Traffic Shaping

DiffServ Codepoint Marking: Click the check box to enable DSCP. Differentiated Services (DiffServ) is a system for tagging (or marking) traffic at a position within a hierarchy of priority. Selecting this option maps the eight ScreenOS priority levels (IP Precedence) to the DiffServ system. The highest priority (priority 0) maps to 111 in the DS byte (see RFC 2474) or TOS byte (see RFC 1349) in the IP packet header, and the lowest priority (priority 8) maps to 000.

Some devices require that you explicitly enable DSCP marking by setting a system-wide environmental variable. Refer to your hardware manual to find out if your device requires that you explicitly enable DSCP marking before using it in policies. If your device requires it, use the following CLI command to enable DSCP marking system wide: set envar ipsec-dscp-mark=yes. This variable cannot be set using the WebUI. Use the unset envar ipsec-dscp-mark command to disable DSCP marking system wide.

Warning:  Please note that this feature is CPU intensive and under certain high traffic volume conditions can cause high CPU utilization.

DSCP marking is supported on all platforms and can be configured with traffic shaping or independently. The following tables describe how DSCP marking works in all scenarios.

• DSCP Marking for Cleartext Traffic

  Description	Action
  Clear packet with no marking on the policy.	No marking.
  Clear packet with marking on the policy.	The packet is marked based on the policy.
  Pre-marked packet with no marking on the policy.	Retain marking in the packet.
  Pre-marked packet with marking on the policy.	Overwrite marking in the packet based on the policy.

• DSCP Marking for Policy-Based VPNs

  Description	Action
  Clear packet into policy-based VPN with no marking on the policy.	No marking.
  Clear packet into policy-based VPN with marking on the policy.	Mark the inner packet and ESP header based on the policy.
  Pre-marked packet into policy-based VPN with no marking on the policy.	Copy the inner packet marking to the ESP header, and retain marking in the inner packet.
  Pre-marked packet into policy-based VPN with marking on the policy.	Overwrite the marking in the inner packet based on the policy, and copy the inner packet marking to the ESP header.

• DSCP Marking for Route-Based VPNs

  Description	Action
  Clear packet into route-based VPN with no marking on the policy.	No marking.
  Clear packet into route-based VPN with marking on the policy.	Mark the inner packet and ESP header based on the policy.
  Pre-marked packet into route-based VPN with no marking on the policy.	Copy the inner packet marking to the ESP header, retain marking in the inner packet.
  Pre-marked packet into route-based VPN with marking on the policy.	Overwrite the marking in the inner packet based on the policy, and copy the inner packet marking to the ESP header.

IP Precedence: Traffic with higher priority will be passed first, and lower priority traffic is passed only if there is no other higher priority traffic for a certain period. There are eight priority levels.

Mode: Select a traffic-shaping mode. The default mode is Auto. In Auto mode, shaping will be enabled automatically only when there is a policy that has either ingress policing or traffic shaping enabled. On mode means traffic shaping is enabled regardless of the presence of a policy that has ingress policing or traffic shaping enabled. Off mode means traffic shaping is not enabled even if there is a policy that has either ingress policing or traffic shaping enabled.

To Enable DiffServ Code Point Marking and Turn on Traffic Shaping:

QoS Profile

You can create two types of quality of service (Qos) profiles based on the IP precedence and DSCP values of an incoming packet.

To Create a QoS Profile

To Modify a QoS Profile

To Remove a QoS Profile