Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  How to limit VPN bandwidth?

    Posted 03-13-2014 11:07

    Hi Guys,

     

    In a route based site-to-site VPN, if we would like to limit the VPN bandwidth, should this be done by limiting the bandwidth of the tunnel interface? Is this all we need to do?

     

    tunnel_interface.PNG

     

    Thank You,

     

    Arnel

     

     




  • 2.  RE: How to limit VPN bandwidth?

    Posted 03-14-2014 06:32

    I've not used this particular approach, but the interface here is pretty much the same as the policer on a per policy basis.  This I have used and it works well for keeping bandwidth under control.

     

    Since this is on the interface it would apply to all traffic across your tunnel interface.

     

    The policy based policer restricts based on what specific traffic hits the policy.  These you will see in the advanced tab under policy edit.

     

    All you need to do for the policy is select these numbers.

     

    If you want to use class of service instead then more design and configuration is required.



  • 3.  RE: How to limit VPN bandwidth?

    Posted 03-14-2014 07:29

    Hi Steve,

     

    USA

    11.11.1.0/24 – bgroup2

    Tunnel.3 associated with bgroup2

     

    China

    192.168.2.0/24 – eth0/9

    Tunnel.3 associated with eth0/9

     

    So to limit the bandwidth of the tunnel interface, the policy to be created is in Trust to Trust zone, is this correct? Also, should this be created in both sides?

     

    USA

    11.11.1.0/24(source) to 192.168.2.0/24(destination) ANY(service) Permit(Action) 

     

    China

    192.168.2.0/24(source) to 11.11.1.0/24(destination) ANY(service) Permit(Action) 

     

    Policy edit_advanced.PNG

     

    Thanks,

     

    Arnel



  • 4.  RE: How to limit VPN bandwidth?

    Posted 03-14-2014 07:36

    The policy zones will be based on the interface zones for ingress and egress.

     

    Bgroup2 zone to eth0/9 for traffic from USA to China

     

    And the reverse for China to USA.

     

    The address objects also need to be created in the matching zone to where the traffic is found.

     

    What I am saying is that tunnel interface setting would be one option and the Policy setting would be another option.

     

    You really would pick one or the other.

     

    The tunnel interface will provide a global overall limit.

     

    The policy settings let you choose per policy for more granular control if needed.



  • 5.  RE: How to limit VPN bandwidth?

    Posted 03-17-2014 14:55

    Hi Steve,

     

    Apologies as I don't think I follow. So we have 2 options to limit the VPN tunnel bandwidth. Please confirm if the procedures below for each option are correct. Thank you very much!

     

    1. By tunnel interface.

    a.)  Network > Interface > List > Edit

    b.) Set the Egress and Ingress limit under Traffic Bandwidth.

     

    2. By Policy.

    a.)  Policy > Policies > Trust to Trust > New

    b.) Bgroup2 zone to eth0/9 ------> (for US firewall)

    c.) eth0/9 zone to Bgroup2 ------> (for China firewall)

    d.) Then for traffic shaping it will look like the above screenshot for both firewalls.

     

    Again, sorry as I'm kind of confused without asking the steps.

     

    Regards,

     

    Arnel



  • 6.  RE: How to limit VPN bandwidth?
    Best Answer

    Posted 03-18-2014 03:13

    Sorry for the lack of clarity.

     

    Yes, you have this correct.  These are the two places you can put in bandwidth limits.



  • 7.  RE: How to limit VPN bandwidth?

    Posted 03-18-2014 06:45

    Alright! Thanks Steve. 🙂