Communicating DSCP markers to other network equipment to prioritize traffic

DSCP (Differentiated Services Code Point, carried in the IP type of service field) markers in the traffic are a standard way to indicate priorities in network traffic. Your own routers and your ISP's routers might decide how to handle packets based on the priority marked in the traffic.

It is possible to read or write DSCP markers for a particular type of traffic without configuring Access rules that apply a QoS Class to the traffic. The matching is done based on the QoS Policy alone. When a packet that matches a particular protocol comes in, the Engine reads the DSCP marker and assigns a QoS Class according to the DSCP Match/Mark rules of the QoS Policy on the interface through which the traffic enters the Engine. When the packet is sent out, the Engine writes a DSCP marker into the packet. The marking is based on the QoS Class according to the DSCP Match/Mark rules of the QoS Policy on the interface through which the traffic leaves the Engine.

The markers allow you to:

  • Communicate the priority of this traffic to other devices that support QoS.
  • Convert the packet to use a different classification scheme, if the QoS Class was originally assigned to matching traffic by a DSCP match in the source interface’s QoS Policy.
  • Remove the DSCP classification set by other devices by entering 0 as the value (shown in the policy as 0x00).

Two QoS Policies on two Physical Interfaces can be used together to translate between two different DSCP schemes as shown in the illustration.

Figure: Translating between two DSCP schemes

In the illustration, the packets arrive at Physical Interface 1. The firewall reads the existing DSCP value and compares it to the QoS Policy assigned to Physical Interface 1. The policy has a DSCP Match rule for the DSCP marker with an associated QoS Class, which is then assigned to this traffic.

Note: The same traffic must not match any firewall Access rule with a QoS Class definition. The QoS Class in the Access rule overrides the QoS Class that is assigned based on the DSCP marker.

When the packets are sent out through Physical Interface 2, the firewall checks the QoS Policy assigned to this Physical Interface. In this QoS Policy, a DSCP Match/Mark rule defines that traffic with the assigned QoS Class is marked with the DSCP marker specified in the rule. The firewall overwrites the original DSCP marker before sending the packets onwards.

  • By default, the DSCP mark for the encrypted ESP packet in VPN traffic is inherited from the plaintext packet. Selecting a QoS Policy in the properties of the policy-based VPN makes it possible to mark the ESP packet after encryption.
  • Priorities, limits, and guarantees are applied, and DSCP codes are written, on the interface through which the traffic leaves the Engine, according to the QoS Policy and interface speed defined for that interface.
  • For packets entering the Engine, the QoS Policy on that interface is used only for reading DSCP codes and matching them to QoS Classes for further use. This is the only QoS operation that is done on the interface through which the traffic enters the Engine.

    Example: A new packet enters a Firewall through interface A and leaves the Firewall through interface B. The priorities, guarantees, and limits configured on interface A are ignored for packets in this direction. Any priorities, guarantees, and limits are configured and applied on interface B. If the packet contains a DSCP code when entering the Firewall, the DSCP code is read and matched to a QoS Class on interface A. If a new DSCP code is (over)written in the packet, the new code is written on interface B.
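The following is an added example that models the translation described above; it is not code from the NGFW product or its documentation. The policy names, QoS Classes and DSCP values in it are constructed for illustration, and the Access rule override is modelled as an optional parameter.

```python
# Added example (not part of the NGFW documentation): a model of how a
# QoS Policy's DSCP Match/Mark rules translate markers between two interfaces.
# Policy contents, QoS Class names and DSCP values are constructed here.

DSCP_SHIFT = 2          # DSCP occupies the upper 6 bits of the IP DS/ToS byte
ECN_MASK = 0x03         # the lower 2 bits are ECN and must be left untouched

def read_dscp(ds_byte: int) -> int:
    """Extract the 6-bit DSCP value from the DS (former ToS) byte."""
    return (ds_byte >> DSCP_SHIFT) & 0x3F

def write_dscp(ds_byte: int, dscp: int) -> int:
    """Overwrite the DSCP bits of the DS byte, preserving the ECN bits."""
    return ((dscp & 0x3F) << DSCP_SHIFT) | (ds_byte & ECN_MASK)

# Constructed QoS Policy on the ingress interface: DSCP Match rules (DSCP -> QoS Class).
POLICY_IF1_MATCH = {0x2E: "Voice", 0x1A: "Video", 0x00: "Best-Effort"}

# Constructed QoS Policy on the egress interface: DSCP Mark rules (QoS Class -> DSCP).
# The 0x00 mark models "remove the classification set by other devices".
POLICY_IF2_MARK = {"Voice": 0x30, "Video": 0x00, "Best-Effort": 0x00}

def classify_on_ingress(ds_byte, match_rules, access_rule_class=None):
    """Assign a QoS Class on the ingress interface.

    A QoS Class set by a matching Access rule overrides the class derived
    from the DSCP marker, as the note in the text warns."""
    if access_rule_class is not None:
        return access_rule_class
    return match_rules.get(read_dscp(ds_byte))

def mark_on_egress(ds_byte, qos_class, mark_rules):
    """Write the DSCP marker for the QoS Class on the egress interface.

    If no Mark rule exists for the class, the marker is left unchanged."""
    if qos_class in mark_rules:
        return write_dscp(ds_byte, mark_rules[qos_class])
    return ds_byte

def translate(ds_byte, access_rule_class=None):
    """Full path: enter interface 1, classify, leave interface 2, re-mark.

    Returns the outgoing DS byte and the QoS Class that was assigned."""
    qos_class = classify_on_ingress(ds_byte, POLICY_IF1_MATCH, access_rule_class)
    return mark_on_egress(ds_byte, qos_class, POLICY_IF2_MARK), qos_class

if __name__ == "__main__":
    # EF (0x2E) with ECN bits 0b01: DSCP is rewritten to 0x30, ECN bits survive
    print(translate((0x2E << DSCP_SHIFT) | 0x01))
```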