Quality of service

Quality of service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.

QoS involves the following elements:

  • Classification is the process of determining the priority of a packet. This can be as simple as trusting the QoS markings in the header of a received packet and accepting the packet as marked. Alternatively, it can hinge on criteria (such as incoming port, VLAN, or service) that are defined by the network administrator.
  • Marking involves setting bits in the packet header to indicate the priority of this packet.
  • Queuing involves defining priority queues to ensure that packets marked as high priority take precedence over those marked as lower priority. If network congestion becomes so severe that packet drops are inevitable, the queuing process will also select the packets to drop.

The FortiSwitch unit supports the following QoS configuration capabilities:

  • Mapping the IEEE 802.1p and layer-3 QoS values (Differentiated Services and IP Precedence) to an outbound QoS queue number.
  • Providing eight egress queues on each port.
  • Policing the maximum data rate of egress traffic on the interface.

NOTE: There are some differences in QoS configuration on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models:

  • You can configure only one dot1p-map per switch.
  • You can configure only one ip-dscp-map per switch.
  • You cannot set min-rate, min-rate-percent, drop-policy, or wred-slope under the config switch qos qos-policy command.
  • Under the config switch qos qos-policy command, the switch rounds the max-rate value to the nearest multiple of 16 internally. If the rounding result is 0, max-rate is disabled internally.
  • You cannot configure priority tagging on outgoing frames (egress-pri-tagging) under the config switch qos dot1p-map command.
  • You can configure only one QoS drop policy per switch. You can configure the QoS drop policy under the config switch global command. You can specify random early detection (RED) with the set qos-drop-policy random-early-detection command.
  • You can set the QoS RED/WRED drop probability (qos-red-probability) under the config switch global command. The FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, and FS-124E-FPOE models support 0-100 percent. The FS-148E, FS-148E-POE, and FS-148E-FPOE models support 0-25 percent.
  • Adaptive or active RED (ARED) and robust RED (RRED) are not supported.

Classification

The IEEE 802.1p standard defines a class of service (CoS) value (ranging from 0-7) that is included in the Ethernet frame. The Internet Protocol defines the layer-3 QoS values that are carried in the IP packet (Differentiated Services, IP Precedence). The FortiSwitch unit provides configurable mappings from CoS or IP-DSCP values to egress queue values.

Fortinet recommends that you do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to trust both Dot1p and IP-DSCP, the switch uses the latter value (DSCP) to determine the queue. The switch will use the Dot1p value and mapping only if the packet contains no DSCP value. For details, refer to Determining the egress queue.

Marking

FortiSwitchOS supports two ways to indicate the priority of outgoing packets:

  • CoS marking: The priority is set with the CoS value of the 802.1Q tag. The range of CoS values is 0-7.
  • Differentiated services code point (DSCP) marking: The priority is set with the DSCP value in the IP header. The range of DSCP values is 0-63.

You can use one of these methods or both methods.

Whether the CoS or DSCP values of inbound packets are remarked depends on how the ACL rules for the ingress interfaces classify them. When CoS or DSCP marking takes place, the outbound queuing is not affected: it is still based on the trust maps and the original CoS or DSCP values, as described in Determining the egress queue.

The following example shows how to use the CLI to configure an ACL policy to mark the CoS and DSCP values of inbound packets to 4 and 48 on port1 when their CoS values are 2:

config switch acl ingress
    edit 10
        config action
            set count enable
            set remark-cos 4
            set remark-dscp 48
        end
        config classifier
            set cos 2
        end
        set ingress-interface "port1"
        set status active
    next
end

Queuing

Queuing determines how queued packets on an egress port are served. Each egress port supports eight queues, and three scheduling modes are available:

  • Strict Scheduling: The queues are served in descending order (of queue number), so higher number queues receive higher priority. Queue7 has the highest priority, and queue0 has the lowest priority. The purpose of the strict scheduling mode is to provide lower latency service to higher classes of traffic. However, if the interface experiences congestion, the lower priority traffic could be starved.
  • Simple Round Robin (RR): In round robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one. The purpose of round robin scheduling is to provide fair access to the egress port bandwidth.
  • Weighted Round Robin (WRR): Each of the eight egress queues is assigned a weight value ranging from 0 to 63. The purpose of weighted round robin scheduling is to provide prioritized access to the egress port bandwidth, such that queues with higher weight get more of the bandwidth, but lower priority traffic is not starved.
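
The three scheduling modes can be compared with a small packet-count model. This is an added example, not Fortinet code: the function name, the backlog figures, and the weights are constructed, weighted round robin is modelled as "up to weight packets per visit", and weight 0 is not modelled because the page does not say how the switch treats it.

```python
from typing import List, Optional


def serve(backlog: List[int], schedule: str, slots: int,
          weights: Optional[List[int]] = None) -> List[int]:
    """Return packets sent per queue (index = queue number) after `slots`
    transmit opportunities on one congested egress port."""
    queues = list(backlog)
    sent = [0] * len(queues)
    order = range(len(queues) - 1, -1, -1)  # visit the highest queue first

    if schedule == "strict":
        # Always serve the highest-numbered backlogged queue.
        for _ in range(slots):
            q = next((i for i in order if queues[i]), None)
            if q is None:
                break
            queues[q] -= 1
            sent[q] += 1
        return sent

    if schedule == "round-robin":
        quota = [1] * len(queues)          # one packet per backlogged queue per visit
    elif schedule == "weighted":
        if (weights is None or len(weights) != len(queues)
                or min(weights) < 1 or max(weights) > 63):
            raise ValueError("model needs one weight in 1..63 per queue")
        quota = list(weights)              # up to `weight` packets per visit
    else:
        raise ValueError("unknown schedule: " + schedule)

    remaining = slots
    while remaining > 0 and any(queues):
        for q in order:
            burst = min(quota[q], queues[q], remaining)
            queues[q] -= burst
            sent[q] += burst
            remaining -= burst
    return sent


if __name__ == "__main__":
    congested = [100] * 8                  # constructed: every queue is backlogged
    for mode, w in (("strict", None), ("round-robin", None),
                    ("weighted", [1, 1, 1, 1, 2, 2, 4, 8])):
        print(mode.ljust(12), serve(congested, mode, 80, w))
```

Under strict scheduling every transmit slot goes to queue 7 while it has traffic, which is the starvation the list above warns about; the weighted run still gives the low queues a share.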

A drop policy determines what happens when a queue is full or exceeds a minimum threshold. Depending on your switch model, you can select from one of two drop policies:

  • The tail-drop drop policy is the default and is available on all platforms. When a queue is full, additional incoming packets are dropped until there is space available in the queue.
  • The random early detection (RED) drop policy is available on 124D, 2xx, and 4xxD models. When the queue size exceeds the minimum threshold, packets are dropped at a constant rate until the queue is full. Using the RED drop policy helps improve the throughput during network congestion.
  • The weighted random early detection (WRED) drop policy is an advanced version of RED and is available on 4xxE, 5xx, 1xxx, and 3xxx models. When the queue size exceeds the threshold, the WRED slope controls the rate at which packets are dropped until the queue is full. The drop rate increases when the queue buffer usage increases. If you select weighted-random-early-detection in the CLI, you can enable explicit congestion notification (ECN) marking to indicate that congestion is occurring without just dropping packets.

Determining the egress queue

To determine the egress queue value for the packet, the FortiSwitch unit uses the configured trust values (and mappings) on the port and the QoS/CoS fields in the packet.

Packets with DSCP and CoS values

If the port is set to trust DSCP, the switch uses this value to find the queue assignment in the DSCP map for the port.

If the port is set to trust Dot1p and not to trust DSCP, the switch uses the packet’s CoS value to look up the queue assignment in the Dot1p map for the port.

If the port is not set to trust Dot1p, the switch uses the default queue 0.

Packets with a CoS value but no DSCP value

The switch ignores the trust DSCP value.

  • If the port is set to trust Dot1p, the switch uses the packet’s CoS value to look up the queue assignment in the Dot1p map for the port.
  • If the port is not set to trust Dot1p, the switch uses the default queue 0.

Packets with a DSCP value but no CoS value

If the port is set to trust DSCP, the switch uses the packet’s DSCP value to look up the queue assignment in the DSCP map for the port.

If the port is set to trust Dot1p but not to trust DSCP, the switch uses the default CoS value of the port to look up the queue assignment in the Dot1p map for the port.

If the port is not set to trust Dot1p, the switch uses the default queue 0.
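
The three cases above collapse into one decision function. The following is an added example, not Fortinet code: the class and function names are hypothetical, the maps are the "test1" and "m1" examples from this page, and two behaviours are assumptions (DSCP values missing from a DSCP map go to queue 0, and a remark action only rewrites a field the packet already carries). It also shows the point made under Marking: an ACL remark changes the outgoing markings but not the queue.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Maps taken from the CLI examples on this page.
TEST1_DOT1P = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}  # dot1p-map "test1"
M1_DSCP = {13: 3}                                                # ip-dscp-map "m1", entry "e2"


@dataclass(frozen=True)
class Port:
    """Hypothetical model of one interface's QoS trust settings."""
    trust_dot1p_map: Optional[Dict[int, int]] = None    # None = Dot1p not trusted
    trust_ip_dscp_map: Optional[Dict[int, int]] = None  # None = DSCP not trusted
    default_cos: int = 0                                # "set default-cos"


@dataclass(frozen=True)
class Packet:
    cos: Optional[int] = None   # None = frame carries no CoS value
    dscp: Optional[int] = None  # None = packet carries no DSCP value


@dataclass(frozen=True)
class RemarkAcl:
    """Hypothetical model of an ingress ACL: CoS classifier plus remark actions."""
    match_cos: int
    remark_cos: Optional[int] = None
    remark_dscp: Optional[int] = None


def egress_queue(port: Port, pkt: Packet) -> int:
    # A trusted DSCP map wins, but only when the packet actually carries a DSCP value.
    if pkt.dscp is not None and port.trust_ip_dscp_map is not None:
        # Assumption: unmapped DSCP values fall back to queue 0,
        # as the page states for unmapped 802.1p priorities.
        return port.trust_ip_dscp_map.get(pkt.dscp, 0)
    if port.trust_dot1p_map is not None:
        # A packet without a CoS value is looked up with the port's default CoS.
        cos = pkt.cos if pkt.cos is not None else port.default_cos
        return port.trust_dot1p_map.get(cos, 0)
    return 0  # nothing trusted: default queue 0


def forward(port: Port, pkt: Packet,
            acl: Optional[RemarkAcl] = None) -> Tuple[int, Packet]:
    """Return (egress queue, packet as transmitted)."""
    queue = egress_queue(port, pkt)  # decided on the ORIGINAL markings
    out = pkt
    if acl is not None and pkt.cos == acl.match_cos:
        new_cos = acl.remark_cos if acl.remark_cos is not None else pkt.cos
        # Assumption: remark-dscp has no effect on a packet without a DSCP field.
        rewrite_dscp = acl.remark_dscp is not None and pkt.dscp is not None
        out = replace(pkt, cos=new_cos,
                      dscp=acl.remark_dscp if rewrite_dscp else pkt.dscp)
    return queue, out


if __name__ == "__main__":
    both = Port(trust_dot1p_map=TEST1_DOT1P, trust_ip_dscp_map=M1_DSCP)
    print(egress_queue(both, Packet(cos=5, dscp=13)))  # DSCP map decides
    print(egress_queue(both, Packet(cos=5)))           # no DSCP: Dot1p map decides
    acl = RemarkAcl(match_cos=2, remark_cos=4, remark_dscp=48)
    print(forward(Port(trust_dot1p_map=TEST1_DOT1P), Packet(cos=2, dscp=10), acl))
```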

Configuring FortiSwitch QoS

NOTE: FortiSwitch uses “queue-7” for network control and critical management traffic. To avoid affecting this traffic when configuring QoS, do not oversubscribe queue-7, or avoid using queue-7 for data traffic.

Configure an 802.1p map

Using the GUI:
  1. Go to Switch > QoS > 802.1p.
  2. Select Add Map.
  3. Enter the name of your 802.1p map.
  4. Enter a description of your 802.1p map.
  5. Select the queue number for each priority.
  6. Select Add Map.

Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.

Using the CLI:

You can configure an 802.1p map, which defines a mapping between IEEE 802.1p CoS values (from incoming packets on a trusted interface) and the egress queue values.

If you want to enable priority tagging on outgoing frames, enable the egress-pri-tagging option. This option is disabled by default.

NOTE: “Priority tagging” refers to adding a VLAN tag with VLAN 0 and a valid priority value to untagged traffic. If the port is configured to transmit packets with a valid VLAN, priority tagging is not applicable.

config switch qos dot1p-map
    edit <dot1p map name>
        set description <text>
        set [priority-0 | priority-1 | priority-2 | ... | priority-7] <queue number>
        set egress-pri-tagging {disable | enable}
    next
end

For example:

config switch qos dot1p-map
    edit "test1"
        set priority-0 queue-2
        set priority-1 queue-0
        set priority-2 queue-1
        set priority-3 queue-3
        set priority-4 queue-4
        set priority-5 queue-5
        set priority-6 queue-6
        set priority-7 queue-7
        set egress-pri-tagging enable
    next
end

Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.

Use the set default-cos command to set a different default CoS value, ranging from 0 to 7:

config switch interface
    edit port1
        set default-cos <0-7>
    next
end

NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.

Configure a DSCP map

A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values.

Using the GUI:
  1. Go to Switch > QoS > IP/DSCP.
  2. Select Add Map.
  3. Enter the name of your DSCP map.
  4. Enter a description of your DSCP map.
  5. Select which queue to configure.
  6. Select the differentiated services to use.
  7. Select the IP precedence to use.
  8. Enter the raw values to use.
  9. Select Add Map.

Using the CLI:

config switch qos ip-dscp-map
    edit <ip-dscp map name>
        set description <text>
        config map
            edit <entry-name1>
                set diffserv [AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF]
                set ip-precedence [Network Control | Internetwork Control | Critic/ECP | Flash Override | Flash | Immediate | Priority | Routine]
                set value <dscp raw value>
                set cos-queue <queue number>
            next
        end
    next
end

The following example defines a mapping for two of the DSCP values:

config switch qos ip-dscp-map
    edit "m1"
        config map
            edit "e1"
                set cos-queue 0
                set ip-precedence Immediate
            next
            edit "e2"
                set cos-queue 3
                set value 13
            next
        end
    next
end

Configure the QoS egress policy

In a QoS egress policy, you set the scheduling mode (Strict, Round Robin, or Weighted Round Robin) for the policy, and configure one or more CoS queues.

The QoS egress policy includes the following settings:

  • min-rate (minimum rate in kbps) or min-rate-percent (minimum percentage)
  • max-rate (maximum rate in kbps) or max-rate-percent (maximum percentage)
  • drop policy: tail drop, RED, or WRED
  • weight value (applicable if the policy schedule is weighted)

Using the GUI:
  1. Go to Switch > QoS > Egress Policy.
  2. Select Add Policy.
  3. Enter the name of your QoS egress policy.
  4. Select the scheduling mode to use.
  5. For each queue, enter a description, select the drop policy to use, and enter the minimum rate in kbps, maximum rate in kbps, weight value, and WRED slope.
  6. Select Add.

Using the CLI:

config switch qos qos-policy
    edit <policy_name>
        set rate-by {kbps | percent}
        set schedule {strict | round-robin | weighted}
        config cos-queue
            edit [queue-0 ... queue-7]
                set description <text>
                set drop-policy {taildrop | weighted-random-early-detection}
                set ecn {enable | disable}
                set max-rate <rate kbps>
                set min-rate <rate kbps>
                set max-rate-percent <percentage>
                set min-rate-percent <percentage>
                set weight <value>
                set wred-slope <value>
            next
        end
    next
end

Configure the egress drop mode

NOTE: The egress-drop-mode command is available only for the 1024/1048/3032/5xx series.

When there are too many packets going through the same egress port, you can choose whether packets are dropped on ingress or egress.

Use the following commands to set the drop mode:

config switch physical-port
    edit <port>
        set egress-drop-mode {disabled | enabled}
end

| Variable | Description |
|----------|-------------|
| disabled | Drop packets on ingress. |
| enabled | Drop packets on egress. |

NOTE: Because too many packets are going through the same egress port, you might want to use the pause frame for flow control on the ingress side. To see the pause frame on ingress, enable the flow control “tx” on the ingress interface and disable egress-drop-mode on the egress interface.

Configure the switch ports

You can configure the following QoS settings on a switch port or a trunk:

  • trust dot1p values on ingress traffic and the dot1p map to use
  • trust ip-dscp values on ingress traffic and the ip-dscp map to use. (NOTE: Trust the dot1p values or the ip-dscp values but not both.)
  • an egress policy for the interface
  • a default CoS value (for packets with no CoS value)

If neither of the trust policies is configured on a port, the ingress traffic is mapped to queue 0 on the egress port.

If no egress policy is configured on a port, the FortiSwitch unit applies the default scheduling mode (that is, round-robin).

Using the GUI:
  1. Go to Switch > Interface > Physical.
  2. Select the switch port to update and then select Edit.
  3. Select the QoS egress policy in the QoS Policy drop-down list.
  4. Select the 802.1p map in the Trust 802.1p drop-down list.
  5. Select the DSCP map in the Trust IP-DSCP drop-down list.
  6. Select OK.

Using the CLI:

config switch interface
    edit <port>
        set trust-dot1p-map <map-name>
        set trust-ip-dscp-map <map-name>
        set qos-policy <policy-name>
        set default-cos <default cos value 0-7>
    next
end

NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.
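
A configuration review aid for two cautions on this page (do not trust both Dot1p and DSCP on one interface, and keep data traffic out of queue-7) is sketched below. It is an added example, not Fortinet code: the parser handles only the config/edit/set/next/end structure shown on this page, and the sample configuration, function names, and finding names are constructed.

```python
import shlex
from typing import Dict, List, Tuple

SAMPLE_CONFIG = '''
config switch qos dot1p-map
    edit "test1"
        set priority-0 queue-2
        set priority-7 queue-7
    next
    edit "safe"
        set priority-7 queue-6
    next
end
config switch qos ip-dscp-map
    edit "m1"
        config map
            edit "e2"
                set cos-queue 3
                set value 13
            next
        end
    next
end
config switch acl ingress
    edit 1
        config action
            set cos-queue 7
        end
        set ingress-interface "port25"
    next
end
config switch interface
    edit "port1"
        set trust-dot1p-map "test1"
        set trust-ip-dscp-map "m1"
    next
    edit "port2"
        set trust-dot1p-map "safe"
    next
end
'''  # constructed sample, not taken from a real switch


def parse_config(text: str) -> Dict[Tuple[str, ...], Dict[str, str]]:
    """Map each (config path, entry, sub-table, ...) to its 'set' values."""
    tables: Dict[Tuple[str, ...], Dict[str, str]] = {}
    stack: List[Tuple[str, str]] = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(("config", " ".join(tok[1:])))
        elif tok[0] == "edit":
            stack.append(("edit", tok[1]))
        elif tok[0] == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif tok[0] == "end":
            while stack and stack[-1][0] == "edit":  # "end" without "next"
                stack.pop()
            if stack:
                stack.pop()
        elif tok[0] == "set" and len(tok) >= 3:
            key = tuple(name for _, name in stack)
            tables.setdefault(key, {})[tok[1]] = " ".join(tok[2:])
    return tables


def queue_num(value: str) -> int:
    return int(value.replace("queue-", ""))  # accepts "queue-7" and "7"


def audit(text: str) -> List[Tuple[str, str]]:
    cfg = parse_config(text)
    q7_maps = set()      # (kind, map name) for maps that can select queue-7
    findings = []
    for key, s in cfg.items():
        if key[0] == "switch qos dot1p-map" and len(key) == 2:
            if any(k.startswith("priority-") and queue_num(v) == 7 for k, v in s.items()):
                q7_maps.add(("dot1p", key[1]))
        elif key[0] == "switch qos ip-dscp-map" and len(key) == 4:
            if queue_num(s.get("cos-queue", "0")) == 7:
                q7_maps.add(("dscp", key[1]))
        elif key[0] == "switch acl ingress" and key[-1] == "action":
            if "cos-queue" in s and queue_num(s["cos-queue"]) == 7:
                port = cfg.get(key[:2], {}).get("ingress-interface", "?")
                findings.append((port, "ACL_TO_QUEUE7"))
    for key, s in cfg.items():
        if key[0] != "switch interface" or len(key) != 2:
            continue
        dot1p, dscp = s.get("trust-dot1p-map"), s.get("trust-ip-dscp-map")
        if dot1p and dscp:
            findings.append((key[1], "TRUST_BOTH"))
        if dot1p and ("dot1p", dot1p) in q7_maps:
            findings.append((key[1], "DOT1P_MAP_TO_QUEUE7"))
        if dscp and ("dscp", dscp) in q7_maps:
            findings.append((key[1], "DSCP_MAP_TO_QUEUE7"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in audit(SAMPLE_CONFIG):
        print(port, finding)
```

Each finding is a prompt for review rather than a fault: a port facing other network equipment may legitimately carry control traffic in queue-7, while a port facing end hosts that trusts a map reaching queue-7 lets the sender's own markings select it.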

Configure QoS on trunks

Configuring QoS on a trunk interface follows the same configuration steps as for a switch port (configure a Dot1p/DSCP map and an egress policy).

When you add a port to a trunk, the port inherits the QoS configuration of the trunk interface. A port member reverts to the default QoS configuration when it is removed from the trunk interface.

Using the GUI:
  1. Go to Switch > Interface > Trunk.
  2. Select the trunk to update and then select Edit.
  3. Select the QoS egress policy in the QoS Policy drop-down list.
  4. Select the 802.1p map in the Trust 802.1p drop-down list.
  5. Select the DSCP map in the Trust IP-DSCP drop-down list.
  6. Select OK.

Using the CLI:

The following example shows QoS configuration on a trunk interface:

config switch interface
    edit "tr1"
        set snmp-index 56
        set trust-dot1p-map "dot1p_map1"
        set default-cos 1
        set qos-policy "p1"
    next
end

When you configure an egress QoS policy with rate control on a trunk interface, that rate control value is applied to each port in the trunk interface. The FortiSwitch unit does not support an aggregate value for the whole trunk interface.

NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.

Configure QoS on VLANs

You can configure a CoS queue value for a VLAN by creating an ACL policy:

config switch acl ingress
    edit 1
        config action
            set cos-queue 7
            set count enable
        end
        config classifier
            set vlan-id 200
        end
        set ingress-interface "port25"
        set status active
end

Configure CoS and DSCP markings

You can classify a packet by matching the CoS value, DSCP value, or both CoS and DSCP values. You can also configure the action to set the CoS marking value, DSCP marking value, or both.

config switch acl ingress
    edit <policy-id>
        config classifier
            set cos <802.1Q CoS value to match>
            set dscp <DSCP value to match>
        end
        config action
            set remark-cos <0-7>
            set remark-dscp <0-63>
        end
    next
end

For example:

config switch acl ingress
    edit 1
        config classifier
            set src-mac 11:22:33:44:55:66
            set cos 2
            set dscp 10
        end
        config action
            set count enable
            set remark-cos 4
            set remark-dscp 20
        end
        set ingress-interface port2
        set status active
end

Checking the QoS statistics

To check the statistics for the QoS queues for all ports:

diagnose switch physical-ports qos-stats list

To check the statistics for the QoS queues for specific ports:

diagnose switch physical-ports qos-stats list <list_of_ports>

NOTE: The output differs depending on the FortiSwitch model.

To view the real-time egress QoS queue rates for specific ports:

diagnose switch physical-ports qos-rates list <list_of_ports>

To view the real-time egress QoS queue rates for all ports:

diagnose switch physical-ports qos-rates list

NOTE: To stop the output, press Ctrl+C.

Clearing and restoring QoS statistics

The diagnose switch physical-ports qos-stats clear command is supported only for the 1xxxD, 3xxxD, and 5xxD FortiSwitch models. The diagnose switch physical-ports qos-stats clear command is not available for the 4xxD, 4xxD-POE, 4xxD-FPOE, 2xxD, 2xxD-POE, or 2xxD-FPOE FortiSwitch models.

To clear the statistics for the QoS queues for all ports:

diagnose switch physical-ports qos-stats clear

To clear the statistics for the QoS queues for specified ports:

diagnose switch physical-ports qos-stats clear <list_of_ports>

To reset the QoS counters to zero (applies to all applications except SNMP) for the specified ports:

diagnose switch physical-ports qos-stats set-qos-counter-zero [<port_list>]

To restore the QoS counters to the hardware values for the specified ports:

diagnose switch physical-ports qos-stats set-qos-counter-revert [<port_list>]

For example:

diagnose switch physical-ports qos-stats clear 1,3,4-6

diagnose switch physical-ports qos-stats set-qos-counter-zero 2,4,7-9

diagnose switch physical-ports qos-stats set-qos-counter-revert 1,3-5,7

Quality of service

Quality of service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.

QoS involves the following elements:

  • Classification is the process of determining the priority of a packet. This can be as simple as trusting the QoS markings in the packet header when it is received and so accept the packet. Alternatively, it can hinge on criteria (such as incoming port, VLAN, or service) that are defined by the network administrator.
  • Marking involves setting bits in the packet header to indicate the priority of this packet.
  • Queuing involves defining priority queues to ensure that packets marked as high priority take precedence over those marked as lower priority. If network congestion becomes so severe that packet drops are inevitable, the queuing process will also select the packets to drop.

The FortiSwitch unit supports the following QoS configuration capabilities:

  • Mapping the IEEE 802.1p and layer-3 QoS values (Differentiated Services and IP Precedence) to an outbound QoS queue number.
  • Providing eight egress queues on each port.
  • Policing the maximum data rate of egress traffic on the interface.

NOTE: There are some differences in QoS configuration on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models:

  • You can configure only one dot1p-map per switch.
  • You can configure only one ip-dscp-map per switch.
  • You cannot set min-rate, min-rate-percent, drop-policy, or wred-slope under the config switch qos qos-policy command.
  • Under the config switch qos qos-policy command, the switch rounds the max-rate value to the nearest multiple of 16 internally. If the rounding result is 0, max-rate is disabled internally.
  • You cannot configure priority tagging on outgoing frames (egress-pri-tagging) under the config switch qos dot1p-map command.
  • You can configure only one QoS drop policy per switch. You can configure the QoS drop policy under the config switch global command. You can specify random early detection (RED) with the set qos-drop-policy random-early-detection command.
  • You can set the QoS RED/WRED drop probability (qos-red-probability) under the config switch global command. The FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, and FS-124E-FPOE models support 0-100 percent. The FS-148E, FS-148E-POE, and FS-148E-FPOE models support 0-25 percent.
  • Adaptive or active RED (ARED) and robust RED (RRED) are not supported.

This chapter covers the following topics:

Classification

The IEEE 802.1p standard defines a class of service (CoS) value (ranging from 0-7) that is included in the Ethernet frame. The Internet Protocol defines the layer-3 QoS values that are carried in the IP packet (Differentiated Services, IP Precedence). The FortiSwitch unit provides configurable mappings from CoS or IP-DSCP values to egress queue values.

Fortinet recommends that you do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to trust both Dot1p and IP-DSCP, the switch uses the latter value (DSCP) to determine the queue. The switch will use the Dot1p value and mapping only if the packet contains no DSCP value. For details, refer to Determining the egress queue .

Marking

FortiSwitchOS supports two ways to indicate the priority of outgoing packets:

  • CoS marking: The priority is set with the CoS value of the 802.1Q tag. The range of CoS values is 0-7.
  • Differential service code point (DSCP) marking: The priority is set with the DSCP value in the IP header. The range of DSCP values is 0-63.

You can use one of these methods or both methods.

Whether the CoS or DSCP values of inbound packets are remarked is subject to the classification by ACL rules for the ingress interfaces. When CoS or DSCP marking take place, the outbound queuing is not impacted, meaning it is still based on trust maps and the original CoS or DSCP values, as described in Determining the egress queue .

The following example shows how to use the CLI to configure an ACL policy to mark the CoS and DSCP values of inbound packets to 4 and 48 on port1 when their CoS values are 2:

config switch acl ingress

edit 10

config action

set count enable

set remark-cos 4

set remark-dscp 48

end

config classifier

set cos 2

end

set ingress-interface "port1"

set status active

next

end

Queuing

Queuing determines how queued packets on an egress port are served. Each egress port supports eight queues, and three scheduling modes are available:

  • Strict Scheduling: The queues are served in descending order (of queue number), so higher number queues receive higher priority. Queue7 has the highest priority, and queue0 has the lowest priority. The purpose of the strict scheduling mode is to provide lower latency service to higher classes of traffic. However, if the interface experiences congestion, the lower priority traffic could be starved.
  • Simple Round Robin (RR): In round robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one. The purpose of round robin scheduling is to provide fair access to the egress port bandwidth.
  • Weighted Round Robin (WRR): Each of the eight egress queues is assigned a weight value ranging from 0 to 63. The purpose of weighted round robin scheduling is to provide prioritized access to the egress port bandwidth, such that queues with higher weight get more of the bandwidth, but lower priority traffic is not starved.

A drop policy determines what happens when a queue is full or exceeds a minimum threshold. Depending on your switch model, you can select from one of two drop policies:

  • The tail-drop drop policy is the default and is available on all platforms. When a queue is full, additional incoming packets are dropped until there is space available in the queue.
  • The random early detection (RED) drop policy is available on 124D, 2xx, and 4xxD models. When the queue size exceeds the minimum threshold, packets are dropped at a constant rate until the queue is full. Using the RED drop policy helps improve the throughput during network congestion.
  • The weighted random early detection (WRED) drop policy is an advanced version of RED and is available on 4xxE, 5xx, 1xxx, and 3xxx models. When the queue size exceeds the threshold, the WRED slope controls the rate at which packets are dropped until the queue is full. The drop rate increases when the queue buffer usage increases. If you select weighted-random-early-detection in the CLI, you can enable explicit congestion notification (ECN) marking to indicate that congestion is occurring without just dropping packets.

Determining the egress queue

To determine the egress queue value for the packet, the FortiSwitch unit uses the configured trust values (and mappings) on the port and the QoS/CoS fields in the packet.

Packets with DSCP and CoS values

If the port is set to trust DSCP, the switch uses this value to find the queue assignment in the DSCP map for the port.

If the port is set to trust Dot1p and not to trust DSCP, the switch uses the packet’s CoS value to look up the queue assignment in the Dot1p map for the port.

If the port is not set to trust Dot1p, the switch uses the default queue 0.

Packets with a CoS value but no DSCP value

The switch ignores the trust DSCP value.

  • If the port is set to trust Dot1p, the switch uses the packet’s CoS value to look up the queue assignment in the Dot1p map for the port.
  • If the port is not set to trust Dot1p, the switch uses the default queue 0.

Packets with a DSCP value but no CoS value

If the port is set to trust DSCP, the switch uses the packet’s DSCP value to look up the queue assignment in the DSCP map for the port.

If the port is set to trust Dot1p but not to trust DSCP, the switch uses the default CoS value of the port to look up the queue assignment in the Dot1p map for the port.

If the port is not set to trust Dot1p, the switch uses the default queue 0.

Configuring FortiSwitch QoS

note icon FortiSwitch uses “queue-7” for network control and critical management traffic. To avoid affecting critical network control and management traffic, do not oversubscribe queue-7 or avoid using queue-7 for data traffic when configuring QoS.

This section provides procedures for the following configuration tasks:

Configure an 802.1p map

Using the GUI:
  1. Go to Switch > QoS > 802.1p.
  2. Select Add Map.
  3. Enter the name of your 802.1p map.
  4. Enter a description of your 802.1p map.
  5. Select the queue number for each priority.
  6. Select Add Map.

Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.

Using the CLI:

You can configure an 802.1p map, which defines a mapping between IEEE 802.1p CoS values (from incoming packets on a trusted interface) and the egress queue values.

If you want to enable priority tagging on outgoing frames, enable the egress-pri-tagging option. This option is disabled by default.

NOTE: “Priority tagging” refers to adding a VLAN tag to untagged traffic with with VLAN 0 and a valid priority value. If the port is configured to transmit packets with a valid VLAN, priority tagging is not applicable.

config switch qos dot1p-map

edit <dot1p map name>

set description <text>

set [priority-0|priority-1|priority-2|....priority-7] <queue number>

set egress-pri-tagging {disable | enable}

next

end

For example:

config switch qos dot1p-map

edit "test1"

set priority-0 queue-2

set priority-1 queue-0

set priority-2 queue-1

set priority-3 queue-3

set priority-4 queue-4

set priority-5 queue-5

set priority-6 queue-6

set priority-7 queue-7

set egress-pri-tagging enable

next

end

Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.

Use the set default-cos command to set a different default CoS value, ranging from 0 to 7:

config switch interface

edit port1

set default-cos <0-7>

NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.

Configure a DSCP map

A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values.

Using the GUI:
  1. Go to Switch > QoS > IP/DSCP.
  2. Select Add Map.
  3. Enter the name of your DCSP map.
  4. Enter a description of your DCSP map.
  5. Select which queue to configure.
  6. Select the differentiated services to use.
  7. Select the IP precedence to use.
  8. Enter the raw values to use.
  9. Select Add Map.
Using the CLI:

config switch qos ip-dscp-map

edit <ip-dscp map name>

set description <text>

config map

edit <entry-name1>

set diffserv [ [ AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF ]

set ip-precedence [ Network Control | Internetwork Control | Critic/ECP | Flash Override | Flash, Immediate | Priority | Routine ]

set value <dscp raw value>

set cos-queue <queue number>

next

end

end

The following example defines a mapping for two of the DSCP values:

config switch qos ip-dscp-map

edit "m1"

config map

edit "e1"

set cos-queue 0

set ip-precedence Immediate

next

edit "e2"

set cos-queue 3

set value 13

next

end

next

end

Configure the QoS egress policy

In a QoS egress policy, you set the scheduling mode (Strict, Round Robin, or Weighted Round Robin) for the policy, and configure one or more CoS queues.

The QoS egress policy includes the following settings:

  • min-rate (minimum rate in kbps) or min-rate-percent (minimum percentage)
  • max-rate (maximum rate in kbps) or max-rate-percent (maximum percentage)
  • drop policy: tail drop, RED, or WRED
  • weight value (applicable if the policy schedule is weighted)
Using the GUI:
  1. Go to Switch > QoS > Egress Policy.
  2. Select Add Policy.
  3. Enter the name of your QoS egress policy.
  4. Select the scheduling mode to use.
  5. For each queue, enter a description, select the drop policy to use, and enter the minimum rate in kbps, maximum rate in kbps, weight value, and WRED slope.
  6. Select Add.
Using the CLI:

config switch qos qos-policy

edit <policy_name>

set rate-by {kbps | percent}

set schedule {strict | round-robin | weighted}

config cos-queue

edit [queue-0 ... queue-7]

set description <text>

set drop-policy {taildrop | weighted-random-early-detection}

set ecn {enable | disable}

set max-rate <rate kbps>

set min-rate <rate kbps>

set max-rate-percent <percentage>

set min-rate-percent <percentage>

set weight <value>

set wred-slope <value>

next

end

next

end

Configure the egress drop mode

NOTE: The egress-drop-mode command is available only for the 1024/1048/3032/5xx series.

When there are too many packets going through the same egress port, you can choose whether packets are dropped on ingress or egress.

Use the following commands to set the drop mode:

config switch physical-port

edit <port>

set egress-drop-mode {disabled | enabled}

end

Variable    Description
disabled    Drop packets on ingress.
enabled     Drop packets on egress.

NOTE: When too many packets are going through the same egress port, you might want to use the pause frame for flow control on the ingress side. To see the pause frame on ingress, enable the flow control “tx” on the ingress interface and disable egress-drop-mode on the egress interface.

Configure the switch ports

You can configure the following QoS settings on a switch port or a trunk:

  • trust dot1p values on ingress traffic and the dot1p map to use
  • trust ip-dscp values on ingress traffic and the ip-dscp map to use. (NOTE: Trust the dot1p values or the ip-dscp values but not both.)
  • an egress policy for the interface
  • a default CoS value (for packets with no CoS value)

If neither of the trust policies is configured on a port, the ingress traffic is mapped to queue 0 on the egress port.

If no egress policy is configured on a port, the FortiSwitch unit applies the default scheduling mode (that is, round-robin).

Using the GUI:
  1. Go to Switch > Interface > Physical.
  2. Select the switch port to update and then select Edit.
  3. Select the QoS egress policy in the QoS Policy drop-down list.
  4. Select the 802.1p map in the Trust 802.1p drop-down list.
  5. Select the DSCP map in the Trust IP-DSCP drop-down list.
  6. Select OK.
Using the CLI:

config switch interface

edit <port>

set trust-dot1p-map <map-name>

set trust-ip-dscp-map <map-name>

set qos-policy <policy-name>

set default-cos <default cos value 0-7>

next

end

NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.
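
The rules above (trust dot1p or ip-dscp but not both, queue 0 when no trust map is set, round-robin when no egress policy is set) can be checked against a saved configuration. The following added example (not part of the FortiSwitch documentation) parses a config switch interface block and reports each interface that hits one of those cases. The function names are hypothetical and the sample configuration is constructed.

```python
# Constructed sample in the page's CLI syntax (not taken from a real device).
SAMPLE = """
config switch interface
    edit "port1"
        set trust-dot1p-map "dot1p_map1"
        set trust-ip-dscp-map "m1"
        set qos-policy "p1"
    next
    edit "port2"
        set default-cos 1
    next
end
"""

def parse_interfaces(text):
    """Return {interface: {setting: value}} for the 'config switch interface' table."""
    ports, current, depth = {}, None, 0  # depth 0 = outside, 1 = in table, >1 = nested config
    for line in map(str.strip, text.splitlines()):
        if depth == 0:
            depth = 1 if line == "config switch interface" else 0
        elif line.startswith("config "):
            depth += 1
        elif line == "end":
            depth, current = depth - 1, (current if depth > 1 else None)
        elif depth == 1 and line.startswith("edit "):
            current = ports.setdefault(line[5:].strip('" '), {})
        elif depth == 1 and line == "next":
            current = None
        elif depth == 1 and current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('" ')
    return ports

def audit(ports):
    """Check each interface against the rules stated on the page."""
    findings = []
    for name, cfg in ports.items():
        dot1p, dscp = "trust-dot1p-map" in cfg, "trust-ip-dscp-map" in cfg
        if dot1p and dscp:
            findings.append((name, "trusts both dot1p and ip-dscp; keep only one"))
        if not (dot1p or dscp):
            findings.append((name, "no trust map; ingress traffic is mapped to queue 0"))
        if "qos-policy" not in cfg:
            findings.append((name, "no qos-policy; default round-robin scheduling applies"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(parse_interfaces(SAMPLE)):
        print(f"{name}: {finding}")
```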

Configure QoS on trunks

Configuring QoS on a trunk interface follows the same configuration steps as for a switch port (configure a Dot1p/DSCP map and an egress policy).

When you add a port to a trunk, the port inherits the QoS configuration of the trunk interface. A port member reverts to the default QoS configuration when it is removed from the trunk interface.

Using the GUI:
  1. Go to Switch > Interface > Trunk.
  2. Select the trunk to update and then select Edit.
  3. Select the QoS egress policy in the QoS Policy drop-down list.
  4. Select the 802.1p map in the Trust 802.1p drop-down list.
  5. Select the DSCP map in the Trust IP-DSCP drop-down list.
  6. Select OK.
Using the CLI:

The following example shows QoS configuration on a trunk interface:

config switch interface

edit "tr1"

set snmp-index 56

set trust-dot1p-map "dot1p_map1"

set default-cos 1

set qos-policy "p1"

next

end

When you configure an egress QoS policy with rate control on a trunk interface, that rate control value is applied to each port in the trunk interface. The FortiSwitch unit does not support an aggregate value for the whole trunk interface.

NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.

Configure QoS on VLANs

You can configure a CoS queue value for a VLAN by creating an ACL policy:

config switch acl ingress

edit 1

config action

set cos-queue 7

set count enable

end

config classifier

set vlan-id 200

end

set ingress-interface "port25"

set status active

end

Configure CoS and DSCP markings

You can classify a packet by matching the CoS value, DSCP value, or both CoS and DSCP values. You can also configure the action to set the CoS marking value, DSCP marking value, or both.

config switch acl ingress

edit <policy-id>

config classifier

set cos <802.1Q CoS value to match>

set dscp <DSCP value to match>

end

config action

set remark-cos <0-7>

set remark-dscp <0-63>

end

end

For example:

config switch acl ingress

edit 1

config classifier

set src-mac 11:22:33:44:55:66

set cos 2

set dscp 10

end

config action

set count enable

set remark-cos 4

set remark-dscp 20

end

set ingress-interface port2

set status active

end

Checking the QoS statistics

To check the statistics for the QoS queues for all ports:

diagnose switch physical-ports qos-stats list

To check the statistics for the QoS queues for specific ports:

diagnose switch physical-ports qos-stats list <list_of_ports>

NOTE: The output differs depending on the FortiSwitch model.

To view the real-time egress QoS queue rates for specific ports:

diagnose switch physical-ports qos-rates list <list_of_ports>

To view the real-time egress QoS queue rates for all ports:

diagnose switch physical-ports qos-rates list

NOTE: To stop the output, press Ctrl+C.

Clearing and restoring QoS statistics

The diagnose switch physical-ports qos-stats clear command is supported only for the 1xxxD, 3xxxD, and 5xxD FortiSwitch models. It is not available for the 4xxD, 4xxD-POE, 4xxD-FPOE, 2xxD, 2xxD-POE, or 2xxD-FPOE FortiSwitch models.

To clear the statistics for the QoS queues for all ports:

diagnose switch physical-ports qos-stats clear

To clear the statistics for the QoS queues for specified ports:

diagnose switch physical-ports qos-stats clear <list_of_ports>

To reset the QoS counters to zero (applies to all applications except SNMP) for the specified ports:

diagnose switch physical-ports qos-stats set-qos-counter-zero [<port_list>]

To restore the QoS counters to the hardware values for the specified ports:

diagnose switch physical-ports qos-stats set-qos-counter-revert [<port_list>]

For example:

diagnose switch physical-ports qos-stats clear 1,3,4-6

diagnose switch physical-ports qos-stats set-qos-counter-zero 2,4,7-9

diagnose switch physical-ports qos-stats set-qos-counter-revert 1,3-5,7