ScreenOS Firewalls (NOT SRX)

How to limit VPN bandwidth?

‎03-13-2014 11:07 AM

Hi Guys,

In a route-based site-to-site VPN, if we would like to limit the VPN bandwidth, should this be done by limiting the bandwidth of the tunnel interface? Is this all we need to do?

tunnel_interface.PNG

Thank You,

Arnel


Re: How to limit VPN bandwidth?

‎03-14-2014 06:31 AM

I've not used this particular approach, but the interface here is pretty much the same as the policer on a per-policy basis. This I have used and it works well for keeping bandwidth under control.

Since this is on the interface it would apply to all traffic across your tunnel interface.

The policy-based policer restricts based on what specific traffic hits the policy. These you will see in the advanced tab under policy edit.

All you need to do for the policy is select these numbers.

If you want to use class of service instead then more design and configuration is required.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: How to limit VPN bandwidth?

‎03-14-2014 07:29 AM

Hi Steve,

USA

11.11.1.0/24 – bgroup2

Tunnel.3 associated with bgroup2

China

192.168.2.0/24 – eth0/9

Tunnel.3 associated with eth0/9

So to limit the bandwidth of the tunnel interface, the policy to be created is in the Trust to Trust zone, is this correct? Also, should this be created on both sides?

USA

11.11.1.0/24 (source) to 192.168.2.0/24 (destination) ANY (service) Permit (action)

China

192.168.2.0/24 (source) to 11.11.1.0/24 (destination) ANY (service) Permit (action)

Policy edit_advanced.PNG

Thanks,

Arnel


Re: How to limit VPN bandwidth?

‎03-14-2014 07:36 AM

The policy zones will be based on the interface zones for ingress and egress.

Bgroup2 zone to eth0/9 for traffic from USA to China.

And the reverse for China to USA.

The address objects also need to be created in the matching zone to where the traffic is found.

What I am saying is that the tunnel interface setting would be one option and the policy setting would be another option.

You really would pick one or the other.

The tunnel interface will provide a global overall limit.

The policy settings let you choose per policy for more granular control if needed.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: How to limit VPN bandwidth?

‎03-17-2014 02:55 PM

Hi Steve,

Apologies as I don't think I follow. So we have 2 options to limit the VPN tunnel bandwidth. Please confirm if the procedures below for each option are correct. Thank you very much!

1. By tunnel interface.

a.) Network > Interface > List > Edit

b.) Set the Egress and Ingress limit under Traffic Bandwidth.

2. By Policy.

a.) Policy > Policies > Trust to Trust > New

b.) Bgroup2 zone to eth0/9 ------> (for US firewall)

c.) eth0/9 zone to Bgroup2 ------> (for China firewall)

d.) Then for traffic shaping it will look like the above screenshot for both firewalls.

Again, sorry as I'm kind of confused without asking the steps.

Regards,

Arnel

Solution
Accepted by topic author Noctis0791
‎08-26-2015 01:27 AM

Re: How to limit VPN bandwidth?

‎03-18-2014 03:12 AM

Sorry for the lack of clarity.

Yes, you have this correct. These are the two places you can put in bandwidth limits.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: How to limit VPN bandwidth?

‎03-18-2014 06:45 AM

Alright! Thanks Steve.