I need to configure a dual-ISP failover setup as described in the following article:
However, I have a couple of additional requirements and am unsure as to how I can do this on the Palo Alto platform.
Firstly, I need incoming QoS, in that I need to reserve a set amount of incoming bandwidth for video-messaging.
Secondly, my 2 ISP circuits are different speeds: primary is 100Mb download, backup is 10Mb download; how can I reserve differing amounts of bandwidth for incoming video-messaging, depending on which ISP circuit is in use?
Class bandwidth-limits are assigned in QoS Profiles.
QoS Profiles are associated with Physical Interfaces in a QoS Interface object.
However. it appears that each Physical Interface can be associated with only one QoS interface (and therefore only one QoS Profile), so how can I apply differing QoS profiles to my incoming Internet traffic, depending on which ISP I am currently connected to?
Thanks for any suggestions!
to follow on: logically, I would expect to create a 3 virtual router system, with VR1 and VR2 associated with ISP1 and ISP2, with both having static routes pointing trusted internal traffic to a 3rd internal VR.
I would then expect to be able to attach different QoS profiles to the internal-facing interfaces of VR1 and VR2, allowing me to enable different QoS behaviour dependent on which circuit packets came in on.
But since it appears you can only apply QoS profiles to physical interfaces, this does not appear to be an option.
So again, question is how can I apply differing QoS profiles to my incoming Internet traffic, depending on which ISP I am currently connected to?
My initial question was a little sensless. It would matter if you have both internet connections on the same port but different subinterfaces on you PA...
Anyway, when you create the QoS configuration on your internal interface, in the clear text tab you can create different rules with different QoS profiles based on the source interface (or the source IP) of the incoming traffic.
Thank you for your response.
I wasn't aware of being able to specify source interface on the QoS Interface Clear-Text Traffic tab, and I think this will enable me to do just what I am trying to do.
(I've found an image URL showing this tab, showing differing profiles being applied dependent on source interface/subnet and pasted below if anyone wants to check.
When I get back to work, I'll try this out and update here.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!