topic Re: Qos profile in General Topics

Qos profile

sib2017 — Tue, 28 Mar 2017 15:28:20 GMT

Hi ,

In the above which class will get high priority ?

Thanks

Re: Qos profile

BPry — Tue, 28 Mar 2017 18:57:21 GMT

@sib2017 The priority is listed in the far right column. Class 2 traffic being real-time will be given the highest priority and everything but class4 is being assigned high priority. Keep in mind that everything by default is class4 on the PA., you need to enable QoS on the interface level, and it looks like whoever setup the Maximum egress didn't really care about anything but the default class4 traffic.

I would look at some of the QoS articles on live; most of them do a really good job of explaining things but setting up QoS on the PA can be seen as weird from someone used to primarly working with switches and routers.

Re: Qos profile

sib2017 — Wed, 29 Mar 2017 01:51:55 GMT

Hi,

Thank you for the reply , I am using class 2 for skype and skype probe , the issue is sometimes the audio is lagging than video

Thanks

Re: Qos profile

sib2017 — Wed, 29 Mar 2017 02:37:29 GMT

Hi,

Is it necessary to mark qos in the switch level ( from the access layer or distribution layer ), if we are enabling qos on PA ?.

pa will mark qos on the packet if we are sennding to the upstream router ?

Thanks

Re: Qos profile

reaper — Wed, 29 Mar 2017 07:17:46 GMT

Hi @sib2017

the PANW QoS is going to apply limits/make reservations and prioritize sessions on the system but will not mark packets

marking is supported on the security policies, but then an external device becomes responsible for enforcing QoS:

if you want to prevent the audio/video from lagging, it may also be a good idea to set a reservation for bandwidth, so you don't run out.

even with the priority set to realtime (which will assign top priority queueing in a dedicated queue) there may still be a bandwidth issue preventing you from achieving lossless audio/video

Re: Qos profile

sib2017 — Wed, 29 Mar 2017 08:10:42 GMT

Hi reaper ,

Usually the enforcing device must be the upstream device ( router or firewall ) ? .

I have deployed pa in vw mode. my upstream device is asa fw and then router

Thanks

Re: Qos profile

reaper — Wed, 29 Mar 2017 08:17:55 GMT

if you use the 'QoS marking' option, then yes, an upstream device needs to do the shaping

if you configure QoS on the PANW, it will apply shaping just fine and you wont need external devices

Re: Qos profile

sib2017 — Wed, 29 Mar 2017 09:01:58 GMT

Hi,

If we configure the qos on PANOS and the packet reached on upstream asa or router , How the asa will treat this packet if there is no qos related service enabled ( policy )

Thanks

Re: Qos profile

reaper — Wed, 29 Mar 2017 09:45:07 GMT

sensing much confusion, I am

😉

ok ok lemme start fresh

1) there are QoS policies and QoS profiled on the panw firewall which allow you to set maximum throughput or guaranteed throughput for certain classes of traffic. you can also set a priority which, in case the firewall is starved for resources (high DP load) can prioritize the IO of certain sessions. all this is achieved on the firewall without the outside being aware something is being limited or prioritized

2) QoS marking through a security policy: the firewall adds a QoS 'color' to the packets in a session (DSCP codepoint, like a flag in tcp header) so external devices can pick up on these colored packets (upstream loadbalancers or other firewalls/routers) and prioritize/deprioritize based on the 'color' of the packet, IF they understand DSCP codepoints

Re: Qos profile

BPry — Wed, 29 Mar 2017 13:29:26 GMT

@sib2017 if you're putting the time and effort to do QOS mappings on your ASA and PA then you really should enable it on the access layer. When setting up QOS you pretty much want to have it on the full stream if possible, but usually most people would do QOS on the access and distribution layer and then would have the firewall scaled to the point they don't have to worry about doing QOS on it as much, as most ISPs won't listen to DSCP codepoints.

I would really recommend that you work on creating QOS statements on your access layer before you worry to much about working with QOS on your firewall unless your dataplane is constantly starved for resources. It is far more likely that the access or distribution layer is dropping packets in the queue than your firewall dropping them, unless of course your ASA or PA is not scaled for your network properly.

Also yes if you have the PA set to do DSCP codepoints you also need to tell your ASA what to do with them so that it prioritizes things properly. It's important to note that QOS simply tells the device how it should be processing the traffic; so if the traffic can all be processed almost instantly and not build up in the queue then you really never take advantage of your QOS statements, but if the queue starts to fill up then the device uses the QOS statements to know what you want to prioritize and actually process first, second, third, and so on.

Re: Qos profile

sib2017 — Wed, 29 Mar 2017 17:33:10 GMT

Hi,

" would really recommend that you work on creating QOS statements on your access layer before you worry to much about working with QOS on your firewall unless your dataplane is constantly starved for resources."

Is it ok setting qos for skype through gpo on end user's pc

http://blogs.perficient.com/microsoft/2014/12/configuring-quality-of-service-for-lync-online/

or is it must we need to do on access switches or in distribution switches

Thanks

Re: Qos profile

BenjAudy.MTL — Wed, 29 Mar 2017 17:44:59 GMT

Hi,

Did you verify how much class 2 traffic goes through your firewall when you test Skype? Does it constantly cap at 25 Mbps? You can see the real-time statistics under the Network tab, then QoS and click on Statistics for the desired interface.

Benjamin

Re: Qos profile

BPry — Wed, 29 Mar 2017 18:35:12 GMT

@sib2017 end-user qos is usually done more so for simplified QOS markings; basically so that you know what DSCP value will come across so that you can quickly build the QOS statements on your switches. Once the traffic is tagged with DSCP 46 you still need to tell the switch how to actually process the DSCP 46 traffic and what priority it should actually get that traffic out of the outbound/inbound queue.

It sounds like what you should do is

1) Build the GPO so that you know what DSCP value is going to be marked

2) Build out the qos statements on your switches (no idea what brand you are using for this, I could provide a Cisco example if that is what you are using). Depending on the brand it may default to standard QOS statements, but likely qos isn't enabled out of the box.

3) If it's still choppy then start looking at QOS on the PA; likely though you are running into issues before you reach the firewall.

Re: Qos profile

sib2017 — Thu, 30 Mar 2017 05:17:46 GMT

Hi,

yes I am using cisco 3850 at access layer

Thanks