Controlling Traffic: Quality of Service


CONTROLLING TRAFFIC

Quality of Service
• Policing and shaping

EDU-210 Version A
PAN-OS® 9.0
Agenda
After you complete this module,
you should be able to:

• Policing and shaping
• Classification and Bandwidth Limitation
• Forwarding class, priority queues and schedulers
• Packet marking

2 | © 2019 Palo Alto Networks, Inc.


Policing Versus Shaping

• Traffic policing propagates bursts. When the traffic rate reaches the configured maximum rate, excess traffic is
dropped (or remarked). The result is an output rate that appears as a saw-tooth with crests and troughs.

• In contrast to policing, traffic shaping retains excess packets in a queue and then schedules the excess for later
transmission over increments of time. The result of traffic shaping is a smoothed packet output rate.
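A worked illustration of the difference, added here as an example and not part of the original module: a token-bucket policer and a token-bucket shaper are fed the same constructed burst, and the per-tick output shows the policer dropping the excess immediately versus the shaper queuing it and releasing it smoothly. The tick size, rate, bucket depth and queue limit are assumed values, not PAN-OS settings.

```python
from collections import deque

# Constructed input: a burst of ten 1500-byte packets arrives in tick 0,
# followed by nine idle ticks (one list of packet sizes per tick).
BURST_ARRIVALS = [[1500] * 10] + [[] for _ in range(9)]
RATE = 1500    # tokens (bytes) refilled per tick, i.e. the configured maximum rate
BUCKET = 3000  # bucket depth, i.e. the burst the device tolerates


def police(arrivals, rate=RATE, bucket=BUCKET):
    """Token-bucket policer: a packet is forwarded only if the bucket holds
    enough tokens for it; excess packets are dropped immediately.
    Returns (bytes forwarded per tick, total bytes dropped)."""
    tokens, out, dropped = bucket, [], 0
    for pkts in arrivals:
        tokens = min(bucket, tokens + rate)  # refill, capped at bucket depth
        sent = 0
        for size in pkts:
            if size <= tokens:
                tokens -= size
                sent += size
            else:
                dropped += size              # dropped, never delayed
        out.append(sent)
    return out, dropped


def shape(arrivals, rate=RATE, bucket=BUCKET, queue_limit=30000):
    """Token-bucket shaper: excess packets wait in a FIFO and are released as
    tokens accrue, so the output rate is smoothed. Only a full queue drops.
    Returns the same tuple as police()."""
    tokens, out, dropped, q, queued = bucket, [], 0, deque(), 0
    for pkts in arrivals:
        tokens = min(bucket, tokens + rate)
        for size in pkts:                    # enqueue this tick's arrivals first
            if queued + size <= queue_limit:
                q.append(size)
                queued += size
            else:
                dropped += size              # tail drop only when queue is full
        sent = 0
        while q and q[0] <= tokens:          # release head-of-line packets
            size = q.popleft()
            queued -= size
            tokens -= size
            sent += size
        out.append(sent)
    return out, dropped
```

Running `police(BURST_ARRIVALS)` gives one 3000-byte spike and then nothing (the saw-tooth crest), while `shape(BURST_ARRIVALS)` emits 1500 bytes per tick until the queue drains.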
Why QoS

• Bandwidth is finite, and certain types of traffic can be sensitive to latency or packet loss, or can be bandwidth
intensive or critical to internal business operations. QoS is a useful tool for optimizing the performance of
various applications in your network.

• While QoS is a basic feature of any networking/security device, PAN-OS extends this feature to provide QoS
not just to a network or a subnet, but also to selected applications and users.

• For example, a company might want to guarantee bandwidth to revenue-producing traffic, such as e-commerce
traffic. Organizations need to ensure that transactions can be completed and that customers do not experience
service delays and interruptions. At the same time the company may need to ensure low latency for voice over IP
(VoIP) traffic used by sales and support, and limit the amount of bandwidth used by non-business-critical and
bandwidth-intensive applications such as Hulu, YouTube and other streaming media services.
Classification

• Classification is the act of associating received packets with a defined QoS class. Classification is a critical
aspect of QoS functionality. In Palo Alto Networks devices, packets are assigned to a QoS class after the
session is created and the application is determined.

• Devices classify packets based on IP precedence or DSCP markings. While this type of classification helps in
basic networking scenarios, it does not provide richness to QoS from the standpoint of application classification.
Packet Marking

The PAN-OS QoS module is application-centric: packets are forwarded to a class/queue based on the application,
user and type of traffic, not on IP precedence or DSCP bits.

If an upstream device marks the DSCP bits, PAN-OS maintains those bits as is. PAN-OS provides the flexibility to
mark the DSCP or IP precedence bits in the packet to facilitate classification in downstream nodes. This is
configured in the Options settings of the Security policy rule.
Priority Queues & Class
• Each class can be associated with a priority queue; PAN-OS supports the following four priority queues:
• real-time
• high
• medium
• low

• There is also a built-in internal queue to which management traffic and protocol-specific traffic (ARP, OSPF,
BGP, etc.) is mapped. This queue is not configurable by the user.
Schedulers

• A simple scheduler algorithm determines how often a queue is serviced. PAN-OS uses the Hierarchical Fair Service
Curve (HFSC) algorithm for scheduling. The algorithm does a great job of keeping latency low.

• QoS is implemented in software on certain platforms, and in both software and hardware (hybrid) on other
platforms.
Congestion Management

• When a queue is filling faster than it can be emptied, the device has two choices as to when to drop traffic.
It can wait until the queue is full and simply drop packets as they arrive (tail dropping), or it can detect
incipient congestion and proactively begin to drop packets based on a probability function that is tied to the
average depth of the queue. This technique is called random early drop (RED). PAN-OS uses the weighted
RED (WRED) algorithm.
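The drop decision described above, as an added example that is not from the original module: an exponentially weighted average of the queue depth drives a per-class RED drop curve (the per-class curves are the "weighted" part), with a plain tail-drop check beside it for comparison. The class thresholds, probabilities, queue capacity and averaging weight are constructed assumptions, not PAN-OS defaults.

```python
import random

# Per-class WRED parameters: constructed illustration values, not PAN-OS
# defaults. min_th/max_th are average-depth thresholds in packets; max_p is the
# drop probability reached at max_th. Higher-priority classes get more lenient
# curves, which is what makes the scheme "weighted".
WRED_PROFILES = {
    "real-time": {"min_th": 40, "max_th": 60, "max_p": 0.02},
    "high":      {"min_th": 30, "max_th": 50, "max_p": 0.05},
    "medium":    {"min_th": 20, "max_th": 40, "max_p": 0.10},
    "low":       {"min_th": 10, "max_th": 30, "max_p": 0.20},
}
QUEUE_CAPACITY = 64                 # packets; tail drop only acts here
RAMP = list(range(QUEUE_CAPACITY))  # constructed: queue depth seen by each arrival


def update_avg(avg, depth, weight=0.2):
    """Exponentially weighted moving average of queue depth: short bursts do
    not trigger drops, sustained congestion does."""
    return (1 - weight) * avg + weight * depth


def drop_probability(avg, profile):
    """RED curve: 0 below min_th, linear ramp to max_p at max_th, 1 above."""
    lo, hi, max_p = profile["min_th"], profile["max_th"], profile["max_p"]
    if avg < lo:
        return 0.0
    if avg >= hi:
        return 1.0
    return max_p * (avg - lo) / (hi - lo)


def tail_drop(depth, capacity=QUEUE_CAPACITY):
    """The alternative: drop only once the queue is already full."""
    return depth >= capacity


def simulate_wred(class_name, depths, seed=1):
    """Run a sequence of instantaneous depths (one per arriving packet) through
    WRED for one class. Returns (packets dropped, final average depth)."""
    rng = random.Random(seed)
    profile = WRED_PROFILES[class_name]
    avg, dropped = 0.0, 0
    for depth in depths:
        avg = update_avg(avg, depth)
        if rng.random() < drop_probability(avg, profile):
            dropped += 1
    return dropped, avg
```

With the same steadily filling queue, `simulate_wred("low", RAMP)` starts discarding long before the queue is full, whereas `simulate_wred("real-time", RAMP)` barely drops and `tail_drop` would not act until depth 64.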
Determining the Egress Interface

• QoS in the Palo Alto Networks firewalls is implemented on the egress interface only. In the illustration below the
user is performing two actions:

• Uploading project files to the internet (in green)
• Downloading music and data from the internet (in red)

• When the user-initiated upload (green) occurs, the ingress interface is e2 and the egress interface is e1.

• However, when the user downloads music (red), the packet hits the e1 interface first, which is considered the
ingress interface, and e2 is the egress interface.
Use Case

In this scenario we will demonstrate how to configure QoS to rate limit
download traffic from uploading.com. We will also show the output of QoS
statistics.

1. Configure QoS policy: Policies > QoS
2. Create a QoS profile: Network > Network Profiles > QoS profiles > Default
3. Configure QoS on interface: Network > QoS

QoS statistics: Network > QoS


Module Summary
Now that you have completed this module,
you should be able to:

• Configuration of QoS policies
• Classification and Bandwidth Limitation
• Forwarding class, priority queues and schedulers



Questions?
