Description
This article describes configuration of a Differentiated Services Code Point (DSCP) marking on FortiGate units.
Scope
FortiGate; QoS; DSCP.
Solution
Differentiated Services (also called DiffServ) is defined by RFC 2474 and RFC 2475 as an enhancement to IP networking that enables scalable service discrimination in the IP network without the need for per-flow state and signaling at every hop.
Routers that understand differentiated services sort IP traffic into classes by inspecting the DS field in the IPv4 header or the traffic class field in the IPv6 header.
The FortiGate Differentiated Services feature can be used to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy.
The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing.
DSCP features are applied to traffic by configuring the FortiGate to apply different service levels to packets depending on the DSCP value of the packet.
If the differentiated services feature is not enabled, the FortiGate unit treats traffic as if the DSCP value is set to the default (CS0), and will not change IP packets' DSCP field.
Starting from FortiOS 7.4.4, DSCP marking can be applied to traffic originating from the FortiGate unit itself (local-out) or destined for the unit itself (local-in).
Refer to: DSCP-marking-for-self-generated-traffic-7-4-4
The packet's DSCP field for traffic initiating a session (forward) or for reply traffic (reverse) can be changed and enabled in each direction separately by configuring it in the firewall policy.
Changes to DSCP values in a firewall policy affect new sessions.
If traffic must use the new DSCP values immediately, it is advised to clear all existing sessions.
DSCP marking can be enabled by using the following CLI commands:
config firewall policy
edit <policy_number>
...
set diffserv-forward enable
set diffservcode-forward <binary_integer>
set diffserv-reverse enable
set diffservcode-rev <binary_integer>
end
DSCP is a number in the range from decimal value 0 to 63 that is placed into an IP packet to mark it according to the class of traffic it belongs to.
The following table defines the relationship between service classes and DSCP markings.
| DSCP Name | Decimal Value | DSCP Value | tos* | tos-mask* | tos** | tos-mask** | Service Class Name |
|---|---|---|---|---|---|---|---|
| AF11 | 10 | 001 010 | 0x28 | 0xfc | 0x0a | 0x3f | High-Throughput Data |
| AF12 | 12 | 001 100 | 0x30 | 0xfc | 0x0c | 0x3f | High-Throughput Data |
| AF13 | 14 | 001 110 | 0x38 | 0xfc | 0x0e | 0x3f | High-Throughput Data |
| AF21 | 18 | 010 010 | 0x48 | 0xfc | 0x12 | 0x3f | Low-Latency Data |
| AF22 | 20 | 010 100 | 0x50 | 0xfc | 0x14 | 0x3f | Low-Latency Data |
| AF23 | 22 | 010 110 | 0x58 | 0xfc | 0x16 | 0x3f | Low-Latency Data |
| AF31 | 26 | 011 010 | 0x68 | 0xfc | 0x1a | 0x3f | Multimedia Streaming |
| AF32 | 28 | 011 100 | 0x70 | 0xfc | 0x1c | 0x3f | Multimedia Streaming |
| AF33 | 30 | 011 110 | 0x78 | 0xfc | 0x1e | 0x3f | Multimedia Streaming |
| AF41 | 34 | 100 010 | 0x88 | 0xfc | 0x22 | 0x3f | Multimedia Conferencing |
| AF42 | 36 | 100 100 | 0x90 | 0xfc | 0x24 | 0x3f | Multimedia Conferencing |
| AF43 | 38 | 100 110 | 0x98 | 0xfc | 0x26 | 0x3f | Multimedia Conferencing |
| CS0 | 0 | 000 000 | 0x00 | 0xfc | 0x00 | 0x3f | Standard (Default/Best Effort) |
| CS1 | 8 | 001 000 | 0x20 | 0xfc | 0x08 | 0x3f | Low-Priority Data |
| CS2 | 16 | 010 000 | 0x40 | 0xfc | 0x10 | 0x3f | OAM (Operations, Administration, and Management) |
| CS3 | 24 | 011 000 | 0x60 | 0xfc | 0x18 | 0x3f | Broadcast Video |
| CS4 | 32 | 100 000 | 0x80 | 0xfc | 0x20 | 0x3f | Real-Time Interactive |
| CS5 | 40 | 101 000 | 0xa0 | 0xfc | 0x28 | 0x3f | Signaling |
| CS6 | 48 | 110 000 | 0xc0 | 0xfc | 0x30 | 0x3f | Network Control |
| CS7 | 56 | 111 000 | 0xe0 | 0xfc | 0x38 | 0x3f | Reserved |
| EF | 46 | 101 110 | 0xb8 | 0xfc | 0x2e | 0x3f | Telephony |
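\* Two extra bits are added at the end (the DSCP value sits in the upper six bits of the byte).
\*\* Two extra bits are added at the front (the DSCP value sits in the lower six bits of the byte).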

This is expected as the marking is applied on the port1 interface for incoming traffic.
If the sniffer is taken on the 'port1' interface, the default marking is applied for outbound traffic as the marking is applied for reverse traffic.
diagnose sniffer packet port1 'host 4.2.2.2 and icmp' 6 0 a
However, the traffic is marked as AF31 for inbound traffic.
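To check a marking seen in a capture against the table above, the following added example (not Fortinet code) converts DSCP class names to the six-bit string used by `diffservcode-forward` / `diffservcode-rev` and decodes the DS field of a raw IPv4 header. The function names, the policy ID and the sample header are constructed for illustration, and the Ethernet header is assumed to be already stripped from the captured bytes.

```python
import re

# Every name in the article's table: EF, CS0-CS7, AF11-AF43.
_NAMES = (["EF"] + [f"CS{n}" for n in range(8)]
          + [f"AF{x}{y}" for x in range(1, 5) for y in range(1, 4)])

def dscp_value(name):
    """Decimal DSCP (0-63) for a class name such as AF31, CS5 or EF."""
    name = name.upper()
    if name == "EF":
        return 46
    if m := re.fullmatch(r"CS([0-7])", name):
        return int(m.group(1)) << 3                          # CSn  = 8n
    if m := re.fullmatch(r"AF([1-4])([1-3])", name):
        return int(m.group(1)) << 3 | int(m.group(2)) << 1   # AFxy = 8x + 2y
    raise ValueError(f"unknown DSCP name: {name!r}")

_BY_VALUE = {dscp_value(n): n for n in _NAMES}

def cli_code(name):
    """Six-bit string for 'set diffservcode-forward' / 'set diffservcode-rev'."""
    return format(dscp_value(name), "06b")

def tos_byte(name):
    """ToS byte with the DSCP in the upper six bits (the table's tos* column)."""
    return dscp_value(name) << 2

def classify_ipv4(header):
    """Return (name, dscp, ecn) decoded from raw IPv4 header bytes."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    tos = header[1]
    dscp, ecn = tos >> 2, tos & 0x03    # mask 0xfc keeps DSCP, drops the ECN bits
    return _BY_VALUE.get(dscp, f"unassigned({dscp})"), dscp, ecn

def policy_cli(policy_id, forward, reverse):
    """Render the article's firewall-policy commands for two class names."""
    fwd, rev = cli_code(forward), cli_code(reverse)
    return (f"config firewall policy\nedit {policy_id}\n"
            f"set diffserv-forward enable\nset diffservcode-forward {fwd}\n"
            f"set diffserv-reverse enable\nset diffservcode-rev {rev}\nnext\nend")

# Constructed sample: IPv4 header of an ICMP reply from 4.2.2.2 with ToS 0x68.
SAMPLE = bytes.fromhex("4568005400000000" "3a010000" "04020202" "0a000001")

if __name__ == "__main__":
    print(policy_cli(1, "AF31", "AF31"))    # policy ID 1 is a placeholder
    print(classify_ipv4(SAMPLE))
```

A ToS byte of 0x69 decodes to the same class as 0x68, because the two low-order ECN bits are outside the 0xfc mask.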
DSCP marking can also be configured in firewall shaping policies and has the same logic as in firewall policy.
config firewall shaping-policy
edit <id>
set service "ALL"
set dstintf "virtual-wan-link"
set srcaddr "all"
set dstaddr "all"
set diffservcode-forward 011010
set diffservcode-rev 011010
next
end
Related documents:
Configuring differentiated services - FortiGate 6.0.0 handbook
ToS and DSCP traffic mapping - FortiOS Help
RFC4594