Sometimes it’s necessary to limit specific traffic in terms of bandwidth. Today I like to show you how to manage bandwidth limits using QoS and firewall policies. Especially if you have only limited bandwidth, e.g. a DSL connection, it can be useful to manage the used bandwidth for specific hosts or protocols. I use a really simple setup to show you, how you can manage bandwidth using CoS on a Juniper SRX.
As you can see: A very simple setup. Also the initial config of my SRX is also quite simple. Two Interfaces, default-permit between the zones. Interface ge-0/0/1 is the untrusted, the external interface. Interface ge-0/0/0 is my the interface to my trusted network, therefore it belongs to my trusted zone. Let’s assume, that ge-0/0/1 is limited to 15 Mb/s and that 10 Mb/s of the traffic should be for traffic to port 80 and 5001. Any other traffic should be limited to 5 Mb/s.
Class of Service Config
First of all we need to configure two new queues.
set class-of-service forwarding-classes queue 4 bandwidth-10mb
set class-of-service forwarding-classes queue 5 bandwidth-5mb
Now we add two schedulers. The first scheduler will set the transmit rate to 10 Mb/s, the second scheduler to 5 Mb/s. The keyword “exact” causes, that packets were buffered under congestion.
set class-of-service schedulers scheduler-10mb transmit-rate 10m
set class-of-service schedulers scheduler-10mb transmit-rate exact
set class-of-service schedulers scheduler-5mb transmit-rate 5m
set class-of-service schedulers scheduler-5mb transmit-rate exact
Before the schedulers can be applied to an interface, we have to create a scheduler-map and map the forwarding-class to a specific scheduler.
set class-of-service scheduler-maps bandwidth-limit forwarding-class bandwidth-10mb scheduler scheduler-10mb
set class-of-service scheduler-maps bandwidth-limit forwarding-class bandwidth-5mb scheduler scheduler-5mb
Now we can apply the scheduler-map to the untrusted interface. The keyword “shaping-rate” specifies the amount of bandwidth to be allocated to the logical interface.
set class-of-service interfaces ge-0/0/1 unit 0 scheduler-map bandwidth-limit
set class-of-service interfaces ge-0/0/1 unit 0 shaping-rate 15m
The next step is to create input and output filters. The filters assigns traffic with specific criterias to a forwarding queue. The first filter is the filter for the input traffic.
set firewall family inet filter bandwidth-input term 0 from source-port 80
set firewall family inet filter bandwidth-input term 0 from source-port 5001
set firewall family inet filter bandwidth-input term 0 then count input-10m
set firewall family inet filter bandwidth-input term 0 then forwarding-class bandwidth-10mb
set firewall family inet filter bandwidth-input term 0 then accept
set firewall family inet filter bandwidth-input term 1 then count input-5m
set firewall family inet filter bandwidth-input term 1 then forwarding-class bandwidth-5mb
set firewall family inet filter bandwidth-input term 1 then accept
As you can see, the filter assigns traffic with source-port 80 or 5001 to the forwarding-class “bandwidth-10mb”, which uses the scheduler “scheduler-10mb”. This scheduler limits the transmit-rate to 10 Mb/s. If traffic doesn’t use source port 80 or 5001, then the forwarding-class” bandwidth-5mb” will be assigned.
The second filter is for the outbound traffic. It uses the same setup, but it assigns traffic to forwarding-class “bandwidth-10mb”, when the destination port is 80 or 5001
set firewall family inet filter bandwidth-output term 0 from destination-port 80
set firewall family inet filter bandwidth-output term 0 from destination-port 5001
set firewall family inet filter bandwidth-output term 0 then count output-10m
set firewall family inet filter bandwidth-output term 0 then forwarding-class bandwidth-10mb
set firewall family inet filter bandwidth-output term 0 then accept
set firewall family inet filter bandwidth-output term 1 then count output-5m
set firewall family inet filter bandwidth-output term 1 then forwarding-class bandwidth-5mb
set firewall family inet filter bandwidth-output term 1 then accept
The last step is to assign the input and output filter, as well as setting the “per-unit-scheduler” option, which is needed when shaping is used with logical interfaces.
set interfaces ge-0/0/1 per-unit-scheduler
set interfaces ge-0/0/1 unit 0 family inet filter input bandwidth-input
set interfaces ge-0/0/1 unit 0 family inet filter output bandwidth-output
This setup worked in my lab and I was able to test the funktion of the different filters with iperf. The most challenging part are the firewall filters, especially if you need to create more complex filters. I recommend not to change the default queues. I added two new queues for my needs. Input filters are used to evaluate packets received on the interface. For output filters the opposite is true: They are used to evaluate packets that are transmitted on the interface.
Feel free to follow him on Twitter and/ or leave a comment.
Latest posts by Patrick Terlisten (see all)
- vCenter Migration from 6.0 to 6.7 fails due to missing user role - October 9, 2019
- VCAP6.5-DCV Design – Objective 2.1 Map business requirements to a vSphere 6.x logical design - October 4, 2019
- Supported Active Directory environments for Microsoft Exchange - September 7, 2019