[SRX] Example - How to shape traffic from a subnet going out of a certain interface in SRX

Article ID: KB22066 | KB Last Updated: 30 Sep 2020 | Version: 5.0

Summary:

This article provides a procedure to create a working configuration to set up traffic shaping on SRX.

Symptoms:

Consider a scenario where an SRX has multiple interfaces. One of the interfaces connects to the ISP and has 1Gb bandwidth. You do not want this link to be consumed by traffic coming from a particular subnet.

Solution:

Assume you want to limit traffic coming from the subnet 10.132.245.0/24 to 50Mbps on the outgoing interface ge-0/0/0. Here is how you do it:

Note: Monitor the ddn queue and ddn scheduler.

Configuration

Create a firewall filter that matches traffic coming from source 10.132.245.0/24 and assigns it to a particular forwarding class.

firewall {
    family inet {
        filter ddn-traffic {
            term 1 {
                from {
                    source-address {
                        10.132.245.0/24;
                    }
                }
                then {
                    forwarding-class ddn;
                    accept;
                }
            }
            term default {
                then {
                    forwarding-class best-effort;
                    accept;
                }
            }
        }
    }
}

Apply the firewall filter as an output filter on the egress interface. The filter classifies the traffic as it leaves ge-0/0/0. Enable per-unit-scheduler on the interface so that the CoS configuration is applied to all the units.

interfaces {
    ge-0/0/0 {
        per-unit-scheduler;
        unit 0 {
            family inet {
                filter {
                    output ddn-traffic;
                }
                address 1.1.1.2/24;
            }
        }
    }
}

Define schedulers that set the priority and the amount of traffic that each class can transmit. Map each scheduler to its forwarding class in scheduler-maps.

class-of-service {
    /* Map the queues to the forwarding classes. */
    forwarding-classes {
        queue 1 real-time;
        queue 2 burst-hi;
        queue 0 best-effort;
        queue 3 network-control;
        queue 4 ddn;
    }
    interfaces {
        /* Define the interface to which the class-of-service needs to be applied. */
        ge-0/0/0 {
            unit * {
                scheduler-map cos-map;
                shaping-rate 1g;
            }
        }
    }
    scheduler-maps {
        cos-map {
            forwarding-class real-time scheduler rt-scheduler;
            forwarding-class burst-hi scheduler bh-scheduler;
            forwarding-class best-effort scheduler be-scheduler;
            forwarding-class network-control scheduler nc-scheduler;
            forwarding-class ddn scheduler ddn-scheduler;
        }
    }
    schedulers {
        nc-scheduler {
            transmit-rate 70k;
            buffer-size percent 5;
            priority high;
        }
        rt-scheduler {
            transmit-rate 50k;
            buffer-size percent 1;
            priority high;
        }
        bh-scheduler {
            transmit-rate 100k;
            buffer-size percent 10;
            priority medium-high;
        }
        be-scheduler {
            transmit-rate {
                remainder;
            }
            buffer-size {
                remainder;
            }
            priority low;
        }
        ddn-scheduler {
            transmit-rate {
                50m;
                exact;
            }
            priority low;
        }
    }
}

Procedure

  1. Create a separate queue; that is the queue for ddn.
  2. Then create a scheduler; that is the ddn-scheduler.
  3. Define the exact rate to which you want to limit the traffic that belongs to that class.
  4. Create a scheduler-map and attach the ddn-scheduler to the map.
  5. Define a firewall filter which matches the traffic you want to forward through the ddn class.
  6. If the exact keyword is not defined, the traffic can go up to 50Mbps and then use the remaining available bandwidth if no other class is using it.

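The procedure builds a chain of references: filter term, forwarding class, scheduler-map entry, scheduler, plus per-unit-scheduler on the interface. The following Python lint is an added example, not part of the Juniper article; `parse`, `check` and the condensed sample are constructed here, and it assumes the `queue N name` forwarding-class syntax shown above and input without comments.

```python
import re

# Constructed sample: a condensed copy of the configuration in this article.
SAMPLE = """
firewall { family inet { filter ddn-traffic {
  term 1 { from { source-address { 10.132.245.0/24; } } then { forwarding-class ddn; accept; } }
  term default { then { forwarding-class best-effort; accept; } } } } }
interfaces { ge-0/0/0 { per-unit-scheduler;
  unit 0 { family inet { filter { output ddn-traffic; } } } } }
class-of-service {
  forwarding-classes { queue 0 best-effort; queue 4 ddn; }
  interfaces { ge-0/0/0 { unit * { scheduler-map cos-map; shaping-rate 1g; } } }
  scheduler-maps { cos-map { forwarding-class best-effort scheduler be-scheduler;
                             forwarding-class ddn scheduler ddn-scheduler; } }
  schedulers { be-scheduler { priority low; } ddn-scheduler { transmit-rate { 50m; exact; } } } }
"""

def parse(text):
    """Flatten brace-style config into one tuple (path..., statement) per leaf statement."""
    path, leaves = [], []
    for stmt, delim in re.findall(r"([^{};]*)([{};])", text):
        stmt = " ".join(stmt.split())
        if delim == "{":
            path.append(stmt)
        elif delim == ";":
            leaves.append((*path, stmt))
        elif path:
            path.pop()
        else:
            raise ValueError("unbalanced braces: extra '}'")
    if path:
        raise ValueError("unbalanced braces: missing '}'")
    return leaves

def check(leaves):
    """Return broken links in the filter -> class -> scheduler-map -> scheduler chain."""
    cos = [p[1:] for p in leaves if p[0] == "class-of-service"]
    classes = {p[1].split()[2] for p in cos if p[0] == "forwarding-classes"}
    scheds = {p[1] for p in cos if p[0] == "schedulers"}
    maps = {(p[1], *p[2].split()[1::2]) for p in cos if p[0] == "scheduler-maps"}
    used = {p[-1].split()[1] for p in leaves
            if p[0] == "firewall" and p[-1].startswith("forwarding-class ")}
    unit_cos = {p[1] for p in cos if p[0] == "interfaces" and len(p) > 3 and p[2][:5] == "unit "}
    per_unit = {p[1] for p in leaves if p[:1] + p[2:] == ("interfaces", "per-unit-scheduler")}
    bad = [f"filter class {c} is not defined" for c in sorted(used - classes)]
    bad += [f"map {m}: scheduler {s} undefined" for m, _, s in sorted(maps) if s not in scheds]
    bad += [f"map {m}: no scheduler for class {c}" for m in sorted({x[0] for x in maps})
            for c in sorted(used) if (m, c) not in {x[:2] for x in maps}]
    bad += [f"{i}: per-unit-scheduler is missing" for i in sorted(unit_cos - per_unit)]
    return bad
```

`check(parse(SAMPLE))` returns an empty list for the article's configuration; removing the ddn entry from cos-map or the per-unit-scheduler statement makes it report the broken link.
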
Modification History:

2020-09-26: Article reviewed for accuracy. No changes required. Article is correct and complete.
2017-05-01: Minor formatting edits.
