Routing


Traffic Shaping on SRX 650

  • 1.  Traffic Shaping on SRX 650

    Posted 09-25-2011 12:55

    Hi Experts

     

    I want to configure Traffic shaping on SRX 650. Below is my requirement and scenario:

     

    1- The leased line on the SRX is 4mb

    2- I want my mail traffic to use 2mb guaranteed bandwidth

    3- Browsing traffic should use 1mb guaranteed bandwidth

     

    Could anyone give me the high-level steps for how to do this?

    The other question is how to apply these bandwidth restrictions in the upload and download directions?

     

    Thanks



  • 2.  RE: Traffic Shaping on SRX 650
    Best Answer

    Posted 09-27-2011 11:39

    Hi

    For example you have the following scheme

    LAN --- SRX --- uplink

    First, you should classify traffic on your internal (LAN) interface. You can
    do it with input firewall filter. For example,

    lab@jsrxA-1# show firewall family inet
    filter classify {
        term 10 {
            from {
                protocol tcp;
                destination-port 80;
            }
            then forwarding-class assured-forwarding;
        }
        term 20 {
            from {
                protocol tcp;
                destination-port [ imap smtp pop3 ];
            }
            then forwarding-class expedited-forwarding;
        }
        term 30 {
            then {
                forwarding-class best-effort;
                accept;
            }
        }
    }

    Apply the filter to the interface as an input.

    Then you create schedulers and scheduler-map, e.g.

    lab@jsrxA-1# show class-of-service
    scheduler-maps {
        my-scheduler-map {
            forwarding-class assured-forwarding scheduler web;
            forwarding-class expedited-forwarding scheduler mail;
            forwarding-class best-effort scheduler other;
        }
    }
    schedulers {
        web {
            transmit-rate 1m;
            priority low;
        }
        mail {
            transmit-rate 2m;
            priority low;
        }
        other {
            transmit-rate 1m;
            priority low;                  
        }
    }

    Then apply scheduler-map to _external_ interface (uplink)

    lab@jsrxA-1# show class-of-service
    interfaces {
        ge-0/0/3 {
            scheduler-map my-scheduler-map;
        }
    }

    This config applies to the traffic going in the upload (to the internet) direction.

    You cannot affect incoming traffic very much, unless you have control over the next-hop router.
    You can apply policers on the incoming interface, or do classification/shaping in the
    download direction (similar to how I showed it for the uplink direction). Both make little
    sense, because by the time traffic arrives at the SRX from the internet it has already passed the "bottleneck",
    which is your uplink/ISP.

    Hope this helps.



  • 3.  RE: Traffic Shaping on SRX 650

    Posted 10-01-2011 11:43

    Thanks for the solution.

     

    1- Could you please tell me, http and pop/imap are download traffic or upload traffic? Sorry for this silly question but just to clear my mind 🙂

     

    2- If my scenario is like this, my branch srx210 is connected via 4mbps line with the HQ srx650. Users in the branch are accessing voice, critical application and emails then If I want to provide the class of service to these traffic then where I have to make CoS configuration and which direction? I mean on srx210 OR srx650? and also on LAN interface or WAN interface

     

    Thanks



  • 4.  RE: Traffic Shaping on SRX 650

    Posted 10-02-2011 11:12

    Hi

    Shaping and prioritization are always for outbound traffic (from the perspective of the SRX box).

    In my example, CoS affects traffic in the upload direction only. However, real traffic
    is always bidirectional, and you cannot affect the return traffic with CoS (unless you
    have access to the next-hop router; you can also do some policing on the incoming traffic,
    but not shaping).

    In the example with 2 boxes,

    LAN1 --- SRX1 -- SRX2 --- LAN2

    you can do CoS on both boxes. So in this case you affect traffic entering SRX1 by doing CoS
    on SRX2, and vice versa. On SRX1, you do it on the interface connecting to SRX2, and it will
    affect traffic from LAN1 to LAN2.

    On SRX2, you configure CoS on the interface connecting to SRX1, and it affects traffic from LAN2
    to LAN1.

    On the interfaces connected to the LANs, you do classification of the incoming traffic (put all packets
    in the forwarding-class/queue you want).



  • 5.  RE: Traffic Shaping on SRX 650

    Posted 10-02-2011 14:32

    Hi Peter

     

    Thanks a lot for the great explanation. Just in the scenario I described in my last post: if one branch is connected to HO and accessing the services, then if I want:

     

    1- Oracle application should take 1mbps

    2- Email traffic should take 512kbps

    3- Others should take rest of the BW

     

    Then I have to do the CoS on both SRXs, right? But what about configuring the firewall filter for classification, say for example email traffic? From the branch side, we will match destination-port pop/imap (for retrieving the emails) and destination-port smtp (to send the email), then the forwarding class would be anything. But how do we configure the firewall filter on the HO SRX? Do we match the same ports on source-port?

     

    Thanks for the help



  • 6.  RE: Traffic Shaping on SRX 650

    Posted 10-03-2011 00:01

    Hi

     

    Yes, on both. And match on source ports for HO SRX, right.



  • 7.  RE: Traffic Shaping on SRX 650

    Posted 10-03-2011 10:22

    Hi Peter

     

    Thanks for the help. Last question: how to verify that each traffic class is taking the right bandwidth and not exceeding the maximum bandwidth allocated?



  • 8.  RE: Traffic Shaping on SRX 650

    Posted 10-03-2011 11:09

    Hi

    show interfaces queue <outgoing-interface>

    will show the pps and bps for each forwarding-class.

    Note that with such a configuration,

    schedulers {
        web1M {
            transmit-rate 1m;
            priority low;
        }
    }

    traffic going to that forwarding-class/queue will get 1M guaranteed bandwidth, but
    it can exceed that bandwidth if there is some free throughput left on the interface.

    You can set 'transmit-rate 1m exact' if you want a hard limit (the queue can't use
    excess bandwidth).



  • 9.  RE: Traffic Shaping on SRX 650

    Posted 10-10-2011 10:14

    Thanks



  • 10.  RE: Traffic Shaping on SRX 650

    Posted 08-13-2012 06:02

    Hi!

     

    We have a very similar requirement - only Citrix (ICA; tcp 1494) needs to get a guaranteed bandwidth of 1Mbps on a 2 Mbps link. LAN interface is vlan.0, WAN is fe-0/0/0.

    Currently Citrix connections suffer miserably if print jobs (outside ICA) are started.

     

    I tried to adapt your example on our SRX100, which resulted in the following config snippet:

     

    set firewall family inet filter classify term 10 from protocol tcp
    set firewall family inet filter classify term 10 from destination-port 1494
    set firewall family inet filter classify term 10 then forwarding-class expedited-forwarding
    set firewall family inet filter classify term 30 then forwarding-class best-effort

    set interfaces vlan unit 0 family inet filter input classify

    set class-of-service interfaces fe-0/0/0 scheduler-map my-scheduler-map
    set class-of-service scheduler-maps my-scheduler-map forwarding-class expedited-forwarding scheduler ica
    set class-of-service scheduler-maps my-scheduler-map forwarding-class best-effort scheduler other

    set class-of-service schedulers ica transmit-rate 1m
    set class-of-service schedulers ica priority high
    set class-of-service schedulers other transmit-rate 1m
    set class-of-service schedulers other priority low

     

    Unfortunately, the config has no effect in our situation: udp printing traffic is squeezing out tcp traffic.

    I simulated this with two iperf connections going through the SRX: first tcp 1494, second udp 631

    at t=0s I start the tcp connection and get around 2Mbps.

    at t=10s, I start the udp connection, while tcp is still running. udp hogs up almost 2Mbps while tcp goes down to about 200Kbps.

    at t=20s, the udp connection is stopped and tcp then goes back up to 2 Mbps.

     

    Checking the queues on the outgoing I/F as you suggested, we can actually see that expedited-forwarding is only 1/10th of best-effort:

    root@conhIT-srx# run show interfaces queue fe-0/0/0    
    :
    Queue: 0, Forwarding classes: best-effort
      Queued:
        Packets              :                 17216                   170 pps
        Bytes                :              18767113               2060304 bps
      Transmitted:
        Packets              :                 17216                    170 pps
        Bytes                :              18767113               2060304 bps
    :
    Queue: 1, Forwarding classes: expedited-forwarding
      Queued:
        Packets              :                  4904                    23 pps
        Bytes                :               6957752                272232 bps
     Transmitted:
        Packets              :                  4904                     23 pps
        Bytes                :               6957752                272232 bps
    :

     

     

    What am I doing wrong?

     

    Of course I could limit 'other' to 1Mbps, but that would waste precious bandwidth if ICA doesn't use up the guaranteed 1Mbps, right?

     

    Cheers,

    Kai

     

    N.B.: I think I got it.

    I applied:

    set interfaces fe-0/0/0 per-unit-scheduler

     

    and modified the interface-stanza underneath the CoS to rate:

     

    set class-of-service interfaces fe-0/0/0 scheduler-map my-scheduler-map
    set class-of-service interfaces fe-0/0/0 unit 0 scheduler-map my-scheduler-map
    set class-of-service interfaces fe-0/0/0 unit 0 shaping-rate 2m

     

    Running iperf now, the tcp is reduced to 1Mbps once the udp starts, which is the expected behaviour.

    Running the iperf tests separately, both use up 2Mbps - QED
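
The verification question earlier in the thread (`show interfaces queue <outgoing-interface>`) and the counters posted above can be tied together with a small checker. The following is an added example, not code from any poster or from Juniper: it parses the text of `show interfaces queue`, compares each forwarding class's transmitted bps with the `transmit-rate` of the scheduler bound to it, and tells "borrowing" (above the guarantee but allowed because `exact` is not set) apart from a real violation. The sample output and the scheduler plan are constructed here (modelled on the counters and the `ica 1m / other 1m` schedulers in this thread), the function names are mine, and it assumes Junos rate suffixes k/m/g are decimal multiples of 1000.

```python
"""Check per-forwarding-class throughput against Junos CoS scheduler allocations.

Added example for this thread (not code from any poster or from Juniper):
parse the text of ``show interfaces queue <outgoing-interface>`` and compare
the transmitted bps of each forwarding class with the transmit-rate of the
scheduler bound to it. Assumption: Junos rate suffixes k/m/g are decimal
multiples of 1000 (so '1m' is 1,000,000 bps).
"""
import re

# Constructed sample output, modelled on the queue counters posted in this thread:
# best-effort runs at ~2 Mbps while expedited-forwarding gets ~272 kbps.
SAMPLE_QUEUE_OUTPUT = """\
Queue: 0, Forwarding classes: best-effort
  Queued:
    Packets              :                 17216                   170 pps
    Bytes                :              18767113               2060304 bps
  Transmitted:
    Packets              :                 17216                   170 pps
    Bytes                :              18767113               2060304 bps
Queue: 1, Forwarding classes: expedited-forwarding
  Queued:
    Packets              :                  4904                    23 pps
    Bytes                :               6957752                272232 bps
  Transmitted:
    Packets              :                  4904                    23 pps
    Bytes                :               6957752                272232 bps
"""

# Constructed scheduler plan: forwarding-class -> (transmit-rate, exact?).
# Mirrors the "ica 1m / other 1m" schedulers discussed above, expressed as data.
SAMPLE_SCHEDULERS = {
    "expedited-forwarding": ("1m", False),
    "best-effort": ("1m", False),
}

_QUEUE_RE = re.compile(r"^\s*Queue:\s*(\d+),\s*Forwarding classes:\s*(\S+)")
_SECTION_RE = re.compile(r"^\s*(Queued|Transmitted):")
_BYTES_RE = re.compile(r"^\s*Bytes\s*:\s*(\d+)\s+(\d+)\s+bps")
_PACKETS_RE = re.compile(r"^\s*Packets\s*:\s*(\d+)\s+(\d+)\s+pps")
_SUFFIX = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_rate(rate):
    """Convert a Junos rate string ('1m', '512k', '2000000') to bits per second."""
    m = re.fullmatch(r"(\d+)([kmg]?)", rate.strip().lower())
    if not m:
        raise ValueError(f"unrecognised rate: {rate!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_queue_stats(text):
    """Map each forwarding class to its queue number and current pps/bps counters."""
    stats, current, section = {}, None, None
    for line in text.splitlines():
        if (m := _QUEUE_RE.match(line)):
            current = stats.setdefault(m.group(2), {"queue": int(m.group(1))})
            section = None
        elif (m := _SECTION_RE.match(line)):
            section = m.group(1).lower()          # 'queued' or 'transmitted'
        elif current is not None and section and (m := _BYTES_RE.match(line)):
            current[f"{section}_bps"] = int(m.group(2))
        elif current is not None and section and (m := _PACKETS_RE.match(line)):
            current[f"{section}_pps"] = int(m.group(2))
    return stats


def check_allocations(stats, schedulers, shaping_rate=None):
    """Compare measured transmitted bps with each class's transmit-rate.

    Verdicts: 'within' (at or below the guarantee), 'borrowing' (above it, allowed
    because the scheduler is not 'exact'), 'violation' (above an 'exact' rate),
    'unscheduled' (no scheduler for that class). Also reports whether the sum of
    all queues exceeds an optional interface shaping-rate.
    """
    classes, total = {}, 0
    for fc, counters in stats.items():
        measured = counters.get("transmitted_bps", 0)
        total += measured
        if fc not in schedulers:
            classes[fc] = {"measured_bps": measured, "guaranteed_bps": None, "verdict": "unscheduled"}
            continue
        rate, exact = schedulers[fc]
        guaranteed = parse_rate(rate)
        if measured <= guaranteed:
            verdict = "within"
        elif exact:
            verdict = "violation"
        else:
            verdict = "borrowing"
        classes[fc] = {"measured_bps": measured, "guaranteed_bps": guaranteed, "verdict": verdict}
    over = None if shaping_rate is None else total > parse_rate(shaping_rate)
    return {"classes": classes, "total_bps": total, "over_shaper": over}


if __name__ == "__main__":
    report = check_allocations(parse_queue_stats(SAMPLE_QUEUE_OUTPUT), SAMPLE_SCHEDULERS, "2m")
    for fc, r in report["classes"].items():
        print(f"{fc:24s} {r['measured_bps']:>9d} bps  guarantee {r['guaranteed_bps']}  -> {r['verdict']}")
    print(f"total {report['total_bps']} bps, exceeds shaping-rate: {report['over_shaper']}")
```

On the constructed sample, best-effort comes out as "borrowing" (2.06 Mbps against a 1m guarantee without `exact`) and expedited-forwarding as "within"; the summed queues also exceed a 2m shaping-rate, which is the situation the `shaping-rate 2m` change above is meant to correct. Flipping best-effort to `exact` turns the same counters into a "violation".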

     

     

     



  • 11.  RE: Traffic Shaping on SRX 650

    Posted 08-20-2012 06:08

    Mmh - this is becoming a never-ending story. The customer doesn't want to change routing etc., so I switched the SRX to transparent mode (luckily enough, this is now supported on SRX 100 too).

     

    ...BUT...

     

    I can't configure the CoS I used to, since the interfaces are now family bridge; hence the trust interface doesn't find the firewall filter anymore to classify incoming traffic, since this is defined as family inet.

    But trying to create the same filter in family bridge, it won't let me, since destination-port isn't valid under family bridge.

    How do I adapt the above example to transparent mode?

     

    TIA,

    Kai

     

     

     



  • 12.  RE: Traffic Shaping on SRX 650

    Posted 11-05-2013 06:14

    May I confirm that this configuration only impacts uploading, not downloading?

    I mean, if our internal users download something via HTTP or HTTPS, the download will not be impacted by this setting.

    If yes, the other issue is how can I shape or restrict the download speed?

    My network is LAN---SRX550---Uplink.


     

     



  • 13.  RE: Traffic Shaping on SRX 650

    Posted 11-05-2013 13:18

    Hi

     

    Basically yes, my example was for traffic coming from the internal LAN to the uplink.

    Downloading is not affected (if you do not take into account the relatively small amount
    of TCP ACKs going in the reverse direction...)

     

    If you want to constrain the download bandwidth for some/all users, you can
    create a policer + firewall filter and apply it on the external interface as input.

    Something like this - very schematically:

     

    peter@SRX# show | compare                                                        
    [edit interfaces ge-0/0/0]
    +    unit 0 {
    +        family inet {
    +            filter {
    +                input limit-user;
    +            }
    +        }
    +    }
    [edit firewall family inet]
    +     filter limit-user {
    +         term 10 {
    +             from {
    +                 destination-address {
    +                     192.168.100.1/32;
    +                 }
    +             }
    +             then policer p1M;
    +         }
    +         term else {
    +             then accept;
    +         }
    +     }
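    Review bot: term 10 polices on `destination-address 192.168.100.1/32` at the input of the external interface, which only works if that is the address the packet carries when it arrives on the uplink; as a later reply in this thread notes, firewall filters match on the pre-NAT address, so for users behind source NAT the returning download traffic is addressed to the public NAT address, never hits term 10, and falls through to `term else` unpoliced. The post should state that the address to match is the one seen on the wire at the uplink (or that the match must be adjusted when NAT is in play).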
    [edit firewall]
    +   policer p1M {
    +       if-exceeding {
    +           bandwidth-limit 1m;
    +           burst-size-limit 15k;
    +       }
    +       then discard;
    +   }

     



  • 14.  RE: Traffic Shaping on SRX 650

    Posted 11-05-2013 17:51

    Hi,

     

    Thanks for the reply.

    After setting it up as per your instructions, the end user can still download at up to 400KB/sec.
    Below is my example:
     
    Internal user with IP 192.168.1.20/32 will go and download via my external port: ge-0/0/6.0.
    Refer to the code below that I have set on my SRX550.

    Please advise.
    Thanks a lot.

     

    [edit firewall policer p1M]
    root@SRX550# show
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 15k;
    }
    then discard;
    
    [edit firewall family inet]
    root@SRX550# show filter limit-user
    term 10 {
        from {
            destination-address {
                192.168.1.20/32;
            }
        }
        then policer p1M;
    }
    term else {
        then accept;
    }
    
    [edit interfaces ge-0/0/6]
    root@SRX550# show
    per-unit-scheduler;
    unit 0 {
        family inet {
            filter {
                input limit-user;
            }
            address Hidden Here;
        }
    }

     



  • 15.  RE: Traffic Shaping on SRX 650

    Posted 11-09-2013 11:28

    Hi

     

    As we discussed in PM, the reason it does not work is that firewall filters match

    on pre-NAT address... Please create a separate topic if you have other questions.



  • 16.  RE: Traffic Shaping on SRX 650

    Posted 01-24-2014 00:56

    Hello All,

     

    Please, I'm new to the SRX650; here's my scenario:

     

    I have an SRX650 and internet comes in via the ge-0/0/0 interface....ge-0/0/1 is trunked. I want to limit the bandwidth usage for downloads and uploads to 10kbps on subnet 10.10.90.0/32, which goes out logical interface ge-0/0/1.90....Please can somebody help me with the detailed step-by-step configuration for achieving this...thanks