QoS issues on dual-ISP setup with differing circuit speeds.

TomMeadows · ‎01-19-2018

Hi-

We have dual connections and have our Palo Alto set up similar to described in this article:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi...

Our primary connection is 100Mbps whilst 2nd is only 10Mbps. Presumably this should involve 2 QoS profiles, one with an "egress max" set to 100, and the other with "egress max" set to 8.

However, although we have dual outbound connections to the ISPs, we only have the single inbound connection from our LAN, and as QoS needs to applied at the ingress , it seems that we can only apply a single QoS profile.

Is there any way we can change QoS profile dependent on which circuit is in use?

At the moment, if we have set "egress max" to 100 and we fail over to the slower circuit, then voice quality seriously degrades (presumably because the Palo Alto still thinks there is plenty of bandwidth to service non-prioritised traffic).

reaper · ‎01-22-2018

on your Ingress packets (egressing on the LAN side) you can set 2 (or more) QoS profiles that apply a different limitations based on the source interface

this way you can limit isp1 to max 100, isp2 to 10

any additional source interfaces (dmz, wan ,...) that are not defined will simply use the base profile on the interface

Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy

View solution in original post

OtakarKlier · ‎01-19-2018

Hello,

Does your ISP send you or honor QoS tagging? Most ISP do not since its just the internet access and the rest of the internet will not honor those tags. We QoS over our WAN links and internally, but once our traffic hits the internet its the wild west.

Regards,

pulukas · ‎01-20-2018

On your descripton I assume you currently have the QoS egress max profile assigned to the lan interface?

I think you would want two profiles as you note and apply them to the respective ISP interfaces instead.

Or is the topology different and we are not talking about internet VOIP?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

reaper · ‎01-22-2018

on your Ingress packets (egressing on the LAN side) you can set 2 (or more) QoS profiles that apply a different limitations based on the source interface

this way you can limit isp1 to max 100, isp2 to 10

any additional source interfaces (dmz, wan ,...) that are not defined will simply use the base profile on the interface

Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy

TomMeadows · ‎01-22-2018

Thanks for all responses.

Reaper. I very much appreciate your detailed explanation, together with screenshots. I wasn't aware you could override the default clear-text profile on a QoS Interface object to differentiate depending on the source interface.

That was exactly what I was trying to do, and I think this will work well for us.

To the other posters:

Otakar - I don't believe our ISP does support QoS tagging.

Steve- I think you're describing the same solution Reaper has suggested.

Thanks all!

QoS issues on dual-ISP setup with differing circuit speeds.

QoS issues on dual-ISP setup with differing circuit speeds.

Show your appreciation!