FortiGate
Francesko
Staff
Article Id 420868
Description: This article describes how to apply DSCP marking to encapsulated IP traffic within a VXLAN tunnel.

Scope: FortiGate.

Solution:

VXLAN encapsulates an original Ethernet frame (Layer 2) inside a UDP header (Layer 4) and an outer IP header (Layer 3) for transport across an IP network. When traffic enters the VXLAN tunnel, it is the outer IP header of the tunnel that is visible and readable by the core underlay routers and switches.


The core network devices cannot see the DSCP value in the original, inner IP header because the entire original frame is now payload within the VXLAN tunnel. Only the DSCP value in the outer IP header is visible to these core devices. If the VXLAN is terminated on a physical interface and the VXLAN traffic itself needs to be marked, the DSCP marking for self-generated traffic feature can be used.

Related: DSCP marking for self-generated traffic (FortiOS 7.4.4)


For VXLAN over IPsec deployments, UDP port 4789 can be marked directly in the firewall policy when it is allowed into the IPsec tunnel.


In some scenarios, the traffic encapsulated within the VXLAN tunnel must be marked. To apply this marking easily through a firewall policy, the switch-interface configuration must be changed from an implicit intra-switch policy to an explicit one.


This change requires traffic between switch members to match firewall policies, meaning explicit policies must be created to permit inter-member traffic. Once DSCP marking is configured in the policy, the encapsulated traffic will be marked accordingly.

Based on the configuration of the switch interface below, the firewall policy is set up to mark traffic as follows:


config system switch-interface
    edit "VXLAN_SWITCH"
        set vdom "root"
        set member "VXLAN" "port1"
        set intra-switch-policy explicit
    next
end

config firewall policy
    edit 1
        set name "ExplicitSw"
        set srcintf "port1"
        set dstintf "VXLAN"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set diffserv-forward enable
        set diffserv-reverse enable
        set diffservcode-forward 110000
        set diffservcode-rev 110000
    next
    edit 2
        set srcintf "VXLAN"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set diffserv-forward enable
        set diffserv-reverse enable
        set diffservcode-forward 110000
        set diffservcode-rev 110000
        set comments " (Reverse of ExplicitSw)"
    next
end

Originating Traffic

Reply Traffic - FGT2
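The captures above show the marking on the wire. As an added example that is not part of the article, the following Python builds a constructed VXLAN packet (outer IP / UDP 4789 / VXLAN / inner Ethernet / inner IP) and reads back both DSCP fields, so the difference between what the underlay routers see (outer header) and what the explicit policy marks (the inner header, 110000 = decimal 48) can be checked on any captured frame. Addresses, MAC addresses, VNI and payload are made up for the example.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789     # VXLAN UDP port, as referenced in the article
POLICY_DSCP = 0b110000    # the policy's diffservcode-forward/-rev value (decimal 48)

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, dscp: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header; DSCP is the upper 6 bits of the TOS byte."""
    tos = (dscp & 0x3F) << 2
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def build_vxlan_frame(vni: int, inner_dscp: int, outer_dscp: int) -> bytes:
    """Constructed sample: outer IP / UDP 4789 / VXLAN / inner Ethernet / inner IP (made-up addresses)."""
    inner_ip = build_ipv4("10.1.1.10", "10.1.1.20", 17, b"constructed payload", dscp=inner_dscp)
    inner_eth = bytes.fromhex("020000000001" "020000000002" "0800") + inner_ip
    vxlan = struct.pack("!II", 0x08000000, vni << 8)  # I flag set, 24-bit VNI, reserved byte
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner_eth), 0)
    return build_ipv4("192.0.2.1", "192.0.2.2", 17, udp + vxlan + inner_eth, dscp=outer_dscp)

def vxlan_dscp_view(packet: bytes) -> dict:
    """DSCP the underlay can see (outer header) versus the DSCP carried inside the VXLAN payload."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("outer protocol is not UDP")
    if struct.unpack("!H", packet[ihl + 2:ihl + 4])[0] != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not 4789")
    vxlan = packet[ihl + 8:ihl + 16]
    if not vxlan[0] & 0x08:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    inner_eth = packet[ihl + 16:]
    if inner_eth[12:14] != b"\x08\x00":
        raise ValueError("inner frame is not IPv4")
    return {"vni": int.from_bytes(vxlan[4:7], "big"),
            "outer_dscp": packet[1] >> 2, "inner_dscp": inner_eth[15] >> 2}

if __name__ == "__main__":
    frame = build_vxlan_frame(vni=100, inner_dscp=POLICY_DSCP, outer_dscp=0)
    view = vxlan_dscp_view(frame)
    print(f"underlay sees DSCP {view['outer_dscp']}, inner frame carries DSCP {view['inner_dscp']}")
```

Feed `vxlan_dscp_view` the raw bytes of a frame taken from a capture on the underlay to confirm which header actually carries the 110000 marking.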


Related documents:

Technical Tip: Differentiated Services Code Point (DSCP) marking

General VXLAN configuration and topologies

Technical Tip: How to setup a VXLAN over IPsec deployment