DiffServ Codepoint Marking: Click the checkbox to enable DSCP. Differentiated Services (DiffServ) is a system for tagging (or "marking") traffic at a position within a hierarchy of priority. Selecting this option maps the eight ScreenOS priority levels (IP Precedence) to the DiffServ system. The highest priority (priority 0) maps to 111 in the DS byte (see RFC 2474) or TOS byte (see RFC 1349) in the IP packet header and the lowest priority (priority 8) maps to 000.
Some devices require that you explicitly enable DSCP marking by setting a system-wide environment variable. Refer to your hardware manual to find out whether your device requires this before you use DSCP marking in policies. If it does, use the following CLI command to enable DSCP marking system-wide: set envar ipsec-dscp-mark=yes. This variable cannot be set using the WebUI. Use the unset envar ipsec-dscp-mark command to disable DSCP marking system-wide.
Warning: This feature is CPU-intensive and, under certain high-traffic-volume conditions, can cause high CPU utilization.
DSCP marking is supported on all platforms and can be configured with traffic shaping or independently. The following tables describe how DSCP marking works in all scenarios.
DSCP Marking for Clear-Text Traffic
| Description | Action |
| --- | --- |
| Clear packet with no marking on the policy. | No marking. |
| Clear packet with marking on the policy. | The packet is marked based on the policy. |
| Pre-marked packet with no marking on the policy. | Retain marking in the packet. |
| Pre-marked packet with marking on the policy. | Overwrite marking in the packet based on the policy. |
DSCP Marking for Policy-Based VPNs
| Description | Action |
| --- | --- |
| Clear packet into policy-based VPN with no marking on the policy. | No marking. |
| Clear packet into policy-based VPN with marking on the policy. | The inner packet and ESP header are both marked, based on the policy. |
| Pre-marked packet into policy-based VPN with no marking on the policy. | Copy the inner packet marking to the ESP header, retain marking in the inner packet. |
| Pre-marked packet into policy-based VPN with marking on the policy. | Overwrite the marking in the inner packet based on the policy, and copy the inner packet marking to the ESP header. |
DSCP Marking for Route-Based VPNs
| Description | Action |
| --- | --- |
| Clear packet into route-based VPN with no marking on the policy. | No marking. |
| Clear packet into route-based VPN with marking on the policy. | The inner packet and ESP header are both marked, based on the policy. |
| Pre-marked packet into route-based VPN with no marking on the policy. | Copy the inner packet marking to the ESP header, retain marking in the inner packet. |
| Pre-marked packet into route-based VPN with marking on the policy. | Overwrite the marking in the inner packet based on the policy, and copy the inner packet marking to the ESP header. |
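An added example (not from the original page and not ScreenOS code) that encodes the three tables above as one function and checks observed egress markings against it. The priority numbering 0 to 7, the linear mapping between the two endpoints the page gives, the whole-byte overwrite, and the observation record fields are assumptions; the sample records are constructed.

```python
from typing import NamedTuple, Optional

def priority_to_ds_byte(priority: int) -> int:
    """ScreenOS priority -> DS byte with the precedence in the top three bits.
    Assumption: levels are numbered 0..7 and map linearly (0 -> 111, 7 -> 000)."""
    if not 0 <= priority <= 7:
        raise ValueError(f"priority out of range: {priority}")
    return (7 - priority) << 5

class Expected(NamedTuple):
    inner: int          # DS byte of the clear-text or inner packet (0 = unmarked)
    esp: Optional[int]  # DS byte of the ESP header; None when there is no tunnel

def expected_marking(pre_mark: int, policy_priority: Optional[int], vpn: bool) -> Expected:
    """Apply the table rows: policy marking overwrites, otherwise the packet's
    own marking is retained; in a VPN the ESP header carries the inner value.
    Assumption: the whole DS byte is replaced (ECN bits are not modelled)."""
    if policy_priority is None:
        inner = pre_mark
    else:
        inner = priority_to_ds_byte(policy_priority)
    return Expected(inner, inner if vpn else None)

def audit(observations):
    """Return the ids of observations whose egress marking deviates from the tables."""
    bad = []
    for o in observations:
        want = expected_marking(o["pre"], o["policy_priority"], o["vpn"])
        if (o["out_inner"], o["out_esp"]) != want:
            bad.append(o["id"])
    return bad

# Constructed sample observations (not captured from a real device).
SAMPLE = [
    {"id": "a", "pre": 0x00, "policy_priority": None, "vpn": False, "out_inner": 0x00, "out_esp": None},
    {"id": "b", "pre": 0xB8, "policy_priority": None, "vpn": True, "out_inner": 0xB8, "out_esp": 0xB8},
    {"id": "c", "pre": 0xB8, "policy_priority": 2, "vpn": True, "out_inner": 0xA0, "out_esp": 0xA0},
    # ESP header still carries the old marking: deviates from the VPN tables.
    {"id": "d", "pre": 0xB8, "policy_priority": 2, "vpn": True, "out_inner": 0xA0, "out_esp": 0xB8},
    # Policy marking was not applied to a pre-marked clear-text packet.
    {"id": "e", "pre": 0x28, "policy_priority": 0, "vpn": False, "out_inner": 0x28, "out_esp": None},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```
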
IP Precedence: Traffic with higher priority will be passed first, and lower priority traffic is passed only if there is no other higher priority traffic for a certain period of time. There are eight priority levels.
Mode: Select a traffic shaping mode. The default mode is Auto. In Auto mode, shaping will be enabled automatically only when there is a policy that has either ingress policing or traffic shaping enabled. Mode On means shaping is enabled regardless of the presence of a policy that has ingress policing or shaping enabled. Mode Off means shaping is not enabled even if there is a policy that has either ingress policing or traffic shaping enabled.
Check the DSCP Class Selector checkbox.
Set IP Precedence values.
Set Mode to On.
Click Apply.