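
The profile, rule, and interface relationships from both use cases can be checked before a commit with a small linter. This is an added example, not Palo Alto Networks code: the dictionary layout and field names are hypothetical and are not PAN-OS configuration keys, the CEO rule name is constructed, and the voice/video profile's Egress Max of 1,000 Mbps is assumed from the stated interface maximum.

```python
# Constructed models of the two use cases; bandwidth values are in Mbps.
CEO = {
    "profiles": {"CEO_traffic": {"egress_max": 1000, "egress_guaranteed": 50,
                                 "classes": {1: {"priority": "high"}}}},
    "rules": [{"name": "ceo-priority", "class": 1}],  # rule name is constructed
    "interfaces": {"ethernet 1/2": {"max_mbps": 1000, "profile": "CEO_traffic"}},
}
VOICE_VIDEO = {
    "profiles": {"ensure voip-video traffic": {
        "egress_max": 1000,  # assumed; the page states only the interface maximum
        "classes": {2: {"priority": "real-time", "egress_guaranteed": 250}}}},
    "rules": [{"name": "Voice-Video", "class": 2}],
    "interfaces": {
        "ethernet 1/2": {"max_mbps": 1000, "profile": "ensure voip-video traffic"},
        "ethernet 1/1": {"max_mbps": 1000, "profile": "ensure voip-video traffic"}},
}

def lint_qos(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for if_name, iface in cfg["interfaces"].items():
        pname = iface["profile"]
        prof = cfg["profiles"].get(pname)
        if prof is None:
            findings.append(f"{if_name}: QoS Profile {pname!r} is not defined")
            continue
        emax = prof.get("egress_max")
        # Best practice from the page: populate Egress Max, never above the interface.
        if emax is None:
            findings.append(f"{pname}: Egress Max is not populated")
        elif emax > iface["max_mbps"]:
            findings.append(f"{pname}: Egress Max {emax} exceeds "
                            f"{if_name} maximum {iface['max_mbps']}")
        # A guarantee larger than the profile's cap can never be honoured.
        guarantees = [("profile", prof.get("egress_guaranteed"))]
        guarantees += [(f"class {n}", c.get("egress_guaranteed"))
                       for n, c in prof["classes"].items()]
        for label, g in guarantees:
            if g is not None and emax is not None and g > emax:
                findings.append(f"{pname}: {label} Egress Guaranteed {g} "
                                f"exceeds Egress Max {emax}")
        # Each rule's class must be one the profile on this interface defines.
        for rule in cfg["rules"]:
            if rule["class"] not in prof["classes"]:
                findings.append(f"{if_name}: rule {rule['name']!r} assigns class "
                                f"{rule['class']}, not defined in {pname}")
    return findings
```
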