Bandwith shaping on complete subnet
Showing results for 
Search instead for 
Did you mean: 

Bandwith shaping on complete subnet

L4 Transporter


is it possible with a PA-3020 and OS 7.1.7 to set a bandwith limit for a complete subnet / Sub-Interface?


No matter which application etc.




Community Team Member



It is possible yes.  Please check the product info here :


The QoS section more specifically :


Number of QoS policies 1,000
Physical interfaces supporting QoS 6
Clear text nodes per physical interface 31
DSCP marking by policy Yes
Subinterfaces supported System limit


System limit means that there is no defined hard limit.  It is driven by system capacity.


Compared to a 5020 where it is NOT supported :


Number of QoS policies 1,000
Physical interfaces supporting QoS 12
Clear text nodes per physical interface 63
DSCP marking by policy Yes
Subinterfaces supported NA


Hope it helps !




But when I want to add an interface under Network -> QoS, it only shows me my physical interfaces.


But that doesn't matter. I can switch the subinterfaces to physical interfaces.


The more important question is: Can I apply a maximum bandwith to all hosts in a subnet for all traffic?


For example guest users.

Community Team Member



QoS needs to be enabled per physical interface but you can define subinterfaces in the configuration :





Hi @kiwi


will be very nice if you guide me through the configuration. That's very complex imo.


- Do I need a QOS profile with classes?

- Do I need a QOS Policy Rule where I define ssl and web-browsing and refer it to a class?


Questions over questions..


My subinterface is ae1.140  . That's the interface where all guest hosts are connected and I want to set a bandwith limit of 50Mbps to this subinterface for the complete internet download traffic.


Could you please help me with that?

Community Team Member



I suggest you start out here :


The above artice is an excellent resource explaining how to configure QoS.


Cheers !


Hi @kiwi


that means when I set up a Qos policy rule with the guest zone only and in the Qos interface rule I only mention ae1.140, the bandwith limitation is only applied to the ae1.140 subinterface?


Because there are 30 more subinterfaces beneath ae1.


That would be very dreadful if the limitation is applied to all ae1 subinterfaces.


And I'm afraid about the default profile:



The default profile is going to apply to the interface but unless you are actually utilizing QoS policies all traffic is just going to map to class4 which is the default on the Palo Alto.

If you are worried about effecting production traffic I would contact your SE and ask for a time to walk through this with him to make sure that you actually configure everything correctly and you aren't going to be applying bandwidth constraints where you don't want to. 



is the following configuration correct?




You would need to actually enable QoS on that interface but otherwise if your intention is to simply limit the egress bandwidth then this would function fine. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!