Because your goal is only to prioritize the VPN traffic and not what goes inside the VPN, I believe you can use a multifield classifier, as stated in that post by mrojas, and match ESP traffic between the two IPsec peers. Put that traffic in a specific forwarding-class and map it to a queue where you give 50% of the 50 Mbps.
Re: How to reserve bandwidth for the IPSec traffic in SRX240 cluster?
Please try this config:
set firewall family inet filter VPN-cos term T1 from source-address 10.100.11.0/24 <----------- Site-A LAN address
set firewall family inet filter VPN-cos term T1 from destination-address 10.100.22.0/24 <------- Site-B LAN address
set firewall family inet filter VPN-cos term T1 then forwarding-class assured-forwarding
set firewall family inet filter VPN-cos term T1 then accept
set firewall family inet filter VPN-cos term T1 then count VPN-Traffic
set firewall family inet filter VPN-cos term default then accept
set interfaces ge-0/0/0 unit 0 family inet filter input VPN-cos <------ Site-A LAN-facing interface
set class-of-service schedulers af-vpn transmit-rate percent 25
set class-of-service schedulers af-vpn buffer-size percent 25
set class-of-service schedulers af-vpn priority medium-high
set class-of-service scheduler-maps af-vpn-map forwarding-class assured-forwarding scheduler af-vpn
set interfaces ge-0/0/1 per-unit-scheduler
set class-of-service interfaces ge-0/0/1 unit 0 scheduler-map af-vpn-map <------- ISP-facing interface
show firewall <-- Verify the hit count
show interface ge-0/0/1 extensive | find "Queue counters:" <------- Verify counters in the assured-forwarding queue
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
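The queue-counter verification step in the reply above can be scripted. This is an added example, not part of the original posts: it parses the "Queue counters:" table and reports whether the assured-forwarding queue is carrying traffic and how much it drops. The sample output is constructed, and the table layout, the truncated queue names, the function names and the 0.5% drop threshold are assumptions.

```python
import re

# Constructed sample of the "Queue counters:" table. The column layout and the
# 12-character truncated queue names are assumptions about the device output.
SAMPLE = """\
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort                98211                98211                    0
    1 expedited-fo                   0                    0                    0
    2 assured-forw               40500                40095                  405
    3 network-cont                 312                  312                    0
"""

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_queue_counters(text):
    """Return {queue_name: {"queue", "queued", "transmitted", "dropped"}}."""
    queues, in_table = {}, False
    for line in text.splitlines():
        if "Queue counters:" in line:
            in_table = True
            continue
        if not in_table:
            continue
        m = ROW.match(line)
        if not m:
            if queues:
                break          # first non-row line after the rows ends the table
            continue
        num, name, queued, sent, dropped = m.groups()
        queues[name] = {"queue": int(num), "queued": int(queued),
                        "transmitted": int(sent), "dropped": int(dropped)}
    return queues

def check_queue(queues, forwarding_class="assured-forwarding", max_drop_pct=0.5):
    """Return (status, drop_pct); status is missing, no-traffic, dropping or ok."""
    # The table may truncate names, so match on the displayed prefix.
    row = next((q for n, q in queues.items() if forwarding_class.startswith(n)), None)
    if row is None:
        return ("missing", 0.0)
    handled = row["transmitted"] + row["dropped"]
    if handled == 0:
        return ("no-traffic", 0.0)   # classifier is not putting packets in this queue
    drop_pct = 100 * row["dropped"] / handled
    return ("dropping" if drop_pct > max_drop_pct else "ok", drop_pct)

if __name__ == "__main__":
    print(check_queue(parse_queue_counters(SAMPLE)))
```

A "no-traffic" result for assured-forwarding while the VPN-Traffic filter counter is increasing points at the scheduler map or interface binding rather than the filter.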