After egress max is set in the following order,
if 100 Mb is the internet speed and through the trust link (1 GB) traffic is going other than untrust (internet zone),
is the below configuration OK?
class 1 10
class 2 10
class 3 10
class 4 40
class 5 10
class 6 10
class 7 5
class 8 5
Sorry, I'm not understanding the question fully.
I think you are wondering about applying a QoS setting to trust that would perhaps limit traffic prematurely because the internet bandwidth is much more limited than your local one.
This would be a concern and you should have the internet QoS only applied to your untrust internet facing interface and NOT the trust interface.
Download traffic is also egress on the untrust side as well.
I guess I don't follow what limitations you are trying to support.
I was trying to limit download from the internet by the user who is sitting inside the campus network.
If I have internet bandwidth 100 Mbps, all the users (from class 1 - 8) should not send traffic to the service provider more than that (I mean ISP should not have a chance to drop the traffic).
Hope I could clarify
QoS has to be applied to the interface where traffic will exit firewall.
For download traffic it has to be applied to trust interface.
Only be careful if you have multiple zones.
Assume you have 3 zones - internet, servers, users.
If you apply QoS on "users" zone then it means that download is limited from internet>users and also servers>users.
To avoid that you should tune QoS interface > Clear Text Traffic
Also same place is where you set your Egress Max 100Mbit.
It does not make sense to set Classes so that aggregate max is 100Mbit because your traffic will never balance between classes to get full 100Mbit.
We should apply all the egress interface (inside and outside) to limit the download and upload.
For example, user A is trying to access website cnn.com from the internal host;
the traffic is flowing from the internal network to internet and also in reverse direction.
Let's say if we have 100 Mbps internet bandwidth and if we have profile only to limit the download (on the inside interface),
the traffic will flow from the internal network to the internet, so there is a chance ISP drops this traffic (so the traffic does not exceed network capacity which is allotted by the ISP).
Please correct me if I am wrong.
So we should have profile on both egress (internal and WAN).