Interface based QoS on individual child tunnels based on speed test results
In a hub and spoke SD-WAN topology that uses dial-up VPN overlays, QoS can be applied to individual tunnels based on the measured bandwidth between the hub and each spoke. The FortiGate can use the built-in speed test to dynamically populate the egress bandwidth of each individual dial-up child tunnel from the hub.
A bandwidth limit, derived from the speed test, and a traffic shaping profile can be applied on the dial-up IPsec tunnel interface on the hub. A class ID and percentage based QoS settings can be applied to individual child tunnels using a traffic shaping policy and profile.
CLI commands
If the interface is an IPsec dial-up server, then the egress shaping profile type can only be set to policing; it cannot be set to queuing:
    config firewall shaping-profile
        edit <profile-name>
            set type policing
        next
    end
The outbandwidth value is dynamically obtained from the speed test results for each individual child tunnel, and should not be set manually:
    config system interface
        edit <dialup-server-phase1-name>
            set egress-shaping-profile <profile-name>
            set outbandwidth <bandwidth>
        next
    end
Example
In this example, the hub is configured as a VPN dial-up server and both of the spokes are connected to the hub. It is assumed that the VPN configuration is already done, with a dynamic gateway type and kernel device creation (net-device) disabled. Only one SD-WAN interface is used, so there is only one VPN overlay member in the SD-WAN zone. Multiple WAN interfaces and VPN overlays could be used.
The VPN interfaces and IP addresses are:

FortiGate | Interface | IP Address
---|---|---
FGT_A (Hub) | hub-phase1 | 10.10.100.254
FGT_B (Spoke) | spoke11-p1 | 10.10.100.2
FGT_D (Spoke) | spoke21-p1 | 10.10.100.3
The hub VPN has two child tunnels, one to each spoke.
The speed test configuration is shown in Speed tests run from the hub to the spokes in dial-up IPsec tunnels. This example shows applying a shaping profile to the hub's tunnel interface in order to apply interface based traffic shaping to the child tunnels.
A traffic shaping policy is used to match and assign traffic to the classes in the shaping profile.
To configure the hub FortiGate (FGT_A) and check the results:
- Configure the hub FortiGate (FGT_A) as in Speed tests run from the hub to the spokes in dial-up IPsec tunnels.
- Configure the shaping profile. Because it is applied to the dial-up server interface, its type must be policing:
    config firewall shaping-profile
        edit "profile_1"
            config shaping-entries
                edit 1
                    set class-id 2
                    set priority low
                    set guaranteed-bandwidth-percentage 10
                    set maximum-bandwidth-percentage 10
                next
                edit 2
                    set class-id 3
                    set priority medium
                    set guaranteed-bandwidth-percentage 30
                    set maximum-bandwidth-percentage 40
                next
                edit 3
                    set class-id 4
                    set priority high
                    set guaranteed-bandwidth-percentage 20
                    set maximum-bandwidth-percentage 60
                next
            end
            set default-class-id 2
        next
    end
- Configure a traffic shaping policy:
    config firewall shaping-policy
        edit 2
            set service "ALL"
            set schedule "always"
            set dstintf "hub-phase1"
            set class-id 3
            set srcaddr "all"
            set dstaddr "all"
        next
    end
In this example, all traffic through the hub-phase1 interface is put into class ID 3. Class IDs can be assigned based on your traffic requirements; traffic that is not matched by any shaping policy falls into the profile's default class (class ID 2 here).
- With the profile applied to the hub-phase1 interface (see CLI commands above), the speed test starts for hub-phase1 at its scheduled time, running from the hub to each spoke. Each result is applied dynamically to the corresponding child tunnel as its egress bandwidth, and the class ID percentage based QoS settings in the shaping profile are applied to each child tunnel with the profile as the template. Check the per-tunnel result:
    # diagnose vpn tunnel list
    ------------------------------------------------------
    name=hub-phase1_0 ver=2 serial=c 172.16.200.1:0->172.16.200.4:0 tun_id=172.16.200.4 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
    ...
    egress traffic control: bandwidth=737210(kbps) lock_hit=0 default_class=2 n_active_class=3
    class-id=2 allocated-bandwidth=73720(kbps) guaranteed-bandwidth=73720(kbps) max-bandwidth=73720(kbps) current-bandwidth=0(kbps) priority=low forwarded_bytes=52 dropped_packets=0 dropped_bytes=0
    class-id=3 allocated-bandwidth=221163(kbps) guaranteed-bandwidth=221162(kbps) max-bandwidth=294883(kbps) current-bandwidth=0(kbps) priority=medium forwarded_bytes=0 dropped_packets=0 dropped_bytes=0
    class-id=4 allocated-bandwidth=442325(kbps) guaranteed-bandwidth=147441(kbps) max-bandwidth=442325(kbps) current-bandwidth=0(kbps) priority=high forwarded_bytes=0 dropped_packets=0 dropped_bytes=0
    ------------------------------------------------------
    name=hub-phase1_1 ver=2 serial=d 172.16.200.1:0->172.16.200.2:0 tun_id=172.16.200.2 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
    ...
    egress traffic control: bandwidth=726813(kbps) lock_hit=0 default_class=2 n_active_class=3
    class-id=2 allocated-bandwidth=72681(kbps) guaranteed-bandwidth=72681(kbps) max-bandwidth=72681(kbps) current-bandwidth=0(kbps) priority=low forwarded_bytes=123 dropped_packets=0 dropped_bytes=0
    class-id=3 allocated-bandwidth=218044(kbps) guaranteed-bandwidth=218043(kbps) max-bandwidth=290725(kbps) current-bandwidth=0(kbps) priority=medium forwarded_bytes=0 dropped_packets=0 dropped_bytes=0
    class-id=4 allocated-bandwidth=436087(kbps) guaranteed-bandwidth=145362(kbps) max-bandwidth=436087(kbps) current-bandwidth=0(kbps) priority=high forwarded_bytes=0 dropped_packets=0 dropped_bytes=0
Each child tunnel gets its own bandwidth figure from the speed test (737210 kbps on hub-phase1_0, 726813 kbps on hub-phase1_1). For class ID 2, the guaranteed and maximum bandwidths equal 10% of that result, as expected; in the same way, class ID 3 shows 30% guaranteed and 40% maximum, and class ID 4 shows 20% guaranteed and 60% maximum, each computed from its own tunnel's measured bandwidth.
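Rather than checking the percentages by hand on every child tunnel, the following Python script (an added example, not FortiOS code or part of the original page) parses the egress traffic control section of diagnose vpn tunnel list output and compares each child tunnel's guaranteed and maximum bandwidth with the profile_1 percentages, flags classes the profile does not define, and confirms that the total allocated bandwidth does not exceed what the speed test measured. The sample output embedded in it is constructed from the excerpt above; a third tunnel, hub-phase1_2, is invented for the example with class 3 deliberately set to the wrong percentage, to show how a mismatch is reported. The 2 kbps tolerance allows for the rounding seen above (73720 kbps against 10% of 737210).

```python
import re
from dataclasses import dataclass, field

# Shaping profile "profile_1" from this page: class-id -> (guaranteed %, maximum %).
PROFILE_1 = {2: (10, 10), 3: (30, 40), 4: (20, 60)}
PROFILE_1_DEFAULT_CLASS = 2

# Constructed sample, abridged from the page's "diagnose vpn tunnel list" output.
# hub-phase1_2 is invented for this example: its class 3 carries 50%/50% instead
# of the profile's 30%/40%, so the check is expected to flag it.
SAMPLE_OUTPUT = """\
name=hub-phase1_0 ver=2 serial=c 172.16.200.1:0->172.16.200.4:0 tun_id=172.16.200.4 dst_mtu=1500 dpd-link=on
egress traffic control: bandwidth=737210(kbps) lock_hit=0 default_class=2 n_active_class=3
class-id=2 allocated-bandwidth=73720(kbps) guaranteed-bandwidth=73720(kbps) max-bandwidth=73720(kbps) current-bandwidth=0(kbps) priority=low forwarded_bytes=52 dropped_packets=0 dropped_bytes=0
class-id=3 allocated-bandwidth=221163(kbps) guaranteed-bandwidth=221162(kbps) max-bandwidth=294883(kbps) current-bandwidth=0(kbps) priority=medium forwarded_bytes=0 dropped_packets=0 dropped_bytes=0
class-id=4 allocated-bandwidth=442325(kbps) guaranteed-bandwidth=147441(kbps) max-bandwidth=442325(kbps) current-bandwidth=0(kbps) priority=high forwarded_bytes=0 dropped_packets=0 dropped_bytes=0
name=hub-phase1_1 ver=2 serial=d 172.16.200.1:0->172.16.200.2:0 tun_id=172.16.200.2 dst_mtu=1500 dpd-link=on
egress traffic control: bandwidth=726813(kbps) lock_hit=0 default_class=2 n_active_class=3
class-id=2 allocated-bandwidth=72681(kbps) guaranteed-bandwidth=72681(kbps) max-bandwidth=72681(kbps) current-bandwidth=0(kbps) priority=low forwarded_bytes=123 dropped_packets=0 dropped_bytes=0
class-id=3 allocated-bandwidth=218044(kbps) guaranteed-bandwidth=218043(kbps) max-bandwidth=290725(kbps) current-bandwidth=0(kbps) priority=medium forwarded_bytes=0 dropped_packets=0 dropped_bytes=0
class-id=4 allocated-bandwidth=436087(kbps) guaranteed-bandwidth=145362(kbps) max-bandwidth=436087(kbps) current-bandwidth=0(kbps) priority=high forwarded_bytes=0 dropped_packets=0 dropped_bytes=0
name=hub-phase1_2 ver=2 serial=e 172.16.200.1:0->172.16.200.3:0 tun_id=172.16.200.3 dst_mtu=1500 dpd-link=on
egress traffic control: bandwidth=500000(kbps) lock_hit=0 default_class=2 n_active_class=3
class-id=2 allocated-bandwidth=50000(kbps) guaranteed-bandwidth=50000(kbps) max-bandwidth=50000(kbps) current-bandwidth=0(kbps) priority=low forwarded_bytes=0 dropped_packets=0 dropped_bytes=0
class-id=3 allocated-bandwidth=150000(kbps) guaranteed-bandwidth=250000(kbps) max-bandwidth=250000(kbps) current-bandwidth=0(kbps) priority=medium forwarded_bytes=0 dropped_packets=0 dropped_bytes=0
class-id=4 allocated-bandwidth=300000(kbps) guaranteed-bandwidth=100000(kbps) max-bandwidth=300000(kbps) current-bandwidth=0(kbps) priority=high forwarded_bytes=0 dropped_packets=0 dropped_bytes=0
"""

KV_RE = re.compile(r"([\w-]+)=(\S+)")


@dataclass
class TunnelClass:
    class_id: int
    allocated: int   # kbps actually handed to the class on this child tunnel
    guaranteed: int  # kbps, should be guaranteed-bandwidth-percentage of the tunnel bandwidth
    maximum: int     # kbps, should be maximum-bandwidth-percentage of the tunnel bandwidth


@dataclass
class Tunnel:
    name: str
    bandwidth: int = 0      # egress bandwidth populated from the speed test, kbps
    default_class: int = 0
    classes: dict = field(default_factory=dict)


def _kv(line):
    """Turn 'key=value key=value ...' into a dict, dropping the '(kbps)' unit suffix."""
    return {k: v.replace("(kbps)", "") for k, v in KV_RE.findall(line)}


def parse_tunnel_list(text):
    """Extract the egress traffic control block of every child tunnel in the output."""
    tunnels, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("name="):
            current = Tunnel(name=_kv(line)["name"])
            tunnels.append(current)
        elif current is None:
            continue
        elif line.startswith("egress traffic control:"):
            kv = _kv(line)
            current.bandwidth = int(kv["bandwidth"])
            current.default_class = int(kv["default_class"])
        elif line.startswith("class-id="):
            kv = _kv(line)
            cid = int(kv["class-id"])
            current.classes[cid] = TunnelClass(cid, int(kv["allocated-bandwidth"]),
                                               int(kv["guaranteed-bandwidth"]), int(kv["max-bandwidth"]))
    return tunnels


def check_tunnel(tunnel, profile=PROFILE_1, default_class=PROFILE_1_DEFAULT_CLASS, tolerance_kbps=2):
    """Return discrepancies between one child tunnel and the profile; an empty list means it matches."""
    if tunnel.bandwidth <= 0:
        return [f"{tunnel.name}: no egress bandwidth yet (speed test result not applied)"]
    problems = []
    if tunnel.default_class != default_class:
        problems.append(f"{tunnel.name}: default class {tunnel.default_class}, profile says {default_class}")
    for cid, (g_pct, m_pct) in profile.items():
        cls = tunnel.classes.get(cid)
        if cls is None:
            problems.append(f"{tunnel.name}: class {cid} missing")
            continue
        for label, observed, pct in (("guaranteed", cls.guaranteed, g_pct), ("max", cls.maximum, m_pct)):
            expected = tunnel.bandwidth * pct // 100   # the FortiGate rounds down by up to 1 kbps
            if abs(observed - expected) > tolerance_kbps:
                problems.append(f"{tunnel.name}: class {cid} {label}={observed} kbps, "
                                f"expected {pct}% of {tunnel.bandwidth} = {expected}")
    for cid in tunnel.classes:
        if cid not in profile:
            problems.append(f"{tunnel.name}: class {cid} not in profile")
    allocated = sum(c.allocated for c in tunnel.classes.values())
    if allocated > tunnel.bandwidth:  # policing must never hand out more than the tunnel measured
        problems.append(f"{tunnel.name}: allocated {allocated} kbps exceeds tunnel bandwidth {tunnel.bandwidth}")
    return problems


def check_all(text):
    """Map each child tunnel name to its list of discrepancies."""
    return {t.name: check_tunnel(t) for t in parse_tunnel_list(text)}
```

Feed it the real output of diagnose vpn tunnel list on the hub (for example, pasted into a file and read into check_all); a tunnel that reports "no egress bandwidth yet" has not received a speed test result, and any class whose guaranteed or maximum value is off by more than the tolerance points at a profile or policy that differs from the one you expect to be applied to the interface.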