QoS for Microsoft Teams (Datacenter vGR + Branch z40)

Objective

Prioritize Microsoft Teams (Audio, Sharing, Signaling, Video) with DSCP and bandwidth guarantees so calls remain stable under load. This requires matching Teams traffic with IPSETs and classifying it into QoS classes.

Prerequisites

• Admin access to zWAN Director (or local UI) for both:
  • Datacenter node (vGR)
  • Branch node (z40)
• Known branch LAN subnet (example used below: 192.168.64.0/24)
• Interfaces used:
  • Datacenter (vGR):
    • WAN00 (used for OUT direction to Internet)
    • IPSECxx (used for IN direction from tunnel)
  • Branch (z40):
    • IPSECxx (tunnel interfaces)
• Teams IP ranges:
  • 52.112.0.0/14
  • 52.120.0.0/14

Port Map (Teams media)

Media	Port range	DSCP	Priority	Example Guaranteed	Example Max
Audio	50000–50019	ef	High	300 Mb/s	300 Mb/s
Video	50020–50039	af41	Medium	400 Mb/s	400 Mb/s
Sharing	50040–50059	af21	Low	200 Mb/s	200 Mb/s
Signaling	50070–50089	cs5	High	100 Mb/s	100 Mb/s

(Adjust bandwidths to your link capacity.)

Phase 1 — Common prep (do on both vGR and z40)

1. Create IPSET “Teams”
   • Navigate: Edge Controllers > [Device] > Network > IPSET
   • Click ADD IPSET → Name: Teams, Description: Teams
   • Open the new IPSET → ADD IPSET ENTRY:
     • Add 52.112.0.0/14 → click +
     • Add 52.120.0.0/14 → click +
     • Click ADD

Phase 2 — Datacenter node (vGR)

You’ll create IN and OUT variants of each class. The only “IN/OUT” distinction is in the class name and which interface(s) you assign the class to (there’s no separate IN/OUT concept in the class object itself).

2A) Create eight QoS classes (IN + OUT for the four media types)

Navigate: Edge Controllers > [vGR] > Network > QoS > CLASS MANAGER → NEW CLASS and create the following:

OUT classes (to apply on WAN00):

• OUT_Teams_Audio: DSCP ef, Priority High, Guaranteed 300 Mb/s, Max 300 Mb/s
• OUT_Teams_Video: DSCP af41, Priority Medium, Guaranteed 400 Mb/s, Max 400 Mb/s
• OUT_Teams_Sharing: DSCP af21, Priority Low, Guaranteed 200 Mb/s, Max 200 Mb/s
• OUT_Teams_Signaling: DSCP cs5, Priority High, Guaranteed 100 Mb/s, Max 100 Mb/s

IN classes (to apply on IPSECxx):

• IN_Teams_Audio: DSCP ef, Priority High, Guaranteed 300 Mb/s, Max 300 Mb/s
• IN_Teams_Video: DSCP af41, Priority Medium, Guaranteed 400 Mb/s, Max 400 Mb/s
• IN_Teams_Sharing: DSCP af21, Priority Low, Guaranteed 200 Mb/s, Max 200 Mb/s
• IN_Teams_Signaling: DSCP cs5, Priority High, Guaranteed 100 Mb/s, Max 100 Mb/s

Tip: Keep “Guaranteed” ≤ “Max” and in line with actual link capacity.

2B) Assign classes to interfaces

Navigate: QoS > INTERFACE MANAGER

• WAN00:
  • Click + next to the class list and add:
    OUT_Teams_Audio, OUT_Teams_Video, OUT_Teams_Sharing, OUT_Teams_Signaling
• IPSECxx (each IPSEC tunnel interface carrying branch traffic):
  • Click + and add:
    IN_Teams_Audio, IN_Teams_Video, IN_Teams_Sharing, IN_Teams_Signaling
• Click ACTIVATE CHANGES.

2C) Create sixteen classifiers (2 protocols × 4 media × 2 directions)

Navigate: QoS > CLASSIFIER → NEW RULE for each line below.
Use Apply To: Routed and Bridged Packets.

