QoS Implementation for Voice Traffic

Reply
Highlighted
L2 Linker

QoS Implementation for Voice Traffic

We are looking to implement QoS on our Palo Alto device for our voice traffic. We are currently tagging voice traffic with DSCP 46(ef). This is done at the source using Windows group policy to tag all traffic that originates from application "lync.exe". We can see the traffic is definitely being tagged by performing a pcap at different points in the network. We want to make sure that the Palo Alto firewall is honoring this DSCP marking and prioritizing the traffic over everything else. So a few questions to that end are: 1) Setting the DSCP marking in a security policy, is this only marking the traffic? Is it mandatory for QoS to function since we are already marking the traffic using Windows GPO? I think this isnt required. 2) Does the Palo Alto firewall ONLY prioritize traffic that traverses from one zone to another? 3) Can I use the default QoS profile? Thanks all.
Tags (2)
Highlighted
L3 Networker

I can do my best to answer some of your questions, but a bit more information such as private or public networking, existing QoS policies, etc. would help.

 

1) You dont have to set DSCP within the Palo Alto QoS policy in order to honor it.  Typical, DSCP marking is done as close to the host as possible, either at the host itself or the closest northbound switch or router.  You may also want to make sure you are marking any control traffic as well (CS3 typically) at the host.

 

2) QoS on the Palo Alto is handled on the egress side, per interface.  For example, you may have a QoS policy that is on the egress of your outside Untrusted link, towards your WAN/Internet which you would setup to prioritize and shape traffic.  If you wanted to also remark incoming traffic (say inbound voice originating from an external host on the Internet), you could do so my creating a QoS policy on the LAN (trusted) egress side of your network.  Remember DSCP values are only good on those networks that honor them.

 

3) You could start with the Default copy, however I would clone it and build a policy to better fit your company’s needs.  Typically I separate my policies into the traffic types Voice (DSCP EF), Video (DSCP AF41/42), Control/Management (CS3), Transactional (AF21), and Best Effort.  It's usually a best practice to leave 25% traffic for Best Effort Traffic.  If you are only worried about Lync and its control traffic, you may just want to create Voice and Control and carve their bandwidth percentages accordingly.  

 

Hope this helps,

 

- Matt

Highlighted
L2 Linker

Hi there!  Thanks for your response I really appreciate.  So we are only concerned with call quality of a Lync call.  We would like to priortise this traffic over eveything else for now.  Currently we are using the DSCP (ef) marking.  In our switching core we are prioritising voice and then everything else goes into best effort.

 

It gets complicated tho as our Lync (or Skype for Business I should say) implementation touches a few zones/vlans.  Do I need to setup a QoS profile for each interface then?  voice traffic in our network could source from our Trust zone or our voice zone or our dmz internal and dmz external zone.  

 

Can you maybe give me an example o how you have implemented voice priority QoS on Palo Alto?

 

Many thanks once again.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!