topic Re: QoS and interfaces - some conception advice needed in General Topics

QoS and interfaces - some conception advice needed

_slv_ — Thu, 04 Aug 2016 15:12:36 GMT

Hello

I will migrate fom PA200 to PA500. I have some local networks (DMZ, Wifi for students, Wifi for stuff, LANs)

I need to use QoS but I need some advice with that.

I know that I can controll only on outgoing interfaces but I have no idea how to get it working with one condition: I wouldnt limit traffic from/to my local servers in DMZ.

Now I have all my lans as a subinterfaces of ethernet1/4

Should I separate my lans ir: DMZ to ethernet 1/2, WIfi to 1/3, LAN_1 to 1/4 and so on?

I assume that ISP is on ethernet 1/1 as an Untrust zone.

How to _not_ limit traffc to ie. Wifi from DMZ?

I will be grateful for any suggestions

Regards

SLawek

Re: QoS and interfaces - some conception advice needed

_slv_ — Fri, 05 Aug 2016 14:30:49 GMT

no one ?

Re: QoS and interfaces - some conception advice needed

BenjAudy.MTL — Fri, 05 Aug 2016 18:38:31 GMT

Hi,

You cannot apply QoS on subinterfaces, so you don't really have a choice here. Each network will need his own physical interface. You can apply multiple QoS profiles on an interface, based on the source interface or subnet, so you could have different limits depending on the source of the traffic.

Benjamin

Re: QoS and interfaces - some conception advice needed

VinceM — Mon, 08 Aug 2016 14:02:07 GMT

Hi,

100% agree with Baudy, QoS can't be configured on sub-interface.

QoS only impact outcomming traffic. Mean if you want to limit donwload / Streaming traffic from wifi, you need to configure QoS rule not on your ISP interface but on your physical wifi interface.

link: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/quality-of-service/configure-qos

Make sense ?

Re: QoS and interfaces - some conception advice needed

rabolfathi — Fri, 12 Aug 2016 06:58:14 GMT

Let's say you have an interface for untrust zone, another for trust zone, a third for wifi, and a fourth for DMZ. Seems you want to be able to use QoS on all interfaces but not mess with DMZ. The process is to setup QoS on each interface with no limitations, so it functions as a monitor. Then use the QoS levels as buckets to hold your apps (see below). Finally, apply the actual caps to the QoS profile.

There are a couple very good articles describing in detail how to setup QoS. Here is a quick summary of what I would do in your situation:

First define QoS profiles for each zone, with a max set to 1000, and define the levels such that each has a guaranteed min of .01 & max of 1000. This setup allows you to begin monitoring the traffic on each interface. Once you apply each named policy to each interface (Trust-profile to Trust interface, etc.), you'll notice that all the traffic is in the default level 4. The next step is to actually control the traffic. So set levels 1-3 as bogus stuff, and levels 5 & above as time-sensitive and critical. Leave Level 4 alone, since that is your normal business traffic and catch all. For example, level 1 can be reserved for "games" and the highest level for "VoIP" - Using just this simple Q0S profile example, apply it to the Trust Interface and monitor QoS in the Network tab. You'll see the actual usage of these apps that you defined for each level. Once you understand what bandwidth the applications are actually using, go back to the profile and in the coresponding level, set a max limit for the bandwidth.

By defining separate QoS profiles for each interface, you can monitor them all, with minimal configuration. Customize the profile assigned to the interface you want to manage, and you can actually control the traffic.

Re: QoS and interfaces - some conception advice needed

_slv_ — Mon, 15 Aug 2016 11:14:23 GMT

Hello

Thx for your replays. I had a lot of work with migration and network rearranging...

I used all my phisical interfaces.

But I still ned advice ..

I have 50Mbit link from ISP. I'd like to share on ethernet1/2 10Mbit max but when this bandwith is not used on this interface I would to consume that bandwitch on other interfaces.

How to get it working?

I know article https://live.paloaltonetworks.com/t5/Configuration-Articles/Incorrect-QoS-Configuration-Caused-Network-Traffic-Outage/ta-p/62576 and other

But I cant find exact examples with ISP speed and limitation on interfaces like in my example.

Regards

SLawek

Re: QoS and interfaces - some conception advice needed

reaper — Tue, 16 Aug 2016 09:54:45 GMT

Hi Slawek

there is no configuration that would allow you to share 'leftover' bandwidth from one interface with another interface

could you illustrate the scenario you're trying to achieve? maybe there's different solution

right now you can simply divy up available bandwidth on a single interface in terms of maximum allowed usage or minimum guaranteed bandwidth. on a policy where only a guarantee is defined, any 'leftover' bandwidth on that same interface will be used up until another guarantee is enforced. if no sessions exist for a guaranteed policy, that bandwidth will also be available to other policies