This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

QoS issues on dual-ISP setup with differing circuit speeds.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

QoS issues on dual-ISP setup with differing circuit speeds.

Go to solution
TomMeadows
L2 Linker

‎01-19-2018 08:18 AM

Hi-

 

We have dual connections and have our Palo Alto set up similar to described in this article:

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi...

 

Our primary connection is 100Mbps whilst 2nd is only 10Mbps. Presumably this should involve 2 QoS profiles, one with an "egress max" set to 100, and the other with "egress max" set to 8.

 

However, although we have dual outbound connections to the ISPs, we only have the single inbound connection from our LAN, and as QoS needs to applied at the ingress , it seems that we can only apply a single QoS profile.

 

Is there any way we can change QoS profile dependent on which circuit is in use?

 

At the moment, if we have set "egress max" to 100 and we fail over to the slower circuit, then voice quality seriously degrades (presumably because the Palo Alto still thinks there is plenty of bandwidth to service non-prioritised traffic).

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
reaper
Cyber Elite
Cyber Elite
In response to pulukas

‎01-22-2018 12:20 AM

on your Ingress packets (egressing on the LAN side) you can set 2 (or more) QoS profiles that apply a different limitations based on the source interface

this way you can limit isp1 to max 100, isp2 to 10

 

QoS source interface.png

 

any additional source interfaces (dmz, wan ,...) that are not defined will simply use the base profile on the interface

 

qos.png

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

0 Likes Likes
4 REPLIES 4

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎01-19-2018 11:28 AM

Hello,

Does your ISP send you or honor QoS tagging? Most ISP do not since its just the internet access and the rest of the internet will not honor those tags. We QoS over our WAN links and internally, but once our traffic hits the internet its the wild west.

 

Regards,

 

0 Likes Likes

Go to solution
pulukas
L7 Applicator

‎01-20-2018 05:59 AM

On your descripton I assume you currently have the QoS egress max profile assigned to the lan interface?

 

I think you would want two profiles as you note and apply them to the respective ISP interfaces instead.

 

Or is the topology different and we are not talking about internet VOIP?

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes

Go to solution
reaper
Cyber Elite
Cyber Elite
In response to pulukas

‎01-22-2018 12:20 AM

on your Ingress packets (egressing on the LAN side) you can set 2 (or more) QoS profiles that apply a different limitations based on the source interface

this way you can limit isp1 to max 100, isp2 to 10

 

QoS source interface.png

 

any additional source interfaces (dmz, wan ,...) that are not defined will simply use the base profile on the interface

 

qos.png

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

Go to solution
TomMeadows
L2 Linker
In response to reaper

‎01-22-2018 03:22 AM

Thanks for all responses.

 

Reaper. I very much appreciate your detailed explanation, together with screenshots. I wasn't aware you could override the default clear-text profile on a QoS Interface object to differentiate depending on the source interface.

 

That was exactly what I was trying to do, and I think this will work well for us.

 

To the other posters:

 

Otakar - I don't believe our ISP does support QoS tagging.

Steve- I think you're describing the same solution Reaper has suggested.

 

Thanks all!

0 Likes Likes
  • 1 accepted solution
  • 2812 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks