So, I'm trying to get a clear understanding of QoS on the PAs. Any feedback / answers would be appreciated:
Maximum Egress - Straightforward - the maximum amount of traffic you are allowing out.
Guaranteed Egress - This one I'm foggy on. Is it only applied during congestion? Or does it literally "carve out" that much of the pipe for that class?
The different classes - Do these function only to map traffic to priority queues, or are classes serviced in order? As in, if I have classes 2, 5 and 7 mapped to "High", will the PA service class 2 before 5? Or are priority queues just handled FIFO within themselves (as in, if packets from class 2 and 7 hit the egress queue at the same time, it's whichever packet hit first)?
I guess you have already read QoS in PAN-OS 4.1?
The guaranteed egress is applied at all times but the setting is of course how much bandwidth should the specific class get during congestion/overload of the interface.
However, I'm not sure if guaranteed bandwidth also means that the same amount of bandwidth cannot be used by the other classes - perhaps someone from PA could enlighten us? 🙂
And that is the big caveat about guaranteed bandwidth. After talking with my SE, it would seem that the guaranteed egress is NOT automatically carved out. So, if I give YouTube 5Mb of guaranteed bandwidth and there isn't any YouTube traffic, that 5Mb should be available for other traffic. But if YouTube hits the stream, it should start using that 5Mb for that traffic...
...unless YouTube is set to the Medium queue and some High-Priority traffic hits the scheduler?
I'm probably making this more difficult than it really is.
The queues are not absolute, such that high-priority traffic under congestion would prevent any medium-priority traffic from flowing. From the command line, if you run "show qos counter" you will see that each class has the base (guaranteed) and max bandwidth you supplied. These two settings, along with the priority, help generate an amount of "shares" that the class has. Here is a shot of what mine looks like:
QoS counter for interface ethernet1/2:
number of queued packets: 5
Parent Qid node base-bw ldshare max-bw pass-pak drop-pak time-out delay vtime qlen qlmt
1 0 default-group 90000 0 90000 0 0 0 0 0 150
-Class 1 2000 38000 40000 521 0 0 0 16 0 150
-Class 2 8000 32000 40000 233882 0 0 1 2228 0 150
-Class 3 9000 31000 40000 28091 63 0 0 10 0 150
-Class 4 11000 14750 70000 527197 190 0 0 0 0 150
-Class 5 7000 13250 60000 75099 7 0 0 0 0 150
-Class 6 4000 6500 30000 19273 0 0 0 523 0 150
-Class 7 10000 4375 80000 1061396 133 0 1 14701 2 150
-Class 8 10000 4375 80000 895142 1149 0 0 0 0 150
4 1 regular-traffic 90000 0 90000 0 0 0 0 0 150
4 2 tunnel-traffic 1 89999 90000 0 0 0 0 0 150
4 3 bypass-traffic 90000 0 90000 0 0 0 0 0 150
* -Class 4 90000 0 90000 330 0 0 0 0 0 150
-1 4 ethernet1/2 90000 0 90000 0 0 0 0 0 150
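As an added example (not from this post, and not Palo Alto Networks code), here is a small Python parser for the "show qos counter" output pasted above. It assumes the column order given by the header line as pasted and reads only the first five numbers after each class label (base-bw, ldshare, max-bw, pass-pak, drop-pak), because the trailing columns of the pasted output do not line up with the header. With that it checks whether the classes' base (guaranteed) bandwidth fits inside the parent group's max-bw and ranks the classes by drop ratio, which is the quickest way to see which class is actually being squeezed under congestion:

```python
import re
from dataclasses import dataclass

# The "show qos counter" output pasted above, embedded here as sample input.
SAMPLE = """\
QoS counter for interface ethernet1/2:
number of queued packets: 5
Parent Qid node base-bw ldshare max-bw pass-pak drop-pak time-out delay vtime qlen qlmt
1 0 default-group 90000 0 90000 0 0 0 0 0 150
-Class 1 2000 38000 40000 521 0 0 0 16 0 150
-Class 2 8000 32000 40000 233882 0 0 1 2228 0 150
-Class 3 9000 31000 40000 28091 63 0 0 10 0 150
-Class 4 11000 14750 70000 527197 190 0 0 0 0 150
-Class 5 7000 13250 60000 75099 7 0 0 0 0 150
-Class 6 4000 6500 30000 19273 0 0 0 523 0 150
-Class 7 10000 4375 80000 1061396 133 0 1 14701 2 150
-Class 8 10000 4375 80000 895142 1149 0 0 0 0 150
4 1 regular-traffic 90000 0 90000 0 0 0 0 0 150
4 2 tunnel-traffic 1 89999 90000 0 0 0 0 0 150
4 3 bypass-traffic 90000 0 90000 0 0 0 0 0 150
* -Class 4 90000 0 90000 330 0 0 0 0 0 150
-1 4 ethernet1/2 90000 0 90000 0 0 0 0 0 150
"""


@dataclass
class ClassRow:
    group: str
    cls: int
    base_bw: int    # guaranteed ("base") bandwidth as configured
    ldshare: int    # share figure the scheduler derived from base/max/priority
    max_bw: int
    pass_pak: int
    drop_pak: int

    @property
    def drop_ratio(self) -> float:
        total = self.pass_pak + self.drop_pak
        return self.drop_pak / total if total else 0.0


# Group rows: "<parent> <qid> <node> <base-bw> <ldshare> <max-bw> ..."
GROUP_RE = re.compile(r"^\s*-?\d+\s+\d+\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)")
# Class rows: optional "*" marker, then "-Class <n> <base-bw> <ldshare> <max-bw> <pass-pak> <drop-pak> ..."
CLASS_RE = re.compile(r"^\s*\*?\s*-Class\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")


def parse_qos_counter(text):
    """Return {group name: {"base_bw", "max_bw", "classes": [ClassRow, ...]}}.
    Class rows are attached to the most recent group row above them."""
    groups, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m and current is not None:
            cls, base, ldshare, mx, passed, dropped = map(int, m.groups())
            groups[current]["classes"].append(
                ClassRow(current, cls, base, ldshare, mx, passed, dropped))
            continue
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = {"base_bw": int(m.group(2)),
                               "max_bw": int(m.group(4)), "classes": []}
    return groups


def guaranteed_total(groups, group):
    return sum(c.base_bw for c in groups[group]["classes"])


def guaranteed_fits(groups, group):
    """All reservations can only be honoured at once if they fit inside the parent's max-bw."""
    return guaranteed_total(groups, group) <= groups[group]["max_bw"]


def classes_with_drops(groups, group):
    """Classes that have dropped packets, worst drop ratio first."""
    hit = [c for c in groups[group]["classes"] if c.drop_pak > 0]
    return sorted(hit, key=lambda c: c.drop_ratio, reverse=True)


if __name__ == "__main__":
    g = parse_qos_counter(SAMPLE)
    print("guaranteed total under default-group:", guaranteed_total(g, "default-group"),
          "fits:", guaranteed_fits(g, "default-group"))
    for c in classes_with_drops(g, "default-group"):
        print(f"class {c.cls}: dropped {c.drop_pak} of {c.pass_pak + c.drop_pak} ({c.drop_ratio:.3%})")
```

On the pasted counters the eight classes reserve 61000 of the group's 90000, so every guarantee can be honoured at once, and the classes with the worst drop ratios are 3 and 8, not the ones with the largest ldshare, which is the kind of thing the raw table hides.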
I'd like to continue this thread because I've got some doubts as well.
1) In the doc "QoS in PAN-OS 4.1" they mention:
3) Configure QoS on the interface
b) The sum of the “Egress Max” bandwidth on clear text tab and tunnel traffic tab should be less or equal to the interfaces egress max bandwidth.
It doesn't make sense to me, because if there is no tunnel traffic I want my clear-text traffic to use the max available bandwidth of the interface; however, it does make sense to me that the sum of Guaranteed Egress (10 + 10) should be less than or equal to the max egress of the interface.
2) considering these settings
Qos-profile (G: 2Mbps, Max: 2Mbps)
class 1 (G: 1Mbps, Max: 2Mbps) - priority high
class 2 (G: 1Mbps, Max: 2Mbps) - priority medium
class 3 (G: 0 - so unlimited?, Max: 2Mbps) - priority realtime
if there is congestion and traffic from class 1, class 2 and class 3 hits the PA as follows:
class3 - 1.5Mbps
class2 - 1Mbps
class1 - 1Mbps
what will the result be?
I guess that classes 3 and 1 would not prevent class 2 from flowing, but the share for that one would be minimal?
3) The default QoS profile's classes 6, 7 and 8 have low priority.
If there is congestion and traffic hits all of the classes, will it be shared equally?
4) In a situation where traffic enters the PA from source interfaces 1/1 and 1/2.110 but uses the same egress interface 1/10,
considering that both QoS profiles have the same parameters for class 2 (the same priority) and there is only class 2 traffic (from both source interfaces), should the bandwidth be shared equally when using egress interface 1/10?
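To make the guaranteed/max/priority questions above concrete, here is an added example: my own toy model, not the PAN-OS scheduler, whose actual share computation is not described anywhere in this thread. It encodes the sanity check from question 1 (the guaranteed values must fit within the interface's max) and then runs a simple two-pass allocation over the profile from question 2: every class with traffic first receives its guarantee, and whatever is left is handed out in priority order, with equal-priority classes (questions 3 and 4) splitting the spare capacity evenly, each class capped at its max. The class names and Mbps figures come from the post; the "demand" values, the priority ordering and the water-filling rule are assumptions of this model.

```python
from dataclasses import dataclass

# Priority tiers as named in a PAN-OS QoS profile; lower rank is served first
# when spare capacity is handed out (an ordering assumed for this toy model).
PRIORITY_RANK = {"real-time": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class QosClass:
    name: str
    priority: str
    guaranteed: float  # Mbps reserved for the class while it has traffic (0 = no reservation)
    maximum: float     # Mbps ceiling for the class even when the link is otherwise idle
    demand: float      # Mbps the class is currently trying to send (constructed input)


def check_profile(link_max, classes):
    """Sanity checks a profile should pass before it is applied to an interface.
    Returns a list of human-readable problems; an empty list means the profile fits."""
    problems = []
    total_guaranteed = sum(c.guaranteed for c in classes)
    if total_guaranteed > link_max:
        problems.append(f"sum of guaranteed ({total_guaranteed}) exceeds link max ({link_max})")
    for c in classes:
        if c.guaranteed > c.maximum:
            problems.append(f"{c.name}: guaranteed {c.guaranteed} > max {c.maximum}")
        if c.maximum > link_max:
            problems.append(f"{c.name}: max {c.maximum} > link max {link_max}")
    return problems


def allocate(link_max, classes):
    """Toy min-guarantee / max-cap scheduler (NOT the PAN-OS algorithm).

    Pass 1: each class with traffic gets min(demand, guaranteed, max); an idle class
            reserves nothing, so its guarantee is available to everyone else.
    Pass 2: spare capacity is handed out by priority tier; within a tier the classes
            that still want more split the spare evenly (water-filling), each capped
            at min(demand, max).
    Returns Mbps per class name, rounded to 6 decimals."""
    alloc = {c.name: min(c.demand, c.guaranteed, c.maximum) for c in classes}
    spare = link_max - sum(alloc.values())
    for rank in sorted({PRIORITY_RANK[c.priority] for c in classes}):
        tier = [c for c in classes
                if PRIORITY_RANK[c.priority] == rank
                and min(c.demand, c.maximum) - alloc[c.name] > 1e-9]
        while tier and spare > 1e-9:
            share = spare / len(tier)   # equal split among classes still wanting more
            satisfied = []
            for c in tier:
                want = min(c.demand, c.maximum) - alloc[c.name]
                give = min(want, share)
                alloc[c.name] += give
                spare -= give
                if want - give <= 1e-9:
                    satisfied.append(c.name)
            tier = [c for c in tier if c.name not in satisfied]
    return {name: round(mbps, 6) for name, mbps in alloc.items()}


# The profile from question 2 above: 2 Mbps interface, guarantees of 1/1/0 Mbps,
# with the offered load from the post as the demand (constructed input).
POSTED_PROFILE = [
    QosClass("class1", "high", guaranteed=1, maximum=2, demand=1),
    QosClass("class2", "medium", guaranteed=1, maximum=2, demand=1),
    QosClass("class3", "real-time", guaranteed=0, maximum=2, demand=1.5),
]

if __name__ == "__main__":
    print(check_profile(2, POSTED_PROFILE))
    print(allocate(2, POSTED_PROFILE))
    # Same profile with class 1 idle: its guarantee is not carved out, so class 3 gets it.
    idle = [QosClass("class1", "high", 1, 2, 0)] + POSTED_PROFILE[1:]
    print(allocate(2, idle))
```

Under this model the posted profile leaves the realtime class with nothing, because the two 1 Mbps guarantees already fill the 2 Mbps link and a guarantee of 0 reserves nothing; drop class 1's traffic and that 1 Mbps goes straight to class 3. Whether the PA scheduler really behaves that way when priorities collide with guarantees is exactly the open point in this thread, so treat the numbers as the consequence of the model's rules, not as a statement about PAN-OS.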
For Basic QoS.....
Eth1-------[ PA Virt Router ]------- Eth2
Max BW : If you have a limit like 30Mbps, set this to 30. Otherwise set it to the Negotiated speed (1000). The older code used to assume the negotiated speed is the MAX in the event that this was left empty.
Guaranteed BW: Leave this blank
QoS Profile: select the default profile. There are no MAX or Guarantee values configured. Leave it this way.
QoS Policy: Pick an application or group or a filter (All VOIP Apps) and assign this class 1. All undefined apps default to class 4. You can specify zones and addresses, but why bother?
Configuring QoS on Eth2 will limit how much traffic (my example was 30M) gets sent to the internet.
Configure QoS on Eth1 will limit traffic from internet to user to 30M.
This is Weighted Fair Queueing. You have 8 buckets. Application packets are placed in a queue. Real-time queues are emptied more often than the other queues. You can click on the statistics link in the NETWORK tab and the QoS panel on the left edge. This will display a nice graph and stats for each class.
If you choose to use values in the QoS profile, all of the classes added together need to match the total value used in MAX Egress and Guarantee Egress. Guarantee Egress is a method to reserve a certain minimum BW for certain types of traffic. If the basic method fails to provide the performance you need, then test the guarantees.
One downside to this is that if you have multiple LAN-side interfaces and you limit all of them to 30M, even traffic from LAN1 to LAN2 will be limited to 30M.
One method around this would be to create a VRouter just for rate limiting, or a virtual wire, and a second VR for security policies. User-to-user traffic would be unlimited in this case.