
Palo alto traffic shaping



L4 Transporter

Hi,


I have the below topology. The video conference device is connected in distribution.

All the devices are Cisco. Actually I want to prioritize and reserve 10 mb for the VC.

Marking the VC network as real time will help. I have never seen the dataplane going high in Palo Alto.

The real congestion is at the internet router. In that case, what can I do?

Please help 

Thanks


[Attachment: Traffic Shapping.png]


L7 Applicator

Based on your description, I think setting up a QoS egress bandwidth guarantee would help on the PA side.

Naturally, once the traffic hits the internet no one can help further, but at least the PA bandwidth would be reserved.


https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/quality-of-service/qos-concepts/qos-...


Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi,

Thanks for the reply.

If I classify the traffic on the internet router based on the PA marking (like Cisco), would it be helpful?

Or is it not possible?

Thanks


Generally, classification is not read or honored on internet path routers. So there is no real advantage to marking traffic as it enters the internet. It really does not matter what brand you have. On the public internet we don't honor client traffic markings at all.


This QoS bandwidth reservation will keep your own internal traffic from crowding out the traffic type.  This you can control.


Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi,

Thanks for the reply. The internet router which I mentioned in the diagram is located on premise.

If I do classification on the router, can I at least control the congestion happening on the interface which is connected to the ISP?

Maybe a dumb question 🙂

Thanks

Yes, that all will work as per the standards for both the PA and the routers you control.


Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi,

Thanks for the reply.

In that case, to classify on the internet-facing router, can I get the required marking from the PA, or does it have to be done on the distribution?

Thanks

Best practice is to mark the DSCP code as close to ingress as practical, then have all devices in the path honor the classifications.


As a practical matter of course it only comes into play when you have congested links.


Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi,

In between, there is a Cisco firewall and a switch before the internet router.

What I actually found is that the switch CPU is going very high, and I found some drops on the interface.

In that case, do I need to apply QoS on the switch also?

Thanks 

@simsim,

High CPU on a switch isn't necessarily an issue. Run 'show processes cpu history' in EXEC and see what your CPU utilization history is. Is the CPU constantly busy or is it just spiking? Are the spikes lining up with a known event or activity pattern? Are you having any larger issues within Layer 2 that could be causing higher CPU utilization across the board? If your sustained CPU baseline is higher than 60% I would say this could be causing issues on a broader scope.

As far as the drops go, QoS helps with congested links. So you won't get rid of the interface drops; you'll simply ensure that traffic you care about has a higher chance of getting processed through the queue before a drop takes place. If you have a highly congested link on a switch struggling to process traffic in a timely manner, you could still see drops with QoS in place if it can't process the traffic in the queue.


Also as @pulukas already pointed out; if you are applying QoS it should be applied across the entire path. 
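The advice in this thread (mark DSCP as close to ingress as practical, have every device in the path honor it, and let the on-premise internet router handle congestion on the ISP-facing interface) written out as an added Cisco IOS MQC configuration. This is example configuration, not from any participant in the thread. The interface names, the VC subnet 10.10.50.0/24, the assumed 100 Mbps ISP contract rate and the use of AF41 for video are all assumptions; the 10 Mbps reservation is the figure from the opening post. The `mls qos trust dscp` lines are legacy Catalyst syntax and are also an assumption about the switch platform.

```cisco
! --- Distribution switch/router: mark VC traffic at ingress ---
! Assumed: VC endpoints live in 10.10.50.0/24 on GigabitEthernet1/0/10
ip access-list extended VC-SUBNET
 permit ip 10.10.50.0 0.0.0.255 any
!
class-map match-all VC-INGRESS
 match access-group name VC-SUBNET
!
policy-map MARK-VC
 class VC-INGRESS
  ! AF41 is the conventional interactive-video class (assumption)
  set dscp af41
 class class-default
  ! Everything else is explicitly re-marked best effort so hosts cannot self-mark
  set dscp default
!
interface GigabitEthernet1/0/10
 description VC endpoint port (assumed)
 service-policy input MARK-VC
!
! --- Intermediate Catalyst switch between distribution and the firewall ---
! Trust the DSCP already set upstream instead of rewriting it to 0.
! Legacy Catalyst syntax; newer platforms trust by default (assumption).
mls qos
!
interface GigabitEthernet1/0/1
 description uplink toward firewall (assumed)
 mls qos trust dscp
!
! --- On-premise internet router: shape to the ISP rate, reserve 10 Mbps for VC ---
class-map match-any VIDEO-CONF
 match dscp af41 af42
!
policy-map WAN-CHILD
 class VIDEO-CONF
  ! Strict-priority (LLQ) queue: up to 10 Mbps (value in kbps) is served first,
  ! and is policed to that rate only while the link is congested.
  priority 10000
 class class-default
  fair-queue
!
policy-map WAN-SHAPE
 class class-default
  ! Assumed 100 Mbps ISP contract. Shaping below the physical interface speed
  ! makes the congestion point the router's own queue, where the child policy applies.
  shape average 100000000
  service-policy WAN-CHILD
!
interface GigabitEthernet0/0
 description ISP uplink (assumed)
 service-policy output WAN-SHAPE
```

The parent shaper is what makes the child policy matter: without it the router only sees congestion when the physical interface is saturated, while the real bottleneck is usually the lower contracted ISP rate. If VC traffic should share rather than be strictly prioritized, replace `priority 10000` with `bandwidth 10000`, which guarantees the same 10 Mbps under congestion without policing it. To confirm the policy is doing what the thread describes, `show policy-map interface GigabitEthernet0/0` should show drops accumulating in class-default rather than in VIDEO-CONF during congestion, and a class with zero matches usually means the marking was lost somewhere upstream (typically a switch that is not trusting DSCP).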
