Day One Tips

VPN traffic shaping in conjunction with traffic shaping inside the VPN tunnel on one device

11-23-2010 07:10 AM

VPN traffic shaping in conjunction with traffic shaping inside the VPN tunnel on one device:

show class-of-service
interfaces {
    ge-0/0/1 {
        unit 0 {
            scheduler-map vpn_interface;
        }
    }
    fe-0/0/2 {
        unit 0 {
            scheduler-map external_interface;
        }
    }
}
scheduler-maps {
    external_interface {
        forwarding-class best-effort scheduler be_scheduler;
        forwarding-class assured-forwarding scheduler af_scheduler;
        forwarding-class network-control scheduler nc_scheduler;
    }
    vpn_interface {
        forwarding-class assured-forwarding scheduler other_services;
        forwarding-class best-effort scheduler netbios;
        forwarding-class expedited-forwarding scheduler critical_services;
    }
}
schedulers {
    be_scheduler {
        transmit-rate percent 45;
        buffer-size remainder;
        priority low;
    }
    af_scheduler {
        transmit-rate percent 50;
        buffer-size percent 30;
        priority high;
    }
    nc_scheduler {
        buffer-size percent 5;
        priority medium-high;
    }
    critical_services {
        transmit-rate percent 50;
        buffer-size percent 30;
        priority high;
    }
    other_services {
        transmit-rate percent 20;
        buffer-size percent 30;
        priority medium-high;
    }
    netbios {
        transmit-rate remainder;
        buffer-size remainder;
        priority low;
    }
}

####################

show firewall
family inet {
    filter egress {
        term vpn {
            from {
                destination-prefix-list {
                    vpn_domeenid_ext;
                }
            }
            then {
                loss-priority low;
                forwarding-class assured-forwarding;
            }
        }
        term accept_all {
            then accept;
        }
    }
    filter ingress {
        term critical {
            from {
                destination-port [ 1532 3389 1433 ];
            }
            then {
                loss-priority low;
                forwarding-class expedited-forwarding;
            }
        }
        term other {
            from {
                destination-port-except [ 1433 3389 1532 139 445 136 137 138 135 ];
            }
            then {
                loss-priority medium-low;
                forwarding-class assured-forwarding;
            }
        }
        term netbios {
            from {
                destination-port [ 139 445 135 136 137 138 ];
            }
            then {
                loss-priority high;
                forwarding-class best-effort;
            }
        }
        term accept_all {
            then accept;
        }
    }
}
filter protect-re {
    term management {
        from {
            source-prefix-list {
                mgmt-ip;
            }
            destination-port [ 22 4343 ];
        }
        then {
            log;
            accept;
        }
    }
    term mgmt-deny-rest {
        from {
            destination-port [ 22 4343 ];
        }
        then {
            log;
            discard;
        }
    }
    term allow_rest {
        then accept;
    }
}

Note that two different filters are used to achieve this: the first one shapes the bandwidth for the VPN tunnels themselves (vpn_domeenid is an address-set of VPN domains), and the second filter shapes the traffic inside the VPN tunnel.

As you cannot apply a firewall filter to the st0 interface, it can be applied on the ingress interface instead. An additional match condition can be used to avoid shaping traffic that is not going into the tunnel.
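Because both the `ingress` classification filter and the `protect-re` filter depend on Junos evaluating terms top to bottom and stopping at the first match, it is worth checking that the port lists in the three classification terms really partition the port space (the `destination-port-except` list in term `other` must be exactly the union of the `critical` and `netbios` port lists, otherwise some port is classified twice or falls through to `accept_all` with no forwarding class). The following script is an added example, not part of the original tip or of Junos; it models first-match term evaluation for the two filters shown above with the port lists copied from the page. The contents of the `mgmt-ip` prefix list are not shown on the page, so the 192.0.2.0/24 value and the sample source addresses are assumptions constructed for the example.

```python
"""Term-by-term walk of the page's `ingress` and `protect-re` filters.

Added example, not from the original tip. It reproduces Junos first-match
term evaluation and checks that the `destination-port-except` list in term
`other` is exactly the union of the ports claimed by `critical` and `netbios`.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Port lists copied verbatim from the page's `ingress` and `protect-re` filters.
CRITICAL_PORTS = {1532, 3389, 1433}
NETBIOS_PORTS = {139, 445, 135, 136, 137, 138}
OTHER_EXCEPT_PORTS = {1433, 3389, 1532, 139, 445, 136, 137, 138, 135}
MGMT_PORTS = {22, 4343}

# The page does not show the `mgmt-ip` prefix list; this value is an assumption.
MGMT_IP = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    src: str       # source address (constructed sample values below)
    dst_port: int  # destination TCP/UDP port


@dataclass
class Term:
    name: str
    match: Callable[[Packet], bool]  # the term's `from` clause
    actions: Dict[str, object]       # the term's `then` clause


def first_match(terms: List[Term], pkt: Packet) -> Tuple[str, Dict[str, object]]:
    """Apply the first term whose `from` clause matches (a term without
    `from` matches everything). A `then` that only sets classification
    fields implicitly accepts; a filter with no matching term discards."""
    for term in terms:
        if term.match(pkt):
            result = dict(term.actions)
            if "discard" not in result:
                result.setdefault("accept", True)
            return term.name, result
    return "<implicit-discard>", {"discard": True}


INGRESS = [
    Term("critical", lambda p: p.dst_port in CRITICAL_PORTS,
         {"loss-priority": "low", "forwarding-class": "expedited-forwarding"}),
    Term("other", lambda p: p.dst_port not in OTHER_EXCEPT_PORTS,
         {"loss-priority": "medium-low", "forwarding-class": "assured-forwarding"}),
    Term("netbios", lambda p: p.dst_port in NETBIOS_PORTS,
         {"loss-priority": "high", "forwarding-class": "best-effort"}),
    Term("accept_all", lambda p: True, {"accept": True}),
]

PROTECT_RE = [
    Term("management",
         lambda p: ipaddress.ip_address(p.src) in MGMT_IP and p.dst_port in MGMT_PORTS,
         {"log": True, "accept": True}),
    Term("mgmt-deny-rest", lambda p: p.dst_port in MGMT_PORTS,
         {"log": True, "discard": True}),
    Term("allow_rest", lambda p: True, {"accept": True}),
]


def classify(pkt: Packet) -> Tuple[str, object]:
    """Term hit and forwarding class the `ingress` filter assigns (None if
    the packet only reached the bare `accept_all` term)."""
    name, acts = first_match(INGRESS, pkt)
    return name, acts.get("forwarding-class")


def except_list_consistent() -> bool:
    """True when term `other` excludes exactly the ports the two specific
    terms claim, so every port is classified by precisely one term."""
    return OTHER_EXCEPT_PORTS == CRITICAL_PORTS | NETBIOS_PORTS


def unclassified_ports(port_range=range(1, 65536)) -> List[int]:
    """Destination ports that reach `accept_all` without a forwarding class."""
    return [p for p in port_range
            if first_match(INGRESS, Packet("198.51.100.10", p))[0] == "accept_all"]


def re_action(pkt: Packet) -> Tuple[str, str]:
    """Term hit and final action for traffic aimed at the routing engine."""
    name, acts = first_match(PROTECT_RE, pkt)
    return name, "discard" if acts.get("discard") else "accept"


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.10", 3389), Packet("198.51.100.10", 445),
                Packet("198.51.100.10", 443)):
        print(pkt.dst_port, classify(pkt))
    print("except-list consistent:", except_list_consistent())
    print("unclassified ports:", unclassified_ports())
    for pkt in (Packet("192.0.2.7", 22), Packet("203.0.113.9", 4343),
                Packet("203.0.113.9", 80)):
        print(pkt.src, pkt.dst_port, re_action(pkt))
```

With the page's lists the consistency check passes and no port falls through to `accept_all`; if a port is later added to `critical` or `netbios` without also adding it to the except list of `other`, `except_list_consistent()` turns false and `unclassified_ports()` stays empty, which is exactly the misclassification case the model is meant to catch (the port is matched by `other` first, because it comes before `netbios`).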
