Cookbook

Results

The following sections show how the FortiGate, and specifically secure SD-WAN, handles DSCP-tagged traffic steering, and can be used to confirm that it is set up and running correctly:

Verifying the DSCP tagged traffic on FortiGate

To verify the incoming DSCP-tagged traffic, we used the built-in packet sniffer and converted its output to a format that a packet analyzer can read (verbose level 6 output can be converted to pcap with Fortinet's fgt2eth.pl script). To learn more about packet sniffing, refer to the Using the FortiOS built-in packet sniffer guide on the Fortinet Knowledge Base.

For VoIP traffic that is marked with DSCP tag 0x70 (the value of the whole DS/TOS byte, which is how FortiOS expresses it in tos and tos-mask; in the filter, ip[1] selects that byte and & 0xfc masks off the two ECN bits, so only the six DSCP bits are compared):

FortiGate # diag sniffer packet any '(ip and ip[1] & 0xfc == 0x70)' 6 0 l

The trailing arguments are verbose level 6 (header and data from the Ethernet layer, with interface names), a packet count of 0 (capture until stopped with Ctrl-C) and local timestamps (l). We used the open-source packet analyzer Wireshark to verify that VoIP traffic is tagged with the 0x70 DSCP tag.

DSCP tagged VoIP traffic analysis

For web traffic marked with DSCP tag 0x30:

FortiGate # diag sniffer packet any '(ip and ip[1] & 0xfc == 0x30)' 6 0 l

We used the open-source packet analyzer Wireshark to verify that web traffic is tagged with the 0x30 DSCP tag.

DSCP tagged web traffic analysis

Verifying service rules

The following CLI command shows each SD-WAN rule with its DSCP tag (as TOS value/mask), its mode and the interface members it has selected to steer traffic. Rules are evaluated top-down, and Service(3) with TOS(0x0/0x0) masks the whole byte away, so it acts as the catch-all for untagged traffic:

FortiGate # diag sys virtual-wan-link service

Service(1): Address Mode(IPV4) flags=0x0

TOS(0x70/0xf0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(jitter), link-cost-threshold(10), health-check(Default_DNS)

Service role: standalone

Member sub interface:

Members:

1: Seq_num(4), alive, jitter: 0.624, selected

2: Seq_num(3), alive, jitter: 0.643, selected

Dst address:

0.0.0.0-255.255.255.255

Service(2): Address Mode(IPV4) flags=0x0

TOS(0x30/0xf0), Protocol(0: 1->65535), Mode(manual)

Service role: standalone

Member sub interface:

Members:

1: Seq_num(2), alive, selected

Dst address:

0.0.0.0-255.255.255.255

Service(3): Address Mode(IPV4) flags=0x0

TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)

Service role: standalone

Member sub interface:

Members:

1: Seq_num(1), alive, sla(0x1), cfg_order(0), cost(0), selected

2: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(10), selected

Dst address:

0.0.0.0-255.255.255.255
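As an added example (not part of the Fortinet cookbook), the following Python script ties the two checks above together offline: it parses a verbose-6 sniffer dump and the service listing, extracts the TOS byte of each packet, names its DSCP codepoint, walks the rules top-down the way the FortiGate does to find the matching service and its selected members, and reports whether the page's two sniffer filters would have displayed the packet. The sniffer sample (timestamps, MAC and IP addresses, ports) is constructed; the service listing is copied from above, trimmed to the lines the parser reads. The fourth constructed packet (TOS 0x74) matches Service(1), whose mask is 0xf0, but not the sniffer filter, whose mask is 0xfc, so an empty sniffer capture does not by itself prove that a rule is not matching.

```python
import re

# Constructed sample of 'diag sniffer packet any ... 6 0 l' output (a header line plus
# tab-separated hex-dump lines; verbose 6 starts at the Ethernet header, TOS at offset 15).
SNIFFER_OUTPUT = (
    "2024-05-01 10:00:00.000001 port3 in 10.1.1.10.5060 -> 192.168.2.20.5060: udp 172\n"
    "0x0000\t 0009 0f09 0002 0009 0f09 0001 0800 4570\t..............Ep\n"
    "2024-05-01 10:00:00.000002 port3 in 10.1.1.11.51000 -> 203.0.113.5.443: syn 2906745123\n"
    "0x0000\t 0009 0f09 0002 0009 0f09 0001 0800 4530\t..............E0\n"
    "2024-05-01 10:00:00.000003 port3 in 10.1.1.12.40000 -> 198.51.100.9.53: udp 40\n"
    "0x0000\t 0009 0f09 0002 0009 0f09 0001 0800 4500\t..............E.\n"
    "2024-05-01 10:00:00.000004 port3 in 10.1.1.13.5060 -> 192.168.2.20.5060: udp 172\n"
    "0x0000\t 0009 0f09 0002 0009 0f09 0001 0800 4574\t..............Et\n"
)

# The 'diag sys virtual-wan-link service' listing from this page, trimmed to the lines the parser reads.
SERVICE_OUTPUT = """\
Service(1): Address Mode(IPV4) flags=0x0
  TOS(0x70/0xf0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(jitter), link-cost-threshold(10), health-check(Default_DNS)
    1: Seq_num(4), alive, jitter: 0.624, selected
    2: Seq_num(3), alive, jitter: 0.643, selected
Service(2): Address Mode(IPV4) flags=0x0
  TOS(0x30/0xf0), Protocol(0: 1->65535), Mode(manual)
    1: Seq_num(2), alive, selected
Service(3): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
    1: Seq_num(1), alive, sla(0x1), cfg_order(0), cost(0), selected
    2: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(10), selected
"""

SERVICE_RE = re.compile(r"^\s*Service\((\d+)\):")
TOS_RE = re.compile(r"TOS\(0x([0-9a-fA-F]+)/0x([0-9a-fA-F]+)\).*?Mode\((\w+)\)")
MEMBER_RE = re.compile(r"^\s*\d+: Seq_num\((\d+)\),(.*)$")


def parse_sniffer(text):
    """Group hex-dump lines under their header line and decode them to bytes."""
    packets = []
    for line in text.splitlines():
        if line.startswith("0x"):                 # '0x0010<TAB> hex words<TAB>ascii'
            cols = line.split("\t")
            if len(cols) > 1 and packets:
                packets[-1]["raw"] += bytes.fromhex(cols[1].replace(" ", ""))
        elif line.strip():
            packets.append({"header": line.strip(), "raw": b""})
    return packets


def ipv4_tos(raw):
    """TOS byte (DSCP << 2 | ECN) of the IPv4 header in one decoded packet."""
    off = 14 if raw[12:14] == b"\x08\x00" else 0  # Ethernet framing or IP-only dump
    return raw[off + 1] if len(raw) > off + 1 and raw[off] >> 4 == 4 else None


def dscp_name(tos):
    """PHB name of the 6 DSCP bits in a TOS byte (RFC 2474, 2597, 3246)."""
    dscp = tos >> 2
    cls, drop = divmod(dscp, 8)
    if dscp == 46:
        return "EF"
    if drop == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and drop in (2, 4, 6):
        return f"AF{cls}{drop // 2}"
    return f"DSCP{dscp}"


def parse_services(text):
    """Services in listed order: TOS value, mask, mode and selected member seq_nums."""
    services = []
    for line in text.splitlines():
        if m := SERVICE_RE.match(line):
            services.append({"id": int(m.group(1)), "tos": 0, "mask": 0, "mode": None,
                             "selected": []})
        elif services and (m := TOS_RE.search(line)):
            services[-1].update(tos=int(m.group(1), 16), mask=int(m.group(2), 16),
                                mode=m.group(3))
        elif services and (m := MEMBER_RE.match(line)):
            if "alive" in m.group(2) and "selected" in m.group(2):
                services[-1]["selected"].append(int(m.group(1)))
    return services


def match_service(tos, services):
    """First rule whose masked TOS equals its TOS value (rules are walked top-down;
    TOS(0x0/0x0) masks everything away and so acts as the catch-all)."""
    return next((s for s in services if (tos & s["mask"]) == s["tos"]), None)


def steering_report(sniffer_text, service_text):
    """Per packet: TOS, DSCP name, matching service and members, sniffer-filter hits."""
    services = parse_services(service_text)
    rows = []
    for pkt in parse_sniffer(sniffer_text):
        tos = ipv4_tos(pkt["raw"])
        if tos is None:
            continue
        svc = match_service(tos, services) or {"id": None, "mode": None, "selected": []}
        rows.append({"header": pkt["header"], "tos": tos, "dscp": dscp_name(tos),
                     "service": svc["id"], "mode": svc["mode"],
                     "members": list(svc["selected"]),
                     "voip_filter": (tos & 0xFC) == 0x70,   # page's filter for 0x70
                     "web_filter": (tos & 0xFC) == 0x30})   # page's filter for 0x30
    return rows


if __name__ == "__main__":
    print(*steering_report(SNIFFER_OUTPUT, SERVICE_OUTPUT), sep="\n")
```

Run it with python3 to get one row per packet. To use it against a real device, paste the sniffer output (captured with verbose level 6) and the full service listing into the two constants; the parser ignores the listing lines it does not need.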

Verifying steered traffic leaving the required interface

Go to Dashboard > Top Policies to confirm that web traffic (port 443) flows through the right underlay interface members, and VoIP traffic flows through the right overlay interface member.

Web traffic leaves either Interface_A(port1) or Interface_B(port5).

Steered web traffic

VoIP traffic leaves the preferred VPN_B_Tunnel(Branch-HQ-B) interface.

Steered VoIP traffic
