- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-29-2017 04:12 PM
Hi-
I need to configure a dual-ISP failover setup as described in the following article:
However, I have a couple of additional requirements and am unsure as to how I can do this on the Palo Alto platform.
Firstly, I need incoming QoS, in that I need to reserve a set amount of incoming bandwidth for video-messaging.
Secondly, my 2 ISP circuits are different speeds: primary is 100Mb download, backup is 10Mb download; how can I reserve differing amounts of bandwidth for incoming video-messaging, depending on which ISP circuit is in use?
Class bandwidth-limits are assigned in QoS Profiles.
QoS Profiles are associated with Physical Interfaces in a QoS Interface object.
However. it appears that each Physical Interface can be associated with only one QoS interface (and therefore only one QoS Profile), so how can I apply differing QoS profiles to my incoming Internet traffic, depending on which ISP I am currently connected to?
Thanks for any suggestions!
T
07-29-2017 04:23 PM
to follow on: logically, I would expect to create a 3 virtual router system, with VR1 and VR2 associated with ISP1 and ISP2, with both having static routes pointing trusted internal traffic to a 3rd internal VR.
I would then expect to be able to attach different QoS profiles to the internal-facing interfaces of VR1 and VR2, allowing me to enable different QoS behaviour dependent on which circuit packets came in on.
But since it appears you can only apply QoS profiles to physical interfaces, this does not appear to be an option.
So again, question is how can I apply differing QoS profiles to my incoming Internet traffic, depending on which ISP I am currently connected to?
Thanks!
T
07-29-2017 06:06 PM
everything from PAN-220s upwards.
Furthermore, all instances are going to be HA clusters,
Ideally I'd like a template I could use for all satellite offices.
T
07-29-2017 11:17 PM
Hi @en26bq
My initial question was a little sensless. It would matter if you have both internet connections on the same port but different subinterfaces on you PA...
Anyway, when you create the QoS configuration on your internal interface, in the clear text tab you can create different rules with different QoS profiles based on the source interface (or the source IP) of the incoming traffic.
07-30-2017 03:26 AM
Hi vsys_remo.
Thank you for your response.
I wasn't aware of being able to specify source interface on the QoS Interface Clear-Text Traffic tab, and I think this will enable me to do just what I am trying to do.
(I've found an image URL showing this tab, showing differing profiles being applied dependent on source interface/subnet and pasted below if anyone wants to check.
/t5/image/serverpage/image-id/5848i490BA4F2D5AE9010?v=1.0
When I get back to work, I'll try this out and update here.
T
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!