alissonfreire
Article Id 361951
Description

This article describes how to configure a reverse QoS to trust the DSCP marking from the FortiGate to FortiAP (QoS Downlink), traversing a FortiSwitch in this example.

 

Note: To configure QoS from the client station to FortiAP, which addresses QoS Uplink, refer to the following article: Technical Tip: Wireless WMM QoS FortiAP – DSCP Mapping and Marking for Microsoft Teams and Google Me...

Scope

FortiGate, FortiAP, FortiSwitch.

Solution

In this example, FortiGate marks the DSCP value when it receives Microsoft Teams traffic from the Internet, and both FortiSwitch and FortiAP will trust it. Refer to the following diagram to better understand the packet flow.

 

alissonfreire_0-1733173611117.png

 

1st step: In the FortiGate GUI, define a new service under ‘Policy & Objects - Services’. Create a new service for each media traffic type, such as Audio, Video, Application/ScreenSharing, and so on. Refer to Microsoft's official document for more details on DSCP values and port range.

Note: For a reverse policy, the mapping needs to consider the destination port range.

 

Audio example:

 

alissonfreire_1-1733173611133.png

 

Video example:

 

alissonfreire_2-1733173611147.png

 

2nd step: Create a traffic shaper for each service under ‘Policy & Objects - Traffic Shaping - Traffic Shaper’. In this example ‘Per-IP’ shaper type is being used.

 

Audio example. DSCP 46 translates to 101110 in binary. More details on converting DSCP to binary are available here: Technical Tip: Differentiated Services Code Point (DSCP) marking.

 

alissonfreire_3-1733173611150.png

 

Map every service to a new Traffic Shaper that carries its corresponding DSCP value in binary.

 

alissonfreire_4-1733173611163.png

 

3rd step: Create a new Traffic Shaping Policy for each service under ‘Policy & Objects - Traffic Shaping - Traffic Shaping Policies’.

 

alissonfreire_5-1733173611177.png

 

Below are three Traffic Shaping Policies as examples.

 

alissonfreire_6-1733173611182.png

 

It is possible to validate that FortiGate is indeed applying the correct traffic shaping policy through a session filter and session list. More details are available here: Technical Tip: Using filters to clear sessions on a FortiGate.

 

4th step: By default, FortiSwitch does not trust any DSCP value. There is a predefined ‘ip-dscp-map’ called ‘voice-dscp’ which maps the CoS queue to a DSCP value in decimal. Adjust the DSCP values accordingly.

 

FortiGate-60E-POE # config switch-controller qos ip-dscp-map

FortiGate-60E-POE (ip-dscp-map) # show

 

alissonfreire_7-1733173611184.png

 

By default, there are two QoS policies available: ‘default’ and ‘voice-qos’.

The Voice QoS policy already defines the ‘trust-ip-dscp-map’ previously analyzed.

 

FortiGate-60E-POE # config switch-controller qos qos-policy

FortiGate-60E-POE (qos-policy) # show

 

alissonfreire_8-1733173611185.png

 

To trust the DSCP, apply the QoS policy ‘voice-qos’ to the switch ports that need to honor the MS Teams traffic.

 

FortiGate-60E-POE # config switch-controller managed-switch

FortiGate-60E-POE (managed-switch) # edit <FortiSwitch serial number>

FortiGate-60E-POE (S108EF000000000) # config ports

FortiGate-60E-POE (ports) # edit port2

 

Note: Edit the ports that will need to trust the DSCP. In this example, port2 is connected to FortiAP, and ports 7 and 8 belong to FortiLink, which is connected to FortiGate.

 

FortiGate-60E-POE (port2) # set qos-policy voice-qos

FortiGate-60E-POE (port2) # next

FortiGate-60E-POE (ports) # edit port7

FortiGate-60E-POE (port7) # set qos-policy voice-qos

FortiGate-60E-POE (port7) # next

FortiGate-60E-POE (ports) # edit port8

FortiGate-60E-POE (port8) # set qos-policy voice-qos

FortiGate-60E-POE (port8) # end

 

It is also possible to check the QoS statistics on each switch port.

 

diagnose switch-controller switch-info qos-stats <FortiSwitch_serial_number> <port_name>

 

5th step: FortiGate acting as a Wireless Controller should already have the DSCP mapping defined under ‘WiFi & Switch Controller - Operation Profiles - QoS Profiles’.

Enable 'Advanced Wireless Features' under 'System - Feature Visibility' to see the options below.

 

10.JPG

 

Select the QoS Profile with the respective SSID under ‘WiFi & Switch Controller - SSIDs - Advanced Settings - QoS Profile’.

 

alissonfreire_10-1733173611227.png

 

6th step: Execute an over-the-air packet capture using FortiAP or any other solution to validate that FortiAP is prioritizing the traffic accordingly while transmitting to the client station.

 

alissonfreire_11-1733173611291.png

 

Performing a packet capture in the client station should also reveal the DSCP values reaching it.

 

alissonfreire_12-1733173611375.png
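An offline version of the 6th-step check, added here as an example and not taken from the original article: it reads the DSCP field and UDP destination port of packets captured at the client and compares them with the marking each media type should carry, and `dscp_bits` gives the binary form entered in the traffic shaper in the 2nd step. The port ranges and DSCP values are assumptions based on Microsoft's recommended Teams settings, which this page does not list, and the sample packets are constructed.

```python
import struct

# Assumption: Microsoft's recommended Teams media port ranges and DSCP values,
# which this page does not list. Downlink traffic carries them as destination ports.
EXPECTED = [
    ("audio", range(50000, 50020), 46),
    ("video", range(50020, 50040), 34),
    ("sharing", range(50040, 50060), 18),
]

def dscp_bits(dscp):
    """DSCP as the 6-bit string entered in the traffic shaper (46 -> '101110')."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field (0-63)")
    return format(dscp, "06b")

def parse_ipv4_udp(pkt):
    """Return (dscp, dst_port) for an unfragmented IPv4/UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ihl < 20 or pkt[9] != 17 or frag_offset or len(pkt) < ihl + 8:
        return None
    dscp = pkt[1] >> 2  # upper 6 bits of the ToS byte; the lower 2 are ECN
    dst_port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return dscp, dst_port

def check(pkt):
    """Return (media, dst_port, seen, expected, ok), or None if not Teams media."""
    parsed = parse_ipv4_udp(pkt)
    if parsed is None:
        return None
    dscp, port = parsed
    for media, ports, want in EXPECTED:
        if port in ports:
            return (media, port, dscp, want, dscp == want)
    return None

def build(dscp, dst_port, ecn=0):
    """Constructed sample: bare IPv4 + UDP headers starting at the IP layer."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 28, 0, 0, 64, 17,
                     0, bytes([203, 0, 113, 10]), bytes([192, 168, 1, 50]))
    return ip + struct.pack("!HHHH", 3478, dst_port, 8, 0)

# Constructed packets: marked audio, marked video with ECN set, unmarked sharing, HTTPS.
SAMPLES = [build(46, 50004), build(34, 50025, ecn=1), build(0, 50045), build(46, 443)]
RESULTS = [check(p) for p in SAMPLES]
print(*RESULTS, sep="\n")
```

A result whose last field is False means a hop between the FortiGate and the client did not preserve the marking for that flow. Real capture frames need their link-layer header stripped before being passed to `check`.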

 

Related documents:

Translating WiFi QoS WMM marking to DSCP values
FortiAP Packet Sniffer
Configuring QoS with managed FortiSwitch units