Working example is set-tos needed

Author
aagrafi
Gold Member
  • Total Posts : 178
  • Scores: 4
  • Reward points: 0
  • Joined: 2016/03/09 01:47:25
  • Status: offline
2019/11/19 01:37:10 (permalink)
0

Working example is set-tos needed

Hello,
 
I need a working example of setting two firewall shaping-policies to match DSCP EF and AF43 respectively. I don't understand how to use the commands set tos-mask and set tos as explained in the CLI ref. for 6.2 (the examples and the documentation are pure **** IMHO). I'm thinking of using set tos-mask 0xc0 and set tos 0xb8 for EF and set tos 0x98. Do you think this is correct or should I use different values?
 
Thanks
Andreas
#1


    Toshi Esumi
    Expert Member
    • Total Posts : 1791
    • Scores: 145
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Working example is set-tos needed 2019/11/19 10:51:17 (permalink)
    0
    Looks like they changed QoS again with 6.2 (last time was 5.4). I need to read the documentation through again and, more importantly, test it before upgrading our entire FGT fleet and new deployments to 6.2. Thank you for the wake-up call.
    At this moment, my guess is similar to yours, but if I want to match all 6 of those bits in the TOS byte, like 0xb8 (101110xx), I would use tos-mask 0xfc (11111100). But I might be completely wrong.
    I strongly recommend you open a ticket with TAC to get the right answer, including other parts of QoS operation with 6.2.
    We probably wouldn't need to use this DSCP matching unless they eliminated the system-level DSCP mapping. But who knows. We'll likely open multiple tickets ourselves to figure them out.
    #2
    Toshi Esumi
    Re: Working example is set-tos needed 2019/12/03 14:03:52 (permalink)
    0
    Based on my research so far, it looks like they're trying to consolidate/unify the terminology/syntax related to TOS/DSCP to TOS only, e.g. they changed the syntax for firewall policy/SD-WAN rule from dscp-match/dscp-value/dscp-negate to tos-mask/tos/tos-negate with 6.2. There is no explanation in the Traffic Shaping section of the 6.2 cookbook (no handbook available yet), but there is one in the SD-WAN/DSCP matching section:
    https://docs.fortinet.com/document/fortigate/6.2.0/new-features/159007/dscp-matching-shaping
     
    So my assumption in the previous post seems to be correct: when you need to match/handle the DSCP bits (upper 6 bits), you need to mask the TOS byte (8 bits) and use [DSCP value x 4] to match what you're looking for. I have a ticket open related to this at TAC, so I'll verify this and update this thread.
    #3
    aagrafi
    Re: Working example is set-tos needed 2019/12/04 12:12:47 (permalink)
    0
    Hi Toshi,
     
    Yes, I know this document. It confused me more than it clarified things to me... Let me know how it goes with the ticket you opened.
     
    Thanks
    Andreas
    #4
    Toshi Esumi
    Expert Member
    Re: Working example is set-tos needed 2019/12/04 12:32:22 (permalink)
    0
    It totally depends on what exactly you need to do for your specific situation (almost every situation needing QoS is unique), but to me the page below is the most important one in the traffic shaping section of the Cookbook.
    https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/427882/type-of-service-based-prioritization-and-policy-based-traffic-shaping
     
    The architecture has two classification/prioritization points in a FGT: the ingress point, and afterwards when shaping-policies are examined. Both classification points affect which one of the 6 queues each packet is queued in at the egress interface. This was never explained anywhere before the 6.0 handbook, which I found out after I read your original post (again, thanks).
    You might just need to do ingress classification only and skip the whole shaping-policy part if your QoS requirements aren't so specific, unless it's a multi-VDOM environment. This part is a system global setting.
     
    #5
    aagrafi
    Re: Working example is set-tos needed 2019/12/05 09:11:49 (permalink)
    0
    All I want to do is to simply match DSCP EF and AF43. I'm not sure how the set tos-mask works and the original documentation did not help me at all to understand this either. The examples were confusing too...
     
    The documentation says: "tos-mask <mask_value> Non-zero bit positions are used for comparison. Zero bit positions are ignored (default = 0x00)."
    What do I understand with that? NOTHING...
    #6
    Toshi Esumi
    Re: Working example is set-tos needed 2019/12/05 10:01:42 (permalink)
    0
    It's simply reiterating how a bitwise operation works, exactly the same way a subnet mask works. For DSCP, you need to match the top 6 bits, so in binary the mask needs to be "11111100" (=0xfc).
     
    The main question is what you want to do (how you want to queue) with the matching. EF and AF43 packets into Queue 0? The rest into Queue 2? Without setting any guaranteed bandwidth for other types of traffic? Then I wouldn't use shaping-policy, but do everything at the ingress point. I'm assuming you don't have multiple VDOMs.
     
      config sys global
          set traffic-priority dscp
          set traffic-priority-level low (=2) <- default is high (=0). you need to change it.
      end
      config sys dscp-based-priority
          edit 46
              set ds 46
              set priority high (=0) <- default value
          next
          edit 38
              set ds 38
              set priority high (=0)
          next
      end
     
     
    #7
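As an added illustration (not code from the thread or from Fortinet), here is a small model of the tos/tos-mask comparison discussed in posts #3 and #6, run over all 64 DSCP values so you can see why 0xfc isolates a single DSCP while the 0xc0 mask from the original question also matches every other DSCP in the same class. It assumes the firewall matches a packet when (packet TOS AND tos-mask) equals (configured tos AND tos-mask), which is the natural reading of the quoted documentation line but is not confirmed on this page.

```python
# Added example, not from the thread or from Fortinet: a model of
# "set tos-mask" / "set tos" matching on the IP TOS byte.
# Assumption (not confirmed on the page): a packet matches when
# (packet_tos & tos_mask) == (tos & tos_mask), i.e. non-zero mask bits
# are compared and zero mask bits are ignored, as the quoted doc line says.

# TOS byte layout: bits 7..2 = DSCP (6 bits), bits 1..0 = ECN.
DSCP_MASK = 0xFC   # 11111100: compare only the 6 DSCP bits (Toshi's value)
CLASS_MASK = 0xC0  # 11000000: compare only the top 2 bits (OP's first guess)

# Standard PHB names for the DSCP values mentioned in the thread (constructed table)
PHB_NAMES = {46: "EF", 38: "AF43", 36: "AF42", 34: "AF41", 32: "CS4"}


def dscp_to_tos(dscp: int) -> int:
    """DSCP occupies the upper 6 bits, so the TOS value is DSCP x 4."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return dscp << 2


def tos_matches(packet_tos: int, tos: int, tos_mask: int) -> bool:
    """Compare only the bit positions that are set in tos_mask."""
    return (packet_tos & tos_mask) == (tos & tos_mask)


def matching_dscps(tos: int, tos_mask: int) -> list:
    """Every DSCP value (0..63) that a tos/tos-mask pair matches, ECN bits zero."""
    return [d for d in range(64) if tos_matches(dscp_to_tos(d), tos, tos_mask)]


def describe(tos: int, tos_mask: int) -> str:
    """Human-readable summary of which DSCPs a rule would catch."""
    hits = matching_dscps(tos, tos_mask)
    names = [PHB_NAMES.get(d, f"DSCP{d}") for d in hits]
    return (f"tos=0x{tos:02x} tos-mask=0x{tos_mask:02x} -> "
            f"{len(hits)} DSCP(s): {', '.join(names)}")


if __name__ == "__main__":
    ef, af43 = dscp_to_tos(46), dscp_to_tos(38)   # 0xb8 and 0x98
    print(describe(ef, DSCP_MASK))     # exactly EF
    print(describe(af43, DSCP_MASK))   # exactly AF43
    print(describe(ef, CLASS_MASK))    # 16 DSCPs: everything whose top bits are 10
    # With 0xfc the ECN bits are ignored, so an EF packet marked CE (0xbb) still matches
    print(tos_matches(0xBB, ef, DSCP_MASK))
```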