ScreenOS Firewalls (NOT SRX)
ZTG (Visitor, Posts: 3, Registered: 02-06-2009)

Intra-company QoS

Hi all

I have here a company network with a main site and several remote offices. The setup is a route-based VPN in a hub-and-spoke configuration. All traffic from the remote offices (i.e. the default route) goes to the main office, with a central breakout to the Internet at the central site.

The situation has now arisen that I have to implement QoS (DiffServ). My problem is that Juniper SSGs apparently can't do traffic shaping in intra-zone policies.

For the remote office firewalls I bypassed that problem by creating two security zones, "intranet" and "intranet-tunnel", route the default gateway in their virtual-router into the tunnel and have several policies with different DSCP tagging and priority queues (plus guaranteed and max bandwidth) into the intranet-tunnel security zone.

I now need an idea how to do it with the central firewall. Right now the internal network as well as the tunnel interfaces are in the trust zone. I need to police/shape traffic from the main site to the remote offices, as well as from one remote office to another (as it's a hub-and-spoke). For example, one remote office has a 6 Mbit/s connection, another only 2 Mbit/s. So I need to police or prioritize traffic at the central site to not congest the slower links.

Creating different zones for each tunnel interface would mean that I have to duplicate and adapt all rules for each and every possible combination of zones, plus all rules from each tunnel to the Internet, so this approach is not really feasible.

Another idea I had was to stick with only one internal security zone and implement the shaping policy on a Cisco router that sits in front of the central firewall (as the DSCP of pre-marked traffic gets copied to the VPN outer header) and do nothing at all on the firewall. But then I could not use the priority queuing on the SSG, which might be critical for some real-time traffic.
I'd be very happy to know how others have solved this.

Cheers & many thanks

Lukas

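Worked example, added by the editor and not part of Lukas's post or of any Juniper documentation: the two-zone remote-office workaround described above, written as ScreenOS 6.x CLI as I remember it. The zone names "intranet" and "intranet-tunnel" come from the post; the interface names, addresses, service ports, DSCP values and bandwidth figures are all assumed, and the exact option order of `permit traffic ...` should be checked against the CLI reference for the release actually in use.

```text
## Constructed example: remote office on a 2 Mbit/s uplink, everything default-routed into the hub tunnel.
## Zone names are from the post; interface names, addresses, ports, DSCP values and bandwidths are assumed.

# Two zones, so that LAN -> tunnel is an inter-zone policy (where the shaping options exist)
set zone name intranet
set zone name intranet-tunnel

# LAN interface and tunnel interface, each in its own zone (assumed interface names)
set interface ethernet0/1 zone intranet
set interface ethernet0/1 ip 10.10.0.1/24
set interface tunnel.1 zone intranet-tunnel
set interface tunnel.1 ip unnumbered interface ethernet0/0

# Default route of the remote office points into the tunnel; the hub does the Internet breakout
set vrouter trust-vr route 0.0.0.0/0 interface tunnel.1

# Tell the box what the WAN link can carry so the shaper has a limit to enforce (assumed 2 Mbit/s)
set traffic-shaping mode on
set interface ethernet0/0 bandwidth egress mbw 2000 ingress mbw 2000

# Address book entry for the remote LAN (assumed prefix)
set address intranet "remote-lan" 10.10.0.0 255.255.255.0

# Service object for the real-time traffic (assumed RTP port range)
set service "RTP" protocol udp src-port 0-65535 dst-port 16384-32767

# Priority 0 is the highest queue in ScreenOS; DSCP 46 is EF. Guaranteed 512 kbit/s, capped at 1024.
set policy id 10 from intranet to intranet-tunnel "remote-lan" Any "RTP" permit traffic gbw 512 priority 0 mbw 1024 dscp enable value 46

# Everything else: lowest queue, DSCP 0, small guarantee, may burst up to the link cap
set policy id 20 from intranet to intranet-tunnel "remote-lan" Any ANY permit traffic gbw 256 priority 7 mbw 2000 dscp enable value 0
```

The guaranteed bandwidths (512 + 256 kbit/s) stay well under the 2000 kbit/s interface limit, so the guarantees can actually be honoured; the per-policy mbw caps bursts, and priority 0 makes the RTP queue drain first when the link is congested. The DSCP value set here is what gets copied into the outer header of the tunnel packet, which is the marking the hub side would see. This form of policy only helps at the central site once the tunnel interfaces sit in a different zone from the internal LAN, which is exactly the open problem in the thread.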
Screenie (Distinguished Expert, Posts: 1,073, Registered: 01-10-2008)

Re: Intra-company QoS

Is it documented that you can't traffic-shape intrazone, or is that from experience? I'm not aware of it, so I'm interested and willing to simulate it in a lab if you like.
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
ZTG (Visitor, Posts: 3, Registered: 02-06-2009)

Re: Intra-company QoS

Hi Screenie

From experience so far. In the Web UI, for intrazone policies (e.g. trust->trust), on the advanced tab, there is no option to configure traffic shaping.

I can create intrazone policies in NSM, but it fails when trying to upload them to the device (as it goes out as an unknown CLI command trying to set traffic shaping on an intrazone policy).

It works fine for me for inter-zone policies.

The only thing I've found so far is this KB article http://kb.juniper.net/KB6409 but of course 5.3.0 is a really old release.
I'm experiencing it on SSG5s and SSG520Ms, with firmware 6.1r4 and 6.2r1.

Cheers

Lukas

Screenie (Distinguished Expert, Posts: 1,073, Registered: 01-10-2008)

Re: Intra-company QoS

You're right! Also on my SSG5. So we need to think about a workaround. Just thinking out loud now:

Could we do something with a loopback interface in another zone/VR, using source- or source-interface-based routing to get the traffic to go there, and route it back with normal destination routing? You're passing zones twice this way, so inter-zone policies should be there. Might work, don't you think?!

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.