05-31-2011 01:26 PM - edited 05-31-2011 01:27 PM
I was wondering if someone could help me a bit to figure out how to setup QoS on a Juniper SSG5 running the 5.4.0r3a.0 (Firewall+VPN) version with hardware version 710(0).
What I want to achieve is a really basic implementation of quality of service. I have a priority VLAN which subnet is 172.22.254.0/24 while I have a standard VLAN which subnet is 172.22.1.0/24. I have an interface to the Internet (Untrust) and a trunk interface to my switch with two subinterfaces (all in Trust, one for each of my subnet).
I want to prioritize the 172.22.254.0 subnet. I went in "Policies" and added the following:
- Trust to Untrust, 172.22.254.0 to ANY, highest priority.
- Trust to Untrust, ANY to ANY, lowest priority.
When I activate that setting, there is no QoS that's enabled. When I start a big file transfer on the non-prioritized VLAN, it saturates the whole Internet connection and I get ping delays and 5%+ packet drop on pings from the prioritized VLAN. However, as soon as I turn on the "Limit bandwidth" feature on the non-priotized VLAN, it really caps it and I can access the link from the prioritized VLAN. I would rather use priorities than bandwidth settings.
I configure all of this using the Web interface (see the screenshots) and it's translated to these commands in the config tab:
set policy id 28 name "HIGH PRIORITY" from "Untrust" to "Trust" "Any" "172.22.254.0/24" "ANY" permit
traffic priority 0
set policy id 28
set policy id 15 name "DEFAULT PRIORITY" from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 15
As you probably understand, I'm new to Juniper and I'm not yet comfortable to configure everything using the CLI. As you can see on the screenshots, I've selected the "Lowest priority" settings and it adds the line "traffic" that I've put in blue, without anything following it. Is this a GUI bug that traffic is not followed by something like "priority 7"? or the lowest priority is on by default when you add the "traffic" line. If it's not a bug, I would really appreciate if somebody could take a few minutes to share their experience and knowledge about how to configure policy-based priority-based QoS settings on SSG5.
Thank you very much,
06-01-2011 06:33 AM
You can use priority queuing in ScreenOS like you've configured. If you set a higher priority to your 172.x rule, then you will want to make sure that policy is at the top. Use "show pol from trust to untrust" to verify this. You can also set max and gbw to ensure there is enough bw for either rule. I hope this helps.
If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.