Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

QoS and interfaces - some conception advice needed

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

QoS and interfaces - some conception advice needed

L4 Transporter

Hello

 

I will migrate fom PA200 to PA500. I have some local networks (DMZ, Wifi for students, Wifi for stuff, LANs)

I need to use QoS but I need some advice with that.

 

I know that I can controll only on outgoing interfaces but I have no idea how to get it working with one condition: I wouldnt limit traffic from/to my local servers in DMZ.

 

Now I have all my lans as a subinterfaces of ethernet1/4

Should I separate my lans ir: DMZ to ethernet 1/2, WIfi to 1/3, LAN_1 to 1/4 and so on?

I assume that ISP is on ethernet 1/1 as an Untrust zone.

 

How to _not_ limit traffc to ie. Wifi from DMZ?

 

I will be grateful for any suggestions

 

Regards

SLawek

6 REPLIES 6

L4 Transporter

no one ?

Hi,

 

You cannot apply QoS on subinterfaces, so you don't really have a choice here. Each network will need his own physical interface. You can apply multiple QoS profiles on an interface, based on the source interface or subnet, so you could have different limits depending on the source of the traffic.

 

Benjamin

Hi,

 

100% agree with Baudy, QoS can't be configured on sub-interface.

QoS only impact outcomming traffic. Mean if you want to limit donwload / Streaming traffic from wifi, you need to configure QoS rule not on your ISP interface but on your physical wifi interface.

 

link: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/quality-of-service/configure-qos

 

Make sense ?

 

V.

Let's say you have an interface for untrust zone, another for trust zone, a third for wifi, and a fourth for DMZ.  Seems you want to be able to use QoS on all interfaces but not mess with DMZ.  The process is to setup QoS on each interface with no limitations, so it functions as a monitor.  Then use the QoS levels as buckets to hold your apps (see below).  Finally, apply the actual caps to the QoS profile.

 

There are a couple very good articles describing in detail how to setup QoS.  Here is a quick summary of what I would do in your situation:

 

First define QoS profiles for each zone, with a max set to 1000, and define the levels such that each has a guaranteed min of .01 & max of 1000.  This setup allows you to begin monitoring the traffic on each interface.  Once you apply each named policy to each interface (Trust-profile to Trust interface, etc.), you'll notice that all the traffic is in the default level 4.  The next step is to actually control the traffic. So set levels 1-3 as bogus stuff, and levels 5 & above as time-sensitive and critical.  Leave Level 4 alone, since that is your normal business traffic and catch all. For example, level 1 can be reserved for "games" and the highest level for "VoIP" - Using just this simple Q0S profile example, apply it to the Trust Interface and monitor QoS in the Network tab.  You'll see the actual usage of these apps that you defined for each level.  Once you understand what bandwidth the applications are actually using, go back to the profile and in the coresponding level, set a max limit for the bandwidth.  

 

By defining separate QoS profiles for each interface, you can monitor them all, with minimal configuration. Customize the profile assigned to the interface you want to manage, and you can actually control the traffic.

Hello

 

Thx for your replays. I had a lot of work with migration and network rearranging...

 

I used all my phisical interfaces.

But I still ned advice ..

 

I have 50Mbit link from ISP. I'd like to share on ethernet1/2 10Mbit max but when this bandwith is not used on this interface I would to consume that bandwitch on other interfaces.

How to get it working?

 

I know article https://live.paloaltonetworks.com/t5/Configuration-Articles/Incorrect-QoS-Configuration-Caused-Netwo... and other

But I cant find exact examples with ISP speed and limitation on interfaces like in my example.

 

Regards

SLawek

Hi Slawek

 

there is no configuration that would allow you to share 'leftover' bandwidth from one interface with another interface

 

could you illustrate the scenario you're trying to achieve? maybe there's  different solution

 

right now you can simply divy up available bandwidth on a single interface in terms of maximum allowed usage or minimum guaranteed bandwidth. on a policy where only a guarantee is defined, any 'leftover' bandwidth on that same interface will be used up until another guarantee is enforced. if no sessions exist for a guaranteed policy, that bandwidth will also be available to other policies

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 2895 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!