I can do my best to answer some of your questions, but a bit more information such as private or public networking, existing QoS policies, etc. would help.
1) You don't have to set DSCP within the Palo Alto QoS policy in order to honor it. Typically, DSCP marking is done as close to the host as possible, either at the host itself or the closest northbound switch or router. You may also want to make sure you are marking any control traffic as well (CS3 typically) at the host.
2) QoS on the Palo Alto is handled on the egress side, per interface. For example, you may have a QoS policy that is on the egress of your outside Untrusted link, towards your WAN/Internet, which you would set up to prioritize and shape traffic. If you wanted to also remark incoming traffic (say inbound voice originating from an external host on the Internet), you could do so by creating a QoS policy on the LAN (trusted) egress side of your network. Remember DSCP values are only good on those networks that honor them.
3) You could start with the Default copy; however, I would clone it and build a policy to better fit your company's needs. Typically I separate my policies into the traffic types Voice (DSCP EF), Video (DSCP AF41/42), Control/Management (CS3), Transactional (AF21), and Best Effort. It's usually a best practice to leave 25% traffic for Best Effort Traffic. If you are only worried about Lync and its control traffic, you may just want to create Voice and Control and carve their bandwidth percentages accordingly.
Hope this helps,
Hi there! Thanks for your response, I really appreciate it. So we are only concerned with call quality of a Lync call. We would like to prioritise this traffic over everything else for now. Currently we are using the DSCP (EF) marking. In our switching core we are prioritising voice and then everything else goes into best effort.
It gets complicated though, as our Lync (or Skype for Business, I should say) implementation touches a few zones/VLANs. Do I need to set up a QoS profile for each interface then? Voice traffic in our network could source from our Trust zone or our voice zone or our DMZ internal and DMZ external zone.
Can you maybe give me an example of how you have implemented voice priority QoS on Palo Alto?
Many thanks once again.