SonicOSX 7 Profile Objects

Managing QoS Marking

The QoS Marking Profile is configured from the Bandwidth/QoS view of the Add/Edit Security Rule Action dialog of the OBJECT | Actions > Security Rule page:

Both 802.1p and DSCP marking, as managed by SonicOS Security Rules, provide four actions: None, Preserve, Explicit, and Map. The default action for DSCP is Preserve and the default action for 802.1p is None.

The table QoS Marking: Behavior describes the behavior of each action for both methods of marking:

QoS Marking: Behavior
| Action | 802.1p (Layer 2 CoS) | DSCP (Layer 3) | Notes |
|---|---|---|---|
| None | When packets matching this class of traffic (as defined by the Security Rule) are sent out the egress interface, no 802.1p tag is added. | The DSCP tag is explicitly set (or reset) to 0. | If the target interface for this class of traffic is a VLAN subinterface, the 802.1p portion of the 802.1q tag is explicitly set to 0. If this class of traffic is destined for a VLAN and is using 802.1p for prioritization, a specific Security Rule using the Preserve, Explicit, or Map action should be defined for this class of traffic. |
| Preserve | Existing 802.1p tag is preserved. | Existing DSCP tag value is preserved. | |
| Explicit | An explicit 802.1p tag value can be assigned (0-7) from a drop-down menu that is presented. | An explicit DSCP tag value can be assigned (0-63) from a drop-down menu that is presented. | If either the 802.1p or the DSCP action is set to Explicit while the other is set to Map, the explicit assignment occurs first, and then the other is mapped according to that assignment. |
| Map | The mapping setting defined in the OBJECT \| Actions > Security Rule page is used to map from a DSCP tag to an 802.1p tag. | The mapping setting defined in the OBJECT \| Actions > Security Rule page is used to map from an 802.1p tag to a DSCP tag. An additional checkbox is presented to Allow 802.1p Marking to override DSCP values. Selecting this checkbox asserts the mapped 802.1p value over any DSCP value that might have been set by the client. This is useful to override clients setting their own DSCP CoS values. | If Map is set as the action on both DSCP and 802.1p, mapping only occurs in one direction: if the packet is from a VLAN and arrives with an 802.1p tag, then DSCP is mapped from the 802.1p tag; if the packet is destined to a VLAN, then 802.1p is mapped from the DSCP tag. |

For example, refer to Bi-directional DSCP Tag Action, which illustrates a DSCP tag action applied in both directions of a flow.

Bi-directional DSCP Tag Action

HTTP access from a Web-browser on 192.168.168.100 to the Web server on 10.50.165.2 results in the tagging of the inner (payload) packet and the outer (encapsulating ESP) packets with a DSCP value of 8. When the packets emerge from the other end of the tunnel, and are delivered to 10.50.165.2, they bear a DSCP tag of 8. When 10.50.165.2 sends response packets back across the tunnel to 192.168.168.100 (beginning with the very first SYN/ACK packet) the Security Rule tags the response packets delivered to 192.168.168.100 with a DSCP value of 8.

This behavior applies to all four QoS action settings for both DSCP and 802.1p marking.

One practical application for this behavior would be configuring an 802.1p marking rule for traffic destined for the VPN zone. Although 802.1p tags cannot be sent across the VPN, reply packets coming back across the VPN can be 802.1p tagged on egress from the tunnel. This requires that 802.1p tagging is active on the physical egress interface, and that the [Zone] > VPN Access Rule has an 802.1p marking action other than None.

After ensuring 802.1p compatibility with your relevant network devices, and enabling 802.1p marking on applicable SonicWall interfaces, you can begin configuring Security Rules to manage 802.1p tags.

The Remote Site 1 network could have two Access Rules configured as in Remote site 1: Sample access rule configuration.

Remote Site 1: Sample Security Rule Configuration
| Setting | Access Rule 1 | Access Rule 2 |
|---|---|---|
| General View | | |
| Action | Allow | Allow |
| From Zone | LAN | VPN |
| To Zone | VPN | LAN |
| Service | VoIP | VoIP |
| Source | LAN Primary Subnet | Main Site Subnets |
| Destination | Main Site Subnets | LAN Primary Subnet |
| Users Allowed | All | All |
| Schedule | Always on | Always on |
| Enable Logging | Enabled | Enabled |
| Allow Fragmented Packets | Enabled | Enabled |
| QoS View | | |
| DSCP Marking Action | Map | Map |
| Allow 802.1p Marking to override DSCP values | Enabled | Enabled |
| 802.1p Marking Action | Map | Map |

The first Access Rule (governing LAN>VPN) would have the following effects:

  • VoIP traffic (as defined by the Service Group) from LAN Primary Subnet destined to be sent across the VPN to Main Site Subnets would be evaluated for both DSCP and 802.1p tags.
    • The combination of setting both DSCP and 802.1p marking actions to Map is described in the table earlier in Managing QoS Marking.
    • Sent traffic containing only an 802.1p tag (for example, CoS = 6) would have the VPN-bound inner (payload) packet DSCP tagged with a value of 48. The outer (ESP) packet would also be tagged with a value of 48.
    • Assuming returned traffic has been DSCP tagged (CoS = 48) by the firewall at the Main Site, the return traffic is 802.1p tagged with CoS = 6 on egress.
    • Sent traffic containing only a DSCP tag (for example, CoS = 48) would have the DSCP value preserved on both inner and outer packets.
    • Assuming returned traffic has been DSCP tagged (CoS = 48) by the firewall at the Main Site, the return traffic is 802.1p tagged with CoS = 6 on egress.
    • Sent traffic containing both an 802.1p tag (for example, CoS = 6) and a DSCP tag (for example, CoS = 63) would give precedence to the 802.1p tag and would be mapped accordingly. The VPN-bound inner (payload) packet DSCP would be tagged with a value of 48. The outer (ESP) packet would also be tagged with a value of 48.
    • Assuming returned traffic has been DSCP tagged (CoS = 48) by the firewall at the Main Site, the return traffic is 802.1p tagged with CoS = 6 on egress.

To examine the effects of the second Security Rule (VPN>LAN), we will look at the Security Rules configured at the Main Site, as shown in Main site: Sample access rule configurations.

Main Site: Sample Security Rule Configurations
| Setting | Security Rule 1 | Security Rule 2 |
|---|---|---|
| General View | | |
| Action | Allow | Allow |
| From Zone | LAN | VPN |
| To Zone | VPN | LAN |
| Service | VoIP | VoIP |
| Source | LAN Subnets | Remote Site 1 Subnets |
| Destination | Remote Site 1 Subnets | LAN Subnets |
| Users Allowed | All | All |
| Schedule | Always on | Always on |
| Enable Logging | Enabled | Enabled |
| Allow Fragmented Packets | Enabled | Enabled |
| QoS View | | |
| DSCP Marking Action | Map | Map |
| Allow 802.1p Marking to override DSCP values | Enabled | Enabled |
| 802.1p Marking Action | Map | Map |

VoIP traffic (as defined by the Service Group) arriving from Remote Site 1 Subnets across the VPN destined to LAN Subnets on the LAN zone at the Main Site would hit the Access Rule for inbound VoIP calls. Traffic arriving at the VPN zone does not have any 802.1p tags, only DSCP tags.

  • Traffic exiting the tunnel containing a DSCP tag (for example, CoS = 48) would have the DSCP value preserved. Before the packet is delivered to the destination on the LAN, it is also 802.1p tagged according to the QoS Mapping settings (for example, CoS = 6) by the firewall at the Main Site.
  • Assuming returned traffic has been 802.1p tagged (for example, CoS = 6) by the VoIP phone receiving the call at the Main Site, the return traffic is DSCP tagged according to the conversion map (CoS = 48) on both the inner and outer packet sent back across the VPN.
  • Assuming returned traffic has been DSCP tagged (for example, CoS = 48) by the VoIP phone receiving the call at the Main Site, the return traffic has the DSCP tag preserved on both the inner and outer packet sent back across the VPN.
  • Assuming returned traffic has been both 802.1p tagged (for example, CoS = 6) and DSCP tagged (for example, CoS = 14) by the VoIP phone receiving the call at the Main Site, the return traffic is DSCP tagged according to the conversion map (CoS = 48) on both the inner and outer packet sent back across the VPN.
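
The Remote Site 1 and Main Site walkthroughs above can be checked with a small model of the Map/Map rules. This is an added example, not SonicWall code: the names Tags, lan_to_vpn, vpn_to_lan and round_trip are hypothetical, the conversion map DSCP = 8 x CoS is an assumption that agrees with the page's single stated pair (6 and 48), and the behavior with the override checkbox cleared is an assumption because the page only describes the enabled case.

```python
"""Model of the Map/Map site-to-site VoIP rules walked through above."""
from typing import NamedTuple, Optional


class Tags(NamedTuple):
    dot1p: Optional[int]  # 802.1p CoS 0-7; None when the frame has no 802.1q tag
    dscp: int             # DSCP 0-63; 0 stands for "no DSCP tag"


def cos_to_dscp(cos: int) -> int:
    # Assumed conversion map (class selectors): agrees with the page's 6 -> 48.
    if not 0 <= cos <= 7:
        raise ValueError("802.1p CoS must be 0-7")
    return cos * 8


def dscp_to_cos(dscp: int) -> int:
    # Assumed reverse map: agrees with the page's 48 -> 6.
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    return dscp // 8


def lan_to_vpn(ingress: Tags, override: bool = True) -> int:
    """DSCP written to both the inner and the outer (ESP) packet."""
    if not 0 <= ingress.dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    if ingress.dot1p is None:
        return ingress.dscp            # DSCP-only traffic: value preserved
    mapped = cos_to_dscp(ingress.dot1p)
    # Assumption: with the override checkbox cleared, a non-zero DSCP set by
    # the client is left in place. The page only describes the enabled case.
    return mapped if override or ingress.dscp == 0 else ingress.dscp


def vpn_to_lan(dscp: int) -> Tags:
    """Tags on egress to an 802.1p-enabled LAN interface; tunnel traffic
    arrives with DSCP only, so 802.1p is derived from it."""
    return Tags(dot1p=dscp_to_cos(dscp), dscp=dscp)


def round_trip(sent: Tags, override: bool = True) -> Tags:
    """Sender's tags -> tags delivered on the far-side LAN."""
    return vpn_to_lan(lan_to_vpn(sent, override))


if __name__ == "__main__":
    # Constructed inputs taken from the page's worked cases.
    for sent in (Tags(6, 0), Tags(None, 48), Tags(6, 63), Tags(6, 14)):
        print(sent, "->", round_trip(sent))
```

With override enabled, a client-set DSCP of 63 or 14 on an 802.1p-tagged frame is replaced by the mapped value 48, while DSCP on a frame with no 802.1p tag passes through unchanged, as the walkthroughs state.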
