QoS Best Practices - complete concept/configuration - big picture for QoS

sebastian — Fri, 25 Jul 2014 17:02:05 GMT

Hi there,

I already read the QoS in PAN-OS 4.1 document and the QoS section in the Panorama Administrator's Guide 6.0 (English).

But there a still big question marks hovering over my head. :smileyconfused:

The examples show only one use case/qos-profile at one time: "QoS for a Single User" or "QoS for Voice and Video Applications" or "restrict downloads to 15 Mbps".

But I dont see a configuration where all these use cases are combined together.

Maybe someone can provide me with proper screenshots of their qos configuration?

So lets say:

ethernet1/1 - zone untrust = 300MBit internet link

ethernet1/22 with different sub-interfaces = 10GBit = development clients

ethernet1/23 with different sub-interfaces = 10GBit = server infrastructure

ethernet1/24 with different sub-interfaces = 10GBit = clients also different wireless clients/interfaces

At first I didn't understand the need to setup the Egress Max (Mbps) on the physical interface.

Ok at ethernet1/1 this is the only place where it makes sense, I have a 300MBit internet link. (Physical connected to 1GB)

But it's only the egress traffic (uploading to the internet).

But what should I do with the ingress traffic from the internet?

I can't limit the egress max on the physical interface for ethernet1/22-24 to 300MBit (as seen in other discussions) because there is a lot of other traffic not only from/to the internet.

And also different interfaces connects to the internet (ethernet1/1)

To classify the traffic is easy-peasy but then?

To start with:

a) I want all salesforce traffic to be in class3 (prio high) and a "Egress Guaranteed" with 30MBit

b) I want all video application to be in class1 (prio real-time) and a "Egress Guaranteed" with 20MBit

c) normal web-browsing to be in class5 (prio medium) and a "Egress Guaranteed" with 20MBit but should not have an effect when I browse to an internal server (standing in ethernet1/23)

I should not create a single QoS-Profile for salesforce and video application and web-browsing?

Should i create a QoS-Profile incoming-untrust and outgoing-untrust?

Where is the right place to set the egress maximum for the ethernet1/1 (ingress/downloading)?

On the QoS-Interface it would affect all traffic not only the traffic that is coming from ethernet1/1 is'nt it?

So I have to do that on the QoS Profile?

Seems that correct to you?

And what happends to all the other traffic?
Goes than untouched bypass-traffic?

Phew!

Sebastian

Re: QoS Best Practices - complete concept/configuration - big picture for QoS

hyadavalli — Fri, 25 Jul 2014 22:14:26 GMT

Hello Sebastian,

Lemme clarify this, QoS policy is session based. So if you have a QoS policy for outbound traffic then all the return traffic will also follow the QoS policy and bandwidth limiting is done based on the QoS profile applied to inside interface.

Please take a look at below screenshots and let me know if that makes sense to you.

In below screenshots ethernet1/1(Untrust-L3) is outside interface and ethernet1/2(trust-L3) is inside interface.

Regards,

Hari Yadavalli

topic QoS Best Practices - complete concept/configuration - big picture for QoS in General Topics

QoS Best Practices - complete concept/configuration - big picture for QoS

Re: QoS Best Practices - complete concept/configuration - big picture for QoS