Configuring SonicWALL QoS

Quality of Service (QoS) adds the ability to recognize, map, modify, and generate the industry-standard 802.1p and Differentiated Services Code Points (DSCP) Class of Service (CoS) designators. When used in combination with a QoS capable network infrastructure, SonicOS QoS features provide predictability that is vital for certain types of applications, such as Voice over IP (VoIP), multimedia content, or business-critical applications such as credit card processing. To centrally manage the 802.1p-DSCP Mappings Table, GMS now provides a new configuration found under the path Policies > Firewalls > QoS Mapping.

Even the highest amounts of bandwidth ultimately are used to capacity at some point by users on the network. Being able to manage bandwidth to obtain the most efficient use from it is essential. Only QoS, when configured and implemented correctly, properly manages traffic and guarantees the desired levels of network service. Three concepts are central to the traffic management provided by QoS:

  • Classification

  • Marking

  • Conditioning

Each is described in the following sections.

Working with Classification

Classification is necessary as a first step to identify traffic that needs to be prioritized for optimal use. GMS uses access rules as the interface to classification of traffic. This provides fine control using combination of Address Object, Service Object, and Schedule Object elements, allowing for classification criteria as general as all HTTP traffic and as specific as SSH traffic from HostA to ServerB on Wednesdays at 2:12am.

GMS provides the ability to recognize, map, modify, and generate the industry-standard external CoS designators, DSCP and 802.1p protocols.

Once identified, or classified, it can be managed. Management can be performed internally by SonicWALL BWM, which is effective as long as the network is a fully contained autonomous system. Once external or intermediate elements are introduced, for example, foreign network infrastructures with unknown configurations, or other hosts contending for bandwidth (for example, the endpoints of the network and all entities in between are within your management. BWM works exactly as configured. Once external entities are introduced, the precision and efficacy of BWM configurations can begin to degrade.

Once GMS classifies the traffic, it then tags it to communicate this classification to certain external systems that are capable of abiding by CoS tags. The external systems then can participate in providing QoS to traffic passing through them.

Note: Many service providers do not support CoS tags such as 802.1p or DSCP. Also, most network equipment with standard configurations will not be able to recognize 802.1p tags, and could drop tagged traffic.

Note: If you wish to use 802.1p or DSCP marking on your network or your service provider’s network, you must first establish that these methods are supported. Verify that your internal network equipment can support CoS priority marking, and that it is correctly configured to do so. Check with your service provider – some offer fee-based support for QoS using these CoS methods.

Working with Marking

Once the traffic has been classified, if it is to be handled by QoS capable external systems, it must be tagged to enable external systems to make use of the classification, and provide correct handling and Per Hop Behaviors (PHB). An example of a QoS capable external system is a CoS-aware switch or router that might be available on a premium service provider’s infrastructure, or on a private WAN.

Originally, this was attempted at the IP layer (layer 3) with RFC 791’s three precedence bits and RFC 1394 ToS (type of service) field, but this was not widely used. Its successor, RFC 2474, introduced the more widely used DSCP (Differentiated Services Code Point) which offers up to 64 classifications, in addition to user-definable classes. DSCP was further enhanced by RFC 2598 (Expedited Forwarding, intended to provide leased-line behaviors) and RFC 2697 (Assured Forwarding levels within classes, also known as Gold, Silver, and Bronze levels).

DSCP is a safe marking method for traffic that traverses public networks because there is no risk of incompatibility. At the very worst, a hop along the path might disregard or strip the DSCP tag, but it will rarely mistreat or discard the packet.

The other prevalent method of CoS marking is IEEE 802.1p occurs at the MAC layer (layer 3) and is closely related to IEEE 802.1Q VLAN marking, sharing the same 16-bit field, although it is actually defined in the IEEE 802.1D standard. Unlike DSCP, 802.1p will only work with 802.1p capable equipment, and is not universally interoperable. Additionally, 802.1p, because of its different packet structure, can rarely traverse wide area networks, even private WANs. Nonetheless, 802.1p is gaining wide support among Voice and Video over IP vendors, so a solution for supporting 802.1p across network boundaries (i.e., WAN links) was introduced in the form of 802.1p to DSCP mapping.

802.1p to DSCP mapping allows 802.1p tags from one LAN to be mapped to DSCP values by GMS, allowing the packets to safely traverse WAN links. When the packets arrive on the other side of the WAN or VPN, the receiving GMS appliance can then map the DSCP tags back to 802.1p tags for use on that LAN.

Working with Conditioning

Finally, the traffic can be conditioned or managed using any of the many policing, queueing, and shaping methods available. GMS provides internal conditioning capabilities with its Egress and Ingress Bandwidth Management (BWM). SonicWALL BWM is a perfectly effective solution for fully autonomous private networks with sufficient bandwidth, but can become somewhat less effective as more unknown external network elements and bandwidth, but can become somewhat less effective as more unknown external network elements and bandwidth contention are introduced.

