SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Class of Service - Interface shaping-rate vs policer

    Posted 11-05-2017 17:07

    Hi all,

    I am trying to understand the differences between interface shaping-rate [edit class-of-service interfaces] versus [edit firewall policer]. I have read https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/security/cos-overview.html but this article does not explain the differences to my understanding.

     

    My goal: I have a 100Mbps untrust link and would like to split it to different trusts, for example 50/20/20/10 Mbps. I have currently set up and tested the following:

     

    root# show class-of-service
    interfaces {
        ge-0/0/0 {
            shaping-rate 105m;
        }
        ge-0/0/1 {
            shaping-rate 50m;
        }
    }

     

    What I see: the ISP has confirmed that when I put in the shaping-rate for untrust (ge-0/0/0), they don't see drops; if I were to take it out, they have their monitoring software aggressively dropping packets (especially upload when doing a speedtest; my assumption is that the Windows machine is seeing the interface as 1Gbps and turns it all the way up).

     

    However when I apply the 50Mbps shaping-rate as above on the trust interface (ge-0/0/1) and run speedtest, download is correct, but upload still uses up to 98Mbps.

     

    Initially I thought source NAT was a factor, but I have already deactivated it and that didn't help. Is the only way to achieve download/upload shaping through a policer? Would you be able to point to any other document that would explain how it works in more detail, apart from https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/class-of-service-edit-shaping-rate-applying-to-interface.html ? Or any other useful related topics.

     

    Thanks.



  • 2.  RE: Class of Service - Interface shaping-rate vs policer

     
    Posted 11-05-2017 17:32

    Hi,

     

    shape-rate under cos that you are using is egress. 

     

    So untrust 100m is upload and trust 50m is download with regards to the ISP link. You ideally want to configure it on all interfaces and the sum of your trust interfaces to equal 100m, otherwise you will not use all your internet bandwidth.

     

    policer command can be applied ingress/egress on interfaces but will drop packets fairly aggressively and you may not reach the subscribed bandwidth due to the packet drops.

     

    Tim



  • 3.  RE: Class of Service - Interface shaping-rate vs policer

    Posted 11-05-2017 20:53

    Thanks Tim,

    "You ideally want to configure it on all interfaces and the sum of your trust interfaces to equal 100m, otherwise you will not use all your internet bandwidth."

    This is the initial setup, but I will be using the full 100Mbps as I go along. As mentioned in my post, I will probably be looking at 50/20/20/10 as an example.

    "shape-rate under cos that you are using is egress.

    So untrust 100m is upload and trust 50m is download with regards to the ISP link."

    You mentioned that CoS on the interface is egress? But shouldn't egress mean upload and ingress download in this scenario I had set up? I'm seeing shaping on just download for ge-0/0/1. I don't quite understand what you mean by "untrust 100m is upload and trust 50m is download". Just to avoid confusion, ge-0/0/0 is untrust connecting to the ISP (subscribing to 100Mbps) and ge-0/0/1 is LAN 1 that I wanted to shape to 50Mbps both upload and download.

     

    Thanks.

     

     



  • 4.  RE: Class of Service - Interface shaping-rate vs policer
    Best Answer

     
    Posted 11-05-2017 21:14

    Hi,

     

    So using your example configuration:

     

    interfaces {
        ge-0/0/0 {
            shaping-rate 105m;
        }
        ge-0/0/1 {
            shaping-rate 50m;
        }
    }

    ge-0/0/0 will shape egress traffic to 105m, which from your perspective is upload to the service provider.

    ge-0/0/1 will shape egress traffic to 50m (to the user), which when you look at your service provider interface is download.

    In this case it is always traffic leaving the device.

    Edit: If you want to limit ingress from the LAN to 50m then you will also need an input policer (i.e. shape egress, police ingress).

     

    Tim
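
The "shape egress, police ingress" arrangement described in the answer above, written out as a Junos configuration. This is an added example, not configuration posted by anyone in the thread. The policer and filter names (LAN1-50M, LAN1-IN), the use of unit 0 with family inet on ge-0/0/1, and the burst-size-limit value are assumptions to adapt.

```junos
/* Egress shaping, as in the original post: queues and delays traffic leaving each port */
class-of-service {
    interfaces {
        ge-0/0/0 {
            shaping-rate 105m;    /* toward the ISP = upload */
        }
        ge-0/0/1 {
            shaping-rate 50m;     /* toward LAN 1 = download */
        }
    }
}
/* Ingress policing: drops traffic arriving from LAN 1 above 50m instead of queueing it */
firewall {
    policer LAN1-50M {            /* hypothetical name */
        if-exceeding {
            bandwidth-limit 50m;
            burst-size-limit 625k;    /* assumed starting value; too small a burst causes
                                         early drops and throughput below the limit */
        }
        then discard;
    }
    family inet {
        filter LAN1-IN {          /* hypothetical name */
            term police-all {
                then {
                    policer LAN1-50M;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {                  /* assumed logical unit */
            family inet {
                filter {
                    input LAN1-IN;    /* applied on ingress from LAN 1 = upload */
                }
            }
        }
    }
}
```

With this in place, download to LAN 1 is smoothed by the shaper while upload from LAN 1 is hard-limited by the policer, so TCP upload tests may settle somewhat under 50m because excess packets are discarded rather than buffered.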



  • 5.  RE: Class of Service - Interface shaping-rate vs policer

    Posted 11-07-2017 14:57

    @thynard wrote:

     

    In this case it is always traffic leaving the device.

     

     


    Thanks, it makes sense now.