Support Forum
fortimaster
Contributor

Doubt about DSCP value

ToIP traffic that is already marked with a DSCP (EF) value will pass through my firewall. I need the firewall to keep that value and not modify it; that is, keep the same input value as output. On the other hand, I also need it to prioritize the traffic internally. If I don't do any configuration and just let the traffic through, I'm not sure if the firewall keeps the value or resets it to zero. Can you help me?

"If the differentiated services feature is not enabled, the FortiGate unit treats traffic as if the DSCP value is set to the default (00), and will not change IP packets' DSCP field."

Thank you very much

1 Solution
GDiFi
Staff

You can verify that the DSCP values are staying on egress by doing a packet capture on the ingress and egress interfaces and checking the packet header on both to make sure they stay the same.

As far as prioritizing the traffic in the FortiGate, the Traffic shaping section of the admin guide outlines different ways to do this. You can set up global traffic prioritization for three priority levels, or, if you want more granular control, you can create traffic shaping policies.

https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/297431/traffic-shaping

fortimaster

Thank you very much for your help. I understand that if what I want is for the traffic that is already marked with DSCP EF to be kept (without remarking) and prioritized in the firewall, the global commands would be enough:

set traffic-priority DSCP
set traffic-priority-level high

With these commands all the traffic that enters the firewall with DSCP 46 will be prioritized as high and will leave with DSCP 46 through the exit port.

GDiFi
Staff

If you do:

set traffic-priority DSCP
set traffic-priority-level high

this will prioritize all traffic as high. You will want to set that as the default medium or change it to low. You can then map matching DSCP values to priority queues based on this:

config system dscp-based-priority
    edit <id>
        set ds <0-63>
        set priority (high | medium | low)
    next
end

https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/15578/global-traffic-priorit...


fortimaster

Thanks for your reply!!! I don't really need to configure different queues. I don't care if they are all high, since all the traffic will enter with EF marking; there are no other types of DSCP markings in my network, and I think it will be the easiest.

I have seen that with the command I have put, all the queues are high, and that is enough for me.

pa_iva
New Contributor II

To answer your original question, here is a quick lab:

[Image: topo.PNG, lab topology]

Generating traffic from R2 to R3 with DSCP EF (46), and doing a pcap on interface Port1 and Port2:

[Images: lan.PNG and wan.PNG, the two packet captures]

You can tell it's the exact same packet, as it has the same IPv4 identification 0x0023 (35); it's just been NATed as it exits port1, and it has kept the DSCP field.

The policy has diffserv-forward and reverse disabled:

diffserv-forward : disable
diffserv-reverse : disable

These commands are used if you need to remark the traffic; if you enable them, you'll have the option to remark the traffic that hits the policy with the DSCP values you want.

Hope that's helpful.
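The ingress/egress comparison GDiFi and pa_iva describe, as an added Python example that is not from the thread or from Fortinet: it parses the IPv4 header of two constructed capture samples (hypothetical addresses), matches them on the identification field the way pa_iva did, and reports whether the DSCP survived the hop through the firewall.

```python
import struct

DSCP_EF = 46  # Expedited Forwarding, the marking the thread is about

def parse_ipv4(packet: bytes) -> dict:
    """Pull the header fields needed to compare an ingress and an egress capture."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ver_ihl, tos, _, ident, _, ttl, _, _, src, dst = fields
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "dscp": tos >> 2,          # upper 6 bits of the old TOS byte
        "ecn": tos & 0x3,          # lower 2 bits
        "id": ident,               # IPv4 identification, survives source NAT
        "ttl": ttl,                # decremented by the firewall, so not compared
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }

def build_ipv4(src: str, dst: str, ident: int, dscp: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (UDP, no payload) for the constructed samples."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, ident, 0x4000,
                       ttl, 17, 0, to_bytes(src), to_bytes(dst))

def dscp_preserved(ingress: bytes, egress: bytes) -> tuple:
    """Return (same_packet, dscp_kept). Packets are matched on IP ID and destination,
    which assumes source NAT only, as in the lab in the thread."""
    a, b = parse_ipv4(ingress), parse_ipv4(egress)
    same = a["id"] == b["id"] and a["dst"] == b["dst"]
    return same, same and a["dscp"] == b["dscp"]

# Constructed samples (hypothetical addresses): R2 behind Port2 sends to R3 past Port1;
# the firewall source-NATs to its Port1 address and leaves the DSCP untouched.
INGRESS = build_ipv4("192.0.2.10", "198.51.100.20", 0x0023, DSCP_EF)
EGRESS = build_ipv4("203.0.113.1", "198.51.100.20", 0x0023, DSCP_EF, ttl=63)
# What a remark to DSCP 0 on egress would look like, for contrast.
EGRESS_REMARKED = build_ipv4("203.0.113.1", "198.51.100.20", 0x0023, 0, ttl=63)

if __name__ == "__main__":
    print(dscp_preserved(INGRESS, EGRESS))           # (True, True)
    print(dscp_preserved(INGRESS, EGRESS_REMARKED))  # (True, False)
```

On a real capture, feed the 20-byte IPv4 header of each frame (after the Ethernet header) to parse_ipv4 and compare the matching pairs the same way.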

fortimaster

Yes, it's just what I need: that the packet maintains the marking when it passes through the firewall and the firewall, in turn, prioritizes it. So I think everything is clear and it has been very helpful. I do not have to do anything directly in the policies through which the traffic passes, and the DSCP will maintain its original marking, since the policies, by default, have the commands you indicate disabled.