To provide end-to-end QoS, business-class service providers are increasingly offering traffic conditioning services on their IP networks. These services typically depend on the customer premise equipment to classify and tag the traffic, generally using a standard marking method such as DSCP. GMS has the ability to DSCP mark traffic after classification, as well as the ability to map 802.1p tags to DSCP tags for external network traversal and CoS preservation. For VPN traffic, GMS can DSCP mark not only the internal (payload) packets, but the external (encapsulating) packets as well so that QoS capable service providers can offer QoS even on encrypted VPN traffic.

The actual conditioning method employed by service providers varies from one to the next, but it generally involves a class-based queueing method such as Weighted Fair Queuing for prioritizing traffic, in addition to a congestion avoidance method, such as tail-drop or Random Early Detection.

Working with 802.1p and DSCP QoS

The following sections detail the 802.1p standards and DSCP QoS.

Enabling 802.1P

GMS supports layer 2 and layer 3 CoS methods for broad interoperability with external systems participating in QoS enabled environments. The layer 2 method is the IEEE 802.1p standard wherein 3 bits of an additional 16 bits. inserted into the header of the Ethernet frame can be used to designate the priority of the fame, as illustrated in the following figure.

  • TPID: Tag Protocol Identifier begins at byte 12 (after the 6-byte destination and source fields), is 2 bytes long, and has an Ethertype of 0x8100 for tagged traffic.

  • 802.1p: The first three bits of the TCI (Tag Control Information – beginning at byte 14, and spanning 2 bytes) define user priority, giving eight (2^3) priority levels. IEEE 802.1p defines the operation for these 3 user priority bits.

  • CFI: Canonical Format Indicator is a single-bit flag, always set to zero for Ethernet switches. CFI is used for compatibility reasons between Ethernet networks and Token Ring networks. If a frame received at an Ethernet port has a CFI set to 1, then that frame should not be forwarded as it is to an untagged port.

  • VLAN ID: VLAN ID (starts at bit 5 of byte 14) is the identification of the VLAN. It has 12 bits and allows for the identification of 4,096 (2^12) unique VLAN IDs. Of the 4,096 possible IDs, an ID of 0 is used to identify priority frames, and an ID of 4,095 (FFF) is reserved, so the maximum possible VLAN configurations are 4,094.

802.1p support begins by enabling 802.1p marking on the interfaces which you wish to have process 802.1p tags. 802.1p can be enabled on any Ethernet interface on any SonicWALL appliance including the TZ 170 Series, PRO 2040, PRO 3060, PRO 4060, and PRO 5060.

Note: 802.1p tagging is not currently supported on the PRO 1260.

Although Enable 802.1p tagging does not appear as an option on VLAN sub-interfaces on the PRO 4060 and PRO 5060, the 802.1q tags of VLAN subinterfaces. The behavior of the 802.1p field within these tags can be controlled by access rules. The default 802.1p capable network Access Rule action of None resets existing 802.1p tags to 0, unless otherwise configured.

Enabling 802.1p marking allows the target interface to recognize incoming 802.1p tags generated by 802.1p capable network devices, and will also allow the target interface to generate 802.1p tags, as controlled by Access Rules. Frames that have 802.1p tags inserted by GMS will bear VLAN ID 0.

802.1p tags will only be inserted according to access rules, so enabling 802.1p marking on an interface will not, at its default setting, disrupt communications with 802.1p-incapable devices.

802.1p requires the specific support by the networking devices with which you wish to use this method of prioritization. Many voice and video over IP devices provide support for 802.1p, but the feature must be enabled. Check your equipment’s documentation for information on 802.1p support if you are unsure. Similarly, many server and host network cards (NICs) have the ability to support 802.1p, but the feature is usually disabled by default.

Working with DSCP Marking

DSCP (Differentiated Services Code Point) marking uses six bits of the eight bit ToS field in the IP header to provide up to 64 classes (or code points) for traffic. Since DSCP is a layer 3 marking method, there is no concern about compatibility as there is with 802.1p marking. Devices that do not support DSCP will simply ignore the tags, or at worst, they reset the tag value to 0.

The above diagram depicts an IP packet, with a close-up on the ToS portion of the header. The ToS bits were originally used for Precedence and ToS (delay, throughput, reliability, and cost) settings, but were later reused by the RFC 2474 for the more versatile DSCP settings. The following table shows the commonly used code point as well as their mapping to the legacy Precedence and ToS settings.



