A Differentiated Services Code Point (DSCP) is a packet header value that can be used to request (for example) high priority or best effort delivery for traffic. Session-Based DSCP Classification allows you both to honor DSCP values for incoming traffic and to mark a session with a DSCP value as session traffic exits the firewall. This enables all inbound and outbound traffic for a session to receive continuous QoS treatment as it flows through your network. For example, inbound return traffic from an external server can now be treated with the same QoS priority that the firewall initially enforced for the outbound flow, based on the DSCP value the firewall detected at the beginning of the session. Network devices between the firewall and the end user will then also enforce the same priority for the return traffic (and any other outbound or inbound traffic for the session).
You cannot apply DSCP code points or QoS to SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy traffic.
Different types of DSCP markings indicate different levels of service:
Expedited Forwarding (EF): Can be used to request low loss, low latency and guaranteed bandwidth for traffic. Packets with EF codepoint values are typically guaranteed highest priority delivery.
Assured Forwarding (AF): Can be used to provide reliable delivery for applications. Packets with an AF codepoint indicate a request for the traffic to receive higher priority treatment than best effort service provides (though packets with an EF codepoint will continue to take precedence over those with an AF codepoint).
Class Selector (CS): Can be used to provide backward compatibility with network devices that use the IP Precedence field to mark priority traffic.
IP Precedence (ToS): Can be used by legacy network devices to mark priority traffic (the IP Precedence header field was used to indicate the priority for a packet before the introduction of the DSCP classification).
Custom Codepoint: Create a custom codepoint to match to traffic by entering a Codepoint Name and Binary Value.
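To make the codepoint types above concrete, the following Python helpers (an added example written for this page, not part of the original text and not PAN-OS code) encode and decode the 6-bit DS field of the IPv4 ToS byte as laid out in RFC 2474, RFC 2597 and RFC 3246: EF is the single codepoint 101110, each AFxy codepoint is 8x + 2y, each CSx codepoint sets only the top three bits and therefore lines up with the legacy 3-bit IP Precedence field, and anything else is treated as a custom codepoint entered as a six-character binary value. The function and constant names are this example's own.

```python
# DS field helpers for the DSCP types described above.
# Added example, not Palo Alto Networks code. Bit layouts follow
# RFC 2474 (DS field / Class Selectors), RFC 2597 (AF) and RFC 3246 (EF).

EF = 0b101110  # Expedited Forwarding: the single EF codepoint (decimal 46)


def af_codepoint(af_class: int, drop_precedence: int) -> int:
    """AFxy (RFC 2597): class x in 1..4, drop precedence y in 1..3.

    Bit layout is xxx yy0, so the value is 8*x + 2*y (AF11 = 001010 = 10).
    """
    if not 1 <= af_class <= 4 or not 1 <= drop_precedence <= 3:
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (af_class << 3) | (drop_precedence << 1)


def cs_codepoint(selector: int) -> int:
    """CSx: only the top three bits are set, which is why CS values map
    one-to-one onto the legacy IP Precedence values (CS3 = 011000 = 24)."""
    if not 0 <= selector <= 7:
        raise ValueError("class selector must be 0-7")
    return selector << 3


def dscp_from_tos(tos: int) -> int:
    """The DS field is the upper 6 bits of the ToS byte; the low 2 bits are ECN."""
    return (tos >> 2) & 0x3F


def precedence_from_tos(tos: int) -> int:
    """IP Precedence is the upper 3 bits of the same byte (legacy devices)."""
    return (tos >> 5) & 0x7


def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    """Build the ToS byte that a marking device would write for a codepoint."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x3)


def parse_custom_codepoint(binary_value: str) -> int:
    """A custom codepoint is entered as a six-character binary value."""
    if len(binary_value) != 6 or set(binary_value) - {"0", "1"}:
        raise ValueError("binary value must be exactly six 0/1 characters")
    return int(binary_value, 2)


def dscp_name(dscp: int) -> str:
    """Classify a 6-bit codepoint as EF, AFxy, CSx or a custom value."""
    if not 0 <= dscp <= 0x3F:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == EF:
        return "EF"
    hi, lo = dscp >> 3, dscp & 0b111
    if lo == 0:
        return f"CS{hi}"  # CS0 (000000) is best-effort / default
    if 1 <= hi <= 4 and lo in (2, 4, 6):
        return f"AF{hi}{lo // 2}"
    return f"custom({dscp:06b})"


if __name__ == "__main__":
    # Constructed ToS byte 0x28 = 00101000: DSCP 001010 (AF11), ECN 00
    tos = 0x28
    print(dscp_name(dscp_from_tos(tos)), precedence_from_tos(tos))  # AF11 1
    print(dscp_name(dscp_from_tos(tos_from_dscp(EF))))              # EF
```

The ToS byte 0x28 decodes to AF11 with IP Precedence 1, which is the relationship the Class Selector and IP Precedence entries above rely on: a legacy device reading only the top three bits sees precedence 1 for any AF1x packet.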
For example, select the Assured Forwarding (AF) type to ensure traffic marked with an AF codepoint value has higher priority for reliable delivery over applications marked to receive lower priority.
Use the following steps to enable Session-Based DSCP Classification. Start by configuring QoS based on the DSCP marking detected at the beginning of a session. You can then enable the firewall to mark the return flow for a session with the same DSCP value used to enforce QoS for the initial outbound flow.
Define the traffic to receive QoS treatment based on DSCP value.
Select Policies > QoS and Add or modify an existing QoS rule and populate the required fields.
Select DSCP/ToS and select Codepoints.
Add the DSCP/ToS codepoints for which you want to enforce QoS.
Select the Type of DSCP/ToS marking for the QoS rule to match to traffic. It is a best practice to use a single DSCP type to manage and prioritize your network traffic.
Match the QoS policy to traffic on a more granular scale by specifying the Codepoint value. For example, with Assured Forwarding (AF) selected as the Type of DSCP value for the policy to match, further specify an AF Codepoint value such as AF11. When Expedited Forwarding (EF) is selected as the Type of DSCP marking, a granular Codepoint value cannot be specified; the QoS policy rule matches traffic marked with any EF codepoint value.
Select Other Settings and assign a QoS Class to traffic matched to the QoS rule. In this example, assign Class 1 to sessions where a DSCP marking of AF11 is detected for the first packet in the session.
Click OK to save the QoS rule.
Define the QoS priority for traffic to receive when it is matched to a QoS rule based on the DSCP marking detected at the beginning of a session.
Select Network > Network Profiles > QoS Profile and Add or modify an existing QoS profile. For details on profile options to set priority and bandwidth for traffic, see QoS Concepts and Configure QoS.
Add or modify a profile class. For example, because Step 2 showed steps to classify AF11 traffic as Class 1 traffic, you could add or modify a class1 entry.
Select a Priority for the class of traffic, such as high.
Click OK to save the QoS Profile.
Enable QoS on an interface.
Select Network > QoS and Add or modify an existing interface and Turn on QoS feature on this interface.
In this example, traffic with an AF11 DSCP marking is matched to the QoS rule and assigned Class 1. The QoS profile enabled on the interface enforces high priority treatment for Class 1 traffic as it egresses the firewall (the session's outbound traffic).
Enable DSCP Marking.
Mark return traffic with a DSCP value, enabling the inbound flow for a session to be marked with the same DSCP value detected for the outbound flow.
Select Policies > Security and Add or modify a security policy.
Select Actions and, in the QoS Marking drop-down, choose Follow Client-to-Server Flow.
Click OK to save your changes.
Completing this step enables the firewall to mark traffic with the same DSCP value that was detected at the beginning of a session (in this example, the firewall would mark return traffic with the DSCP AF11 value). While configuring QoS allows you to shape traffic as it egresses the firewall, enabling this option in a security rule allows the other network devices intermediate to the firewall and the client to continue to enforce priority for DSCP-marked traffic.
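As an added illustration of the whole procedure (example code written for this page, not PAN-OS code), the following Python model tracks sessions by 5-tuple, classifies each session from the DSCP of its first client-to-server packet using a QoS rule like the AF11 to Class 1 rule configured above, and, when the security rule's QoS Marking is Follow Client-to-Server Flow, rewrites the DSCP of server-to-client packets to the value detected at session start. Sessions for the proxied traffic types the page excludes receive neither a class nor a marking. The packet fields, the rule structure, the application names used to tag proxied sessions and the default class given to unmatched traffic are assumptions of this example.

```python
# Session-based DSCP classification and return-flow marking, modelled in Python.
# Added example for this page, not PAN-OS code. Packet fields, rule shape,
# application names and the default class are assumptions of this example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

AF11, EF = 10, 46

# The page excludes these proxied traffic types from DSCP/QoS handling;
# the application names used to tag them are this example's own.
PROXIED_APPS = {"ssl-forward-proxy", "ssl-inbound-inspection", "ssh-proxy"}

FiveTuple = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    dscp: int
    app: str = "web-browsing"


@dataclass(frozen=True)
class QosRule:
    name: str
    codepoints: FrozenSet[int]  # DSCP values matched on the first packet
    qos_class: int


@dataclass
class Session:
    key: FiveTuple            # client-to-server direction
    client_dscp: int          # DSCP detected on the first packet
    qos_class: Optional[int]  # None for sessions that get no QoS treatment
    packets: int = 1


class Firewall:
    def __init__(self, qos_rules: List[QosRule], follow_c2s_flow: bool = True,
                 default_class: int = 4) -> None:
        self.qos_rules = qos_rules
        self.follow_c2s_flow = follow_c2s_flow  # security rule QoS Marking setting
        self.default_class = default_class      # assumed class for unmatched traffic
        self.sessions: Dict[FiveTuple, Session] = {}

    @staticmethod
    def _key(p: Packet) -> FiveTuple:
        return (p.src, p.dst, p.sport, p.dport, p.proto)

    @staticmethod
    def _reverse(p: Packet) -> FiveTuple:
        return (p.dst, p.src, p.dport, p.sport, p.proto)

    def process(self, p: Packet) -> Tuple[Optional[int], int]:
        """Return (qos_class, dscp written on egress) for one packet."""
        key, rev = self._key(p), self._reverse(p)
        if key in self.sessions:                  # more client-to-server traffic
            s = self.sessions[key]
            s.packets += 1
            return s.qos_class, p.dscp            # c2s packets keep their own marking
        if rev in self.sessions:                  # server-to-client return traffic
            s = self.sessions[rev]
            s.packets += 1
            if s.qos_class is None:               # proxied app: neither QoS nor marking
                return None, p.dscp
            egress = s.client_dscp if self.follow_c2s_flow else p.dscp
            return s.qos_class, egress
        # First packet of a new session: this is where the DSCP is detected
        # and the QoS rule is evaluated; the result sticks for the session's life.
        qos_class: Optional[int] = None
        if p.app not in PROXIED_APPS:
            qos_class = self.default_class
            for rule in self.qos_rules:
                if p.dscp in rule.codepoints:
                    qos_class = rule.qos_class
                    break
        self.sessions[key] = Session(key, p.dscp, qos_class)
        return qos_class, p.dscp


if __name__ == "__main__":
    fw = Firewall([QosRule("af11-to-class1", frozenset({AF11}), 1)])
    # Constructed packets: a client behind the firewall talking to an external server
    c2s = Packet("10.0.0.5", "203.0.113.10", 51000, 443, "tcp", AF11)
    s2c = Packet("203.0.113.10", "10.0.0.5", 443, 51000, "tcp", 0)
    print(fw.process(c2s))  # (1, 10): AF11 detected, Class 1 assigned
    print(fw.process(s2c))  # (1, 10): return flow re-marked AF11, still Class 1
```

The model makes the two halves of the feature visible separately: the QoS class is decided once, on the first packet, and never re-evaluated, which is why a server that sends its replies unmarked (DSCP 0) still gets Class 1 treatment; the DSCP rewrite on the return flow is what lets devices between the firewall and the client see that same AF11 value and apply their own priority, and it happens only when follow_c2s_flow is set.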