Wednesday 24 May 2017

Applying QoS on Tunnel Interfaces in Palo Alto

This article explains the important considerations when setting up QoS profiles for tunnel interfaces, and the relationships between the different bandwidth parameters that PAN-OS validates when the configuration is committed.

This article makes the following assumptions:

  • Maximum bandwidth of an interface (ethernet1/1) is 1000Mbps
  • Out of 1000Mbps, clear text traffic should have guaranteed bandwidth of 980Mbps
  • The rest should be assigned to tunneled traffic
  • Total number of tunnel interfaces on device is 16
  • Number of tunnels terminating on ethernet1/1 interface is 15

Details
There are 16 gateways, i.e. 16 tunnels/tunnel interfaces on the device. 15 of these tunnels terminate on interface ethernet1/1 and 1 tunnel terminates on ethernet1/3.

The QoS settings on egress interface ethernet1/1 (Network > QoS) and the profiles applied to it must satisfy the following relationships:

1. Egress Max of Tunneled Traffic + Egress Guaranteed of Clear Text (Regular) Traffic <= Egress Max of Interface

Egress Max of Interface = 1000Mbps
Egress guaranteed of clear text traffic = 980Mbps

Therefore, Egress Max of Tunneled Traffic = (1000-980)Mbps = 20Mbps

This means the "ClearText" profile applied to the clear text traffic of the interface can have Egress Max = 1000Mbps and Egress Guaranteed = 980Mbps, while the "Tunnel" profile applied to the tunnel interfaces can have an Egress Max of at most 20Mbps.

The Egress Max of the tunneled traffic profile cannot be set above 20Mbps. If it is, validation fails with the error "Tunnel-traffic-group max bandwidth is smaller than tunnel.X (profile Tunnel) max bandwidth".

This error means that tunneled traffic on this interface is capped at 20Mbps, but the "Tunnel" profile specifies an Egress Max above 20Mbps. The message is repeated once for each of the 15 tunnel interfaces on ethernet1/1.

Similarly, the Tunneled Traffic Egress Max under Network > QoS cannot be set above 20Mbps either. Validation fails with the error "Max tunnel traffic bandwidth plus guaranteed regular traffic bandwidth cannot exceed interface bandwidth".

2. Tunnel Traffic Egress Guaranteed <= Tunnel Egress Max / Number of tunnels on the physical interface

Tunnel Egress Max (as calculated above) = 20Mbps
Number of tunnels/tunnel interfaces that terminate on ethernet1/1 = 15

The guarantee must hold for all 15 tunnels at once, so their combined guaranteed bandwidth has to fit within the 20Mbps available to tunneled traffic. Therefore, in the "Tunnel" profile applied to the tunnel interfaces, Egress Guaranteed <= (20/15)Mbps ~ 1.3Mbps.

If Egress Guaranteed is set above ~1.3Mbps, validation fails with the error "tunnel-traffic-group max bandwidth is smaller than its guaranteed bandwidth".

3. Sum of Egress Guaranteed bandwidth of the classes in a profile <= Egress Guaranteed of the profile

Egress Guaranteed of the Tunnel profile = 1.3Mbps (as calculated above)
Sum of Egress Guaranteed bandwidth of all 8 classes in this Tunnel profile <= 1.3Mbps

If the sum exceeds the Egress Guaranteed of the profile, validation fails with the error "tunnel.X (profile Tunnel) guaranteed bandwidth is smaller than the sum of guaranteed bandwidth of its children".

This error message is printed once for each tunnel interface terminating on the egress physical interface.
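
The three rules above are simple arithmetic, but with 15 tunnel interfaces sharing one profile it is easy to get a commit that fails on 15 identical lines. The following is an added example, not PAN-OS code or tooling from the original article: a small Python model of the per-interface QoS settings that applies rules 1 to 3 and returns the same commit error text the article quotes. The interface and profile names (ethernet1/1, "ClearText", "Tunnel", tunnel.1 to tunnel.15) and bandwidth figures are the article's; the per-class guaranteed values, the float tolerance, and the wording of the rule 3 message for the clear text profile (the article only shows the tunnel variant) are assumptions made for the example. Rule 2 is implemented as "sum of guaranteed bandwidth of all tunnels on the interface <= tunnel group max", which for one shared profile is exactly the article's bound of Egress Max / number of tunnels.

```python
"""
Pre-commit sanity check for PAN-OS per-interface QoS arithmetic.
Added example, not PAN-OS code. Bandwidth values are in Mbps.
"""
from dataclasses import dataclass, field
from typing import Dict, List

EPS = 1e-9  # assumed tolerance so that sums such as 15 x 1.3 Mbps compare cleanly


@dataclass
class QosProfile:
    name: str
    egress_max: float                      # QoS Profile > Egress Max
    egress_guaranteed: float               # QoS Profile > Egress Guaranteed
    class_guaranteed: Dict[str, float] = field(default_factory=dict)  # class1..class8 guarantees


@dataclass
class QosInterface:
    """One Network > QoS entry for a physical egress interface."""
    name: str
    egress_max: float                       # Interface Egress Max
    clear_text: QosProfile                  # profile applied to clear text traffic
    tunnel_group_max: float                 # Tunneled Traffic Egress Max
    tunnels: Dict[str, QosProfile]          # tunnel interface -> profile applied to it


def exceeds(a: float, b: float) -> bool:
    return a > b + EPS


def validate(iface: QosInterface) -> List[str]:
    """Return the commit errors this interface would raise, in rule order (empty list = OK)."""
    errors: List[str] = []

    # Rule 1, interface level: tunnel max + clear text guaranteed <= interface max
    if exceeds(iface.tunnel_group_max + iface.clear_text.egress_guaranteed, iface.egress_max):
        errors.append("Max tunnel traffic bandwidth plus guaranteed regular "
                      "traffic bandwidth cannot exceed interface bandwidth")

    # Rule 1, profile level: no tunnel profile may exceed the tunnel group max.
    # PAN-OS reports this once per tunnel interface, so the model does the same.
    for tname, prof in iface.tunnels.items():
        if exceeds(prof.egress_max, iface.tunnel_group_max):
            errors.append(f"Tunnel-traffic-group max bandwidth is smaller than "
                          f"{tname} (profile {prof.name}) max bandwidth")

    # Rule 2: guarantees of all tunnels on the interface must fit in the tunnel group max.
    total_guaranteed = sum(p.egress_guaranteed for p in iface.tunnels.values())
    if exceeds(total_guaranteed, iface.tunnel_group_max):
        errors.append("tunnel-traffic-group max bandwidth is smaller than its guaranteed bandwidth")

    # Rule 3: per profile, the class guarantees may not exceed the profile guarantee.
    def children_exceed(prof: QosProfile) -> bool:
        return exceeds(sum(prof.class_guaranteed.values()), prof.egress_guaranteed)

    if children_exceed(iface.clear_text):  # message wording for the clear text case is assumed
        errors.append(f"{iface.name} (profile {iface.clear_text.name}) guaranteed bandwidth "
                      f"is smaller than the sum of guaranteed bandwidth of its children")
    for tname, prof in iface.tunnels.items():
        if children_exceed(prof):
            errors.append(f"{tname} (profile {prof.name}) guaranteed bandwidth "
                          f"is smaller than the sum of guaranteed bandwidth of its children")
    return errors


def article_config(group_max: float = 20.0, profile_max: float = 20.0,
                   profile_guaranteed: float = 1.3,
                   class_guaranteed: Dict[str, float] = None) -> QosInterface:
    """The article's ethernet1/1 setup: 1000 Mbps interface, 980 Mbps guaranteed clear text,
    15 tunnels sharing one "Tunnel" profile. Per-class values are constructed for the example."""
    if class_guaranteed is None:
        class_guaranteed = {"class1": 0.5, "class2": 0.4, "class3": 0.2}  # 1.1 Mbps total
    clear = QosProfile("ClearText", 1000.0, 980.0, {"class1": 500.0, "class2": 400.0})
    tunnel = QosProfile("Tunnel", profile_max, profile_guaranteed, class_guaranteed)
    return QosInterface("ethernet1/1", 1000.0, clear, group_max,
                        {f"tunnel.{i}": tunnel for i in range(1, 16)})


if __name__ == "__main__":
    cases = [("article values", article_config()),
             ("Tunnel profile Egress Max 25", article_config(profile_max=25.0)),
             ("Tunnel Egress Guaranteed 2", article_config(profile_guaranteed=2.0)),
             ("class sum 1.5 > 1.3", article_config(class_guaranteed={"class1": 1.0, "class2": 0.5}))]
    for label, cfg in cases:
        errs = validate(cfg)
        summary = "OK" if not errs else f"{errs[0]} ({len(errs)} error(s))"
        print(f"{label}: {summary}")
```

Running the script walks through the article's working configuration and three mis-configurations, one per rule; the same model can be fed values pulled from the running config before a commit to see which of the 15-line error blocks a change would trigger.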