DSCP Description

Legacy IP Precedence

Legacy IP ToS (D, T, R)


Best Effort

0 (Routine – 000)


Class 1

1 (Priority – 001)


Class 1, Gold AF11

1 (Priority – 001)



Class 1, Silver AF12

1 (Priority – 001)



Class 1, Bronze AF13

1 (Priority – 001)

D, T


Class 2

2 (Immediate – 010)


Class 2, Gold AF21

2 (Immediate – 010)



Class 2, Silver AF22

2 (Immediate – 010)



Class 2, Bronze AF23

2 (Immediate – 010)

D, T


Class 3

3 (Flash – 011)


Class 3, Gold AF31

3 (Flash – 011)



Class 3, Silver AF32

3 (Flash – 011)



Class 3, Bronze AF33

3 (Flash – 011)

D, T


Class 4

4 (Flash Override – 100)


Class 4, Gold AF41

4 (Flash Override – 100)



Class 4, Silver AF42

4 (Flash Override – 100)



Class 4, Bronze AF43

4 (Flash Override – 100)

D, T


Express Forwarding

5 (CRITIC/ECP – 101)


Expedited Forwarding (EF)

5 (CRITIC/ECP – 101)

D, T



6 (Internet Control – 110)



7 (Internet Control – 111)

DSCP marking can be performed on traffic to and from any interface and to and from any zone type, without exception. DSCP marking is controlled by Access Rules, from the QoS tab, and can be used in conjunction with 802.1p marking, as well as with SonicOS internal bandwidth management.

DSCP Marking and Mixed VPN Traffic

Among the security measures and characteristics pertaining to them, IPSec VPNs employ anti-replay mechanisms based upon monotonically incrementing sequence numbers added to the ESP header. Packets with duplicate sequence numbers are dropped, as are packets that do not adhere to sequence criteria. One criterion governs the handling of out-of-order packets. GMS provides a replay window of 64 packets, i.e., if an ESP packet for a Security Association (SA) is delayed by more than 64 packets, the packet will be dropped.

This should be considered when using DSCP marking to provide layer 3 QoS to traffic traversing a VPN. If you have a VPN tunnel transporting a variety of traffic, some that is being DSCP tagged high priority (for example, VoIP), and some that is DSCP tagged low-priority, or untagged/best-effort packets over the best-effort ESP packets. Under certain traffic conditions, this can result in the best-effort packets being delayed for more than 64 packets, causing them to be dropped by the receiving SonicWALL’s anti-replay defenses.

If symptoms of such a scenario emerge (for example, excessive retransmissions of low-priority traffic), it is recommended that you create a separate VPN policy for the high-priority and low-priority classes of traffic. This is most easily accomplished by placing the high-priority hosts (for example, the VoIP network) on their own subnet.

Configuring QoS

You need to perform the following tasks to configure QoS:

  • Enable 802.1p tagging.

  • Create a QoS rule.

  • Configure QoS settings.

Enabling 802.1p Tagging

Before you begin to perform any QoS configuration tasks, you first need to enable your device to accept QoS values. To do that you have to enable the IEEE 802.1p tagging protocol. You enable protocols at the WAN interface level. To enable 802.1p tagging, perform the following steps:

  • Click on the Interfaces option in the Network menu. GMS displays the Interfaces list.

  • Click on the Configuration icon for the WAN interface. GMS displays the Edit Interface dialog box.

  • Click on the Advanced Tab. GMS displays the Advanced Tab.

  • Click on the Enable 802.1p tagging checkbox to place a check mark in the checkbox.

  • Click Update. GMS updates the WAN interface, allowing it to accept 802.1p tagging.

Creating a QoS Rule

The next step you must perform is you need to create a QoS rule for the WAN interface in the Access Rules dialog box. To configure a QoS rule, perform the following steps:

  • From the Firewall menu, click on the Access Rules option. GMS displays the Access Rules dialog box that contains various interfaces for which you can create an access rule.

  • Note the LAN > WAN rule bar.

  • Click Add Rule. GMS displays the Add Rule dialog box.

  • Click the QoS Tab.

  • In the DSCP Marking Settings region, click the DSCP Marking Action list box and select the Map option.

  • In the 802.1p Marking Settings region, click the 802.1p Marking Action list box and select the Map option.

  • Click Ok. GMS configures your WAN interface to accept traffic shaping values.

Configuring QoS Settings

Now that you have enabled the 802.1p protocol and created a specific QoS rule, you can create your QoS settings. To create QoS settings, perform the following steps:

  • Click on the QoS Settings option in the Firewall menu. GMS displays the QoS Mapping dialog box:

  • Click on the Configuration icon for any of the 802.1p Class of Service objects. GMS displays the class of service Edit QoS Mapping dialog box.

  • Select the following values from each list box in the dialog box.

    List Box


    L2 CoS

    Layer 2 Class of Service. If there’s a packet with a QoS bit set to 0, then you need to map it to the value in the To DSCP list box. The CoS

    To DSCP

    Indicates the value of the DSCP marking value that indicates the priority of the traffic.

    From DSCP Begin

    The lower limit of the range of values for marking that indicates the priority assigned to a packet traveling across the network.

    From DSCP End

    The upper limit of the range of values for marking that indicates the priority assigned to a packet traveling across the network.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s