Determining your QoS requirements
Before implementing QoS, you should identify the types of traffic that:
- Are important to your organization
- Use high amounts of bandwidth
- Are sensitive to latency or packet loss
Discovering the needs and relative importance of each traffic type on your network will help you design an appropriate overall approach, including how you configure each available QoS component technique. Some organizations discover they only need to configure bandwidth limits for some services. Other organizations determine they need to fully configure interface and security policy bandwidth limits for all services, and prioritize the queuing of critical services relative to traffic rate.
For example, suppose your organization wants to guarantee sufficient bandwidth for revenue-producing e-commerce traffic. You need to ensure that customers complete transactions and do not experience service delays. At the same time, you need to ensure low latency for the voice over IP (VoIP) traffic that sales and customer support teams use, while traffic latency and bursts may be less critical to the success of other network applications, such as long-term, resumable file transfers.
Best practices
The following list includes recommendations and considerations when configuring QoS in your network:
- Ensure maximum bandwidth limits at the source interface and security policy are not too low. Limits that are too low can cause the FortiGate to discard an excessive number of packets.
- Consider the ratios of how packets are distributed between the available queues, and which queues are used by which types of services. Assigning most packets to the same priority queue can reduce the effects of configuring prioritization. Assigning a lot of high bandwidth services to high priority queues may take too much bandwidth away from lower priority queues and cause increased or indefinite latency. For example, you may want to prioritize a latency-sensitive service, such as SIP, over a bandwidth-intensive service, such as FTP. Also consider that bandwidth guarantees can affect queue distribution, and assign packets to queue 0 instead of their regular queue in high-volume situations.
- Decide whether or not to guarantee bandwidth, because a guarantee causes the FortiGate to assign packets to queue 0 if the guaranteed packet rate is not being met. When you compare queuing behavior for low and high bandwidth situations, this means the effect of prioritization only becomes visible as traffic volumes rise and exceed their guarantees. Because of this, you might want only some services to use bandwidth guarantees. This way, you can avoid the possibility that all traffic uses the same queue in high-volume situations, which negates the effects of configuring prioritization.
- Configure prioritization for all through traffic by either ToS (type of service)-based priority or security policy priority, not both, to simplify analysis and troubleshooting. Traffic subject to both ToS-based and security policy priorities uses a combined priority from both parts of the configuration. Traffic subject to only one of the prioritization methods uses only that priority. If you configure both methods, or if you configure either method for only a subset of traffic, packets that apply to the combined configuration may receive a lower priority queue than packets that apply to only one of the priority methods, as well as packets that do not apply to the configured prioritization. For example, if both the ToS-based priority and security policy priority dictate that a packet should receive a medium priority, in the absence of bandwidth guarantees, a packet will use queue 3. If only ToS-based priority is configured, the packet will use queue 1. If only security policy priority is configured, the packet will use queue 2. If no prioritization is configured, the packet will use queue 0.
- Because you can configure QoS using a combination of security policies and ToS-based priorities, and distribute traffic over the six possible queues for each physical interface, the results of those configurations can be difficult to analyze. In those cases, prioritization behavior can vary with several factors, including traffic volume, ToS or differentiated services (DiffServ) markings, and the correlation of a session to a security policy.
The FortiGate does not prioritize traffic based on the differentiated services code point (DSCP) marking configured in the security policy. However, ToS-based prioritization can be used for ingress traffic.
- Use the UDP protocol to obtain more accurate testing results. Packets that are discarded by traffic shapers impact flow-control mechanisms, such as TCP.
- Do not oversubscribe outbandwidth throughput. For example, keep the sum of all guaranteed bandwidth values less than outbandwidth. For accurate bandwidth calculations, you must set the outbandwidth parameter on interfaces.
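
The queue rules in the list above can be modelled to see how guarantees mask prioritization and to check for oversubscription. This is an added example, not Fortinet code: the additive priority values for high and low, the function names, and the service rates are assumptions constructed for illustration; only the medium values and the queue 0 behavior come from the text.

```python
# Added illustration of the queue rules described above; not Fortinet code.
# Assumption: each configured priority contributes a number and the queue is
# their sum. The "medium" values (ToS 1, policy 2) come from the page's
# example; the "high" and "low" values are assumed to span queues 0 to 5.
TOS_VALUE = {None: 0, "high": 0, "medium": 1, "low": 2}
POLICY_VALUE = {None: 0, "high": 1, "medium": 2, "low": 3}

def select_queue(tos=None, policy=None, rate_kbps=0, guaranteed_kbps=0):
    """Return the queue a packet uses under the modelled rules."""
    # While a guarantee is configured and not yet met, the packet uses queue 0.
    if guaranteed_kbps and rate_kbps < guaranteed_kbps:
        return 0
    return TOS_VALUE[tos] + POLICY_VALUE[policy]

def queues_at(services, load):
    """Queue per service when each offers `load` times its peak rate."""
    return {
        name: select_queue(policy=s["policy"],
                           rate_kbps=s["peak_kbps"] * load,
                           guaranteed_kbps=s["guaranteed_kbps"])
        for name, s in services.items()
    }

def oversubscribed(services, outbandwidth_kbps):
    """True when the guarantees do not sum to less than outbandwidth."""
    total = sum(s["guaranteed_kbps"] for s in services.values())
    return total >= outbandwidth_kbps

# Constructed sample: policy priority only, every service guaranteed.
ALL_GUARANTEED = {
    "sip":       {"policy": "high",   "peak_kbps": 800,   "guaranteed_kbps": 512},
    "ecommerce": {"policy": "medium", "peak_kbps": 6000,  "guaranteed_kbps": 4000},
    "ftp":       {"policy": "low",    "peak_kbps": 20000, "guaranteed_kbps": 10000},
}
# Same services with the guarantee removed from the bulk transfer.
SOME_GUARANTEED = {**ALL_GUARANTEED,
                   "ftp": {**ALL_GUARANTEED["ftp"], "guaranteed_kbps": 0}}

if __name__ == "__main__":
    for label, cfg in (("all", ALL_GUARANTEED), ("some", SOME_GUARANTEED)):
        for load in (0.4, 1.0):
            print(label, load, queues_at(cfg, load),
                  "oversubscribed:", oversubscribed(cfg, 10000))
```

With every service guaranteed, all three share queue 0 until their rates exceed the guarantees, and the guarantees also exceed a 10000 kbps outbandwidth; removing the guarantee from the bulk transfer fixes both.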