SRX Services Gateway

How to reserve bandwidth for the IPSec traffic in SRX240 cluster?

a week ago

Hi guys, 

I'm facing some issues with the bandwidth usage and it's affecting the performance of the VPN tunnels ending on an SRX240 cluster running JUNOS 12.3X48-D65.1.

 

We have a symmetric internet line 50Mbps up/down. I wonder if there is a way to reserve say 25Mbps only for the IPSec VPN traffic. 

 

Any help would be much appreciated

Thanks


Re: How to reserve bandwidth for the IPSec traffic in SRX240 cluster?

a week ago

You may configure COS to prioritize outgoing VPN traffic. Please follow this KB for example config: https://kb.juniper.net/InfoCenter/index?page=content&id=KB25847&cat=TRAFFIC_ENGINEERING&actp=LIST

 

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: How to reserve bandwidth for the IPSec traffic in SRX240 cluster?

a week ago

Hi Nellikka, 

In my case, which protocol should I pick? ESP?

Also, which queue?

 

BR


Re: How to reserve bandwidth for the IPSec traffic in SRX240 cluster?

Wednesday

Match the actual traffic going through the tunnel, and you may use the assured forwarding or expedited forwarding queue, or create a custom one.

 

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: How to reserve bandwidth for the IPSec traffic in SRX240 cluster?

Thursday

I don't understand what you mean. My questions at this point are quite specific: which protocol to use for IPsec VPN tunnels, and which queue to set, as I didn't understand it in the KB.

 

Thanks


Re: How to reserve bandwidth for the IPSec traffic in SRX240 cluster?

Thursday

Trasgu,

 

see: https://forums.juniper.net/t5/SRX-Services-Gateway/SRX340-Prioritize-VPN-traffic/td-p/463511

 

Because your goal is only to prioritize the VPN traffic and not what goes inside the VPN, I believe you can use a multifield-classifier as stated on that post by mrojas and match ESP traffic between the two IPsec peers. Put that traffic on a specific forwarding-class and map it to a queue where you give 50% of the 50Mbps.

 

Solution
Accepted by topic author Trasgu
Thursday

Re: How to reserve bandwidth for the IPSec traffic in SRX240 cluster?

Thursday

Please try this config:

 

# Firewall filter: classify Site-A to Site-B traffic into assured-forwarding
# Source: Site-A LAN address
set firewall family inet filter VPN-cos term T1 from source-address 10.100.11.0/24
# Destination: Site-B LAN address
set firewall family inet filter VPN-cos term T1 from destination-address 10.100.22.0/24
set firewall family inet filter VPN-cos term T1 then forwarding-class assured-forwarding
set firewall family inet filter VPN-cos term T1 then accept
set firewall family inet filter VPN-cos term T1 then count VPN-Traffic
set firewall family inet filter VPN-cos term default then accept

# Apply the filter inbound on the Site-A LAN-facing interface
set interfaces ge-0/0/0 unit 0 family inet filter input VPN-cos

# Scheduler and scheduler map for the assured-forwarding class
set class-of-service schedulers af-vpn transmit-rate percent 25
set class-of-service schedulers af-vpn buffer-size percent 25
set class-of-service schedulers af-vpn priority medium-high
set class-of-service scheduler-maps af-vpn-map forwarding-class assured-forwarding scheduler af-vpn

# Attach the scheduler map to the ISP-facing interface
set interfaces ge-0/0/1 per-unit-scheduler
set class-of-service interfaces ge-0/0/1 unit 0 scheduler-map af-vpn-map

# Operational mode: verify the filter hit count
show firewall
# Operational mode: verify the counters in the assured-forwarding queue
show interfaces ge-0/0/1 extensive | find "Queue counters:"
 

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
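
The last verification step in the accepted answer can be scripted. The following is an added example, not part of the original post or of any Juniper tooling: it parses a "Queue counters:" table and checks the assured-forwarding queue. The sample output is constructed, and the function names and the 1% drop threshold are assumptions.

```python
import re

# Constructed sample of the "Queue counters:" table from
# `show interfaces ge-0/0/1 extensive`; the numbers are illustrative only.
SAMPLE = """\
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0 best-effort              1840213              1795002                45211
    1 expedited-fo                   0                    0                    0
    2 assured-forw              612400               612388                   12
    3 network-cont                9120                 9120                    0
"""

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_queue_counters(text):
    """Return {displayed class name: counters} for the first queue table."""
    queues, in_table = {}, False
    for line in text.splitlines():
        if "Queue counters:" in line:
            if queues:
                break              # a later table; keep only the first
            in_table = True
            continue
        m = ROW.match(line) if in_table else None
        if m is None:
            if queues:
                break              # first non-row line after rows ends the table
            continue
        num, name, queued, sent, dropped = m.groups()
        offered = int(sent) + int(dropped)
        queues[name] = {
            "queue": int(num), "queued": int(queued),
            "transmitted": int(sent), "dropped": int(dropped),
            # Assumption: drop ratio = dropped / (transmitted + dropped)
            "drop_pct": 100.0 * int(dropped) / offered if offered else 0.0,
        }
    return queues

def check_vpn_queue(text, fc="assured-forwarding", max_drop_pct=1.0):
    """Return (ok, reason). max_drop_pct is an assumed threshold; tune it."""
    for name, c in parse_queue_counters(text).items():
        if fc.startswith(name):    # the CLI may truncate long class names
            if c["transmitted"] == 0:
                return False, f"{name}: no packets, is the filter matching?"
            if c["drop_pct"] > max_drop_pct:
                return False, f"{name}: {c['drop_pct']:.2f}% dropped"
            return True, f"{name}: {c['drop_pct']:.3f}% dropped"
    return False, f"{fc}: queue not found"

if __name__ == "__main__":
    print(check_vpn_queue(SAMPLE))
```

A zero transmitted count in the assured-forwarding queue usually means the VPN-cos filter is not matching, so compare it with the VPN-Traffic counter from `show firewall`.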

Re: How to reserve bandwidth for the IPSec traffic in SRX240 cluster?

Thursday

Many thanks!!