Administration Guide

DSCP tag-based traffic steering in SD-WAN

Differentiated Services Code Point (DSCP) tags can be used to categorize traffic for quality of service (QoS). SD-WAN traffic steering on an edge device can be provided based on the DSCP tags.

This section provides an example of DSCP tag-based traffic steering using secure SD-WAN. Traffic from the customer service and marketing departments at a headquarters is marked with separate DSCP tags by the core switch and passed to the edge FortiGate. The edge FortiGate reads the tags, then steers traffic to the preferred interfaces based on the defined SD-WAN rules.

VoIP and social media traffic are steered. VoIP traffic from the customer service department is more important than social media traffic. The edge FortiGate identifies the tagged traffic based on SD-WAN rules then steers the traffic:

  • VoIP traffic is marked with DSCP tag 011100 and steered to the VPN overlay with the lowest jitter, to provide the best quality voice communication with the remote PBX server.

  • Social media traffic is marked with the DSCP tag 001100 and steered to the internet connection with the lowest cost.
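The following added example (not part of the original guide and not FortiOS code) models the steering decision described above: it reads the DSCP field from a raw IPv4 header, ignores the two ECN bits that share the ToS byte, and picks a member by lowest jitter or lowest cost. The jitter samples and IP addresses are constructed, and the model leaves out everything else a real SD-WAN rule evaluates.

```python
import struct

# DSCP tags, zones, members and costs are taken from this page.
# The (label, zone, strategy) layout is an assumption made for this example.
RULES = {
    0b011100: ("VoIP", "Overlay", "jitter"),
    0b001100: ("Social media", "virtual-wan-link", "cost"),
}
ZONES = {
    "Overlay": ["Branch-HQ-A", "Branch-HQ-B"],
    "virtual-wan-link": ["Internet_A", "Internet_B"],
}
COST = {"Internet_A": 0, "Internet_B": 10}

def dscp_to_tos(dscp):
    """DSCP is the upper six bits of the IPv4 ToS byte; the lower two are ECN."""
    return (dscp & 0x3F) << 2

def dscp_of(packet):
    """Return the DSCP value of a raw IPv4 packet, ignoring the ECN bits."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[1] >> 2

def steer(packet, jitter_ms):
    """Pick the SD-WAN member for a packet; None means no DSCP rule matched."""
    rule = RULES.get(dscp_of(packet))
    if rule is None:
        return None
    _label, zone, strategy = rule
    metric = jitter_ms if strategy == "jitter" else COST
    return min(ZONES[zone], key=lambda member: metric[member])

def ipv4_header(tos):
    """Build a constructed 20-byte IPv4/UDP header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                       bytes([10, 0, 3, 10]), bytes([192, 0, 2, 20]))

if __name__ == "__main__":
    jitter = {"Branch-HQ-A": 12.4, "Branch-HQ-B": 3.1}  # constructed samples
    for tos in (0x70, 0x72, 0x30, 0x00):
        member = steer(ipv4_header(tos), jitter)
        print(f"ToS {tos:#04x} DSCP {tos >> 2:06b} -> {member}")
```

In a packet capture the two tags appear as ToS bytes 0x70 and 0x30 when the ECN bits are zero; the same DSCP value with ECN bits set (for example 0x72) still matches.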

The following is assumed to be already configured:

  • Two IPsec tunnels (IPsec VPNs):

    • Branch-HQ-A on Internet_A (port 1)

    • Branch-HQ-B on Internet_B (port 5)

  • Four SD-WAN members in two zones (Configuring the SD-WAN interface):

    • Overlay zone includes members Branch-HQ-A and Branch-HQ-B

    • virtual-wan-link zone includes members Internet_A and Internet_B

      Internet_A has a cost of 0 and Internet_B has a cost of 10. When using the lowest cost strategy, Internet_A will be preferred. Both members are participants in the Default_DNS performance SLA.

  • A static route that points to the SD-WAN interface (Adding a static route).

  • Two firewall policies:

    Name          SD-WAN-OUT          Overlay-OUT
    From          port3               port3
    To            virtual-wan-link    Overlay
    Source        all                 all
    Destination   all                 all
    Schedule      always              always
    Service       all                 all
    Action        Accept              Accept
    NAT           enabled             enabled

After the topology is configured, you can proceed with the configuration of the edge FortiGate:
