
New Features

Interface based QoS on individual child tunnels based on speed test results 7.0.1

In a hub and spoke SD-WAN topology that uses dial-up VPN overlays, QoS can be applied on individual tunnels based on the measured bandwidth between the hub and spokes. The FortiGate can use the built in speed test to dynamically populate the egress bandwidth to individual dial-up tunnels from the hub.

A bandwidth limit, derived from the speed test, and a traffic shaping profile can be applied on the dial-up IPsec tunnel interface on the hub. A class ID and percentage based QoS settings can be applied to individual child tunnels using a traffic shaping policy and profile.

CLI commands

If the interface is an IPsec dial-up server, then the egress shaping profile type can only be set to policing; it cannot be set to queuing:

config firewall shaping-profile
    edit <profile-name>
        set type policing
    next
end

The outbandwidth value is dynamically obtained from the speed test results for each individual child tunnel, and should not be set manually:

config system interface
    edit <dialup-server-phase1-name> 
        set egress-shaping-profile <profile-name> 
        set outbandwidth <bandwidth>
    next
end

Example

In this example, the hub is configured as a VPN dial-up server and both of the spokes are connected to the hub. It is assumed that the VPN configuration is already done, with a dynamic gateway type and kernel device creation (net-device) disabled. Only one SD-WAN interface is used, so there is only one VPN overlay member in the SD-WAN zone. Multiple WAN interfaces and VPN overlays could be used.

The VPN interfaces and IP addresses are:

FortiGate        Interface     IP Address
FGT_A (Hub)      hub-phase1    10.10.100.254
FGT_B (Spoke)    spoke11-p1    10.10.100.2
FGT_D (Spoke)    spoke21-p1    10.10.100.3

The hub VPN has two child tunnels, one to each spoke.

The speed test configuration is shown in Speed tests run from the hub to the spokes in dial-up IPsec tunnels 7.0.1. This example shows applying a shaping profile to the hub's tunnel interface in order to apply interface based traffic shaping to the child tunnels.

A traffic shaping policy is used to match and assign traffic to the classes in the shaping profile.

To configure the hub FortiGate (FGT_A) and check the results:
  1. Configure the hub FortiGate (FGT_A) as in Speed tests run from the hub to the spokes in dial-up IPsec tunnels 7.0.1.

  2. Configure the shaping profile:

    config firewall shaping-profile
        edit "profile_1"
            config shaping-entries
                edit 1
                    set class-id 2
                    set priority low
                    set guaranteed-bandwidth-percentage 10
                    set maximum-bandwidth-percentage 10
                next
                edit 2
                    set class-id 3
                    set priority medium
                    set guaranteed-bandwidth-percentage 30
                    set maximum-bandwidth-percentage 40
                next
                edit 3
                    set class-id 4
                    set priority high
                    set guaranteed-bandwidth-percentage 20
                    set maximum-bandwidth-percentage 60
                next
            end
            set default-class-id 2
        next
    end
  3. Configure a traffic shaping policy:

    config firewall shaping-policy
        edit 2
            set service "ALL"
            set schedule "always"
            set dstintf "hub-phase1"
            set class-id 3
            set srcaddr "all"
            set dstaddr "all"
        next
    end

    In this example, all traffic through the hub-phase1 interface is put into class ID 3. Class IDs can be assigned based on your traffic requirements.

  4. At the scheduled time, the speed test starts on the hub-phase1 interface from the hub to the spokes. The results are then applied dynamically to each child tunnel as its egress bandwidth, and the class ID percentage based QoS settings of the shaping profile are applied to each child tunnel as a template.

    # diagnose vpn tunnel  list
    ------------------------------------------------------
    name=hub-phase1_0 ver=2 serial=c 172.16.200.1:0->172.16.200.4:0 tun_id=172.16.200.4 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
    ...
    egress traffic control:
            bandwidth=737210(kbps) lock_hit=0 default_class=2 n_active_class=3
            class-id=2      allocated-bandwidth=73720(kbps)         guaranteed-bandwidth=73720(kbps)
                            max-bandwidth=73720(kbps)       current-bandwidth=0(kbps)
                            priority=low    forwarded_bytes=52
                            dropped_packets=0       dropped_bytes=0
            class-id=3      allocated-bandwidth=221163(kbps)        guaranteed-bandwidth=221162(kbps)
                            max-bandwidth=294883(kbps)      current-bandwidth=0(kbps)
                            priority=medium         forwarded_bytes=0
                            dropped_packets=0       dropped_bytes=0
            class-id=4      allocated-bandwidth=442325(kbps)        guaranteed-bandwidth=147441(kbps)
                            max-bandwidth=442325(kbps)      current-bandwidth=0(kbps)
                            priority=high   forwarded_bytes=0
                            dropped_packets=0       dropped_bytes=0
    ------------------------------------------------------
    name=hub-phase1_1 ver=2 serial=d 172.16.200.1:0->172.16.200.2:0 tun_id=172.16.200.2 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
    ...
    egress traffic control:
            bandwidth=726813(kbps) lock_hit=0 default_class=2 n_active_class=3
            class-id=2      allocated-bandwidth=72681(kbps)         guaranteed-bandwidth=72681(kbps)
                            max-bandwidth=72681(kbps)       current-bandwidth=0(kbps)
                            priority=low    forwarded_bytes=123
                            dropped_packets=0       dropped_bytes=0
            class-id=3      allocated-bandwidth=218044(kbps)        guaranteed-bandwidth=218043(kbps)
                            max-bandwidth=290725(kbps)      current-bandwidth=0(kbps)
                            priority=medium         forwarded_bytes=0
                            dropped_packets=0       dropped_bytes=0
            class-id=4      allocated-bandwidth=436087(kbps)        guaranteed-bandwidth=145362(kbps)
                            max-bandwidth=436087(kbps)      current-bandwidth=0(kbps)
                            priority=high   forwarded_bytes=0
                            dropped_packets=0       dropped_bytes=0

    For class ID 2, the guaranteed and maximum bandwidths equal 10% of each tunnel's speed test result (73720 kbps of 737210 kbps on hub-phase1_0), as expected.
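Because the per-tunnel bandwidth comes from a speed test rather than from configuration, the only way to confirm that the shaping profile is in effect on every child tunnel is to read the diagnose output back and compare it against the profile percentages. The following script is an added example (not Fortinet code) that parses the egress traffic control blocks of `diagnose vpn tunnel list` and reports any child tunnel whose guaranteed or maximum bandwidth does not match the profile, any profile class that is not active on a tunnel, and any tunnel that still has no speed test result. The sample input is a constructed copy of the two tunnel records shown above; the profile table and the 1 kbps tolerance (the FortiGate truncates the percentage to whole kbps in this output) are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Shaping profile "profile_1" from the example: class-id -> (guaranteed %, maximum %).
PROFILE_1 = {2: (10, 10), 3: (30, 40), 4: (20, 60)}

# Constructed sample input: the two child-tunnel records from the example's
# "diagnose vpn tunnel list" output, trimmed to their egress traffic control blocks.
SAMPLE_OUTPUT = """\
name=hub-phase1_0 ver=2 serial=c 172.16.200.1:0->172.16.200.4:0 tun_id=172.16.200.4 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
egress traffic control:
        bandwidth=737210(kbps) lock_hit=0 default_class=2 n_active_class=3
        class-id=2      allocated-bandwidth=73720(kbps)         guaranteed-bandwidth=73720(kbps)
                        max-bandwidth=73720(kbps)       current-bandwidth=0(kbps)
                        priority=low    forwarded_bytes=52
                        dropped_packets=0       dropped_bytes=0
        class-id=3      allocated-bandwidth=221163(kbps)        guaranteed-bandwidth=221162(kbps)
                        max-bandwidth=294883(kbps)      current-bandwidth=0(kbps)
                        priority=medium         forwarded_bytes=0
                        dropped_packets=0       dropped_bytes=0
        class-id=4      allocated-bandwidth=442325(kbps)        guaranteed-bandwidth=147441(kbps)
                        max-bandwidth=442325(kbps)      current-bandwidth=0(kbps)
                        priority=high   forwarded_bytes=0
                        dropped_packets=0       dropped_bytes=0
------------------------------------------------------
name=hub-phase1_1 ver=2 serial=d 172.16.200.1:0->172.16.200.2:0 tun_id=172.16.200.2 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
egress traffic control:
        bandwidth=726813(kbps) lock_hit=0 default_class=2 n_active_class=3
        class-id=2      allocated-bandwidth=72681(kbps)         guaranteed-bandwidth=72681(kbps)
                        max-bandwidth=72681(kbps)       current-bandwidth=0(kbps)
                        priority=low    forwarded_bytes=123
                        dropped_packets=0       dropped_bytes=0
        class-id=3      allocated-bandwidth=218044(kbps)        guaranteed-bandwidth=218043(kbps)
                        max-bandwidth=290725(kbps)      current-bandwidth=0(kbps)
                        priority=medium         forwarded_bytes=0
                        dropped_packets=0       dropped_bytes=0
        class-id=4      allocated-bandwidth=436087(kbps)        guaranteed-bandwidth=145362(kbps)
                        max-bandwidth=436087(kbps)      current-bandwidth=0(kbps)
                        priority=high   forwarded_bytes=0
                        dropped_packets=0       dropped_bytes=0
"""

@dataclass
class TunnelStats:
    name: str
    bandwidth_kbps: int = 0  # filled from the speed test result; 0 if none has run yet
    classes: Dict[int, Dict[str, int]] = field(default_factory=dict)  # class-id -> counters

KV = re.compile(r"([\w-]+)=(\d+)")  # key=value pairs such as max-bandwidth=73720(kbps)

def parse_tunnel_list(text: str) -> List[TunnelStats]:
    """Parse the per-tunnel egress traffic control blocks of diagnose vpn tunnel list."""
    tunnels: List[TunnelStats] = []
    current = None  # counters of the class-id block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name="):
            tunnels.append(TunnelStats(name=line.split()[0][len("name="):]))
            current = None
        elif not tunnels:
            continue  # ignore anything printed before the first tunnel record
        elif line.startswith("bandwidth="):
            tunnels[-1].bandwidth_kbps = int(KV.match(line).group(2))
        else:
            if line.startswith("class-id="):
                current = tunnels[-1].classes.setdefault(int(KV.match(line).group(2)), {})
            if current is not None:
                for key, val in KV.findall(line):
                    if key in ("guaranteed-bandwidth", "max-bandwidth"):
                        current[key] = int(val)
    return tunnels

def check_tunnel_shaping(tunnels, profile, tolerance_kbps=1) -> List[str]:
    """Return one finding per inconsistency; an empty list means every tunnel matches."""
    findings = []
    for tun in tunnels:
        if tun.bandwidth_kbps == 0:
            findings.append(f"{tun.name}: no speed test result yet, egress shaping not effective")
            continue
        for class_id, (g_pct, m_pct) in profile.items():
            counters = tun.classes.get(class_id)
            if counters is None:
                findings.append(f"{tun.name}: class-id {class_id} from the profile is not active")
                continue
            for key, pct in (("guaranteed-bandwidth", g_pct), ("max-bandwidth", m_pct)):
                # The FortiGate truncates the percentage to whole kbps, hence the tolerance.
                expected = tun.bandwidth_kbps * pct // 100
                actual = counters.get(key, 0)
                if abs(actual - expected) > tolerance_kbps:
                    findings.append(f"{tun.name}: class-id {class_id} {key} is {actual} kbps, "
                                    f"expected about {expected} kbps ({pct}% of {tun.bandwidth_kbps} kbps)")
    return findings

if __name__ == "__main__":
    report = check_tunnel_shaping(parse_tunnel_list(SAMPLE_OUTPUT), PROFILE_1)
    print("\n".join(report) or "all child tunnels match profile_1")
```

Run it against the output captured from the hub after the scheduled speed test; a tunnel with bandwidth=0 means the speed test has not populated that child tunnel yet, so the profile percentages are not being enforced on it, and a mismatched class is the signal to compare the profile on the hub with what the diagnose output actually shows.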
