Description
This article describes how to configure Differentiated Services Code Point (DSCP) marking with shaping policy.
Scope
FortiGate.
Solution
Consider an IPsec VPN tunnel established between two FortiGates. The addresses and interface names used here are examples only. On the FortiGate, DSCP marking is enabled in both directions.
The firewall policy on 'FGT-I' is defined as follows.
config firewall policy
edit 1
set srcintf port1
set dstintf wan2
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
set diffserv-forward enable
set diffservcode-forward 010110
set diffserv-reverse enable
set diffservcode-rev 010110
next
end
According to the firewall policy, FortiGate changes the DSCP field for both outgoing traffic and its reply traffic.
A shaping policy has been configured for the VPN tunnel interface 'FGT-II-VPN' with a guaranteed bandwidth of 20 Mbps.
config firewall shaping-policy
edit 1
set service "ALL"
set dstintf "FGT-II-VPN"
set traffic-shaper "TS_20M"
set traffic-shaper-reverse "TS_20M"
set srcaddr "all"
set dstaddr "all"
next
end
config firewall shaper traffic-shaper
edit "TS_20M"
set guaranteed-bandwidth 20000
next
end
If a sniffer is taken on the outbound 'WAN2' interface of 'FGT-I', the Wireshark capture shows that neither the outbound nor the inbound traffic is marked AF23 (010110), even though the firewall policy is configured with the AF23 marking: the traffic on the 'WAN2' interface is marked CS0 (best effort).
The reason is that a shaping policy is applied, and the shaping policy carries its own DSCP settings. The full configuration of the shaping policy shows 'diffserv' disabled, which is why the CS0 marking appears in the packet capture.
Note:
Wireshark capture can be used to see DSCP marking in the traffic.
FGT5HD-2 (1) # sh full
config firewall shaping-policy
edit 1
set name ''
set comment ''
set status enable
set ip-version 4
set internet-service disable
set internet-service-src disable
set service "ALL"
set schedule ''
set dstintf "FGT5HD-3"
set tos-mask 0x00
set traffic-shaper "TS_20M"
set traffic-shaper-reverse "TS_20M"
set per-ip-shaper ''
unset class-id
set diffserv-forward disable
set diffserv-reverse disable
set srcaddr "all"
set dstaddr "all"
next
end
Once DSCP marking is configured under shaping policy, the packet capture will show the corresponding marking applied in both directions.
config firewall shaping-policy
edit 1
set service "ALL"
set dstintf "FGT5HD-3"
set traffic-shaper "TS_shared_20M_guarantee_High"
set traffic-shaper-reverse "TS_shared_20M_guarantee_High"
set diffserv-forward enable
set diffserv-reverse enable
set srcaddr "all"
set dstaddr "all"
set diffservcode-forward 010110
set diffservcode-rev 010110
next
end
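FortiGate takes the DSCP code as a 6-bit binary string (010110), while Wireshark displays the per-hop-behaviour name (AF23, CS0). The following script is an added example and is not part of this article or of FortiOS: it converts the binary code to its decimal value and name, and it walks a classic pcap file (Ethernet II + IPv4, which is what a sniffer on 'WAN2' produces for the ESP packets) counting how many packets carry each marking, so the capture can be checked before and after the shaping policy change without opening Wireshark. The sample frames and the in-memory pcap are constructed here for demonstration; the outer IPv4 header is the one inspected, since that is the header visible on the WAN interface.

```python
"""Decode DSCP markings from IPv4 packets in a pcap (added example, not FortiOS code)."""
import struct
import sys
from collections import Counter

ETHERTYPE_IPV4 = 0x0800


def dscp_from_code(code: str) -> int:
    """Convert a FortiGate 6-bit binary DSCP code ('010110') to its decimal value (22)."""
    if len(code) != 6 or any(c not in "01" for c in code):
        raise ValueError(f"DSCP code must be 6 binary digits, got {code!r}")
    return int(code, 2)


def dscp_name(dscp: int) -> str:
    """Return the RFC 2474/2597/3246 per-hop-behaviour name Wireshark shows for a DSCP value."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if dscp == 46:
        return "EF"
    cls, low = dscp >> 3, dscp & 0x7
    if low == 0:
        return f"CS{cls}"                 # class selector: bits xxx000
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"       # assured forwarding: class + drop precedence
    return f"DSCP{dscp}"                  # no standard name


def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    """Build the IPv4 TOS/DS byte: DSCP in the upper 6 bits, ECN in the lower 2."""
    return (dscp << 2) | (ecn & 0x3)


def dscp_from_tos(tos: int) -> int:
    """Extract the 6-bit DSCP from the TOS/DS byte, discarding the ECN bits."""
    return tos >> 2


def ipv4_frame(tos: int, payload: bytes = b"") -> bytes:
    """Construct a minimal Ethernet II + IPv4 frame with the given TOS byte (sample data)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, tos, 20 + len(payload), 0, 0, 64, 50, 0,   # proto 50 = ESP
                         bytes([10, 0, 1, 10]), bytes([10, 0, 2, 10]))   # constructed addresses
    eth_hdr = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + payload


def pcap_bytes(frames) -> bytes:
    """Wrap frames in a classic little-endian pcap container (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def dscp_histogram(pcap: bytes) -> Counter:
    """Count DSCP names over all IPv4 frames in a pcap byte string (non-IPv4 frames are skipped)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    hist = Counter()
    pos = 24                                   # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        hist[dscp_name(dscp_from_tos(frame[15]))] += 1   # TOS byte sits right after version/IHL
    return hist


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:        # real capture taken on the WAN interface
            data = fh.read()
    else:                                          # constructed sample: two AF23 frames, one CS0
        af23 = tos_from_dscp(dscp_from_code("010110"))
        data = pcap_bytes([ipv4_frame(af23), ipv4_frame(0), ipv4_frame(af23)])
    for name, count in sorted(dscp_histogram(data).items()):
        print(f"{name}: {count} packet(s)")
```

Run it against a pcap saved from the 'WAN2' sniffer: with the shaping policy's diffserv disabled, every ESP packet is reported as CS0; after enabling diffserv-forward and diffserv-reverse with code 010110, both directions are reported as AF23.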
In conclusion, when a shaping policy matches the traffic, its DSCP marking takes precedence over the marking configured under the firewall policy.
Note:
Offloading traffic to the NPU must be disabled for the tunnel.
config vpn ipsec phase1-interface
edit <Tunnel_Name>
set npu-offload disable
next
end
Related documents:
Technical Tip: Differentiated Services Code Point (DSCP) marking
Configure DSCP for IPsec tunnels