Traffic Shaping

DiffServ Codepoint Marking: Click the checkbox to enable DSCP. Differentiated Services (DiffServ) is a system for tagging (or "marking") traffic at a position within a hierarchy of priority. Selecting this option maps the eight ScreenOS priority levels (IP Precedence) to the DiffServ system. The highest priority (priority 0) maps to 111 in the DS byte (see RFC 2474) or TOS byte (see RFC 1349) in the IP packet header and the lowest priority (priority 8) maps to 000.

DSCP marking is supported on all platforms and can be configured with traffic shaping or independently. The following tables show how DSCP marking works with the various platforms.

• DSCP Marking for Clear-Text Traffic

  Description	Hardware Security ClientNetScreen-5XT, NetScreen-5GT, NetScreen 25/50, NetScreen-204/208, NetScreen 500	NetScreen-5000 series, ISG 1000, ISG 2000
  Clear packet with no marking on the policy.	No marking.	No marking.
  Clear packet with marking on the policy.	The packet is marked based on the policy.	The packet is marked based on the policy.
  Pre-marked packet with no marking on the policy.	Retain marking in the packet.	Retain marking in the packet.
  Pre-marked packet with marking on the policy.	Overwrite marking in the packet based on the policy.	Overwrite marking in the packet based on the policy.

• DSCP Marking for Policy-Based VPNs

  Description	Hardware Security ClientNetScreen-5XT, NetScreen-5GT, NetScreen 25/50, NetScreen-204/208, NetScreen 500	NetScreen-5000 series, ISG 1000, ISG 2000
  Clear packet into policy-based VPN with no marking on the policy.	No marking.	No marking.
  Clear packet into policy-based VPN with marking on the policy	Only the ESP header is marked, based on the policy.	Mark both the inner packet and the ESP header based on the policy..
  Pre-marked packet into policy-based VPN with no marking on the policy.	The ESP header is not marked, retain marking in the inner packet.	Mark the inner packet based on the policy and copy the inner packet marking to the ESP header.
  Pre-marked packet into policy-based VPN with marking on the policy.	The ESP header is marked, based on the policy, retain marking in the inner packet.	Overwrite the marking in the inner packet based on the policy, and copy the inner packet marking to the ESP header.

• DSCP Marking for Route-Based VPNs

  Description	Hardware Security ClientNetScreen-5XT, NetScreen-5GT, NetScreen 25/50, NetScreen-204/208, NetScreen 500	NetScreen-5000 series, ISG 1000, ISG 2000
  Clear packet into route-based VPN with no marking on the policy.	No marking.	No marking.
  Clear packet into route-based VPN with marking on the policy.	The inner packet and ESP header are both marked, based on the policy.	The inner packet is marked, based on the policy. The ESP header is not marked.
  Pre-marked packet into route-based VPN with no marking on the policy.	Copy the inner packet marking to the ESP header, retain marking in the inner packet.	The ESP header is not marked, retain marking in the inner packet.
  Pre-marked packet into route-based VPN with marking on the policy.	Overwrite the marking in the inner packet based on the policy, and copy the inner packet marking to the ESP header.	Overwrite marking in the inner packet, based on the policy. The ESP header is not marked.

IP Precedence: Traffic with higher priority will be passed first, and lower priority traffic is passed only if there is no other higher priority traffic for a certain period of time. There are eight priority levels.

Mode: Select a traffic shaping mode. The default mode is Auto. In Auto mode, shaping will be enabled automatically only when there is a policy that has either ingress policing or traffic shaping enabled. Mode On means shaping is enabled regardless of the presence of a policy that has ingress policing or shaping enabled. Mode Off means shaping is not enabled even if there is a policy that has either ingress policing or traffic shaping enabled.

To enable DiffServ Codepoint Marking and turn on traffic shaping: