Configure Application Based QoS DSCP Rewrite

What are your feelings
Updated on March 22, 2023

Configuring Application Based QoS Rewrite

This article explains how to configure Application-based QoS DSCP Rewrite on Versa Secure SD-WAN.

QoS DSCP rewrite is used to replace the CoS values on packets received from the customer LAN or host network with values expected by other devices – typically a service provider underlay network.

CoS values on the outbound packets are established by the rewrite rules that add forwarding class and loss priority information. It is essential to apply the rewrite rules on the appropriate interfaces.

App QoS Policy has three components

QoS ProfileQoS profiles define how to police ingress traffic, they assign the ingress traffic to a forwarding class, and they define whether to rewrite the DSCP or 802.1p header bits.
Rewrite RulesRewrite rules modify the DSCP and 802.1p bits in the headers of outbound traffic.
App QoS PolicyApplication QoS policies define how to process ingress traffic based on the application or URL from which the traffic originated. 

High Level Toplogy

In this use case we have a LAN user who is accessing the Internet. The default traffic class is CS0/BE. We will match all traffic going towards Facebook and rewrite the CoS value as EF. Rest of the traffic will have no change in the CoS mapping.


A. Define a QoS Profile with Best Effort (BE) class
B. Configure a Rewrite rule to change DSCP CS0/BE marking with DSCP EF marking
C. Configure an App QoS Rule and match traffic going towards Facebook from the LAN Zone.

The Class Of Service configuration is under the Networking Tab on the Versa Director.

Step 1: Configure a QoS Profile. 
Identify and match all traffic with Forwarding Class BE and select 'DSCP Rewrite'. 
Step 2: Configure a Rewrite rule to rewrite DSCP CS0/BE marking with DSCP EF marking. 
Step 3: Create an App-QoS Rule and match the applicaitons of interest. 
In this case Facebook Traffic and apply the QoS Profile 'FB_Profile' to it. 
Step 4: Associat the Rewrite rule with a transport interface under the 'Associate Interface/Networks'.


To verify this QoS rewrite we need to run a packet capture on the LAN interface and then on the WAN interface.

Initiate traffic from a host on the LAN towards Facebook.

admin@Hub-Twitter-cli> show orgs org twitter sessions nat brief
                                                                                                                                                                                                                                                      NAT                        NAT         NAT
VSN  VSN   SESS                               DESTINATION        SOURCE  DESTINATION                                                                                    NAT SOURCE   DESTINATION     SOURCE   DESTINATION
ID      VID    ID          SOURCE IP     IP                             PORT        PORT                PROTOCOL  NATTED  SDWAN  APPLICATION    IP                       IP                            PORT       PORT
0        2        52139           51182      443                   6                    Yes           No          facebook      54733   443
0        2        52145           51184      443                   6                    Yes           No          facebook      57072   443
[ok][2019-07-05 12:34:30]

For capturing the logs, you can use the inbuilt packet capture on the VOS.

Packet capture on the LAN interface show that packet from LAN to Facebook originated with DSCP: CS0.

Packet capture on the WAN interface show the packets being re-marked with DSCP EF as defined in the rewrite rules.


In this article, we saw how to configure Application Based DSCP rewrite. In addition to the pre-defined applications which the VOS recognizes, we can create custom user-defined applications based on an Enterprise need and match it in the App QoS. Thus giving the end-user ease of applying QoS for homegrown applications as well.