Tips for applying QOS on Checkpoint R75.20



Satish .J
2013-06-17, 23:25
Hi,

Could someone please help me with how to apply QoS for a particular node/network?

Regards,
Satish

mcnallym
2013-06-18, 07:46
QoS Policy has a Source / Destination / Service / Action

If you want QoS for a specific node / network then use the Source and Destination as appropriate in the rules

That way, the rule is applied to that specific node / network as you want.

If that isn't what you are asking for then please give more detail as to what you are looking for.

santoshkumarrnavi
2015-01-30, 17:32
Hello, I want to use weights to assign QoS. Please help me.

EricAnderson
2015-01-31, 00:11
Weights are kinda funny. I've explained it many times, with varying success. Here goes:

Weights are per-rule. All active connections using the rule share whatever bandwidth is allocated based on the rule's weight.
A weight will basically give a rule a fraction of the overall bandwidth. The denominator of that fraction (high-school math coming back to me) will vary based on what rules have active connections.

- To calculate the assigned bandwidth you'll need to add up the weights of all active rules.
- Inactive rules change the entire fraction
- Example:

Bandwidth = 10Gb
Rule 1 weight = 10
Rule 2 weight = 40
Rule 3 weight = 50 (default/final rule)
Assuming all active rules have traffic that will fully utilize their allocated bandwidth...
- If all rules have active connections, Rule 1 gets 10/100 (1Gb), Rule 2 gets 40/100 (4Gb), rule 3 gets 50/100 (5Gb)
- If all connections through rule 3 terminate, leaving only 1 & 2 active, Rule 1 gets 10/50 (2Gb) and rule 2 gets 40/50 (8Gb)

Does that help or confuse?

Please note that limits and guarantees can give much more granular/correct control. In Traditional QoS policies you can even make those limits and guarantees effective per-connection.

Also, prior to R77.10, deploying QoS will preclude/disable acceleration technologies (SecureXL and CoreXL). This can have a major impact on gateways that depend on the performance gains. Even after R77.10 you'll have to follow SK98229 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk98229) to enable acceleration technology support for QoS.

It's all pretty well documented in the QoS Admin Guide (https://sc1.checkpoint.com/documents/R77.10/CP_R77.10_QoS_WebAdminGuide/html_frameset.htm).

Let me know if you have more specific questions.

-E

ShadowPeak.com
2015-01-31, 00:57
One other peculiarity with weights is the following:

- Suppose Rule 1 is using its entire allocated 1Gbps but is pushing for more
- Suppose Rule 2 is only using 2Gbps of the 4Gbps allocated by weight
- Suppose Rule 3 is only using 1Gbps of the 5Gbps allocated by weight

At least temporarily, Rule 1 is allowed to consume more than its assigned 1Gbps because the other rules are not using all of their assigned bandwidth. Should Rules 2 and 3 suddenly start consuming all of their allocated bandwidth, Rule 1 will be crammed back into its assigned 1Gbps via selective dropping of its packets to make the sending TCP stacks matching Rule 1 slow back down. So the bandwidth assigned by weights is really only being used exactly that way if all matching rules are using absolutely all of their assigned bandwidth; a great feature of using just weights is that if there is idle bandwidth somewhere and some connection wants it, bandwidth is never wasted.

However, now suppose a Limit of 500Mbps is added to Rule 1 in addition to its 10 weight. Rule 1 may use less than 500Mbps, but under no circumstances may it ever go above 500Mbps even if there is idle bandwidth available. With limits imposed, idle bandwidth can most definitely go to waste. Guarantees can also waste bandwidth, since when they are active no other rule may ever intrude into that guaranteed bandwidth even if very little of it is actually being used.

EricAnderson
2015-01-31, 01:19
Yes. I guess I simplified a bit too much. I should have mentioned (and will add now) that my examples assume that each active rule is vying for more bandwidth than is available. QoS will not leave bandwidth unused simply because an underutilized rule is "overweighted" (I love making up words).

And yes, incorrect/excessive use of limits can leave bandwidth un-utilized, and guarantees can leave you oversubscribed (sometimes resulting in verification failures).

It's a very tricky (but interesting) topic. Thanks for filling in the gaps.

-E
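
An added example, not part of any post in this thread and not Check Point's scheduler code: a simplified model of the weight behaviour described above (fractions over active rules, borrowing of idle bandwidth, and a hard limit), using the thread's own numbers. The names `Rule` and `allocate`, the per-rule `demand` figure, and the proportional redistribution of leftover bandwidth are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Rule:
    weight: float                  # QoS rule weight
    demand: float                  # Gbps the rule's connections try to push (0 = inactive)
    limit: Optional[float] = None  # hard cap in Gbps; None means no limit


def allocate(total: float, rules: Dict[str, Rule]) -> Dict[str, float]:
    """Split `total` Gbps by weight among active rules, handing unused share to the rest."""
    # A rule never receives more than it asks for, or more than its limit.
    cap = {n: r.demand if r.limit is None else min(r.demand, r.limit)
           for n, r in rules.items()}
    alloc = {n: 0.0 for n in rules}
    # Only rules with traffic (and a positive weight) take part in the fraction.
    hungry = {n for n, r in rules.items() if cap[n] > 0 and r.weight > 0}
    remaining = float(total)
    while hungry and remaining > 1e-9:
        denom = sum(rules[n].weight for n in hungry)
        share = {n: remaining * rules[n].weight / denom for n in hungry}
        # Rules whose weighted share covers everything they still want.
        done = {n for n in hungry if alloc[n] + share[n] >= cap[n] - 1e-9}
        if not done:
            # Everyone wants more than their share: pure weight fractions apply.
            for n in hungry:
                alloc[n] += share[n]
            break
        for n in done:
            remaining -= cap[n] - alloc[n]
            alloc[n] = cap[n]
        hungry -= done  # leftover is re-split among rules still pushing for more
    return alloc


def scenario(d1: float, d2: float, d3: float, limit1: Optional[float] = None):
    """Thread example: 10 Gbps link, weights 10/40/50 (constructed demands)."""
    rules = {"rule1": Rule(10, d1, limit1), "rule2": Rule(40, d2), "rule3": Rule(50, d3)}
    return allocate(10.0, rules)


if __name__ == "__main__":
    print("all saturated      ", scenario(10, 10, 10))       # 1 / 4 / 5
    print("rule 3 inactive    ", scenario(10, 10, 0))        # 2 / 8 / 0
    print("rule 1 borrows idle", scenario(10, 2, 1))         # 7 / 2 / 1
    print("rule 1 limited     ", scenario(10, 2, 1, 0.5))    # 0.5 / 2 / 1, rest idle
```

The last scenario leaves 6.5 of the 10 Gbps unallocated, which is the wasted idle bandwidth that limits can cause.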