OUT direction (Branch → Internet; class targets OUT_*; source ports used)

For each UDP and TCP:

• Audio OUT (50000–50019)
  • Packet Matching:
    • Source Address: Branch LAN subnet (e.g., 192.168.64.0/24)
    • Destination IPSET: Teams
  • Protocol Matching: UDP (repeat for TCP)
    • Source Port: 50000:50019
  • Target Class: OUT_Teams_Audio
• Video OUT (50020–50039) → same pattern, Source Port 50020:50039, Class OUT_Teams_Video
• Sharing OUT (50040–50059) → Source Port 50040:50059, Class OUT_Teams_Sharing
• Signaling OUT (50070–50089) → Source Port 50070:50089, Class OUT_Teams_Signaling

That’s 8 rules (4 media × 2 protocols).

IN direction (Internet → Branch; class targets IN_*; destination ports used)

For each UDP and TCP:

• Audio IN (50000–50019)
  • Packet Matching:
    • Source IPSET: Teams
    • Destination Address: Branch LAN subnet (e.g., 192.168.64.0/24)
  • Protocol Matching: UDP (repeat for TCP)
    • Destination Port: 50000:50019
  • Target Class: IN_Teams_Audio
• Video IN (50020–50039) → Destination Port 50020:50039, Class IN_Teams_Video
• Sharing IN (50040–50059) → Destination Port 50040:50059, Class IN_Teams_Sharing
• Signaling IN (50070–50089) → Destination Port 50070:50089, Class IN_Teams_Signaling

Another 8 rules. Total at DC = 16 classifiers.

Phase 3 — Branch node (z40)

On the branch, you don’t create separate IN/OUT class variants. You’ll create four classes and assign them to IPSECxx. You’ll create eight classifiers (2 protocols × 4 media).

3A) Create four QoS classes

Navigate: Edge Controllers > [z40] > Network > QoS > CLASS MANAGER → NEW CLASS:

• Teams_Audio: DSCP ef, Priority High, Guaranteed 300 Mb/s, Max 300 Mb/s
• Teams_Video: DSCP af41, Priority Medium, Guaranteed 400 Mb/s, Max 400 Mb/s
• Teams_Sharing: DSCP af21, Priority Low, Guaranteed 200 Mb/s, Max 200 Mb/s
• Teams_Signaling: DSCP cs5, Priority High, Guaranteed 100 Mb/s, Max 100 Mb/s

3B) Assign classes to IPSECxx interfaces

Navigate: QoS > INTERFACE MANAGER → select each IPSECxx that carries branch traffic → + add:
Teams_Audio, Teams_Video, Teams_Sharing, Teams_Signaling
→ ACTIVATE CHANGES.

3C) Create eight classifiers (2 protocols × 4 media)

Navigate: QoS > CLASSIFIER → NEW RULE for each line below.
Use Apply To: Routed and Bridged Packets.

Per your guidance, destination IPSET = Teams and source ports match the media ranges.

For each UDP and TCP:

• Audio (50000–50019)
  • Packet Matching:
    • Destination IPSET: Teams
  • Protocol Matching: UDP (repeat for TCP)
    • Source Port: 50000:50019
  • Target Class: Teams_Audio
• Video (50020–50039) → Source Port 50020:50039, Class Teams_Video
• Sharing (50040–50059) → Source Port 50040:50059, Class Teams_Sharing
• Signaling (50070–50089) → Source Port 50070:50089, Class Teams_Signaling

Total at branch = 8 classifiers.

Phase 4 — Validation

1. Generate Teams traffic
   • Place/receive a Teams call and screen share to drive Audio/Video/Sharing flows.
2. Monitor QoS
   • Navigate: Edge Controllers > [Device] > Dashboard > QoS By Interface Class
   • On vGR:
     • WAN00 should show utilization by OUT_Teams_* classes.
     • IPSECxx should show utilization by IN_Teams_* classes.
   • On z40:
     • IPSECxx should show utilization by Teams_* classes.
   • Optionally verify DSCP with a packet capture (if needed).
3. Expected results
   • Active classes reflect traffic (counters rise).
   • DSCP marks present per class settings.
   • Audio gets higher priority/guaranteed bandwidth; no drops/jitter during contention.

Quick recap of counts & placements

• Datacenter (vGR)
  • Classes: 8 (OUT_* on WAN00, IN_* on IPSECxx)
  • Classifiers: 16 (UDP+TCP × 4 media × IN/OUT)
• Branch (z40)
  • Classes: 4 (Teams_* on IPSECxx)
  • Classifiers: 8 (UDP+TCP × 4 media)

Was this article helpful?

0 out Of 5 Stars

5 Stars		0%
4 Stars		0%
3 Stars		0%
2 Stars		0%
1 Stars		0%

5 Submit

How can we improve this article?

Please submit the reason for your vote so that we can improve the article.

Submit