SRX Services Gateway

How can I prioritize traffic coming from ISP on SRX

2 weeks ago

Hi,

Is there any way to prioritize traffic coming from the ISP? For example, start to drop packets from an HTTP transfer (download), but keep UDP VoIP packets when we reach the upper limit of the contracted bandwidth from the ISP.

Thank you,

tcp

4 REPLIES

Re: How can I prioritize traffic coming from ISP on SRX

2 weeks ago

No, only the ISP can, or you police or shape the outgoing HTTP requests, but for incoming traffic from the ISP with a limited bandwidth contract you are simply sitting on the wrong side of the line.

In the future, if your ISP allows it, you could send a police request using BGP-Flowspec, but currently most providers will not allow that.

regards

alexander


Re: How can I prioritize traffic coming from ISP on SRX

2 weeks ago

Hi,

So if somebody from my LAN protected by the SRX does a big download, he could exhaust all the contracted bandwidth and I cannot do anything about that?

I find it strange because even on the old Juniper SSG I had the option to implement prioritization in the firewall rules. I thought that, with the SRX being a newer platform, I would have more options.

Thank you,

tcp


Re: How can I prioritize traffic coming from ISP on SRX

2 weeks ago

Hello,


@tcp wrote:

Hi,

So if somebody from my LAN protected by the SRX does a big download, he could exhaust all the contracted bandwidth and I cannot do anything about that?

Generally speaking, yes, because the packets are already on the wire. Your best hope is that this rogue downloader uses TCP, and if You drop some of his/her packets, the TCP will slow down. If s/he uses UDP, then You may find out that it reacts less willingly, and if Your SRX is hit by a DDoS flood attack, You'd see that dropping packets _after_ Your SRX picked them from the ISP wire is useless in freeing the download bandwidth on the ISP wire.

I'd suggest You look into individually rate-limiting applications that are TCP-based (and do respond to packet drops) using AppQoS rate-limiters, for instance:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-application-qos.html 

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
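
Added example (not part of any reply in this thread): a toy Python model of the point made in the answer above, that a drop on the SRX only relieves the ISP link when the sender backs off on loss. The link speed, flow rates and the `simulate` function are constructed for illustration and are not Junos behaviour or configuration.

```python
# Toy model with constructed numbers: a policer placed after the ISP link.
LINK = 10.0   # contracted downstream bandwidth, Mbit/s (assumed)
VOIP = 1.0    # constant-rate VoIP stream, Mbit/s (assumed)

def simulate(responsive, policer=None, ticks=200):
    """Return the fraction of VoIP traffic lost on the ISP link.

    responsive: True  -> sender halves its rate on loss, otherwise adds
                         0.5 Mbit/s per tick (AIMD, TCP-like)
                False -> sender keeps a fixed 20 Mbit/s (unresponsive flood)
    policer:    rate limit in Mbit/s applied to the download on the SRX,
                i.e. after the packets have already crossed the ISP link.
    """
    rate = 1.0 if responsive else 20.0
    voip_sent = voip_lost = 0.0
    for _ in range(ticks):
        offered = rate + VOIP
        # ISP side: no prioritisation, overload is dropped proportionally.
        delivered_share = min(1.0, LINK / offered)
        voip_sent += VOIP
        voip_lost += VOIP * (1.0 - delivered_share)
        arrived = rate * delivered_share
        lost = delivered_share < 1.0
        # SRX side: the policer discards whatever exceeds the limit.
        if policer is not None and arrived > policer:
            lost = True
        if responsive:
            rate = rate / 2 if lost else rate + 0.5
    return voip_lost / voip_sent

if __name__ == "__main__":
    print("TCP-like, 4 Mbit/s policer :", simulate(True, policer=4.0))
    print("TCP-like, no policer       :", simulate(True))
    print("flood, 4 Mbit/s policer    :", simulate(False, policer=4.0))
    print("flood, no policer          :", simulate(False))
```

In this model the policer keeps the loss-responsive download below the link rate, while the unresponsive flow causes the same VoIP loss with or without the policer.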

Re: How can I prioritize traffic coming from ISP on SRX

2 weeks ago

Hi,

It looks like AppQoS is not really an option for an SRX managed via the Security Director because it ruins the sync status.

Thank you,

tcp