An Edge classifies a traffic flow based on the first packets in the flow. You can create business policies that match an application together with a Differentiated Services Code Point (DSCP) label, and use different DSCP markings to determine the flow treatment.
By default, an Edge classifies a flow based on the first few packets received in the flow. Business Policy and QoS marking determine the flow treatment. Once the flow is classified, an entry containing the five-tuple information of the flow is created in the flow cache table. Subsequent packets in the flow use a five-tuple lookup against the flow cache table.
For network topologies in which Layer 3 network devices perform encapsulation and/or encryption before the traffic arrives at the Edge, it is a challenge for the Edge to forward traffic based on the Business Policy. The Layer 3 encapsulation/encryption device multiplexes the traffic from the end users into a single flow with the same source and destination IP addresses and protocol, as illustrated in the following image.
Multiplexing end-user flows into a single tunnel polarizes flow forwarding, because the lookup uses only the five tuples of the flow cache table, which results in WAN links not being utilized.
The Path Calculation with Multiple DSCP Labels per Flow allows the DSCP value to be included, in addition to the five tuples, as part of the flow cache table lookup. Use the path calculation with multiple DSCP tags when the original user traffic is encapsulated in another tunnel such as GRE or IPsec, and the DSCP labels are preserved in the new IP header. This option enables path calculation for a single flow that carries multiple DSCP labels and consists of the same source and destination IP addresses, and offers path differentiation based on the DSCP labels in the flow.
When you enable the Multiple-DSCP tags per Flow Path Calculation, the Edges can differentiate the traffic flows based on the DSCP marked labels.
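The following sketch is an added example, not VMware code: a simplified Python model of the flow cache lookup described above, showing how one GRE tunnel pins to a single link with a five-tuple key and spreads across links once DSCP is part of the key. The link names, the DSCP-to-link policy and the packet values are constructed for illustration.

```python
from collections import Counter, namedtuple

# Outer-header view of a packet as it arrives at the Edge (simplified model).
Packet = namedtuple("Packet", "src dst proto sport dport dscp")

# Hypothetical business policy: DSCP label -> WAN link (names are illustrative).
POLICY = {46: "wan1-mpls", 26: "wan2-broadband", 0: "wan3-lte"}  # EF, AF31, best effort
DEFAULT_LINK = "wan3-lte"


class FlowCache:
    """Classifies on the first packet of a flow, then reuses the cached decision."""

    def __init__(self, include_dscp):
        self.include_dscp = include_dscp
        self.table = {}  # lookup key -> chosen WAN link

    def key(self, pkt):
        five_tuple = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        # With the option enabled, DSCP is added to the five-tuple lookup key.
        return five_tuple + (pkt.dscp,) if self.include_dscp else five_tuple

    def forward(self, pkt):
        k = self.key(pkt)
        if k not in self.table:
            # Cache miss: classify once; later packets with this key skip the policy.
            self.table[k] = POLICY.get(pkt.dscp, DEFAULT_LINK)
        return self.table[k]


def link_usage(include_dscp, packets):
    """Return (packets per WAN link, number of flow cache entries)."""
    cache = FlowCache(include_dscp)
    usage = Counter(cache.forward(p) for p in packets)
    return dict(usage), len(cache.table)


# Constructed sample: one GRE tunnel (IP protocol 47, no ports) whose outer
# header preserves the inner DSCP labels of three kinds of end-user traffic.
TUNNEL = [Packet("10.0.0.1", "10.0.1.1", 47, 0, 0, d) for d in (46, 26, 0, 46, 26, 0)]

if __name__ == "__main__":
    print("five-tuple only :", link_usage(False, TUNNEL))
    print("five-tuple+DSCP :", link_usage(True, TUNNEL))
```

With the five-tuple key, the first packet's classification is reused for every packet in the tunnel; with DSCP in the key, each label gets its own cache entry and its own policy decision.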
To enable Multiple-DSCP tags per Flow Path Calculation:
- In the Operator portal, click System Properties.
- Click New System Property.
- In the New System Property window, create a system property with the following parameters:
  - Name: session.options.enableFlowParametersConfig
  - Data Type: Boolean
  - Value: True
- Click Save.
- In the Operator portal, navigate to Manage Customers.
- Select a customer and click or click the link to the customer.
- In the Enterprise portal, click .
- In the Customer Configuration page, navigate to the Multiple-DSCP tags per Flow Path Calculation section, and select the Include DSCP value as part of flow lookup checkbox.
  Note: This option is available only when the system property session.options.enableFlowParametersConfig is set to True.
- Click Save Changes.
- In the Edges, different flows are created based on different DSCP labels.
- In the Enterprise portal, click .
- Select an Edge, and click the Business Policy tab.
- Click New Rule or .
- In the Configure Rule window, click Define for Application and select an application from the list. Choose a DSCP label from the drop-down list.
- Choose the relevant actions as required in the Action area.
- Click OK.
When traffic arrives at the Edge, if the traffic flow matches the selected application and DSCP tag, the corresponding action is performed.
You can create more business policies with different DSCP labels to match with different traffic flows and apply different treatments for those flows. For more information on business policies, see the VMware SD-WAN Administration Guide.
Limitations:
- The path calculation with multiple DSCP labels per Flow is not applicable for the SD-WAN Gateways. You can enable this option only for Edge-to-Edge tunnels, where Edge-to-Edge can be any of the following:
  - Edge-to-Edge through Hub
  - Spoke-to-Hub
  - Dynamic Branch-to-Branch
- The path calculation with multiple DSCP labels per Flow is intended only for GRE or IPsec traffic. Direct Internet traffic does not carry multiple DSCP labels within a single flow.
- After you enable the path calculation option, when the traffic flow consists of packets with the same five-tuple information but different DSCP markings, LAN-side NAT might not work as expected.