SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX240 QoS to ISP

    Posted 02-05-2014 01:48

    Hi all,

     

    I need some advice on the following please:

     

    • I have two internal networks (Guest and Corp) and two connections to the Internet via two separate ISP routers.
    • The guest traffic egresses to the Internet using ISP A and the Corp traffic is filter based forwarded to the Internet via  ISP B.
    • If the ISP B Internet connection fails, the Corp traffic is routed via ISP A.

    jnet.vsd

     

    I need to figure out how to implement QoS or CoS on the SRX interface that connects to ISP A, so that all the Corp traffic gets priority over the ISP A interface.

     

    Ideally I would like the Guest traffic to be able to use all of the ISP A bandwidth if there is no Corp traffic on that interface.

     

    But if there is Corp traffic on the ISP A connection (i.e. the ISP B connection has failed), then I would like to constrain the Guest traffic to either a bandwidth percentage or limit it to a set number of bytes etc. A 25% Guest and 75% Corp split would be good.

     

    I am guessing that I will need to set the different DSCP values on the Guest and Corp traffic when it comes inbound to the SRX and then set up the interface queuing to prioritise the Corp traffic.

     

    Does anybody have any example configs or know of any KB articles that would point me in the right direction (assuming that the above can be done)?

     

    Thanks in advance for any help given.

     

    Rgds

     

    John



  • 2.  RE: SRX240 QoS to ISP
    Best Answer

    Posted 02-05-2014 03:56

    Hi John,

     

    You shouldn't need to go to the trouble of (re)marking your Corp and Guest traffic with DSCP - Junos CoS configuration will allow you to just place all traffic from a particular interface into a forwarding-class, then handle the scheduling/queuing appropriately.

     

    Create yourself a firewall filter like so:

     

    family inet {
        filter CORP-TRAFFIC {
            term ALL-TRAFFIC {
                then forwarding-class CORP-TRAFFIC;
            }
        }
    }

    Then apply it on the inbound direction to ge-0/0/4:

    ge-0/0/4 {
        unit 0 {
            family inet {
                filter {
                    input CORP-TRAFFIC;
                }
                address 10.1.1.1/24;
            }
        }
    }
    

    Do the same for the guest traffic and then it's just a matter of configuring your Class of Service settings for the ISP B interface to actually use with appropriate schedulers.  Make sure you shape your ISP-B interface to the actual speed you're being delivered, otherwise the percentage will be of the detected link speed (eg: 1G or 100Mbps):

     

    forwarding-classes {
        queue 4 GUEST-TRAFFIC;                
        queue 5 CORP-TRAFFIC;
    }
    interfaces {
        ge-0/0/1 {
            unit 0 {
                scheduler-map ISP-B-SCHEDULER;
                shaping-rate 10m;
            }
        }
    }
    scheduler-maps {
        ISP-B-SCHEDULER {
            forwarding-class GUEST-TRAFFIC scheduler GUEST-SCHEDULER;
            forwarding-class CORP-TRAFFIC scheduler CORP-SCHEDULER;
        }
    }
    schedulers {
        CORP-SCHEDULER {
            transmit-rate percent 75;
            buffer-size percent 50;
            priority high;           
        }
        GUEST-SCHEDULER {
            transmit-rate {
                remainder;
            }
            buffer-size {
                remainder;
            }
            priority low;
        }
    }

     

    Dealing with the inbound flow (probably the bigger issue here since it is Internet traffic) will be a bit harder though.  You would expect your firewall filter would need to match on destination addresses (maybe your entire Guest range for GUEST-TRAFFIC, then assume everything else is CORP-TRAFFIC) but because they apply before any security flow, the destination address will be the outside NAT interface when it hits the firewall filter.

     

    Nothing super-obvious springs to mind on how to get around this, but I'll let you know ; )



  • 3.  RE: SRX240 QoS to ISP

    Posted 02-06-2014 09:41

    Hi Ben,

     

    I've only done some basic testing so far, but it all looks good.

     

    The SRX complained as follows, but when I configured ge-0/0/1 with a per-unit-scheduler (the only option on my SRX240), it allowed me to commit the config:

     

    [edit class-of-service interfaces]
      'ge-0/0/1'
        'per-unit-scheduler', 'hierarchical-scheduler', or 'shared-scheduler' for this interface is required for scheduler map on interface unit
    error: commit failed: (statements constraint check failed)

     

    Thank you for your help and quick response.

     

    Rgds

     

    John



  • 4.  RE: SRX240 QoS to ISP

    Posted 02-09-2014 17:33

    Hi John,

     

    Sorry - I left that bit out, but yes you will require it ; )
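
The two pieces the thread refers to but does not show, written out as an added example (not part of any poster's reply): the matching guest-side filter from "Do the same for the guest traffic", and the `per-unit-scheduler` statement that the commit check in post 3 asks for on ge-0/0/1. The guest interface name `ge-0/0/5`, its address, and the filter name `GUEST-TRAFFIC` are assumptions made for illustration.

```junos
firewall {
    family inet {
        /* Assumed name; mirrors the CORP-TRAFFIC filter from post 2 */
        filter GUEST-TRAFFIC {
            term ALL-TRAFFIC {
                /* forwarding-class alone implies accept, as in the Corp filter */
                then forwarding-class GUEST-TRAFFIC;
            }
        }
    }
}
interfaces {
    /* Hypothetical guest-facing interface; name and address are placeholders */
    ge-0/0/5 {
        unit 0 {
            family inet {
                filter {
                    input GUEST-TRAFFIC;
                }
                address 192.0.2.1/24;
            }
        }
    }
    /* Egress interface that carries the scheduler map in post 2 */
    ge-0/0/1 {
        /* Required before a scheduler-map can be bound to unit 0 under
           class-of-service; without it the commit fails with the
           constraint check error quoted in post 3 */
        per-unit-scheduler;
    }
}
```

After the commit, `show class-of-service interface ge-0/0/1` confirms the scheduler map is bound to the unit, and `show interfaces queue ge-0/0/1` shows whether Guest and Corp traffic are landing in queues 4 and 5.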