QoS cleartext match issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

QoS cleartext match issue

L4 Transporter

We have setup similar to as below
image.png

 

I created/applied default QoS profiles on AE1 and AE5. However in order to be more granular I want to apply on individual subnets.

As in this example we want to use separate QoS profile for 10.129.0.0/16 subnet for traffic going to internet. I have tried to add subnet under cleartext on both AE1 and AE5, with and without source interface of ae1.3, with/without destination interface of AE5.100, but the traffic still matches the regular traffic and not cleartext policy. How do I make this work,

image.png

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

QoS is applied on the ingress of a packet, so if you want to limit upload you need to add the profile on AE1, if you want to limit download you need toi add the profile to AE5 (and if you want to control both you'll need a profile on both the interfaces)

 

this also means if you want to set up subnets in the cleartext section, you'll need to account for both direction: on AE3 you'll use source 10.129.0.0/16, on AE5 you need to set that as destination. On the download you are only able to set a destination interface, not subnet, so you'll need to ensure your QoS policy only triggers for that subnet and then apply a class (ie. 😎 thats not used for any other subnet so you dont limit download for other networks

 

hope that makes sense

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

QoS is applied on the ingress of a packet, so if you want to limit upload you need to add the profile on AE1, if you want to limit download you need toi add the profile to AE5 (and if you want to control both you'll need a profile on both the interfaces)

 

this also means if you want to set up subnets in the cleartext section, you'll need to account for both direction: on AE3 you'll use source 10.129.0.0/16, on AE5 you need to set that as destination. On the download you are only able to set a destination interface, not subnet, so you'll need to ensure your QoS policy only triggers for that subnet and then apply a class (ie. 😎 thats not used for any other subnet so you dont limit download for other networks

 

hope that makes sense

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper Thank you for your insight. I was not taking into direction and where QoS will be applied. 

 

Also for someone else's help. if you are using multiple virtual systems. Source and destination both need to be specified or the QoS policy won't match on external interface for downloads.

 

image.png

And unless class is changed from default to 4, all traffic still shows as matching to default-group when you look under statics, i observed.

  • 1 accepted solution
  • 1912 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!