About QoS Marking
Today’s networks often consist of many kinds of network traffic that compete for bandwidth. By default, all traffic, whether of prime importance or negligible importance, has an equal chance of reaching its destination in a timely manner. Quality of Service (QoS) marking gives critical traffic preferential treatment to make sure it is delivered quickly and reliably.
QoS functionality must be able to differentiate the various types of data streams that flow across your network. It must then mark data packets. QoS marking creates different classifications of service for different kinds of network traffic. When you mark traffic, you change up to six bits on packet header fields defined for this purpose. Firebox and other QoS-capable devices can use this marking to provide appropriate handling of a packet as it travels from one point to another in a network.
Before You Begin
- Make sure your LAN equipment supports QoS marking and handling. You may also need to make sure your ISP supports QoS.
- The use of QoS procedures on a network requires extensive planning. You can first identify the theoretical bandwidth available and then determine which network applications are high priority, particularly sensitive to latency and jitter, or both.
QoS Marking for Interfaces and Policies
You can enable QoS marking for an individual interface or an individual policy. When you define QoS marking for an interface, each packet that leaves the interface is marked. When you define QoS marking for a policy, all traffic that uses that policy is also marked. The QoS marking for a policy overrides any QoS marking set on an interface.
For example, suppose your Firebox receives QoS-marked traffic from a trusted network and sends it to an external network. The trusted network already has QoS marking applied, but you want the traffic to your executive team to be given higher priority than other network traffic from the trusted interface. First, set the QoS marking for the trusted interface to one value. Then, add a policy with QoS marking set for the traffic to your executive team with a higher value.
For information about QoS and interfaces, go to Enable QoS Marking for an Interface.
For information about QoS and policies, go to Enable QoS Marking and Prioritization in a Policy.
For information about QoS and BOVPNs, go to Enable QoS Marking for a Managed BOVPN Tunnel.
In Fireware v12.7 or higher, you can enable 802.1p priority marking (tagging) for VLAN interfaces on your Firebox. For more information about QoS and VLAN interfaces, go to About 802.1p Marking for VLAN Interfaces.
You cannot configure QoS in the link aggregation settings or in the interface settings for a link aggregation member.
QoS Marking and IPSec Traffic
If you want to apply QoS to IPsec traffic, you must create a specific firewall policy for the corresponding IPsec policy and apply QoS marking to that policy.
You can also choose whether to preserve existing marking when a marked packet is encapsulated in an IPSec header.
To preserve marking, from Fireware Web UI:
- Select VPN > Global Settings.
- Select the Enable TOS for IPSec check box.
  All existing marking is preserved when the packet is encapsulated in an IPSec header.
- Click Save.
To preserve marking, from Policy Manager:
- Select VPN > VPN Settings.
- Select the Enable TOS for IPSec check box.
  All existing marking is preserved when the packet is encapsulated in an IPSec header.
- Click OK.
- Save the configuration.
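The following added example (not WatchGuard code, and not a description of Fireware internals) models what preserving marking means at the packet level: a generic IPv4 tunnel wrapper either copies the inner TOS byte to the outer header or leaves it at zero, and a small parser reads the marking back, as you would when checking a capture. The addresses, the DSCP 46 sample packet, and the function names are constructed for illustration; the ESP payload is not actually encrypted here.

```python
import socket
import struct

ESP_PROTO = 50  # IP protocol number for IPsec ESP


def ipv4_header(src, dst, proto, payload_len, tos=0):
    """Build a 20-byte IPv4 header (checksum left at 0 for brevity)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, 20 + payload_len,
                       0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def read_marking(packet):
    """Return (dscp, ecn, protocol) from the first IPv4 header in packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    tos = packet[1]
    # The upper six bits of the TOS byte are the DSCP, the lower two are ECN.
    return tos >> 2, tos & 0x3, packet[9]


def encapsulate(inner, gw_src, gw_dst, preserve_tos):
    """Wrap inner in an outer tunnel header; the payload stands in for ESP."""
    # Assumption: the whole TOS byte is copied when preservation is on.
    outer_tos = inner[1] if preserve_tos else 0
    # Real ESP would encrypt `inner`; it is left as-is so offsets stay obvious.
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(inner), outer_tos) + inner


# Constructed sample: a UDP packet marked DSCP 46 (TOS byte 0xB8).
INNER = ipv4_header("192.0.2.10", "198.51.100.20", 17, 8, tos=46 << 2) + b"\x00" * 8


def demo():
    """Return the outer-header marking with and without preservation."""
    kept = encapsulate(INNER, "203.0.113.1", "203.0.113.2", preserve_tos=True)
    lost = encapsulate(INNER, "203.0.113.1", "203.0.113.2", preserve_tos=False)
    return read_marking(kept), read_marking(lost)


if __name__ == "__main__":
    print(demo())
```

In this model the outer header is sent in cleartext, so with preservation on, the inner packet's traffic class is visible to every device on the path between the tunnel endpoints.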