Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: QOS/DSCP Configuration Question
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
QOS/DSCP Configuration Question
Have a client that will be going over an MPLS for VOIP. They are currently on 5.2.1.
Their provider requires the following DSCP coding and priorities:
DSCP 24 - SIP Signaling - Medium High DSCP 34 - Notifier Signaling - Medium High DSCP 46 - RTP Audio - EF Top Priority All other traffic best effort.
What is the best way to configure this? Note - the current setup is a single VLAN for VOIP and the idea is all traffic going in and out of the MPLS needs to recognize and respond to the various DSCP codes for this traffic appropriately.
I've looked over the documentation for DSCP and TOS, and it appears there is multiple ways to accomplish this.
One way I suspect would be multiple traffic shapers for each DSCP code a separate policy for each one with each traffic shaper applied, although it seems to me this is not the best way to do it.
Any thoughts/suggestions?
Thanks!
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can build a fwpolicy with fwd/rev dscp enabled and set the value per-interesting traffic. This works very well if you have a handful of policies to manage
e.g
edit 126 set srcintf "port1" set dstintf "wan1" set srcaddr "SoftSWITCHOccidental" set dstaddr "SoftSWITCHOriental" set action accept set schedule "always" set service "CUST-90" set diffserv-forward enable set diffservcode-forward 101000
set comments " TO ALLOW SIGNAL " next end
You can also allow prioritization within the firewall using a predefine 3 queues model for the scheduler
set traffic-shaper
and a shaper
edit "SIPudp-rate" set guaranteed-bandwidth 8000 set maximum-bandwidth 10000 set per-policy enable set priority low low medium high next
Just ensure you honer DSCP/TOS and trust it along your interfaces if you have any QoS enabled switches. It might beneficial to spot check DSCP values are no dropped or clear to 00/00 on each end of the MPLS provider.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:You can build a fwpolicy with fwd/rev dscp enabled and set the value per-interesting traffic. This works very well if you have a handful of policies to manage
e.g
edit 126 set srcintf "port1" set dstintf "wan1" set srcaddr "SoftSWITCHOccidental" set dstaddr "SoftSWITCHOriental" set action accept set schedule "always" set service "CUST-90" set diffserv-forward enable set diffservcode-forward 101000
set comments " TO ALLOW SIGNAL " next end
You can also allow prioritization within the firewall using a predefine 3 queues model for the scheduler
set traffic-shaper
and a shaper
edit "SIPudp-rate" set guaranteed-bandwidth 8000 set maximum-bandwidth 10000 set per-policy enable set priority low low medium high next
Just ensure you honer DSCP/TOS and trust it along your interfaces if you have any QoS enabled switches. It might beneficial to spot check DSCP values are no dropped or clear to 00/00 on each end of the MPLS provider.
Ken
So - for the first example, I'd essentially have a policy for each of the three types of traffic and set the DSCP inside the policy for each one - does that also set the priorities automatically, then, based on the DSCP value, or do I specify that somewhere else? I like this, currently there's not a ton of policies and I can't see a need for a lot of policies for this because its a devoted VLAN.
For the second possibility - if I create 3 shapers - one for each DSCP code, do I then need to identify a max/min bandwidth, or just make sure I have the priorities right? The way I see it - (and I could be wrong) - this one MIGHT be easier to implement as I could use a service of all, and then, one policy for each shaper with same source/destination?
Thanks,
Brent
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your understanding is correct, but one part needs to be cleared. If you set the DSCP on the policy and there's not TrafficShaper profile, you won't have QoS schedule against the 3 queues. All traffic is treat the same.
FWIW, The firewall has 4 queues;
BE ( best effort )
low
medium
high
And with no TSprofile defined, all is riding against BE. If your model is complex or become complex, you need to keep in consideration all of the totals within in TSprofiles to be sure you don't oversubscribe or deplete a queue limit.
But every else you said is correct, you defined your 3 TS profiles with the guaranteed bandwidth and queue. You can apply the DSCP l3 header fix up within the TS profile & apply it to the policy(s). I've always built mind with unique TS profiles for realtime data ( voice-path and signaling )
Also you can adjust the TOS or DSCP mapping in the system global setting and monitor TS usage in the monitor.
config sys global
set traffic-priority tos or dscp
end
I believe this set do we look and match on the 6bit TOS or full DSCP for matching.
And then remember to carry DSCP from the carrier inbound if you need to carry across the "ingress" interface to the application. Outside of that,you logic is correct.
If your using a ATT Eman or whatever it's not called, make you sure you monitor the DSCP markings after the turn up or activation. They have bad practices & history and will screw it up now or later from my experience. US Sprint and Patec was silghtly better ;)
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,693 -
FortiClient
1,762 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
431 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1712 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.