Bandwith shaping on complete subnet

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Bandwith shaping on complete subnet

L4 Transporter

Hey!

is it possible with a PA-3020 and OS 7.1.7 to set a bandwith limit for a complete subnet / Sub-Interface?

 

No matter which application etc.

 

Thanks!

15 REPLIES 15

Community Team Member

Hi @MPI-AE,

 

It is possible yes.  Please check the product info here :

https://www.paloaltonetworks.com/products/product-comparison.html?chosen=pa-3020

 

The QoS section more specifically :

 

QoS
Number of QoS policies 1,000
Physical interfaces supporting QoS 6
Clear text nodes per physical interface 31
DSCP marking by policy Yes
Subinterfaces supported System limit

 

System limit means that there is no defined hard limit.  It is driven by system capacity.

 

Compared to a 5020 where it is NOT supported :

https://www.paloaltonetworks.com/products/product-comparison.html?chosen=pa-5020

 

QoS
Number of QoS policies 1,000
Physical interfaces supporting QoS 12
Clear text nodes per physical interface 63
DSCP marking by policy Yes
Subinterfaces supported NA

 

Hope it helps !

-Kiwi

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

@kiwi

 

But when I want to add an interface under Network -> QoS, it only shows me my physical interfaces.

 

But that doesn't matter. I can switch the subinterfaces to physical interfaces.

 

The more important question is: Can I apply a maximum bandwith to all hosts in a subnet for all traffic?

 

For example guest users.

Community Team Member

Hi @MPI-AE,

 

QoS needs to be enabled per physical interface but you can define subinterfaces in the configuration :

 

sub-interfacesub-interface

Cheers,

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi @kiwi

 

will be very nice if you guide me through the configuration. That's very complex imo.

 

- Do I need a QOS profile with classes?

- Do I need a QOS Policy Rule where I define ssl and web-browsing and refer it to a class?

 

Questions over questions..

 

My subinterface is ae1.140  . That's the interface where all guest hosts are connected and I want to set a bandwith limit of 50Mbps to this subinterface for the complete internet download traffic.

 

Could you please help me with that?

Community Team Member

Hi @MPI-AE,

 

I suggest you start out here :

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Quality-of-Service/ta-p/68633

 

The above artice is an excellent resource explaining how to configure QoS.

 

Cheers !

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi @kiwi

 

that means when I set up a Qos policy rule with the guest zone only and in the Qos interface rule I only mention ae1.140, the bandwith limitation is only applied to the ae1.140 subinterface?

 

Because there are 30 more subinterfaces beneath ae1.

 

That would be very dreadful if the limitation is applied to all ae1 subinterfaces.

 

And I'm afraid about the default profile:

qos.JPG

@MPI-AE,

The default profile is going to apply to the interface but unless you are actually utilizing QoS policies all traffic is just going to map to class4 which is the default on the Palo Alto.

If you are worried about effecting production traffic I would contact your SE and ask for a time to walk through this with him to make sure that you actually configure everything correctly and you aren't going to be applying bandwidth constraints where you don't want to. 

@BPry,

 

is the following configuration correct?

 

limit.JPGunlimit.JPGinterface1.JPGinterface2.JPG

@MPI-AE,

You would need to actually enable QoS on that interface but otherwise if your intention is to simply limit the egress bandwidth then this would function fine. 

@BPry

 

I enabled it on the interface, but unfortunately traffic from the guest  network isn't limited.

 

When I download a file, I have a download rate of 200Mbit/s.

 

But it want it to be 50 Mbit/s.

 

When I take a look on the QoS Interface Statistics, I observe that the download rate increases at the default-group, not in the guest group:

 

stats.JPG

 

What is wrong?

@MPI-AE,

Not knowing how your network is setup I just want to verify that we are talking about egress traffic here right. In this scenario where you are downloading a file this is ingress traffic right; because egress is traffic leaving the subinterface. Downloading a file is going to have the subinterface as the ingress interface. 

 

So say for example I look at this 1.1 gig file I just downloaded. The Egress interface is ethernet1/2 which is my untrust/outside interface, this means that my ingress interface is ae2 or my trust/inside network. The reason this isn't working is because you have egress max setup for the ingress interface when it comes to downloading. 

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-assign-different-bandwidth-for-multipl...

 

That has a good explination of how to go about limiting downloads, although it's not the focus of the document you can get a good understanding of it from there. 

@BPry,

 

now I'm confused!

 

Please take a look at that link:

 

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/quality-of-service/qos-egress-interf...

 

My external interface is 1/20. My internal interface is ae1. The Guest Network is a subinterface of ae1. (-> ae1.140)

 

So when I download a file, the packets come in at 1/20, and leave the firewall at ae1.140 to my client.

 

So in my opinion, the egress interface is ae1.

 

"For example, in an enterprise network, if you are limiting employees’ download traffic from a specific website, the egress interface in the QoS configuration is the firewall’s internal interface, as the traffic flow is from the Internet, through the firewall, and to your company network. "

@MPI-AE,

Queary the traffic in your threat logs and see what the firewall itself is labeling as the Egress/Ingress interface. On the traffic log you can search '(addr in 10.191.16.61)  and ( bytes geq 180000000 )' replacing the IP address obviously with whatever the machines IP address was. This will catch the 200mb file you downloaded. 

In your column options you will need to likely check Egress I/F and Ingress I/F so that it's actually displayed. This will tell you exactly what your Ingress and Egress were recorded as. My guess would be that you'll see what I have laid out below, where your Ingress will be your subinterface and your Egress is going to be your 1/20 interface. 

 

Capture.PNG

 

 

  • 4867 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!