Quality of service
Quality of service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.
QoS involves the following elements:
- Classification is the process of determining the priority of a packet. This can be as simple as trusting the QoS markings in the packet header when it is received and so accept the packet. Alternatively, it can hinge on criteria (such as incoming port, VLAN, or service) that are defined by the network administrator.
- Marking involves setting bits in the packet header to indicate the priority of this packet.
- Queuing involves defining priority queues to ensure that packets marked as high priority take precedence over those marked as lower priority. If network congestion becomes so severe that packet drops are inevitable, the queuing process will also select the packets to drop.
The FortiSwitch unit supports the following QoS configuration capabilities:
- Mapping the IEEE 802.1p and layer-3 QoS values (Differentiated Services and IP Precedence) to an outbound QoS queue number.
- Providing eight egress queues on each port.
- Policing the maximum data rate of egress traffic on the interface.
NOTE: There are some differences in QoS configuration on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models:
- You can configure only one dot1p-map per switch.
- You can configure only one ip-dscp-map per switch.
- You cannot set min-rate, min-rate-percent, drop-policy, or wred-slope under the config switch qos qos-policy command.
- Under the config switch qos qos-policy command, the switch rounds the max-rate value to the nearest multiple of 16 internally. If the rounding result is 0, max-rate is disabled internally.
- You cannot configure priority tagging on outgoing frames (egress-pri-tagging) under the config switch qos dot1p-map command.
- You can configure only one QoS drop policy per switch. You can configure the QoS drop policy under the config switch global command. You can specify random early detection (RED) with the set qos-drop-policy random-early-detection command.
- You can set the QoS RED/WRED drop probability (qos-red-probability) under the config switch global command. The FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, and FS-124E-FPOE models support 0-100 percent. The FS-148E, FS-148E-POE, and FS-148E-FPOE models support 0-25 percent.
- Adaptive or active RED (ARED) and robust RED (RRED) are not supported.
This chapter covers the following topics:
- Classification
- Marking
- Queuing
- Determining the egress queue
- Configuring FortiSwitch QoS
- Checking the QoS statistics
- Clearing and restoring QoS statistics
Classification
The IEEE 802.1p standard defines a class of service (CoS) value (ranging from 0-7) that is included in the Ethernet frame. The Internet Protocol defines the layer-3 QoS values that are carried in the IP packet (Differentiated Services, IP Precedence). The FortiSwitch unit provides configurable mappings from CoS or IP-DSCP values to egress queue values.
Fortinet recommends that you do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to trust both Dot1p and IP-DSCP, the switch uses the latter value (DSCP) to determine the queue. The switch will use the Dot1p value and mapping only if the packet contains no DSCP value. For details, refer to Determining the egress queue.
Marking
FortiSwitchOS supports two ways to indicate the priority of outgoing packets:
- CoS marking: The priority is set with the CoS value of the 802.1Q tag. The range of CoS values is 0-7.
- Differentiated services code point (DSCP) marking: The priority is set with the DSCP value in the IP header. The range of DSCP values is 0-63.
You can use one of these methods or both methods.
Whether the CoS or DSCP values of inbound packets are remarked is subject to the classification by ACL rules for the ingress interfaces. When CoS or DSCP marking takes place, the outbound queuing is not impacted, meaning it is still based on trust maps and the original CoS or DSCP values, as described in Determining the egress queue.
The following example shows how to use the CLI to configure an ACL policy to mark the CoS and DSCP values of inbound packets to 4 and 48 on port1 when their CoS values are 2:
config switch acl ingress
edit 10
config action
set count enable
set remark-cos 4
set remark-dscp 48
end
config classifier
set cos 2
end
set ingress-interface "port1"
set status active
next
end
Queuing
Queuing determines how queued packets on an egress port are served. Each egress port supports eight queues, and three scheduling modes are available:
- Strict Scheduling: The queues are served in descending order (of queue number), so higher number queues receive higher priority. Queue7 has the highest priority, and queue0 has the lowest priority. The purpose of the strict scheduling mode is to provide lower latency service to higher classes of traffic. However, if the interface experiences congestion, the lower priority traffic could be starved.
- Simple Round Robin (RR): In round robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one. The purpose of round robin scheduling is to provide fair access to the egress port bandwidth.
- Weighted Round Robin (WRR): Each of the eight egress queues is assigned a weight value ranging from 0 to 63. The purpose of weighted round robin scheduling is to provide prioritized access to the egress port bandwidth, such that queues with higher weight get more of the bandwidth, but lower priority traffic is not starved.
A drop policy determines what happens when a queue is full or exceeds a minimum threshold. Depending on your switch model, you can select from one of two drop policies:
- The tail-drop drop policy is the default and is available on all platforms. When a queue is full, additional incoming packets are dropped until there is space available in the queue.
- The random early detection (RED) drop policy is available on 124D, 2xx, and 4xxD models. When the queue size exceeds the minimum threshold, packets are dropped at a constant rate until the queue is full. Using the RED drop policy helps improve the throughput during network congestion.
- The weighted random early detection (WRED) drop policy is an advanced version of RED and is available on 4xxE, 5xx, 1xxx, and 3xxx models. When the queue size exceeds the threshold, the WRED slope controls the rate at which packets are dropped until the queue is full. The drop rate increases when the queue buffer usage increases. If you select weighted-random-early-detection in the CLI, you can enable explicit congestion notification (ECN) marking to indicate that congestion is occurring without just dropping packets.
Determining the egress queue
To determine the egress queue value for the packet, the FortiSwitch unit uses the configured trust values (and mappings) on the port and the QoS/CoS fields in the packet.
Packets with DSCP and CoS values
If the port is set to trust DSCP, the switch uses this value to find the queue assignment in the DSCP map for the port.
If the port is set to trust Dot1p and not to trust DSCP, the switch uses the packet’s CoS value to look up the queue assignment in the Dot1p map for the port.
If the port is not set to trust Dot1p, the switch uses the default queue 0.
Packets with a CoS value but no DSCP value
The switch ignores the trust DSCP value.
- If the port is set to trust Dot1p, the switch uses the packet’s CoS value to look up the queue assignment in the Dot1p map for the port.
- If the port is not set to trust Dot1p, the switch uses the default queue 0.
Packets with a DSCP value but no CoS value
If the port is set to trust DSCP, the switch uses the packet’s DSCP value to look up the queue assignment in the DSCP map for the port.
If the port is set to trust Dot1p but not to trust DSCP, the switch uses the default CoS value of the port to look up the queue assignment in the Dot1p map for the port.
If the port is not set to trust Dot1p, the switch uses the default queue 0.
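The decision rules above, written out as an added Python example (not Fortinet code) that an auditor can use to see which queue a given marking reaches on a port. The PortQos class and function names are hypothetical, the maps are copied from this page's "test1" and "m1" examples, and two behaviours are assumptions: DSCP values missing from a map fall to queue 0, and a packet with neither field uses the port's default CoS.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_QUEUE = 0  # queue used when no trust map applies

@dataclass
class PortQos:
    """Hypothetical model of one port's QoS trust settings (not a FortiSwitchOS API)."""
    dot1p_map: Optional[Dict[int, int]] = None  # CoS -> queue; None = trust-dot1p-map unset
    dscp_map: Optional[Dict[int, int]] = None   # DSCP -> queue; None = trust-ip-dscp-map unset
    default_cos: int = 0                        # value of "set default-cos"

def egress_queue(port: PortQos, cos: Optional[int] = None,
                 dscp: Optional[int] = None) -> Tuple[int, str]:
    """Return (queue, rule); cos/dscp are None when the packet lacks that field."""
    if dscp is not None and port.dscp_map is not None:
        # Trusted DSCP wins over Dot1p. Assumption: unmapped DSCP values use queue 0.
        return port.dscp_map.get(dscp, DEFAULT_QUEUE), "dscp-map"
    if port.dot1p_map is not None:
        # No trusted DSCP: use the packet's CoS, or the port default CoS if there is none.
        effective = cos if cos is not None else port.default_cos
        return port.dot1p_map.get(effective, DEFAULT_QUEUE), "dot1p-map"
    return DEFAULT_QUEUE, "default-queue"

def markings_reaching(port: PortQos, queue: int) -> List[str]:
    """List every sender-controlled marking that lands in `queue` on this port."""
    hits = []
    if port.dscp_map is not None:
        hits += [f"dscp {d}" for d in range(64) if egress_queue(port, dscp=d)[0] == queue]
    if port.dot1p_map is not None:
        hits += [f"cos {c}" for c in range(8) if egress_queue(port, cos=c)[0] == queue]
    return hits

# Maps taken from the page's "test1" and "m1" examples (entry "e2": raw value 13 -> queue 3).
TEST1 = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}
M1 = {13: 3}

if __name__ == "__main__":
    both = PortQos(dot1p_map=TEST1, dscp_map=M1)
    print(egress_queue(both, cos=5, dscp=13))  # DSCP is trusted, so CoS 5 is ignored
    print(egress_queue(both, cos=5))           # no DSCP value: Dot1p map decides
    print(markings_reaching(PortQos(dot1p_map=TEST1), 7))
```

Running markings_reaching against queue 7 for each access port shows which host-set markings would share the queue that the switch uses for network control traffic.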
Configuring FortiSwitch QoS
FortiSwitch uses “queue-7” for network control and critical management traffic. To avoid affecting critical network control and management traffic when configuring QoS, either do not oversubscribe queue-7 or avoid using queue-7 for data traffic.
This section provides procedures for the following configuration tasks:
- Configure an 802.1p map
- Configure a DSCP map
- Configure the QoS egress policy
- Configure the egress drop mode
- Configure the switch ports
- Configure QoS on trunks
- Configure QoS on VLANs
- Configure CoS and DSCP markings
Configure an 802.1p map
Using the GUI:
- Go to Switch > QoS > 802.1p.
- Select Add Map.
- Enter the name of your 802.1p map.
- Enter a description of your 802.1p map.
- Select the queue number for each priority.
- Select Add Map.
Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.
Using the CLI:
You can configure an 802.1p map, which defines a mapping between IEEE 802.1p CoS values (from incoming packets on a trusted interface) and the egress queue values.
If you want to enable priority tagging on outgoing frames, enable the egress-pri-tagging option. This option is disabled by default.
NOTE: “Priority tagging” refers to adding a VLAN tag to untagged traffic with VLAN 0 and a valid priority value. If the port is configured to transmit packets with a valid VLAN, priority tagging is not applicable.
config switch qos dot1p-map
edit <dot1p map name>
set description <text>
set [priority-0|priority-1|priority-2|....priority-7] <queue number>
set egress-pri-tagging {disable | enable}
next
end
For example:
config switch qos dot1p-map
edit "test1"
set priority-0 queue-2
set priority-1 queue-0
set priority-2 queue-1
set priority-3 queue-3
set priority-4 queue-4
set priority-5 queue-5
set priority-6 queue-6
set priority-7 queue-7
set egress-pri-tagging enable
next
end
Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.
Use the set default-cos command to set a different default CoS value, ranging from 0 to 7:
config switch interface
edit port1
set default-cos <0-7>
next
end
NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.
Configure a DSCP map
A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values.
Using the GUI:
- Go to Switch > QoS > IP/DSCP.
- Select Add Map.
- Enter the name of your DSCP map.
- Enter a description of your DSCP map.
- Select which queue to configure.
- Select the differentiated services to use.
- Select the IP precedence to use.
- Enter the raw values to use.
- Select Add Map.
Using the CLI:
config switch qos ip-dscp-map
edit <ip-dscp map name>
set description <text>
config map
edit <entry-name1>
set diffserv [ AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF ]
set ip-precedence [ Network Control | Internetwork Control | Critic/ECP | Flash Override | Flash | Immediate | Priority | Routine ]
set value <dscp raw value>
set cos-queue <queue number>
next
end
end
The following example defines a mapping for two of the DSCP values:
config switch qos ip-dscp-map
edit "m1"
config map
edit "e1"
set cos-queue 0
set ip-precedence Immediate
next
edit "e2"
set cos-queue 3
set value 13
next
end
next
end
Configure the QoS egress policy
In a QoS egress policy, you set the scheduling mode (Strict, Round Robin, or Weighted Round Robin) for the policy, and configure one or more CoS queues.
The QoS egress policy includes the following settings:
- min-rate (minimum rate in kbps) or min-rate-percent (minimum percentage)
- max-rate (maximum rate in kbps) or max-rate-percent (maximum percentage)
- drop policy: tail drop, RED, or WRED
- weight value (applicable if the policy schedule is weighted)
Using the GUI:
- Go to Switch > QoS > Egress Policy.
- Select Add Policy.
- Enter the name of your QoS egress policy.
- Select the scheduling mode to use.
- For each queue, enter a description, select the drop policy to use, and enter the minimum rate in kbps, maximum rate in kbps, weight value, and WRED slope.
- Select Add.
Using the CLI:
config switch qos qos-policy
edit <policy_name>
set rate-by {kbps | percent}
set schedule {strict | round-robin | weighted}
config cos-queue
edit [queue-0 ... queue-7]
set description <text>
set drop-policy {taildrop | weighted-random-early-detection}
set ecn {enable | disable}
set max-rate <rate kbps>
set min-rate <rate kbps>
set max-rate-percent <percentage>
set min-rate-percent <percentage>
set weight <value>
set wred-slope <value>
next
end
next
end
Configure the egress drop mode
NOTE: The egress-drop-mode command is available only for the 1024/1048/3032/5xx series.
When there are too many packets going through the same egress port, you can choose whether packets are dropped on ingress or egress.
Use the following commands to set the drop mode:
config switch physical-port
edit <port>
set egress-drop-mode <disabled | enabled>
end
Variable | Description |
---|---|
disabled | Drop packets on ingress. |
enabled | Drop packets on egress. |
NOTE: Because too many packets are going through the same egress port, you might want to use the pause frame for flow control on the ingress side. To see the pause frame on ingress, enable the flow control “tx” on the ingress interface and disable egress-drop-mode on the egress interface.
Configure the switch ports
You can configure the following QoS settings on a switch port or a trunk:
- trust dot1p values on ingress traffic and the dot1p map to use
- trust ip-dscp values on ingress traffic and the ip-dscp map to use. (NOTE: Trust the dot1p values or the ip-dscp values but not both.)
- an egress policy for the interface
- a default CoS value (for packets with no CoS value)
If neither of the trust policies is configured on a port, the ingress traffic is mapped to queue 0 on the egress port.
If no egress policy is configured on a port, the FortiSwitch unit applies the default scheduling mode (that is, round-robin).
Using the GUI:
- Go to Switch > Interface > Physical.
- Select the switch port to update and then select Edit.
- Select the QoS egress policy in the QoS Policy drop-down list.
- Select the 802.1p map in the Trust 802.1p drop-down list.
- Select the DSCP map in the Trust IP-DSCP drop-down list.
- Select OK.
Using the CLI:
config switch interface
edit <port>
set trust-dot1p-map <map-name>
set trust-ip-dscp-map <map-name>
set qos-policy <policy-name>
set default-cos <default cos value 0-7>
next
end
NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.
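A configuration check for two recommendations on this page: keep data traffic out of queue-7, and do not trust both Dot1p and IP-DSCP on the same interface. This is an added Python example, not a Fortinet tool; the function names and the sample configuration (assembled from this page's own examples) are constructed for illustration, and the parser handles only the config/edit/set/next/end lines shown in this chapter.

```python
import shlex

def parse_settings(text):
    """Return (context, key, value) per 'set' line; context = enclosing config/edit names."""
    stack, settings = [], []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], " ".join(tok[1:])))
        elif tok[0] in ("next", "end"):
            if stack and stack[-1][0] == "edit":
                stack.pop()              # close the open 'edit' entry
            if tok[0] == "end" and stack:
                stack.pop()              # 'end' also closes the 'config' block
        elif tok[0] == "set" and len(tok) >= 3:
            settings.append((tuple(n for _, n in stack), tok[1], " ".join(tok[2:])))
    return settings

def audit(text):
    """Flag queue-7 assignments and interfaces that trust both Dot1p and DSCP."""
    findings, trusts = [], {}
    for ctx, key, value in parse_settings(text):
        section = ctx[0] if ctx else ""
        name = ctx[1] if len(ctx) > 1 else "?"
        if section == "switch qos dot1p-map" and key.startswith("priority-") and value == "queue-7":
            findings.append(f"{section} {name}: {key} -> queue-7")
        elif section in ("switch qos ip-dscp-map", "switch acl ingress") \
                and key == "cos-queue" and value == "7":
            findings.append(f"{section} {name}: cos-queue 7")
        elif section == "switch interface" and key in ("trust-dot1p-map", "trust-ip-dscp-map"):
            trusts.setdefault(name, set()).add(key)
    for port, keys in trusts.items():
        if len(keys) == 2:
            findings.append(f"switch interface {port}: trusts both Dot1p and DSCP")
    return findings

# Constructed sample, assembled from the configuration examples on this page.
SAMPLE = """
config switch qos dot1p-map
    edit "test1"
        set priority-7 queue-7
    next
end
config switch interface
    edit "port1"
        set trust-dot1p-map "test1"
        set trust-ip-dscp-map "m1"
    next
end
config switch acl ingress
    edit 1
        config action
            set cos-queue 7
        end
end
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Each finding is a prompt for review rather than an error: a queue-7 mapping is expected on links that carry network control traffic.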
Configure QoS on trunks
Configuring QoS on a trunk interface follows the same configuration steps as for a switch port (configure a Dot1p/DSCP map and an egress policy).
When you add a port to a trunk, the port inherits the QoS configuration of the trunk interface. A port member reverts to the default QoS configuration when it is removed from the trunk interface.
Using the GUI:
- Go to Switch > Interface > Trunk.
- Select the trunk to update and then select Edit.
- Select the QoS egress policy in the QoS Policy drop-down list.
- Select the 802.1p map in the Trust 802.1p drop-down list.
- Select the DSCP map in the Trust IP-DSCP drop-down list.
- Select OK.
Using the CLI:
The following example shows QoS configuration on a trunk interface:
config switch interface
edit "tr1"
set snmp-index 56
set trust-dot1p-map "dot1p_map1"
set default-cos 1
set qos-policy "p1"
next
end
When you configure an egress QoS policy with rate control on a trunk interface, that rate control value is applied to each port in the trunk interface. The FortiSwitch unit does not support an aggregate value for the whole trunk interface.
NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.
Configure QoS on VLANs
You can configure a CoS queue value for a VLAN by creating an ACL policy:
config switch acl ingress
edit 1
config action
set cos-queue 7
set count enable
end
config classifier
set vlan-id 200
end
set ingress-interface "port25"
set status active
end
Configure CoS and DSCP markings
You can classify a packet by matching the CoS value, DSCP value, or both CoS and DSCP values. You can also configure the action to set the CoS marking value, DSCP marking value, or both.
config switch acl ingress
edit <policy-id>
config classifier
set cos <802.1Q CoS value to match>
set dscp <DSCP value to match>
end
config action
set remark-cos <0-7>
set remark-dscp <0-63>
end
end
For example:
config switch acl ingress
edit 1
config classifier
set src-mac 11:22:33:44:55:66
set cos 2
set dscp 10
end
config action
set count enable
set remark-cos 4
set remark-dscp 20
end
set ingress-interface port2
set status active
end
Checking the QoS statistics
To check the statistics for the QoS queues for all ports:
diagnose switch physical-ports qos-stats list
To check the statistics for the QoS queues for specific ports:
diagnose switch physical-ports qos-stats list <list_of_ports>
NOTE: The output differs depending on the FortiSwitch model.
To view the real-time egress QoS queue rates for specific ports:
diagnose switch physical-ports qos-rates list <list_of_ports>
To view the real-time egress QoS queue rates for all ports:
diagnose switch physical-ports qos-rates list
NOTE: To stop the output, press CTRL+c.
Clearing and restoring QoS statistics
The diagnose switch physical-ports qos-stats clear command is supported only for the 1xxxD, 3xxxD, and 5xxD FortiSwitch models. The diagnose switch physical-ports qos-stats clear command is not available for the 4xxD, 4xxD-POE, 4xxD-FPOE, 2xxD, 2xxD-POE, or 2xxD-FPOE FortiSwitch models.
To clear the statistics for the QoS queues for all ports:
diagnose switch physical-ports qos-stats clear
To clear the statistics for the QoS queues for specified ports:
diagnose switch physical-ports qos-stats clear <list_of_ports>
To reset the QoS counters to zero (applies to all applications except SNMP) for the specified ports:
diagnose switch physical-ports qos-stats set-qos-counter-zero [<port_list>]
To restore the QoS counters to the hardware values for the specified ports:
diagnose switch physical-ports qos-stats set-qos-counter-revert [<port_list>]
For example:
diagnose switch physical-ports qos-stats clear 1,3,4-6
diagnose switch physical-ports qos-stats set-qos-counter-zero 2,4,7-9
diagnose switch physical-ports qos-stats set-qos-counter-revert 1,3-5,7