03-04-2009 11:19 AM
I have here a company network with a main site and several remote offices. The setup is a route-based VPN in a hub-and-spoke configuration. All traffic from the remote offices (i.e. the default route) goes to the main office, with a central breakout to the Internet at the central site.
The situation has now arisen that I have to implement QoS (DiffServ). My problem is that Juniper SSGs apparently can't do traffic shaping in intra-zone policies.
For the remote office firewalls I bypassed that problem by creating two security zones, "intranet" and "intranet-tunnel", routing the default route in their virtual router into the tunnel and having several policies with different DSCP tagging and priority queues (plus guaranteed and maximum bandwidth) into the intranet-tunnel security zone.
I now need an idea how to do it with the central firewall. Right now the internal network as well as the tunnel interfaces are in the trust zone. I need to police/shape traffic from the main site to the remote offices, as well as from one remote office to another (as it's a hub-and-spoke). For example, one remote office has a 6 Mbit connection, another only 2 Mbit. So I need to police or prioritize traffic at the central site so as not to congest the slower links.
Creating different zones for each tunnel interface would mean that I have to duplicate and adapt all rules for each and every possible combination of zones, plus all rules from each tunnel to the Internet, so this approach is not really feasible.
Another idea I had was to stick with only one internal security zone and implement the shaping policy on a Cisco router that sits in front of the central firewall (as the DSCP of pre-marked traffic gets copied to the VPN outer header) and do nothing at all on the firewall. But then I could not use the priority queuing on the SSG, which might be critical for some real-time traffic.
I'd be very happy to know how others have solved this.
Cheers & many thanks
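For readers who want to see what the remote-office workaround above looks like on the box, here is an added ScreenOS configuration sketch. It is not the poster's configuration: the zone names follow the post, but the interface names, addresses, the 2 Mbit uplink figure, the service (the predefined SIP service stands in for "real-time traffic") and the bandwidth and DSCP values are assumptions, and each statement should be checked against the ScreenOS CLI reference for the release in use.

```text
# Added illustration of the two-zone remote-office layout; not the original poster's config.
# Interface names, addresses, bandwidth figures and DSCP values are assumptions.

# Two zones on the remote-office SSG: the LAN side and the tunnel side
set zone name intranet
set zone name intranet-tunnel

# LAN interface lives in "intranet"
set interface ethernet0/2 zone intranet
set interface ethernet0/2 ip 10.20.0.1/24

# Route-based VPN tunnel interface gets its own zone
set interface tunnel.1 zone intranet-tunnel
set interface tunnel.1 ip unnumbered interface ethernet0/2

# Default route of the virtual router points into the tunnel (central Internet breakout at the hub)
set vrouter trust-vr route 0.0.0.0/0 interface tunnel.1

# The shaper needs to know the link capacity; this office is assumed to have a 2 Mbit uplink (kbps units)
set traffic-shaping mode on
set interface tunnel.1 bandwidth egress mbw 2000

# Inter-zone policies carry the shaping and marking; priority 0 is the highest queue, 7 the lowest.
# Real-time traffic (SIP here): highest queue, EF (46) marking, guaranteed share
set policy id 10 from intranet to intranet-tunnel any any SIP permit traffic gbw 512 priority 0 mbw 2000 dscp enable value 46
# Everything else: lower queue, best-effort (0) marking, may use the whole link when idle
set policy id 11 from intranet to intranet-tunnel any any any permit traffic gbw 1000 priority 5 mbw 2000 dscp enable value 0
# Return direction from the hub towards the LAN
set policy id 12 from intranet-tunnel to intranet any any any permit
```

The `traffic gbw ... priority ... mbw ... dscp ...` options on the `permit` line are the CLI counterpart of the Web UI's Advanced tab, which is only available once the policy crosses a zone boundary; that is why the tunnel interface has to sit in a zone of its own rather than in the same zone as the LAN.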
03-04-2009 12:37 PM
03-05-2009 07:11 AM
From experience so far: in the Web UI, for intra-zone policies (e.g. trust -> trust), on the Advanced tab, there is no option to configure traffic shaping.
I can create intra-zone policies in NSM, but it fails when trying to upload them to the device (as it goes out as an unknown CLI command trying to set traffic shaping on an intra-zone policy).
It works fine for me for inter-zone policies.
The only thing I've found so far is this KB article http://kb.juniper.net/KB6409 but of course 5.3.0 is a really old release.
I'm experiencing it on SSG5s and SSG520Ms, with firmware 6.1r4 and 6.2r1.
03-05-2009 07:27 AM
You're right! Also on my SSG5. So we need to think about a workaround. Just thinking out loud now:
Could we do something with a loopback interface in another zone/VR, using source-based or source-interface-based routing to make the traffic go there and then route it back with normal destination routing? You're passing zones twice this way, so inter-zone policies should be available. Might work, don't you think?!