Wednesday, February 4, 2015

HOWTO: fortigate tos/dscp markup

In this post we will look at how easy it is to classified  QoS within the layer3 header of a IP datagram on a fortigate.

1st a little background, there's 8 bits allowed in ip_header  for QoS, but the 8th bit is unused. So this leaves us really with 7 bits. This 8th bit should always be "0" btw.

So in IP_Precedence  the 1st 3 bits are used for classification of traffic and setting traffic in one of the 8 precedences.

With DSCP you now have  6 bits total that can be used for classification, with 3 levels & with 4 drop-class.

So this gives you more room with fine tuning your QoS classifications and markups.
BTW: The 1st 3 bits in DSCP are class-selectors and  reflects the classes  of 1-thru-4  in the above snapshot

Now for DSCP on a fortigate, you  needs to 1st enabled it for the firewall-policy and in the direction.

e.g enabling  a dscp  value of  3F binary 111 111

Here's I'm demonstrating a DSCP value of 63 0x3F which is not a common DSCP value. And will use the diagnostic sessions to validate  my fwpolicy by id#.

If you want to  know the real values for DSCP use a cheat-sheet, similar to the following link.

Tip I marked off a few of the common values used everyday by VoIP solutions. 0x0 is BE ( best effort ) or simply known as the default.

Yeap, it's that easy for you to enable  DSCP on a fortigate. Most carriers will give you a QoS contract and tell you what markings it will expect and the bandwidth and prioritization for the traffic that you markup.

I've seem various QoS agreements from ATT, Paetec and Sprint,but  they all work about the same. A QoS policy could be similar to the below xls snapshot with any traffic exceeding the limits reclassified to Best Effort or drop if bandwidth is not available. Your provider should explain the terms of the QoS contract and any re-classifications.

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- socpuppets ---dot---com

    ^    ^
=( #  # )=
      /   \

1 comment:

  1. Hi!

    I Would like to know if is it possible to classify/priorize traffic on GRE Tunnel?