Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: QOS/DSCP Configuration Question
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
QOS/DSCP Configuration Question
Have a client that will be going over an MPLS for VOIP. They are currently on 5.2.1.
Their provider requires the following DSCP coding and priorities:
DSCP 24 - SIP Signaling - Medium High DSCP 34 - Notifier Signaling - Medium High DSCP 46 - RTP Audio - EF Top Priority All other traffic best effort.
What is the best way to configure this? Note - the current setup is a single VLAN for VOIP and the idea is all traffic going in and out of the MPLS needs to recognize and respond to the various DSCP codes for this traffic appropriately.
I've looked over the documentation for DSCP and TOS, and it appears there is multiple ways to accomplish this.
One way I suspect would be multiple traffic shapers for each DSCP code a separate policy for each one with each traffic shaper applied, although it seems to me this is not the best way to do it.
Any thoughts/suggestions?
Thanks!
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can build a fwpolicy with fwd/rev dscp enabled and set the value per-interesting traffic. This works very well if you have a handful of policies to manage
e.g
edit 126 set srcintf "port1" set dstintf "wan1" set srcaddr "SoftSWITCHOccidental" set dstaddr "SoftSWITCHOriental" set action accept set schedule "always" set service "CUST-90" set diffserv-forward enable set diffservcode-forward 101000
set comments " TO ALLOW SIGNAL " next end
You can also allow prioritization within the firewall using a predefine 3 queues model for the scheduler
set traffic-shaper
and a shaper
edit "SIPudp-rate" set guaranteed-bandwidth 8000 set maximum-bandwidth 10000 set per-policy enable set priority low low medium high next
Just ensure you honer DSCP/TOS and trust it along your interfaces if you have any QoS enabled switches. It might beneficial to spot check DSCP values are no dropped or clear to 00/00 on each end of the MPLS provider.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:You can build a fwpolicy with fwd/rev dscp enabled and set the value per-interesting traffic. This works very well if you have a handful of policies to manage
e.g
edit 126 set srcintf "port1" set dstintf "wan1" set srcaddr "SoftSWITCHOccidental" set dstaddr "SoftSWITCHOriental" set action accept set schedule "always" set service "CUST-90" set diffserv-forward enable set diffservcode-forward 101000
set comments " TO ALLOW SIGNAL " next end
You can also allow prioritization within the firewall using a predefine 3 queues model for the scheduler
set traffic-shaper
and a shaper
edit "SIPudp-rate" set guaranteed-bandwidth 8000 set maximum-bandwidth 10000 set per-policy enable set priority low low medium high next
Just ensure you honer DSCP/TOS and trust it along your interfaces if you have any QoS enabled switches. It might beneficial to spot check DSCP values are no dropped or clear to 00/00 on each end of the MPLS provider.
Ken
So - for the first example, I'd essentially have a policy for each of the three types of traffic and set the DSCP inside the policy for each one - does that also set the priorities automatically, then, based on the DSCP value, or do I specify that somewhere else? I like this, currently there's not a ton of policies and I can't see a need for a lot of policies for this because its a devoted VLAN.
For the second possibility - if I create 3 shapers - one for each DSCP code, do I then need to identify a max/min bandwidth, or just make sure I have the priorities right? The way I see it - (and I could be wrong) - this one MIGHT be easier to implement as I could use a service of all, and then, one policy for each shaper with same source/destination?
Thanks,
Brent
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your understanding is correct, but one part needs to be cleared. If you set the DSCP on the policy and there's not TrafficShaper profile, you won't have QoS schedule against the 3 queues. All traffic is treat the same.
FWIW, The firewall has 4 queues;
BE ( best effort )
low
medium
high
And with no TSprofile defined, all is riding against BE. If your model is complex or become complex, you need to keep in consideration all of the totals within in TSprofiles to be sure you don't oversubscribe or deplete a queue limit.
But every else you said is correct, you defined your 3 TS profiles with the guaranteed bandwidth and queue. You can apply the DSCP l3 header fix up within the TS profile & apply it to the policy(s). I've always built mind with unique TS profiles for realtime data ( voice-path and signaling )
Also you can adjust the TOS or DSCP mapping in the system global setting and monitor TS usage in the monitor.
config sys global
set traffic-priority tos or dscp
end
I believe this set do we look and match on the 6bit TOS or full DSCP for matching.
And then remember to carry DSCP from the carrier inbound if you need to carry across the "ingress" interface to the application. Outside of that,you logic is correct.
If your using a ATT Eman or whatever it's not called, make you sure you monitor the DSCP markings after the turn up or activation. They have bad practices & history and will screw it up now or later from my experience. US Sprint and Patec was silghtly better ;)
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Issue with Cross-VLAN Communication over VXLAN/IPSEC... 38 Views
- SSL VPN WITH ZTNA 74 Views
- Configuring SAML SSO Entra Login 167 Views
- Questions regarding antivirus profile ? 55 Views
- Assistance Needed for Dual Tunnel Setup... 68 Views
Labels
-
FortiGate
8,250 -
FortiClient
1,665 -
5.2
801 -
FortiManager
692 -
5.4
639 -
FortiAnalyzer
525 -
FortiSwitch
444 -
FortiAP
436 -
6.0
416 -
FortiClient EMS
382 -
5.6
362 -
FortiMail
306 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
SSL-VPN
196 -
FortiWeb
193 -
FortiNAC
167 -
IPsec
166 -
FortiGuard
131 -
6.4
128 -
SD-WAN
101 -
FortiGateCloud
100 -
FortiSIEM
96 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
77 -
Customer Service
75 -
Wireless Controller
75 -
Firewall policy
67 -
4.0MR3
64 -
FortiProxy
55 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
VLAN
46 -
ZTNA
44 -
High Availability
44 -
FortiExtender
43 -
FortiDNS
42 -
FortiSandbox
40 -
Routing
37 -
DNS
37 -
BGP
36 -
FortiGate v5.4
35 -
LDAP
35 -
FortiSwitch v6.4
33 -
SAML
32 -
Interface
31 -
Certificate
31 -
SSO
29 -
FortiConnect
28 -
Authentication
28 -
NAT
28 -
RADIUS
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiLink
25 -
VDOM
24 -
FortiGate v5.2
23 -
Application control
22 -
Virtual IP
22 -
Web profile
21 -
Logging
20 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
FortiPAM
18 -
Traffic shaping
17 -
SSL SSH inspection
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
OSPF
14 -
IP address management - IPAM
14 -
FortiSOAR
12 -
FortiCASB
12 -
SNMP
12 -
SSID
12 -
Admin
12 -
Static route
12 -
WAN optimization
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
Automation
11 -
System settings
11 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiManager v4.0
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiDeceptor
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
Web rating
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1593 | |
| 1045 | |
| 749 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.