SonicOS 7.1 Objects

Remote Site 1: Sample Access Rule or Security Rule Configuration

The Remote Site 1 network could have two Access Rules (Classic Mode) or Security Action Profiles (Policy Mode) configured as shown in the table below.

You can configure QoS on:

  • Classic Mode: OBJECT | Rules and Policies > Access Rule > Traffic Shaping
  • Policy Mode: OBJECT | Action Profiles > Security Action Profile > Bandwidth/QoS

| Setting | Access Rule or Security Action Profile 1 | Access Rule or Security Action Profile 2 |
|---|---|---|
| General View | | |
| Action | Allow | Allow |
| From Zone | LAN | VPN |
| To Zone | VPN | LAN |
| Service | VOIP | VOIP |
| Source | LAN Primary Subnet | Main Site Subnets |
| Destination | Main Site Subnets | LAN Primary Subnet |
| Users Allowed | All | All |
| Schedule | Always on | Always on |
| Enable Logging | Enabled | Enabled |
| Allow Fragmented Packets | Enabled | Enabled |
| QoS View | | |
| DSCP Marking Action | Map | Map |
| Allow 802.1p Marking to override DSCP values | Enabled | Enabled |
| 802.1p Marking Action | Map | Map |

The first Access Rule or Security Rule (governing LAN > VPN) would have the following effects:

  • VoIP traffic (as defined by the Service Group) from LAN Primary Subnet destined to be sent across the VPN to Main Site Subnets would be evaluated for both DSCP and 802.1p tags.
    • The combination of setting both DSCP and 802.1p marking actions to Map is described in QoS Marking Actions.
    • Sent traffic containing only an 802.1p tag (for example, CoS = 6) would have the VPN-bound inner (payload) packet DSCP tagged with a value of 48. The outer (ESP) packet would also be tagged with a value of 48.
    • Assuming returned traffic has been DSCP tagged (CoS = 48) by the firewall at the Main Site, the return traffic is 802.1p tagged with CoS = 6 on egress.
    • Sent traffic containing only a DSCP tag (for example, CoS = 48) would have the DSCP value preserved on both inner and outer packets.
    • Assuming returned traffic has been DSCP tagged (CoS = 48) by the firewall at the Main Site, the return traffic is 802.1p tagged with CoS = 6 on egress.
    • Sent traffic containing both an 802.1p tag (for example, CoS = 6) and a DSCP tag (for example, CoS = 63) would give precedence to the 802.1p tag and would be mapped accordingly. The VPN-bound inner (payload) packet DSCP would be tagged with a value of 48. The outer (ESP) packet would also be tagged with a value of 48.

    To examine the effects of the second Access Rule (Classic Mode) or Security Action Profile (Policy Mode) (VPN > LAN), look at the Access Rule (Classic Mode) or Security Action Profile (Policy Mode) configured at the main site, described in Main Site: Sample Access Rule or Security Rule Configurations.
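
The marking outcomes listed above can be checked against captured frames with a small model. This is an added example, not SonicWall code: the function names are hypothetical, the sample frames are constructed, and it assumes a class-selector conversion table (DSCP = CoS × 8, DSCP ÷ 8 on return), which agrees with the page's 6 ↔ 48 pair, and that a frame without an 802.1Q header carries no 802.1p tag.

```python
import struct

# Assumed conversion table (configurable on a real firewall): DSCP = CoS * 8.
COS_TO_DSCP = {cos: cos * 8 for cos in range(8)}

def read_marks(frame: bytes):
    """Return (802.1p CoS or None, DSCP) parsed from an Ethernet/IPv4 frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    cos, ip_off = None, 14
    if ethertype == 0x8100:                       # 802.1Q tag present
        tci = struct.unpack("!H", frame[14:16])[0]
        cos = tci >> 13                           # PCP is the top 3 bits of the TCI
        ethertype = struct.unpack("!H", frame[16:18])[0]
        ip_off = 18
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    dscp = frame[ip_off + 1] >> 2                 # DSCP is the top 6 bits of the ToS byte
    return cos, dscp

def map_lan_to_vpn(cos, dscp):
    """(inner, outer) DSCP for LAN > VPN traffic with both actions set to Map
    and 'Allow 802.1p Marking to override DSCP values' enabled."""
    inner = COS_TO_DSCP[cos] if cos is not None else dscp  # 802.1p wins if present
    return inner, inner                           # outer (ESP) header carries the same value

def map_vpn_to_lan(dscp):
    """802.1p CoS applied on LAN egress to returned, DSCP-tagged traffic
    (assumed range mapping: eight DSCP values per CoS)."""
    return dscp >> 3

def build_frame(cos, dscp):
    """Constructed sample frame: Ethernet, optional 802.1Q (VLAN 10), bare IPv4 header."""
    tag = b"" if cos is None else struct.pack("!HH", 0x8100, (cos << 13) | 10)
    ip = bytes([0x45, dscp << 2]) + bytes(18)
    return bytes(12) + tag + struct.pack("!H", 0x0800) + ip

if __name__ == "__main__":
    for label, cos, dscp in [("802.1p only", 6, 0), ("DSCP only", None, 48),
                             ("both tags", 6, 63)]:
        marks = read_marks(build_frame(cos, dscp))
        print(label, marks, "->", map_lan_to_vpn(*marks))
    print("return DSCP 48 -> CoS", map_vpn_to_lan(48))
```
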
