Hi all
I have here a company network with a main site and several remote offices. The setup is a route-based VPN in a hub-and-spoke configuration. All traffic from remote office (eg. default route) is to the main office, with a central breakout to the Internet at the central site.
The situation has now arisen that I have to implement QoS (DiffServ). My problem is that Juniper SSG's apparently can't do traffic shaping in intra-zone policies.
For the remote office firewalls I bypassed that problem by creating two security zones, "intranet" and "intranet-tunnel", route the default gateway in their virtual-router into the tunnel and have several policies with different DSCP tagging and priority queues (plus guaranteed and max bandwidth) into the intranet-tunnel security zone.
I now need an idea how to do it with the central firewall. Right now the internal network as well as the tunnel interfaces are in the trust zone. I need to police/shape traffic from the main site to the remote offices, as well as from one remote office to another (as it's a hub-and-spoke). For example, one remote office has a 6mbit connection, another only 2mbit. So I need to police or prioritize traffic at the central site to not congest the slower links.
Creating different zones for each tunnel interface would mean that I have to duplicate and adapt all rules for each and every possible combination of zones, plus all rules from each tunnel to the Internet, so this approach is rather not feasible.
Another idea I had was to stick with only one internal security zone and implement the shaping policy on a Cisco router that sits in front of the central firewall (as the DSCP of pre-marked traffic gets copied to the VPN outer header) and do nothing at all on the firewall. But then I could not use the priority queuing on the SSG, which might be critical for some real-time traffic.
I'd be very happy to know how others have solved this.
Cheers & many thanks
Lukas
