Firewall > QoS Mapping
474
SonicOS Enhanced 4.0 Administrator Guide
DSCP marking can be performed on traffic to/from any interface and to/from any zone type,
without exception. DSCP marking is controlled by Access Rules, from the QoS tab, and can be
used in conjunction with 802.1p marking, as well as with SonicOS’ internal bandwidth
management.
DSCP Marking and Mixed VPN Traffic
Among their many security measures and characteristics, IPsec VPNs employ anti-replay
mechanisms based upon monotonically incrementing sequence numbers added to the ESP
header. Packets with duplicate sequence numbers are dropped, as are packets that do not
adhere to sequence criteria. One such criterion governs the handling of out-of-order packets.
SonicOS Enhanced provides a replay window of 64 packets, i.e. if an ESP packet for a Security
Association (SA) is delayed by more than 64 packets, the packet will be dropped.
This should be considered when using DSCP marking to provide layer 3 QoS to traffic
traversing a VPN. If you have a VPN tunnel that is transporting a diversity of traffic, some that
is being DSCP tagged high priority (e.g. VoIP), and some that is DSCP tagged low-priority, or
untagged/best-effort (e.g. FTP), your service provider will prioritize the handling and delivery of
the high-priority ESP packets over the best-effort ESP packets. Under certain traffic conditions,
this can result in the best-effort packets being delayed for more than 64 packets, causing them
to be dropped by the receiving SonicWALL’s anti-replay defenses.
If symptoms of such a scenario emerge (e.g. excessive retransmissions of low-priority traffic),
it is recommended that you create a separate VPN policy for the high-priority and low-priority
classes of traffic. This is most easily accomplished by placing the high-priority hosts (e.g. the
VoIP network) on their own subnet.
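The interaction described above can be reproduced with a small model. The following Python script is an added example, not part of the SonicOS guide or SonicWALL's code: it implements a sliding ESP anti-replay window of 64 packets (RFC 4303 semantics, where a packet is accepted only if its sequence number is within 64 of the highest number seen) and feeds it a constructed mix of VoIP and best-effort packets in which the provider holds every best-effort packet behind a chosen number of later packets. The traffic mix, the packet classes and the delay model are assumptions made for the illustration.

```python
"""Model of ESP anti-replay drops caused by DSCP-prioritised delivery of
one VPN tunnel's packets (added example, not SonicOS code)."""
from dataclasses import dataclass, field

WINDOW = 64  # replay window size stated in the guide (64 packets)


@dataclass
class ReplayWindow:
    """Sliding anti-replay window: accept seq if highest - size < seq <= highest
    and it has not been seen, or if it advances the highest sequence number."""
    size: int = WINDOW
    highest: int = 0
    seen: set = field(default_factory=set)

    def accept(self, seq: int) -> bool:
        if seq > self.highest:
            # Newest packet so far: slide the window forward and forget old entries.
            self.highest = seq
            self.seen.add(seq)
            low = self.highest - self.size
            self.seen = {s for s in self.seen if s > low}
            return True
        if seq <= self.highest - self.size:
            return False  # delayed beyond the window: dropped
        if seq in self.seen:
            return False  # duplicate sequence number: dropped
        self.seen.add(seq)
        return True


def build_traffic(n_packets: int):
    """Constructed traffic: every 4th ESP packet carries best-effort (FTP) data,
    the rest carry DSCP-high-priority VoIP. Sequence numbers follow send order."""
    return [(seq, "best-effort" if seq % 4 == 0 else "voip")
            for seq in range(1, n_packets + 1)]


def deliver_with_priority(packets, be_delay: int):
    """Assumed provider behaviour: high-priority packets are forwarded in send
    order, each best-effort packet is held behind the next `be_delay` packets."""
    return sorted(packets,
                  key=lambda p: p[0] + (be_delay if p[1] == "best-effort" else 0))


def simulate(n_packets: int, be_delay: int, window: int = WINDOW) -> dict:
    """Return the number of packets dropped by the receiver's replay window, per class."""
    rw = ReplayWindow(size=window)
    drops = {"voip": 0, "best-effort": 0}
    for seq, cls in deliver_with_priority(build_traffic(n_packets), be_delay):
        if not rw.accept(seq):
            drops[cls] += 1
    return drops


if __name__ == "__main__":
    for delay in (0, 32, 80):
        print(f"best-effort delayed by {delay:>2} packets -> drops: {simulate(200, delay)}")
```

With a delay of 32 packets nothing is lost, because every best-effort packet still arrives within the 64-packet window; once the delay exceeds the window, the best-effort packets are discarded by the receiver's anti-replay check while the VoIP packets, which were never reordered, are unaffected. Splitting the two classes into separate VPN policies, as recommended above, gives each class its own SA and sequence-number space, so the reordering no longer crosses a replay window.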
DSCP   DSCP Description            Legacy IP Precedence          Legacy IP ToS (D, T, R)
26     Class 3, gold (AF31)        3 (Flash – 011)               T
27     Class 3, silver (AF32)      3 (Flash – 011)               D
30     Class 3, bronze (AF33)      3 (Flash – 011)               D, T
32     Class 4                     4 (Flash Override – 100)      -
34     Class 4, gold (AF41)        4 (Flash Override – 100)      T
36     Class 4, silver (AF42)      4 (Flash Override – 100)      D
38     Class 4, bronze (AF43)      4 (Flash Override – 100)      D, T
40     Express forwarding          5 (CRITIC/ECP – 101)          -
46     Expedited forwarding (EF)   5 (CRITIC/ECP – 101)          D, T
48     Control                     6 (Internet Control – 110)    -
56     Control                     7 (Network Control – 111)     -
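The table's columns are all views of the same six bits: DSCP is the upper six bits of the IP ToS byte, the top three of those are the legacy IP Precedence, and the remaining three are the legacy D (delay), T (throughput) and R (reliability) bits. The following Python script is an added example, not part of the SonicOS guide or SonicWALL's code; it decodes any codepoint into those fields and computes Assured Forwarding codepoints from the RFC 2597 formula, so the rows above can be checked or extended (AF32 is codepoint 28 in RFC 2597, and 28 is what decodes to the "D" shown in the AF32 row). The field names in the returned dictionary are this example's own.

```python
"""Decode DSCP codepoints into legacy IP Precedence and ToS bits
(added example, not SonicOS code)."""

# RFC 791 precedence names; the guide's table uses the same labels.
PRECEDENCE_NAMES = {
    0: "Routine", 1: "Priority", 2: "Immediate", 3: "Flash",
    4: "Flash Override", 5: "CRITIC/ECP", 6: "Internet Control", 7: "Network Control",
}


def decode_dscp(dscp: int) -> dict:
    """Split a 6-bit DSCP value into precedence (top 3 bits) and the D, T, R flags
    (next 3 bits). Field names are this example's own."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP must be 0..63, got {dscp}")
    precedence = dscp >> 3
    # Bit 2 of the DSCP is D, bit 1 is T, bit 0 is R (bit 0 of the ToS byte is unused).
    flags = [name for bit, name in ((2, "D"), (1, "T"), (0, "R")) if (dscp >> bit) & 1]
    return {
        "dscp": dscp,
        "precedence": precedence,
        "precedence_name": PRECEDENCE_NAMES[precedence],
        "precedence_bits": format(precedence, "03b"),
        "tos_flags": ", ".join(flags) or "-",
        "tos_byte": dscp << 2,  # value to write into the IPv4 ToS / IPv6 Traffic Class byte
    }


def af_codepoint(af_class: int, drop_precedence: int) -> int:
    """Assured Forwarding AFxy codepoint per RFC 2597: 8 * class + 2 * drop precedence."""
    if af_class not in (1, 2, 3, 4) or drop_precedence not in (1, 2, 3):
        raise ValueError("AF class must be 1..4 and drop precedence 1..3")
    return 8 * af_class + 2 * drop_precedence


def table_row(dscp: int, description: str) -> str:
    """Render one line in the layout of the guide's DSCP mapping table."""
    d = decode_dscp(dscp)
    legacy = f"{d['precedence']} ({d['precedence_name']} – {d['precedence_bits']})"
    return f"{dscp:<6} {description:<27} {legacy:<29} {d['tos_flags']}"


if __name__ == "__main__":
    rows = [(af_codepoint(c, p), f"Class {c}, {name} (AF{c}{p})")
            for c in (3, 4) for p, name in ((1, "gold"), (2, "silver"), (3, "bronze"))]
    rows += [(46, "Expedited forwarding (EF)"), (48, "Control"), (56, "Control")]
    for dscp, desc in rows:
        print(table_row(dscp, desc))
```

The tos_byte value is the number to hand to a socket option such as IP_TOS when an application wants to mark its own traffic; the firewall's Access Rule marking overwrites that field on the wire, so the decoder is also useful for reading back what a capture shows.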