Enforce QoS Based on DSCP Classification
Focus
Focus

Enforce QoS Based on DSCP Classification

Table of Contents

Enforce QoS Based on DSCP Classification

A Differentiated Services Code Point (DSCP) is a packet header value that can be used to request (for example) high priority or best effort delivery for traffic. Session-Based DSCP Classification allows you to both honor DSCP values for incoming traffic and to mark a session with a DSCP value as session traffic exits the firewall. This enables all inbound and outbound traffic for a session to receive continuous QoS treatment as it flows through your network. For example, inbound return traffic from an external server can now be treated with the same QoS priority that the firewall initially enforced for the outbound flow based on the DSCP value the firewall detected at the beginning of the session. Network devices between the firewall and end user will also then enforce the same priority for the return traffic (and any other outbound or inbound traffic for the session).
You cannot apply DSCP code points or QoS to SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy traffic.
Different types of DSCP markings indicate different levels of service:
Completing this step enables the firewall to mark traffic with the same DSCP value that was detected at the beginning of a session (in this example, the firewall would mark return traffic with the DSCP AF11 value). While configuring QoS allows you to shape traffic as it egresses the firewall, enabling this option in a security rule allows the other network devices intermediate to the firewall and the client to continue to enforce priority for DSCP marked traffic.
  • Expedited Forwarding (EF): Can be used to request low loss, low latency and guaranteed bandwidth for traffic. Packets with EF codepoint values are typically guaranteed highest priority delivery.
  • Assured Forwarding (AF): Can be used to provide reliable delivery for applications. Packets with AF codepoint indicate a request for the traffic to receive higher priority treatment than the best-effort service provides (though packets with an EF codepoint will continue to take precedence over those with an AF codepoint).
  • Class Selector (CS): Can be used to provide backward compatibility with network devices that use the IP precedence field to mark priority traffic.
  • IP Precedence (ToS): Can be used by legacy network devices to mark priority traffic (the IP Precedence header field was used to indicate the priority for a packet before the introduction of the DSCP classification).
  • Custom Codepoint: Create a custom codepoint to match to traffic by entering a Codepoint Name and Binary Value.
For example, select the Assured Forwarding (AF) to ensure traffic marked with an AF codepoint value has higher priority for reliable delivery over applications marked to receive lower priority.Use the following steps to enable Session-Based DSCP Classification. Start by configuring QoS based on the DSCP marking detected at the beginning of a session. You can then continue to enable the firewall to mark the return flow for a session with the same DSCP value used to enforce QoS for the initial outbound flow.
  1. Perform the preliminary steps to Configure QoS.
  2. Define the traffic to receive QoS treatment based on DSCP value.
    1. Select PoliciesQoS and Add or modify an existing QoS rule and populate required fields.
    2. Select DSCP/ToS and select Codepoints.
    3. Add DSCP/ToS codepoints for which you want to enforce QoS.
    4. Select the Type of DSCP/ToS marking for the QoS rule to match to traffic:
      It is a best practice to use a single DSCP type to manage and prioritize your network traffic.
    5. Match the QoS policy to traffic on a more granular scale by specifying the Codepoint value. For example, with Assured Forwarding (AF) selected as the Type of DSCP value for the policy to match, further specify an AF Codepoint value such as AF11.
      When Expedited Forwarding (EF) is selected as the Type of DSCP marking, a granular Codepoint value cannot be specified. The QoS policy rule matches to traffic marked with any EF codepoint value.
    6. Select Other Settings and assign a QoS Class to traffic matched to the QoS rule. In this example, assign Class 1 to sessions where a DSCP marking of AF11 is detected for the first packet in the session.
    7. Click OK to save the QoS rule.
  3. Define the QoS priority for traffic to receive when it is matched to a QoS rule based the DSCP marking detected at the beginning of a session.
    1. Select NetworkNetwork ProfilesQoS Profile and Add or modify an existing QoS profile. For details on profile options to set priority and bandwidth for traffic, see QoS Concepts and Configure QoS.
    2. Add or modify a profile class. For example, because Step 2 showed steps to classify AF11 traffic as Class 1 traffic, you could add or modify a class1 entry.
    3. Select a Priority for the class of traffic, such as high.
    4. Click OK to save the QoS Profile.
  4. Enable QoS on an interface.
    Select NetworkQoS and Add or modify an existing interface and Turn on QoS feature on this interface.
    In this example, traffic with an AF11 DSCP marking is matched to the QoS rule and assigned Class 1. The QoS profile enabled on the interface enforces high priority treatment for Class 1 traffic as it egresses the firewall (the session outbound traffic).
  5. Enable DSCP Marking.
    Mark return traffic with a DSCP value, enabling the inbound flow for a session to be marked with the same DSCP value detected for the outbound flow.
    1. Select PoliciesSecurity and Add or modify a security policy.
    2. Select Actions and in the QoS Marking drop-down, choose Follow Client-to-Server Flow.
    3. Click OK to save your changes.
    Completing this step enables the firewall to mark traffic with the same DSCP value that was detected at the beginning of a session (in this example, the firewall would mark return traffic with the DSCP AF11 value). While configuring QoS allows you to shape traffic as it egresses the firewall, enabling this option in a security rule allows the other network devices intermediate to the firewall and the client to continue to enforce priority for DSCP marked traffic.
  6. Commit the configuration.
    Commit your changes.