SRX Services Gateway

Opinion on Approach: COS with Dual Subnet Ethernet Handoff.

‎04-10-2015 03:18 PM

I have 2 SRX240H2's, 2 Sites.

At each site we have an internet connection and an MPLS tunnel, each on their own Subnet.

I have X amount of throughput; whether it's going over the Internet or MPLS, it's limited to X.

How would I group these subnets together on one physical interface "correctly" for COS to properly manage the outbound traffic?

I am thinking this:

http://www.juniper.net/techpubs/en_US/junos13.2/topics/example/cos-applying-scheduling-to-vlans.html

But with a single Scheduler, single traffic control profile.  The only real difference should be the output-traffic-control-profile statement:

    interfaces {
        xe-9/0/3 {
            output-traffic-control-profile tcp_ifd;
            unit 1 {
                output-traffic-control-profile tcp_gold;
            }
            unit 2 {
                output-traffic-control-profile tcp_silver;
            }
        }
    }

Would become

    interfaces {
        ge-0/0/0 {
            output-traffic-control-profile tcp_ifd;
            unit 1 {
                output-traffic-control-profile Site2Site;
            }
            unit 2 {
                output-traffic-control-profile Site2Site;
            }
        }
    }

From there I use a combination of MF and BE Classifiers to map my traffic to DSCP codepoints before they hit the schedulers and problem solved.

If I throw IPSEC VPN, Mac-Sec or GRE tunnels into the mix, I'd just terminate the tunnel on one of the logical interfaces and I'm set.  (I've considered setting up 2 tunnels over the MPLS link, both IPSEC VPN with AH+ESP; one encrypted for file\print\etc traffic, one unencrypted for realtime traffic).

Any Thoughts?

Re: Opinion on Approach: COS with Dual Subnet Ethernet Handoff.

‎04-11-2015 07:19 AM
I am not sure if output-traffic-control-profile is supported on SRX240, as it uses software-based CoS.
Thanks,
Suraj
Re: Opinion on Approach: COS with Dual Subnet Ethernet Handoff.

‎04-13-2015 12:00 PM

This guy shows support in 12.1, which is what I'm running.  The Tiered COS makes sense as a feature on the branch SRX and is a good solution for multisite MPLS as well.  I can apply the limiters directly to the interface, and use BE\MF Classifiers to classify the VPN Traffic.

http://www.juniper.net/documentation/en_US/junos12.1/topics/example/cos-control-remaining-traffic-se...

I was thinking since it was configured under root > class-of-service and not directly on interfaces and fw zones that we were probably dealing with Software COS anyway.  I have the O'Reilly enterprise switching, routing, and SRX books; the SRX book makes no mention of COS at all, the Enterprise routing and switching makes some references, and in those references you are configuring things on the interfaces - [int id] - unit [x] subcontext.

I've got 2 SRX connected with a Cisco 806 for a test environment.  The 806 maxes out at 10Mbit, and my WAN links are 10mbit and 20mbit.  I think this lines me up to do a study today and tomorrow using Iperfs and a couple laptops to do a few example configurations and see what happens with and without the cross-site VPN connection when I shove a gigabit of mixed traffic into the SRX using iperfs.

I've seen IMIX Scores on the SRX of 70mbit at full bore, so I should be able to get to at least half with COS and the reference configuration.