L3 Networker


Hi Community,


I am having some queries about PA qos.

My requirment is for example, i need to control upload in following scenario

  • I have a 50 mbps link from isp
  • i have clear and tunnel traffic,
  • My tunnel traffic should not go beyond 25 mbps in any scenario (even if other traffic is not there).
  • Clear traffic shoul always preffered. ie if i have 45mbps clear and 30 mbps tunnel, all 45mbps clear should pass PA, but tunnel should reduce to 5mbps(eventhough he have a maximum value of 25mbps).

For achiving same ,


i created two qos profiles with class 4 ( default class for all traffic, i dont have any qos policy).

  1. for clear traffic with high priority ( my assumption is both clear and tunnel class 4 is going through same queue/bucket, so by priority configuration my clear traffic will be treated first- to achive 4th requirement mentioned above) - with egress max as 50mbps and guaranteed as 25 mbps
  2. for tunnel with less priority - with egress max as 25mbps and no guaranteed settings

Applied it on egress interface ( connecting to ISP).


  • Will this address my requirment?
  • Is clear and tunnel class 4 is same in action ?( ie is both uses same queue, so that i can take benefit of priority ?)
  • should i do with removing egress max in clear and configure 50 as guaranteed ?( will be option if the priority doesnt work)
  • in nutshell, is there a way i can prioritise clear traffic than tunnel traffic ?
L7 Applicator

Re: QoS


I'm pretty sure PA's implementation of QoS doesn't get this in depth to allow this fine of control; I could be wrong but I don't think this will work how you want it to. 

L7 Applicator

Re: QoS

You can control maximum and guarantee for both clear and tunneled, but if both are consuming more than is available in total, they will be treated equally and anything that falls outside of their guarantee will basically become 'first come first serve' (this is more nuanced as the individual classes and their priorities will still be applied, as you propose)


The individual priorities will only be applied when there is a complete saturation condition. As long as there is bandwidth available the packets will be processed fifo. You will want to give yourcleartext packets 'real-time' and the tunneled packets something lower as there liest the biggest difference the moment your bandwidth is fully consumed (the real-time queue has preference over all other priorities)


L3 Networker

Re: QoS

Thanks @reaper for your valuable input,


do i have any option to automatically reduce tunnel bandwidth if clear traffic is higher if there is no conjuction also?.

i am worried that even if i reduce the interface speed to 50 mbps(dont think so, because i am seeing 10/100/1G..options), hope it will only stops sending bits in every clock cycle instead it will send accordingly so that it can match speed. in this case also i cannot indirectly generate a conjuction.


Could you please advice if there is any option to achive the requirment?

L7 Applicator

Re: QoS

hi @Abdul_Razaq


no, both channels will use the bandwidth that is not in their guarantee

the 'shared' bandwithspace cannot be throttled to favor one channel over the other, you can only give one class a higher priority vs the other


you could try setting a lower maximum for the tunneled traffic so it is stopped from trying to take more than what is available in total which will allow for more room for cleartext to take up

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!