Communicating DSCP markers to other network equipment to prioritize traffic

You and your ISP might have routers that also decide how to handle packets based on the priority of the traffic. DSCP (Differentiated Services Code Point) markers in the DiffServ type of service field of the traffic are a standard way to indicate priorities in network traffic.

It is possible to read or write DSCP markers for a particular type of traffic without configuring Access rules to apply a QoS Class to the traffic. The matching is done based on the QoS Policy. When a packet that matches a particular protocol comes in, the engine reads the DSCP marker and assigns a QoS Class according to the DSCP Match/Mark rules of the QoS Policy. When the packet is sent out, the engine writes a DSCP mark in the packet. The marking is based on the QoS Class according to the DSCP Match/Mark rules of the QoS Policy on the interface through which the traffic leaves the engine.

The markers allow you to:
  • Communicate the priority of this traffic to other devices that support QoS.
  • Convert the packet to use a different classification scheme, if the QoS Class was originally assigned to matching traffic by a DSCP match in the source interface’s QoS Policy.
  • Remove the DSCP classification set by other devices by entering 0 as the value (shown in the policy as 0x00).

Two QoS Policies on two Physical Interfaces can be used together to translate between two different DSCP schemes, as shown in the illustration.

Figure: Translating between two DSCP schemes



In the illustration, the packets arrive at Physical Interface 1. The firewall reads the existing DSCP value and compares it to the QoS Policy assigned to Physical Interface 1. The policy has a DSCP Match rule for the DSCP marker with an associated QoS Class, which is then assigned to this traffic.

Note: The same traffic must not match any firewall Access rule with a QoS Class definition. The QoS Class in the Access rule overrides the QoS Class that is assigned based on the DSCP marker.

When the packets are sent out through Physical Interface 2, the firewall checks the QoS Policy assigned to this Physical Interface. In this QoS Policy, a DSCP Match/Mark rule defines that traffic with the assigned QoS Class is marked with a DSCP marker specified in the rule. The firewall overwrites the original DSCP marker before sending the packets onwards.
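
The match-then-mark translation described above, modeled on raw IPv4 headers. This is an added example, not the product's own code or configuration; the policy tables, QoS Class names, DSCP values and function names are constructed for illustration. It assumes that traffic without a matching rule keeps its original marker and that the two ECN bits sharing the byte with DSCP are preserved.

```python
import struct

# Hypothetical QoS Policies (class names and DSCP values are constructed).
IF1_MATCH = {0x2E: "Voice", 0x1A: "Business"}                 # Interface 1: DSCP -> QoS Class
IF2_MARK = {"Voice": 0x28, "Business": 0x12, "Scrub": 0x00}   # Interface 2: QoS Class -> DSCP

def ipv4_checksum(header: bytes) -> int:
    """One's-complement header checksum; returns 0 over a header that is already valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(header: bytes, access_rule_class=None):
    """Ingress: a QoS Class from an Access rule overrides the DSCP match."""
    dscp = header[1] >> 2  # DSCP is the upper six bits of the second header byte
    return access_rule_class or IF1_MATCH.get(dscp)

def remark(header: bytes, qos_class) -> bytes:
    """Egress: overwrite the DSCP marker for the class and fix the checksum."""
    if qos_class not in IF2_MARK:
        return header  # assumption: no rule for this class leaves the marker as is
    out = bytearray(header)
    out[1] = (IF2_MARK[qos_class] << 2) | (header[1] & 0x03)  # assumption: keep ECN bits
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", ipv4_checksum(bytes(out)))
    return bytes(out)

def translate(header: bytes, access_rule_class=None) -> bytes:
    """Packet enters on Interface 1 and leaves on Interface 2."""
    return remark(header, classify(header, access_rule_class))

def build_header(dscp: int, ecn: int = 0) -> bytes:
    """Constructed 20-byte IPv4/UDP header using documentation addresses."""
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 20, 0, 0,
                              64, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])))
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)

if __name__ == "__main__":
    for dscp, rule in [(0x2E, None), (0x2E, "Scrub"), (0x08, None)]:
        out = translate(build_header(dscp), rule)
        print(f"in 0x{dscp:02X} access_rule={rule} -> out 0x{out[1] >> 2:02X}")
```

The second case shows the behavior from the Note: the Access rule's QoS Class wins over the class the DSCP match would have assigned, so the outgoing marker follows the Access rule.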