SRX Services Gateway

SRX per customer bandwidth shaping upload & download

07-19-2017 09:52 AM

We're migrating from ScreenOS to an SRX1500 as an edge firewall. Each customer will be on their own port/zone and virtual-router. All traffic from each VR to Trust will be NATted to a specific NAT IP (one IP per customer). These NAT IPs will be exported into the trust-vr and redistributed into our IGP.

The customers will access services hosted in trust.

I've managed to configure all of the above.


In ScreenOS we restrict customer bandwidth at the interface level using gbw and mbw (we allow max bandwidth of double the gbw they have purchased from us). The traffic from customer1_zone to trust_zone is split into two types; mission-critical traffic of which we guaranteed a small portion at the policy level, and everything else.


For example, a customer purchases 20Mbps of guaranteed bandwidth. We would allow a max bandwidth of 40Mbps if the bandwidth was available.

A minimum guarantee of 5Mbps would be allocated to mission-critical traffic (for ease, assume this is HTTPS). More than 5Mbps of HTTPS traffic would be allowed if no other traffic was seen. This was done at the policy level.


I need to replicate this to JUNOS.

I understand that policing is done on inbound and shaping on outbound. I do not want to do simple policing as this can have a detrimental impact on TCP traffic. I have considered 2-rate policing with sufficient burst, but this does not take into account the type of packets it would drop (I would prefer to drop HTTP packets rather than at random).


I need to limit upload and download to the guaranteed bw/max bw. This means I'd need a shaper on the egress (trust) interface to limit upload bw, which needs to be customer specific as each customer may purchase different bandwidth (filtered by routing-instance or NAT IP or logical interface).

To limit customer download, I'd need a shaper on the customer interface.


However, I still need to be able to configure a guaranteed bandwidth of 5Mbps for HTTPS traffic in both directions.


In IOS, this would be easily achieved using Hierarchical QoS but SRX1500 doesn't seem to support this.


Could anyone provide some hints on how to achieve this?


5 REPLIES

Re: SRX per customer bandwidth shaping upload & download

07-20-2017 05:08 PM

Take a look at this:

https://www.juniper.net/documentation/en_US/junos/topics/concept/cos-hierarchical-scheduler-security...

The other option could be to look at AppSecure AppQoS and see if that has any options that could work.

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

Re: SRX per customer bandwidth shaping upload & download

07-21-2017 12:57 AM

Unfortunately, SRX1500 doesn't yet support HQoS.

I'll take a look at AppQoS and see if it meets my requirements.


Thanks


Re: SRX per customer bandwidth shaping upload & download

07-21-2017 12:53 PM

Look at the supported platforms to the right of the link I posted. That link applies to the vSRX and the SRX. There is another type of HCoS that does not apply to the SRX. Give it a shot and let us know if you get any errors etc. There is an example shown and explained. Save your config first. In fact you can copy the example, paste it into Notepad, then modify it to suit your SRX, load it in the terminal (load merge terminal), then copy/paste it in. If there are errors loading it, it will tell you. Ctrl ^D, then "commit check" and that will tell you where the errors are. Rollback, fix the errors, then try again. Then use "commit confirmed <value in minutes>" to temporarily apply and test.

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

Re: SRX per customer bandwidth shaping upload & download

07-24-2017 01:58 AM

I don't think AppQoS will meet my needs. I need different CoS applied to the same application but for each customer.

And to restrict upload traffic (from customer to trust) I would have to shape on the egress interface. And as shaping is only done on queues, I may have more customers than queues (with each customer having their own purchased CIR).


At the moment I've got outbound shaping on the customer interface and inbound policing, but this is having a detrimental effect on TCP connections.

Even two-rate policers (more specifically three-color policers) aren't supported on the SRX1500 to ease the level of packet loss.


I tried using traffic-control-profiles but it says it is unsupported. I've got a ticket opened with JTAC to ask when this feature will be released.


[edit class-of-service]
xxxxx@xxxxxxxxxx# show
##
## Warning: configuration block ignored: unsupported platform (srx1500)
##
traffic-control-profiles {
    customer1-100m-shaper {
        shaping-rate 100m;
    }
}

xxxxx@xxxxxxxxxx# run show version
Hostname: xxxxxxxxxx
Model: srx1500
Junos: 15.1X49-D100.6


Re: SRX per customer bandwidth shaping upload & download

07-24-2017 09:52 AM

OK, thanks for the update. Keep us apprised of the outcome. Unless this feature is strictly hardware dependent, it should not be too long before they make it possible. Maybe a feature request to Juniper.

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]