A Differentiated Services Code Point (DSCP) is a packet header value that can be used to request
(for example) high priority or best effort delivery for traffic. Session-Based DSCP
Classification allows you to both honor DSCP values for incoming traffic and to mark
a session with a DSCP value as session traffic exits the firewall. This enables all
inbound and outbound traffic for a session to receive continuous QoS treatment as it
flows through your network. For example, inbound return traffic from an external
server can now be treated with the same QoS priority that the firewall initially
enforced for the outbound flow based on the DSCP value the firewall detected at the
beginning of the session. Network devices between the firewall and end user will
also then enforce the same priority for the return traffic (and any other outbound
or inbound traffic for the session).
You cannot apply DSCP code
points or QoS to SSL Forward Proxy, SSL Inbound Inspection, and
SSH Proxy traffic.
Different types of DSCP markings
indicate different levels of service:
Completing this step
enables the firewall to mark traffic with the same DSCP value that
was detected at the beginning of a session (in this example, the
firewall would mark return traffic with the DSCP AF11 value). While
configuring QoS allows you to shape traffic as it egresses the firewall,
enabling this option in a security rule allows the other network
devices intermediate to the firewall and the client to continue
to enforce priority for DSCP marked traffic.
Expedited
Forwarding (EF)
: Can be used to request low loss, low
latency and guaranteed bandwidth for traffic. Packets with EF codepoint
values are typically guaranteed highest priority delivery.
Assured Forwarding (AF)
: Can be used to provide reliable delivery for
applications. Packets with AF codepoint indicate a request for the traffic
to receive higher priority treatment than the best-effort service provides
(though packets with an EF codepoint will continue to take precedence over
those with an AF codepoint).
Class Selector (CS)
: Can be used to
provide backward compatibility with network devices that use the
IP precedence field to mark priority traffic.
IP Precedence (ToS)
: Can be used by
legacy network devices to mark priority traffic (the IP Precedence
header field was used to indicate the priority for a packet before
the introduction of the DSCP classification).
Custom Codepoint
: Create a custom
codepoint to match to traffic by entering a
Codepoint
Name
and
Binary Value
.
For example, select the
Assured Forwarding (AF)
to ensure traffic marked
with an AF codepoint value has higher priority for reliable delivery over
applications marked to receive lower priority.Use the following steps to enable
Session-Based DSCP Classification. Start by configuring QoS based on the DSCP
marking detected at the beginning of a session. You can then continue to enable the
firewall to mark the return flow for a session with the same DSCP value used to
enforce QoS for the initial outbound flow.
Define
the traffic to receive QoS treatment based on DSCP value.
Select
Policies
QoS
and
Add
or
modify an existing QoS rule and populate required fields.
Select
DSCP/ToS
and select
Codepoints
.
Add
DSCP/ToS codepoints for
which you want to enforce QoS.
Select the
Type
of DSCP/ToS
marking for the QoS rule to match to traffic:
It is a best practice to use a
single DSCP type to manage and prioritize your network traffic.
Match the QoS policy to traffic on a more granular
scale by specifying the
Codepoint
value. For
example, with Assured Forwarding (AF) selected as the
Type
of
DSCP value for the policy to match, further specify an AF
Codepoint
value
such as AF11.
When Expedited Forwarding (EF) is selected as the
Type
of
DSCP marking, a granular
Codepoint
value
cannot be specified. The QoS policy rule matches to traffic marked
with any EF codepoint value.
Select
Other Settings
and assign
a
QoS Class
to traffic matched to the QoS
rule. In this example, assign Class 1 to sessions where a DSCP marking
of AF11 is detected for the first packet in the session.
Click
OK
to save the QoS rule.
Define the QoS priority for traffic to receive when it
is matched to a QoS rule based the DSCP marking detected at the
beginning of a session.
Select
Network
Network Profiles
QoS Profile
and
Add
or
modify an existing QoS profile. For details on profile options to
set priority and bandwidth for traffic, see QoS Concepts and Configure QoS.
Add
or modify a profile class.
For example, because Step 2 showed steps
to classify AF11 traffic as Class 1 traffic, you could add or modify
a
class1
entry.
Select a
Priority
for the class
of traffic, such as
high
.
Click
OK
to save the QoS Profile.
Enable QoS on an interface.
Select
Network
QoS
and
Add
or
modify an existing interface and
Turn on QoS feature
on this interface
.
In this example, traffic with
an AF11 DSCP marking is matched to the QoS rule and assigned Class
1. The QoS profile enabled on the interface enforces high priority
treatment for Class 1 traffic as it egresses the firewall (the session outbound traffic).
Enable DSCP Marking.
Mark return traffic with a DSCP value, enabling the inbound
flow for a session to be marked with the same DSCP value detected
for the outbound flow.
Select
Policies
Security
and
Add
or
modify a security policy.
Select
Actions
and in the
QoS
Marking
drop-down, choose
Follow Client-to-Server
Flow
.
Click
OK
to save your changes.
Completing this step enables the firewall to mark traffic
with the same DSCP value that was detected at the beginning of a session
(in this example, the firewall would mark return traffic with the
DSCP AF11 value). While configuring QoS allows you to shape traffic as
it egresses the firewall, enabling this option in a security rule
allows the other network devices intermediate to the firewall and
the client to continue to enforce priority for DSCP marked traffic.