Applying QoS on Tunnel Interfaces

Created On 09/25/18 17:18 PM - Last Modified 06/07/23 08:33 AM


Symptom


This article explains important considerations when setting up a QoS profile and the relationship between the different parameters in QoS profiles.

This article makes the following assumptions:
  • Maximum bandwidth of an interface (ethernet1/1) is 1000Mbps
  • Out of 1000Mbps, clear text traffic should have guaranteed bandwidth of 980Mbps
  • The rest should be assigned to tunneled traffic
  • Total number of tunnel interfaces on device is 16
  • Number of tunnels terminating on ethernet1/1 interface is 15


Resolution


There are 16 gateways, i.e. 16 tunnels/tunnel interfaces, on the device; however, 15 of these tunnels terminate on interface ethernet1/1 and 1 tunnel terminates on ethernet1/3.
 
QoS setting on egress interface ethernet1/1 is as follows:

 

  1. Egress Max of Tunneled Traffic + Egress Guaranteed of Clear (Regular) Text Traffic <= Egress Max of Interface

Egress Max of Interface = 1000Mbps
Egress guaranteed of clear text traffic = 980Mbps

Therefore, Egress Max of Tunneled Traffic = (1000-980)Mbps = 20Mbps

This means the "ClearText" profile applied to the clear text traffic of the interface could have Egress Max = 1000Mbps and Egress Guaranteed = 980Mbps. Also, the "Tunnel" profile applied to the tunnel interface could have an Egress Max of 20Mbps only.

We now cannot set the Egress Max of the tunneled traffic profile to more than 20Mbps. If we set it to more than 20Mbps, there would be a validation error: "Tunnel-traffic-group max bandwidth is smaller than tunnel.X (profile Tunnel) max bandwidth"

This error means the tunnel traffic profile can be a maximum of 20Mbps, but in the "Tunnel" profile we have specified an Egress Max of more than 20Mbps. This error message would be listed for each of the 15 tunnel interfaces on the ethernet1/1 interface.

Similarly, we cannot set the Tunnel Traffic Egress Max to more than 20Mbps under Network > QoS either. Validation would give the error "Max tunnel traffic bandwidth plus guaranteed regular traffic bandwidth cannot exceed interface bandwidth"

 

  2. Tunnel Traffic Egress Guaranteed <= Tunnel Egress Max / Number of tunnels on the physical interface

Tunnel Egress Max (as calculated above) = 20Mbps
Number of tunnels/tunnel interfaces that terminate on ethernet1/1 = 15

Therefore, in "Tunnel" profile applied to Tunnel interface, Egress Guaranteed bandwidth <= (20/15)Mbps ~ 1.3Mbps

If we specify Egress Guaranteed to be more than ~1.3Mbps, validation would give an error "tunnel-traffic-group max bandwidth is smaller than its guaranteed bandwidth"

  3. Sum of Egress Guaranteed bandwidth of classes in a profile <= Egress Guaranteed of the profile.

Egress guaranteed of Tunnel profile = 1.3 Mbps  (as calculated above)
Sum of Egress guaranteed bandwidth of all 8 classes in this Tunnel profile <= 1.3Mbps

If the sum is not <= Egress guaranteed of the profile, validation would fail with an error, "tunnel.X (profile Tunnel) guaranteed bandwidth is smaller than the sum of guaranteed bandwidth of its children"

This error message would be printed for each of the tunnel interfaces terminating on the egress physical interface.
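
The three rules above can be checked against planned values before committing. The following is an added example, not Palo Alto Networks code and not the firewall's own validation logic: the function, class and parameter names are assumptions, and only the error strings are copied from this article.

```python
from dataclasses import dataclass, field

@dataclass
class TunnelProfile:              # hypothetical model of the "Tunnel" QoS profile
    egress_max: float             # Mbps
    egress_guaranteed: float      # Mbps
    class_guaranteed: list = field(default_factory=list)  # Mbps per class (up to 8)

def tunnel_limits(if_max, clear_guaranteed, n_tunnels):
    """Ceilings from rules 1 and 2: (tunnel egress max, per-tunnel guaranteed)."""
    tunnel_max = if_max - clear_guaranteed
    return tunnel_max, tunnel_max / n_tunnels

def check_qos(if_max, clear_guaranteed, tunnel_group_max, n_tunnels, profile):
    """Return the article's validation messages this plan would trigger (Mbps)."""
    errors = []
    # Rule 1: tunnel max + guaranteed clear text must fit in the interface max.
    if tunnel_group_max + clear_guaranteed > if_max:
        errors.append("Max tunnel traffic bandwidth plus guaranteed regular "
                      "traffic bandwidth cannot exceed interface bandwidth")
    # Rule 1, profile side: the profile max cannot exceed the tunnel group max.
    if profile.egress_max > tunnel_group_max:
        errors.append("Tunnel-traffic-group max bandwidth is smaller than "
                      "tunnel.X (profile Tunnel) max bandwidth")
    # Rule 2: every tunnel on the interface gets the same guaranteed share.
    if profile.egress_guaranteed * n_tunnels > tunnel_group_max:
        errors.append("tunnel-traffic-group max bandwidth is smaller than "
                      "its guaranteed bandwidth")
    # Rule 3: per-class guarantees must fit inside the profile guarantee.
    if sum(profile.class_guaranteed) > profile.egress_guaranteed:
        errors.append("tunnel.X (profile Tunnel) guaranteed bandwidth is smaller "
                      "than the sum of guaranteed bandwidth of its children")
    return errors

if __name__ == "__main__":
    # Constructed values matching the article's assumptions for ethernet1/1.
    print(tunnel_limits(1000, 980, 15))
    good = TunnelProfile(20, 1.3, [0.16] * 8)
    bad = TunnelProfile(30, 1.4, [0.2] * 8)
    print(check_qos(1000, 980, 20, 15, good))
    for msg in check_qos(1000, 980, 20, 15, bad):
        print(msg)
```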
