Juniper SRX: Using CoS to manage bandwidth

This posting is ~5 years old. Keep that in mind: IT is a short-lived business, and this information might be outdated.

Sometimes it’s necessary to limit specific traffic in terms of bandwidth. Today I’d like to show you how to manage bandwidth limits using Class of Service (CoS) and firewall filters. Especially if you only have limited bandwidth, e.g. a DSL connection, it can be useful to manage the bandwidth used by specific hosts or protocols. I use a really simple setup to show you how you can manage bandwidth using CoS on a Juniper SRX.

[Figure: juniper-srx-testbed. Patrick Terlisten / www.vcloudnine.de / Creative Commons CC0]

As you can see: a very simple setup. The initial config of my SRX is also quite simple: two interfaces and a default-permit policy between the zones. Interface ge-0/0/1 is the untrusted, external interface. Interface ge-0/0/0 is the interface to my trusted network and therefore belongs to the trust zone. Let’s assume that ge-0/0/1 is limited to 15 Mb/s, that 10 Mb/s of that should be reserved for traffic to and from ports 80 and 5001, and that any other traffic should be limited to 5 Mb/s.

Class of Service Config

First of all we need to configure two new forwarding classes, each on its own queue. Queues 0 to 3 are the Junos defaults (best-effort, expedited-forwarding, assured-forwarding, network-control), so the new classes go on unused queue numbers.

Now we add two schedulers. The first scheduler sets the transmit rate to 10 Mb/s, the second to 5 Mb/s. The keyword “exact” turns the transmit rate into a hard cap: the queue may not borrow unused bandwidth from other queues, and under sustained congestion excess packets are buffered and eventually dropped. Without “exact” a queue is guaranteed its rate but may burst above it while the link is otherwise idle.

Before the schedulers can be applied to an interface, we have to create a scheduler-map that maps each forwarding-class to its scheduler.

Now we can apply the scheduler-map to the untrusted logical interface. The keyword “shaping-rate” specifies the maximum bandwidth the logical interface may transmit; here it matches the 15 Mb/s of the uplink, so the two queues are scheduled within that limit.

Firewall Config

The next step is to create an input and an output filter. The filters assign traffic matching specific criteria to a forwarding class, and thereby to a queue. The first filter is for the input (inbound) traffic.

As you can see, the filter assigns traffic with source port 80 or 5001 to the forwarding-class “bandwidth-10mb”, which uses the scheduler “scheduler-10mb”. This scheduler limits the transmit rate to 10 Mb/s. If traffic doesn’t use source port 80 or 5001, the forwarding-class “bandwidth-5mb” is assigned instead.

The second filter is for the outbound traffic. It uses the same structure, but assigns traffic to forwarding-class “bandwidth-10mb” when the destination port is 80 or 5001.

Filter Config

The last step is to attach the input and output filters to the interface and to set the “per-unit-scheduler” option, which is required when shaping is applied to logical interfaces (units) rather than the physical interface.
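The complete configuration described in the steps above, as an added example reconstructed from the prose (the post’s own listing is not reproduced on this page). Queue numbers 4 and 5, the filter, term and counter names, and ge-0/0/1 unit 0 as the shaped interface are assumptions; the “protocol [ tcp udp ]” matches and the final ge-0/0/0 block go beyond what the post configures and are marked as such. Lines starting with “#” are annotations, not CLI input.

```junos
# --- 1. Two new forwarding classes on unused queues (0-3 are the Junos defaults) ---
set class-of-service forwarding-classes queue 4 bandwidth-10mb
set class-of-service forwarding-classes queue 5 bandwidth-5mb

# --- 2. Schedulers. "exact" makes the rate a hard cap: no borrowing of idle
#        bandwidth, and excess is buffered then dropped under sustained congestion.
#        Remove "exact" if a class may burst above its rate on an idle link. ---
set class-of-service schedulers scheduler-10mb transmit-rate 10m
set class-of-service schedulers scheduler-10mb transmit-rate exact
set class-of-service schedulers scheduler-5mb transmit-rate 5m
set class-of-service schedulers scheduler-5mb transmit-rate exact

# --- 3. Scheduler map: forwarding class -> scheduler ---
set class-of-service scheduler-maps bandwidth-limit forwarding-class bandwidth-10mb scheduler scheduler-10mb
set class-of-service scheduler-maps bandwidth-limit forwarding-class bandwidth-5mb scheduler scheduler-5mb

# --- 4. Apply the map to the untrusted logical interface; shaping-rate is the 15 Mb/s line rate ---
set class-of-service interfaces ge-0/0/1 unit 0 scheduler-map bandwidth-limit
set class-of-service interfaces ge-0/0/1 unit 0 shaping-rate 15m

# --- 5. Input filter: packets arriving from the Internet. Replies from port 80/5001
#        go to the 10 Mb/s class, everything else to the 5 Mb/s class.
#        (assumption: "protocol [ tcp udp ]" added because a bare port match is only
#        meaningful for TCP/UDP; counters are added so the terms can be verified) ---
set firewall family inet filter bandwidth-input term web-iperf from protocol [ tcp udp ]
set firewall family inet filter bandwidth-input term web-iperf from source-port [ 80 5001 ]
set firewall family inet filter bandwidth-input term web-iperf then count input-10mb
set firewall family inet filter bandwidth-input term web-iperf then forwarding-class bandwidth-10mb
set firewall family inet filter bandwidth-input term web-iperf then accept
# catch-all term: without it the implicit discard at the end of the filter drops all other traffic
set firewall family inet filter bandwidth-input term other then count input-5mb
set firewall family inet filter bandwidth-input term other then forwarding-class bandwidth-5mb
set firewall family inet filter bandwidth-input term other then accept

# --- 6. Output filter: packets leaving toward the Internet, same logic on destination-port ---
set firewall family inet filter bandwidth-output term web-iperf from protocol [ tcp udp ]
set firewall family inet filter bandwidth-output term web-iperf from destination-port [ 80 5001 ]
set firewall family inet filter bandwidth-output term web-iperf then count output-10mb
set firewall family inet filter bandwidth-output term web-iperf then forwarding-class bandwidth-10mb
set firewall family inet filter bandwidth-output term web-iperf then accept
set firewall family inet filter bandwidth-output term other then count output-5mb
set firewall family inet filter bandwidth-output term other then forwarding-class bandwidth-5mb
set firewall family inet filter bandwidth-output term other then accept

# --- 7. Attach the filters and enable per-unit scheduling on the shaped interface ---
set interfaces ge-0/0/1 per-unit-scheduler
set interfaces ge-0/0/1 unit 0 family inet filter input bandwidth-input
set interfaces ge-0/0/1 unit 0 family inet filter output bandwidth-output

# --- 8. Beyond the post: schedulers act on the egress queues of an interface, so the
#        map above only shapes traffic leaving ge-0/0/1 (uploads). Downloads that the
#        input filter classified leave the SRX via ge-0/0/0; apply the map there too
#        if the download direction must be shaped as well. ---
set interfaces ge-0/0/0 per-unit-scheduler
set class-of-service interfaces ge-0/0/0 unit 0 scheduler-map bandwidth-limit
set class-of-service interfaces ge-0/0/0 unit 0 shaping-rate 15m
```

After “commit”, check the class-to-queue mapping with “show class-of-service forwarding-class”, confirm the scheduler-map landed on the unit with “show class-of-service interface ge-0/0/1”, watch the term counters with “show firewall filter bandwidth-input” while running iperf, and read per-queue packet and drop counters with “show interfaces queue ge-0/0/1”. Two points worth keeping in mind: an interface filter ends in an implicit discard, so a filter that only has terms for the interesting traffic silently drops everything else, which is why the catch-all “other” term accepts and classifies the remainder; and “accept” in a stateless interface filter does not bypass the zone security policy, which is still evaluated for the flow.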

Final words

This setup worked in my lab and I was able to test the function of the different filters with iperf. The most challenging part is the firewall filters, especially if you need to create more complex ones. I recommend not changing the default queues; I added two new queues for my needs. Input filters evaluate packets received on the interface. For output filters the opposite is true: they evaluate packets transmitted on the interface.

Patrick Terlisten

vcloudnine.de is the personal blog of Patrick Terlisten. Patrick has a strong focus on virtualization & cloud solutions, but also storage, networking, and IT infrastructure in general. He is a fan of Lean Management and agile methods, and practices continuous improvement wherever it is possible.


10 thoughts on “Juniper SRX: Using CoS to manage bandwidth”

  1. judy

    In your example, in the “class-of-service forwarding-classes queue #” command, does the number selected have a significance?

    Reply
  2. Ryan

    I have a wireless WAN connection, 10 Mbps down / 2 Mbps up. In addition to their office, the business has rental properties that share this internet connection. I want to give the office a guaranteed 8 Mbps down and 1 Mbps up. I want to give the rentals a best effort in either direction. That way, if someone fires up Netflix in the middle of the day they don’t kill the download bandwidth while the office is trying to get work done online.

    I’m assuming that if I shape the office traffic to 8m/1m that the rest of the traffic would be considered best-effort and take up the remainder of the pipe during congestion. Or would my code not work?

    # Two extra forwarding classes on unused queues (queues 0-3 are the Junos defaults)
    set class-of-service forwarding-classes queue 4 bandwidth-8mb
    set class-of-service forwarding-classes queue 5 bandwidth-1mb

    # Schedulers: hard-capped at 8 Mbps (down) and 1 Mbps (up)
    set class-of-service schedulers scheduler-8mb transmit-rate 8m
    set class-of-service schedulers scheduler-8mb transmit-rate exact
    set class-of-service schedulers scheduler-1mb transmit-rate 1m
    set class-of-service schedulers scheduler-1mb transmit-rate exact

    # Map both forwarding classes to their schedulers
    set class-of-service scheduler-maps bandwidth-limit forwarding-class bandwidth-8mb scheduler scheduler-8mb
    set class-of-service scheduler-maps bandwidth-limit forwarding-class bandwidth-1mb scheduler scheduler-1mb

    # Shape the WAN unit; per-unit-scheduler is required for shaping on a logical unit
    set interfaces ge-0/0/1 per-unit-scheduler
    set class-of-service interfaces ge-0/0/1 unit 0 scheduler-map bandwidth-limit
    set class-of-service interfaces ge-0/0/1 unit 0 shaping-rate 10m

    # Rental is VLAN 30, office is VLAN 31: 192.168.30.0/24 and 192.168.31.0/24 respectively
    # Input filter: packets sourced from the office subnet go to the 8 Mbps class
    set firewall family inet filter bandwidth-input term 0 from source-address 192.168.31.0/24
    set firewall family inet filter bandwidth-input term 0 then count input-8m
    set firewall family inet filter bandwidth-input term 0 then forwarding-class bandwidth-8mb
    set firewall family inet filter bandwidth-input term 0 then accept

    # Output filter: packets sourced from the office subnet go to the 1 Mbps class
    set firewall family inet filter bandwidth-output term 0 from source-address 192.168.31.0/24
    set firewall family inet filter bandwidth-output term 0 then count output-1m
    set firewall family inet filter bandwidth-output term 0 then forwarding-class bandwidth-1mb
    set firewall family inet filter bandwidth-output term 0 then accept

    # Attach the filters to the LAN interface
    set interfaces ge-0/0/7 per-unit-scheduler
    set interfaces ge-0/0/7 unit 0 family inet filter input bandwidth-input
    set interfaces ge-0/0/7 unit 0 family inet filter output bandwidth-output

    Reply
    1. Patrick Terlisten Post author

      Your code should work. I recommend testing it. But AFAIK the traffic shaping is fixed, so that the traffic is always 8/1 and not only in case of congestion.

      Reply
      1. Ryan

        If I remove the transmit-rate exact statements, that would let it have the whole pipe and then take it down to 8/1 in the case of congestion. That’s what I’ve read, at least.

        Reply
        1. Patrick Terlisten Post author

          Important note: with transmit-rate exact, packets eventually get dropped under sustained congestion. It’s optional. You don’t have to set it. The traffic that enters the queues will get up to the configured bandwidth.

          Reply
  3. Ryan

    I can’t seem to get the download speed to shape at all. No internet traffic at all if I have anything besides 0.0.0.0/0 for the address.

    Reply
