Created on 12-03-2024 02:23 AM Edited on 12-04-2024 05:18 AM
Description
This article describes how to configure a reverse QoS to trust the DSCP marking from the FortiGate to FortiAP (QoS Downlink), traversing a FortiSwitch in this example.
Note: To configure QoS from the client station to FortiAP, which addresses QoS Uplink, refer to the following article: Technical Tip: Wireless WMM QoS FortiAP – DSCP Mapping and Marking for Microsoft Teams and Google Me...
Scope
FortiGate, FortiAP, FortiSwitch.
Solution
In this example, FortiGate marks the DSCP value when it receives Microsoft Teams traffic from the Internet, and both FortiSwitch and FortiAP will trust it. Refer to the following diagram to better understand the packet flow.
1st step: On the FortiGate GUI, define a new service under ‘Policy & Objects - Services’. Create a new service for each media traffic type, such as Audio, Video, Application/ScreenSharing, and so on. Refer to Microsoft's official document for more details on DSCP values and port range.
Note: For a reverse policy, the mapping needs to consider the destination port range.
Audio example:
Video example:
2nd step: Create a traffic shaper for each service under ‘Policy & Objects - Traffic Shaping - Traffic Shaper’. This example uses the ‘Per-IP’ shaper type.
Audio example. DSCP 46 translates to 101110 in binary. More details on converting DSCP to binary are available here: Technical Tip: Differentiated Services Code Point (DSCP) marking.
Map every service to its own new Traffic Shaper, with the corresponding DSCP value entered in binary.
3rd step: Create a new Traffic Shaping Policy for each service under ‘Policy & Objects - Traffic Shaping - Traffic Shaping Policies’.
Below are three Traffic Shaping Policies as examples.
To validate that FortiGate is applying the correct traffic shaping policy, use a session filter and the session list. More details are available here: Technical Tip: Using filters to clear sessions on a FortiGate.
4th step: By default, FortiSwitch does not trust any DSCP value. There is a predefined ‘ip-dscp-map’ called ‘voice-dscp’ which maps the CoS queue to a DSCP value in decimal. Adjust the DSCP values accordingly.
FortiGate-60E-POE # config switch-controller qos ip-dscp-map
FortiGate-60E-POE (ip-dscp-map) # show
By default, there are two QoS policies available: ‘default’ and ‘voice-qos’. The Voice QoS policy already defines the ‘trust-ip-dscp-map’ previously analyzed.
FortiGate-60E-POE # config switch-controller qos qos-policy
FortiGate-60E-POE (qos-policy) # show
To trust the DSCP, apply the QoS policy ‘voice-qos’ on the switch ports that need to honor the MS Teams traffic.
FortiGate-60E-POE # config switch-controller managed-switch
FortiGate-60E-POE (managed-switch) # edit <FortiSwitch serial number>
FortiGate-60E-POE (S108EF000000000) # config ports
FortiGate-60E-POE (ports) # edit port2
Note: Edit the ports that will need to trust the DSCP. In this example, port2 is connected to FortiAP, and ports 7 and 8 belong to FortiLink, which is connected to FortiGate.
FortiGate-60E-POE (port2) # set qos-policy voice-qos
FortiGate-60E-POE (port2) # next
FortiGate-60E-POE (ports) # edit port7
FortiGate-60E-POE (port7) # set qos-policy voice-qos
FortiGate-60E-POE (port7) # next
FortiGate-60E-POE (ports) # edit port8
FortiGate-60E-POE (port8) # set qos-policy voice-qos
FortiGate-60E-POE (port8) # end
It is also possible to check the QoS statistics on each switch port.
diagnose switch-controller switch-info qos-stats <FortiSwitch_serial_number> <port_name>
5th step: FortiGate acting as a Wireless Controller should already have the DSCP mapping defined under ‘WiFi & Switch Controller - Operation Profiles - QoS Profiles’. Enable 'Advanced Wireless Features' under 'System - Feature Visibility' to see the options below.
Select the QoS Profile with the respective SSID under ‘WiFi & Switch Controller - SSIDs - Advanced Settings - QoS Profile’.
6th step: Execute an over-the-air packet capture using FortiAP or any other solution to validate that FortiAP is prioritizing the traffic accordingly while transmitting to the client station.
Performing a packet capture in the client station should also reveal the DSCP values reaching it.
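The following is an added example, not part of the original article or any Fortinet tooling, showing how the DSCP value can be read from raw IPv4 packets taken from a client-side capture and compared with the value the shaper was meant to set. The port ranges and the video/sharing DSCP values are assumptions to be replaced with the values used in the services and shapers actually configured; only DSCP 46 for audio comes from the article.

```python
import struct

# Assumed mapping (not from the article, except audio = DSCP 46):
# downlink destination UDP port range -> expected DSCP. Replace with your own services.
EXPECTED = {
    "audio": (range(50000, 50020), 46),
    "video": (range(50020, 50040), 34),
    "sharing": (range(50040, 50060), 18),
}

def dscp_to_bits(dscp):
    """6-bit binary string as entered in the traffic shaper (46 -> '101110')."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0-63)")
    return format(dscp, "06b")

def parse_ipv4_udp(packet):
    """Return (dscp, ecn, dst_port) from raw IPv4 bytes, or None if not IPv4/UDP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or packet[9] != 17 or len(packet) < ihl + 8:
        return None
    tos = packet[1]                        # DSCP is the top 6 bits, ECN the low 2
    dst_port = struct.unpack_from("!H", packet, ihl + 2)[0]
    return tos >> 2, tos & 0x03, dst_port

def check_packet(packet):
    """Classify a downlink packet by destination port and compare its DSCP."""
    parsed = parse_ipv4_udp(packet)
    if parsed is None:
        return None
    dscp, _ecn, dst_port = parsed
    for name, (ports, expected) in EXPECTED.items():
        if dst_port in ports:
            return (name, dscp_to_bits(dscp), dscp == expected)
    return ("unclassified", dscp_to_bits(dscp), None)

def build_sample(tos, dst_port):
    """Constructed IPv4+UDP headers (documentation addresses, zero checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, 17, 0,
                     bytes([198, 51, 100, 10]), bytes([192, 0, 2, 20]))
    return ip + struct.pack("!HHHH", 3479, dst_port, 8, 0)

if __name__ == "__main__":
    # Constructed samples: marked audio, unmarked video, marked video.
    for tos, port in [(0xB8, 50004), (0x00, 50025), (0x88, 50025)]:
        print(port, check_packet(build_sample(tos, port)))
```

A result of False for a classified packet means the marking was lost or rewritten somewhere between FortiGate and the client, which points back to the switch port QoS policy or the SSID QoS profile.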
Related documents:
Translating WiFi QoS WMM marking to DSCP values
FortiAP Packet Sniffer
Configuring QoS with managed FortiSwitch units