QoS issues on dual-ISP setup with differing circuit speeds.


L2 Linker

Hi-

We have dual connections and have our Palo Alto set up similar to that described in this article:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi...

Our primary connection is 100Mbps whilst 2nd is only 10Mbps. Presumably this should involve 2 QoS profiles, one with an "egress max" set to 100, and the other with "egress max" set to 8.

However, although we have dual outbound connections to the ISPs, we only have the single inbound connection from our LAN, and as QoS needs to be applied at the ingress, it seems that we can only apply a single QoS profile.

Is there any way we can change QoS profile dependent on which circuit is in use?

At the moment, if we have set "egress max" to 100 and we fail over to the slower circuit, then voice quality seriously degrades (presumably because the Palo Alto still thinks there is plenty of bandwidth to service non-prioritised traffic).

1 accepted solution

Accepted Solutions

On your ingress packets (egressing on the LAN side) you can set 2 (or more) QoS profiles that apply different limitations based on the source interface.

This way you can limit isp1 to max 100, isp2 to 10.

[Image: QoS source interface.png]

Any additional source interfaces (dmz, wan, ...) that are not defined will simply use the base profile on the interface.

[Image: qos.png]

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


4 REPLIES

Cyber Elite

Hello,

Does your ISP send you or honor QoS tagging? Most ISPs do not, since it's just the internet access and the rest of the internet will not honor those tags. We QoS over our WAN links and internally, but once our traffic hits the internet it's the wild west.

Regards,

L7 Applicator

From your description, I assume you currently have the QoS egress max profile assigned to the LAN interface?

I think you would want two profiles as you note and apply them to the respective ISP interfaces instead.

Or is the topology different and we are not talking about internet VoIP?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thanks for all responses.

Reaper. I very much appreciate your detailed explanation, together with screenshots. I wasn't aware you could override the default clear-text profile on a QoS Interface object to differentiate depending on the source interface.

That was exactly what I was trying to do, and I think this will work well for us.

To the other posters:

Otakar - I don't believe our ISP does support QoS tagging.

Steve - I think you're describing the same solution Reaper has suggested.

Thanks all!
