This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

QoS cleartext match issue

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

QoS cleartext match issue

Go to solution
raji_toor
L4 Transporter

‎01-31-2023 10:27 PM

We have setup similar to as below
image.png

 

I created/applied default QoS profiles on AE1 and AE5. However in order to be more granular I want to apply on individual subnets.

As in this example we want to use separate QoS profile for 10.129.0.0/16 subnet for traffic going to internet. I have tried to add subnet under cleartext on both AE1 and AE5, with and without source interface of ae1.3, with/without destination interface of AE5.100, but the traffic still matches the regular traffic and not cleartext policy. How do I make this work,

image.png

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
reaper
Cyber Elite
Cyber Elite

‎02-01-2023 12:27 AM

QoS is applied on the ingress of a packet, so if you want to limit upload you need to add the profile on AE1, if you want to limit download you need toi add the profile to AE5 (and if you want to control both you'll need a profile on both the interfaces)

 

this also means if you want to set up subnets in the cleartext section, you'll need to account for both direction: on AE3 you'll use source 10.129.0.0/16, on AE5 you need to set that as destination. On the download you are only able to set a destination interface, not subnet, so you'll need to ensure your QoS policy only triggers for that subnet and then apply a class (ie. 😎 thats not used for any other subnet so you dont limit download for other networks

 

hope that makes sense

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

0 Likes Likes
2 REPLIES 2

Go to solution
reaper
Cyber Elite
Cyber Elite

‎02-01-2023 12:27 AM

QoS is applied on the ingress of a packet, so if you want to limit upload you need to add the profile on AE1, if you want to limit download you need toi add the profile to AE5 (and if you want to control both you'll need a profile on both the interfaces)

 

this also means if you want to set up subnets in the cleartext section, you'll need to account for both direction: on AE3 you'll use source 10.129.0.0/16, on AE5 you need to set that as destination. On the download you are only able to set a destination interface, not subnet, so you'll need to ensure your QoS policy only triggers for that subnet and then apply a class (ie. 😎 thats not used for any other subnet so you dont limit download for other networks

 

hope that makes sense

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

Go to solution
raji_toor
L4 Transporter
In response to reaper

‎02-02-2023 11:40 AM

@reaper Thank you for your insight. I was not taking into direction and where QoS will be applied. 

 

Also for someone else's help. if you are using multiple virtual systems. Source and destination both need to be specified or the QoS policy won't match on external interface for downloads.

 

image.png

And unless class is changed from default to 4, all traffic still shows as matching to default-group when you look under statics, i observed.

0 Likes Likes
  • 1 accepted solution
  • 1882 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks