FortiGate
alif
Article Id 193072
Description
This article describes how to configure Differentiated Services Code Point (DSCP) marking with shaping policy.

Solution
Consider an IPsec VPN tunnel established between two FortiGates.
The IP addresses used here are only examples.
On FortiGate, DSCP marking is enabled in both directions.

The firewall policy on 'FGT-I' is defined as follows.
# config firewall policy
    edit 1
        set srcintf port1
        set dstintf wan2
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set diffserv-forward enable
        set diffservcode-forward 010110
        set diffserv-rev enable
        set diffservcode-rev 010110
    next
end
With this firewall policy, FortiGate rewrites the DSCP field of both the outgoing traffic and its reply traffic to 010110 (AF23).

A shaping policy has been configured for the VPN tunnel interface 'FGT-II-VPN' with a guaranteed bandwidth of 20 Mbps.
# config firewall shaping-policy
    edit 1
        set service "ALL"
        set dstintf "FGT-II-VPN"
        set traffic-shaper "TS_20M"
        set traffic-shaper-reverse "TS_20M"
        set srcaddr "all"
        set dstaddr "all"
    next
end

# config firewall shaper traffic-shaper
    edit "TS_20M"
        set guaranteed-bandwidth 20000
    next
end
If a sniffer is run on the outbound 'WAN2' interface of 'FGT-I', the Wireshark capture shows that neither outbound nor inbound traffic is marked AF23 (010110).
Traffic on the 'WAN2' interface is marked CS0 (best effort), even though the firewall policy is configured with the AF23 marking.

The reason is that a shaping policy is applied to this traffic, and the shaping policy carries its own DSCP marking settings.
The full configuration of the shaping policy shows 'diffserv-forward' and 'diffserv-reverse' disabled, which is why the CS0 marking appears in the packet capture.
FGT5HD-2 (1) # sh full
# config firewall shaping-policy

    edit 1
        set name ''
        set comment ''
        set status enable
        set ip-version 4
        set internet-service disable
        set internet-service-src disable
        set service "ALL"
        set schedule ''
        set dstintf "FGT5HD-3"
        set tos-mask 0x00
        set traffic-shaper "TS_20M"
        set traffic-shaper-reverse "TS_20M"
        set per-ip-shaper ''
        unset class-id
        set diffserv-forward disable
        set diffserv-reverse disable
        set srcaddr "all"
        set dstaddr "all"
    next
end
Once DSCP marking is configured under the shaping policy, the packet capture shows the corresponding marking applied in both directions.
# config firewall shaping-policy
    edit 1
        set service "ALL"
        set dstintf "FGT5HD-3"
        set traffic-shaper "TS_shared_20M_guarantee_High"
        set traffic-shaper-reverse "TS_shared_20M_guarantee_High"
        set diffserv-forward enable
        set diffserv-reverse enable
        set srcaddr "all"
        set dstaddr "all"
        set diffservcode-forward 010110
        set diffservcode-rev 010110
    next
end

In conclusion, when a shaping policy matches the traffic, its DSCP marking settings take precedence over the marking configured under the firewall policy.
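As an added illustration (not part of the original article), the following Python script models the precedence described above: it parses the DSCP lines of constructed firewall-policy and shaping-policy fragments, decides which marking the packet leaves with, and names the codepoint the way Wireshark does. The policy fragments and the assumption that the original traffic is unmarked (CS0) are constructed for the example.

```python
import re

# Constructed FortiOS fragments mirroring the article's two policies (DSCP lines only).
FIREWALL_POLICY = """
    set diffserv-forward enable
    set diffservcode-forward 010110
    set diffserv-rev enable
    set diffservcode-rev 010110
"""
SHAPING_POLICY_DEFAULT = """
    set diffserv-forward disable
    set diffserv-reverse disable
"""
SHAPING_POLICY_MARKED = """
    set diffserv-forward enable
    set diffserv-reverse enable
    set diffservcode-forward 010110
    set diffservcode-rev 010110
"""

def parse_settings(block):
    """Collect the 'set <key> <value>' lines of a FortiOS edit block into a dict."""
    return {m.group(1): m.group(2).strip('"\'')
            for m in re.finditer(r'^\s*set (\S+)\s+(\S+)', block, re.M)}

def dscp_name(code):
    """Name a 6-bit DSCP value the way Wireshark labels it (CSx, AFxy, EF, else DSCPn)."""
    if code == 46:
        return "EF"
    if code % 8 == 0:                 # class selectors; CS0 is best effort
        return f"CS{code // 8}"
    cls, drop = code >> 3, (code & 0x7) >> 1
    if 1 <= cls <= 4 and 1 <= drop <= 3 and code & 1 == 0:
        return f"AF{cls}{drop}"       # 010110 -> class 2, drop precedence 3 -> AF23
    return f"DSCP{code}"

def effective_dscp(fw, shaping, direction, original=0):
    """DSCP the packet leaves with, as the article observes: a matching shaping policy's
    diffserv setting overrides the firewall policy; if disabled, the original value stays."""
    fwd = direction == "forward"
    code_key = "diffservcode-forward" if fwd else "diffservcode-rev"
    if shaping is not None:
        # shaping-policy spells the reverse switch 'diffserv-reverse' ...
        if shaping.get("diffserv-forward" if fwd else "diffserv-reverse") == "enable":
            return int(shaping[code_key], 2)
        return original
    # ... while firewall policy spells it 'diffserv-rev'
    if fw.get("diffserv-forward" if fwd else "diffserv-rev") == "enable":
        return int(fw[code_key], 2)
    return original
```

Pass `shaping=None` to see what the firewall policy alone would produce (AF23), versus the CS0 result when the default shaping policy matches.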

Related Articles

Technical Tip: Differentiated Services Code Point (DSCP) marking