06-28-2021 03:20 PM
Good afternoon. Please help: I need to configure and limit the outbound Internet bandwidth of a pair of networks coming from a LAN Trust interface.
-Interface 1/1 is the outgoing WAN interface to the Internet.
-The segments 10.79.25.0/24 and 10.79.26.0/24 come from the Trust interface, LAN 1/13.
-Internet access must be limited by guaranteeing bandwidth according to the following criteria:
-Segments 10.79.25.0/24 and 10.79.26.0/24 must have a guaranteed minimum bandwidth of 100 MB for all the outgoing traffic to the Internet.
And I must apply this to other networks.
I've been looking at the documentation but I still can't find what I'm looking for.
Please help me.
I'll be watching this thread. Thank you all.
06-28-2021 04:05 PM
By default everything is classified as class 4. So first you need a QoS policy that classifies the traffic for the 2 networks to something other than class 4. At least for this example I use class 3.

After the classification you need to tell the firewall how to process this traffic, especially when there is a situation with high bandwidth usage. For this you create a QoS profile where you add class 3 and configure a guaranteed value of 100 Mbit. In addition to that you add class 4 without any values, except if you maybe also want to set a maximum value, for example for the rest of the traffic; you could do this here too.

This QoS profile now needs to be added to the actual QoS interface config. So you add a QoS config for ethernet1/1 and set the maximum egress value to the upload value of your internet connection. In this simple example you add the QoS profile you have just created as the default profile for clear text traffic, and that's it already. Commit the configuration and after that you have reserved 100 Mbit for the 2 networks. (As long as class 3 does not use this guaranteed bandwidth it can also be used by other traffic from the default class 4.)
06-28-2021 05:52 PM
Thank you very much for your response.
One question: does this guarantee the bandwidth for the aforementioned networks both upstream and downstream? That is to say, will it ensure the bandwidth, in this case the 100 MB, for such traffic?
Summary: create the policy and its classification, then generate the profile with, for example, class 3 or class 8, apply it to the interface and that's it.
If I want to guarantee a different bandwidth for other networks, is the same procedure used? What if I have more than 8 networks and there are only 8 traffic classes? How do you ensure the bandwidth in that case?
Thank you very much.
06-29-2021 07:42 AM
Hi @Metgatz,
A few points to remember when working with QoS on a PAN FW.
- QoS is applied on the egress interface. This means that if you apply a QoS profile on the WAN interface you will shape only the upload. If you want to shape the download traffic (most likely) you need to apply the QoS profile on the LAN interface (the egress interface towards the clients). Usually you should apply the same QoS profile on both interfaces.
- The QoS profile defines bandwidth reservations for each class. Traffic classification (i.e. which traffic is assigned which class) is configured with the QoS policy (under the Policies tab in the GUI). The rule matches the direction in which the traffic is initiated, but the class is applied to the entire session, so the return traffic will have the same class.
- Class 4 is the default class, meaning that if there is traffic passing over an interface on which QoS is enabled but it is not classified, the FW will consider it as class 4 (something like a native VLAN).
- A single QoS profile can have up to eight classes. Different networks with the same class share the allocated bandwidth. If you need to allocate more than eight separate queues you can, but it is not very easy....
--- Under QoS interface > Clear Text Traffic tab you can configure "matching rules" and apply a different QoS profile for different traffic. The total number of rules depends on your device. Remember that one "rule" applies a different profile, while a single profile has eight classes.
--- The problem is that these "matching rules" only allow you to match traffic based on source and destination interface and source subnet. So basically for each source interface/sub-interface you can have a different profile with eight classes.
--- The bigger problem is with the source subnet. If you apply NAT on this FW, the source in this "matching rule" must be the IP after the NAT. If all networks are coming from the same source interface, you can apply different source hide NAT and separate them this way. But, if you remember, to shape the download you need the QoS profile on the inside interface, and there, since this is return traffic, you cannot apply different profiles based on source subnet.
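Editor's note: to tie the two replies above together, here is the complete procedure (classify with a QoS policy, reserve with a QoS profile, attach the profile to the WAN egress interface for upload and to the LAN egress interface for download) written out as PAN-OS CLI set commands. This is an added example, not configuration posted by anyone in the thread. Assumptions that are not in the thread: the zones are named trust and untrust, the LAN interface is ethernet1/13, the profile and rule names are made up, the 200/500 figures stand for the circuit's upload/download speed in Mbps, and the third network 10.79.27.0/24 with its own 50 Mbps reservation in class 5 is a generalisation added to answer the "different bandwidth for other networks" question (networks that share a class share that class's reservation). Values are in Mbps, as in the first reply. Lines starting with # are annotations, not CLI input, and the exact key names should be confirmed with tab completion on your PAN-OS version before committing.

```text
configure

# QoS policy: classify sessions. Everything not matched stays in the default class 4.
# The rule matches the direction the session is initiated (LAN -> Internet);
# the class sticks to the whole session, so return traffic carries it too.
set rulebase qos rules Guarantee-LAN-25-26 from trust to untrust source [ 10.79.25.0/24 10.79.26.0/24 ] destination any application any service any action class 3
# Generalisation (assumed third network): its own class gives it its own reservation.
set rulebase qos rules Guarantee-LAN-27 from trust to untrust source 10.79.27.0/24 destination any application any service any action class 5

# QoS profile: what each class gets when the link is congested (Mbps).
set network qos profile Internet-Guarantee class class3 priority high class-bandwidth egress-guaranteed 100
set network qos profile Internet-Guarantee class class5 priority high class-bandwidth egress-guaranteed 50
# class 4 is listed with no limits: the rest of the traffic may borrow whatever class 3/5 are not using.
set network qos profile Internet-Guarantee class class4 priority medium

# WAN egress interface: this shapes UPLOAD only. egress-max = upload speed of the circuit (assumed 200).
set network qos interface ethernet1/1 enabled yes
set network qos interface ethernet1/1 interface-bandwidth egress-max 200
set network qos interface ethernet1/1 regular-traffic default-group qos-profile Internet-Guarantee

# LAN egress interface: same profile here shapes DOWNLOAD towards the clients.
# egress-max = download speed of the circuit (assumed 500).
set network qos interface ethernet1/13 enabled yes
set network qos interface ethernet1/13 interface-bandwidth egress-max 500
set network qos interface ethernet1/13 regular-traffic default-group qos-profile Internet-Guarantee

commit

# Check: per-class counters and live per-class throughput on both shaped interfaces.
show qos interface ethernet1/1 counter
show qos interface ethernet1/13 throughput 0
```

Two things worth checking after the commit: that the interface-level egress-max really reflects the circuit speed (if it is higher than the real link, the firewall never sees congestion and the guarantee is never enforced), and that the 100 Mbps for class 3 is an aggregate shared by 10.79.25.0/24 and 10.79.26.0/24, not 100 Mbps each. If the two segments need separate guarantees, put each in its own class; if you run out of the eight classes, the clear-text "matching rules" per source interface described in the second reply are the next step.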