Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  QoS on EX2200 Shaping

    Posted 05-01-2015 14:26

    All;

     

    I suspect I may have exhausted my options here, but thought perhaps someone else might have a clever idea for this problem.

     

    Scenario: Shape ISP download BW on the switch to prioritize 'corporate' traffic over 'internet' traffic. This requires some sort of shaper on a south facing interface. The challenge is there is one port uplink to the ISP, and 3x ports for downlink to various devices on a common VLAN, sharing a provider allocated /29 address block. I can apply a policer to multiple ports in aggregate, but there doesn't appear to be a way to apply a shaper similarly to a series of output ports.

     

    I can mark on ingress, but impossible (as far as I can tell) to shape 3 output ports to a common speed. 

     

    Example. Assume 10M ISP circuit. I want to reserve 7Mbps for corp, and leave 3Mbps for Internet but allow Internet to burst up to full rate if there is no contention. I can use MF Classification on the ingress port, but my shapers are specific to the output port, thus by applying the same output shaper to 3 ports. The end result ideally would be 3Mbps split across 2x output ports, and 7Mbps to the 1x backoffice port (under congestion).

     

    Options Considered

    *) Policing inbound to limit 'internet' to 3Mbps and discard remainder. This works, but doesn't allow Internet to burst and utilize remaining BW if corp traffic is not present. 

    *) Two color policer : not effective as reclassifying traffic to a higher loss priority or different traffic class doesn't scale across 3x output ports either.

    (attached diagram: switch_to_ISP_slash29.png)



  • 2.  RE: QoS on EX2200 Shaping

    Posted 05-01-2015 14:41

    Replying to myself here...

     

    I've sorted this out (mostly) and my test results seem to work well.

     

    I can make this work by breaking the switch into two routed interfaces:

      * one facing the ISP (for classification)

      * one facing my branch (for shaping)

     

    + l2_access ports:

      * vlan100 (4 ports total: 3 facing my clients, and the 4th facing my other routed port)

     

    (attached diagram: switch_to_ISP_slash29_logical_routed.png)

     

    Here's the snippet of relevant config on the switch. The diagram above is actually the same switch, just logically broken out. I've tested this and my corporate traffic can eat 9m of traffic and push aside internet, while if there is no corporate traffic, the internet can utilize up to 9m (queue shaping rate), leaving 1m of BW available for corp to start a conversation.

     

    The only problem remaining is how to solve for the provider assigned /29 w/o having to get the ISP to provision a point-to-point interface, and a static route for the /29. I actually tried to overlap the same network (99.99.99.0/24) on both north/south interfaces, enable proxy-arp, and tried to use ARP binding as a more specific route. This works up until I add a static route for a default, then it all breaks. Plus, it was ugly. 

     

    root@EX2200-branch# show class-of-service
    interfaces {
        ge-0/0/44 {
            scheduler-map cos-map;
            shaping-rate 10m;
        }
    }
    scheduler-maps {
        cos-map {
            forwarding-class assured-forwarding scheduler sch_af;
            forwarding-class best-effort scheduler sch_be;
            forwarding-class network-control scheduler sch_nc;
        }
    }
    schedulers {
        sch_be {
            # target : 10%
            transmit-rate 3m;
            shaping-rate 9m;
            priority low;
        }
        sch_af {
            # target : 60% of shaping-rate
            inactive: transmit-rate 6m;
            shaping-rate 9m;
            priority strict-high;
        }
        sch_nc {
            # target : 10% of shaping-rate
            # transmit-rate 1m;
            shaping-rate 1m;
            priority strict-high;
        }
    }
    
    
    
    {master:0}[edit]
    root@EX2200-branch# show interfaces ge-0/0/42
    # branch public VLAN unit 0 { family ethernet-switching { port-mode access; vlan { members VLAN200; } } } {master:0}[edit] root@EX2200-branch# show interfaces ge-0/0/44 # downlink to branch VLAN unit 0 { proxy-arp unrestricted; family inet { address 99.99.99.99/24; } } {master:0}[edit] root@EX2200-branch# show interfaces ge-0/0/46 # uplink to ISP unit 0 { family inet { filter { input classify_internet_l3; } address 172.16.1.1/24; } } {master:0}[edit] root@EX2200-branch# show firewall family inet filter classify_internet_l3 term corporate { from { destination-address { # firewall 99.99.99.1/32; } } then { loss-priority low; forwarding-class assured-forwarding; } } term network_control { from { precedence [ net-control internet-control ]; } then { loss-priority low; forwarding-class network-control; } } term best_effort_traffic { then { loss-priority low; forwarding-class best-effort; } }

    #shaping
    #QOS
    #EX


  • 3.  RE: QoS on EX2200 Shaping

    Posted 05-01-2015 16:12

    So, to summarize:

     

    * I'd like to reduce truck rolls (i.e. not require the addition of a physical loop cable)

    * Not have to ask the ISP to change anything

     

    1) Is there any way to perform aggregate output queueing w/o using a physical loop cable w/ routed interfaces between ge-0/0/44 to ge-0/0/42. I tried using output shaping on a vlan interface, which isn't supported - thus I reverted to a physical cable to loop traffic out a physical port and into a l2_access port to achieve this.

     

    2) Any other ideas on mitigating ISP address changes? Current config would require a point-to-point /30 link between the switch and ISP, and a static route on the ISP to direct the existing /29 back to the switch. One thought I had was to have the ISP remain configured with its /29 mask; I could reconfigure my north interface with the first half of the /29 (with a /30 mask) facing the ISP and the back half /30 facing the south devices, and use proxy-arp on the north interface to get the ISP to route traffic where it needs to go. This would chop my usable public addresses in half, but would do so with minimal interaction with my various ISPs.

     



  • 4.  RE: QoS on EX2200 Shaping

    Posted 05-01-2015 17:00

    To address #2:

     

    Original /29 assigned by ISP:

    10.0.0.0 - network address

    10.0.0.1 - isp-gw

    10.0.0.2 - FW

    10.0.0.3 - public_wifi

    10.0.0.4 - public_wifi

    10.0.0.5 - unused

    10.0.0.6 - unused

    10.0.0.7 - broadcast

     

    I can break my routing into the following:

     

                        ISP - 10.0.0.1/29
                         |
                         |
                      ge-0/0/46 - 10.0.0.0/31 (enable proxy-arp)
                         |
                         |
                      ge-0/0/44 - 10.0.0.6/29
                         |
                         |
                       / | \
                    /    |   \
                 c1   c2   c3

     

    where:

    c1 = 10.0.0.2 - FW

    c2 = 10.0.0.3 - wifi

    c3 = 10.0.0.4 - wifi

     

    Then I only need to change my GW for my devices to point to my updated south-facing interface, and everything starts working again. My GW/wifi units shouldn't need to reach 10.0.0.0 or 10.0.0.1 directly, so we'll ignore the fact that ARP will fail in this case. No changes required on the ISP.



  • 5.  RE: QoS on EX2200 Shaping
    Best Answer

    Posted 06-30-2015 09:06

    Replying to myself for the solution based on a suggestion from JTAC to avoid L3 routing in the middle, which I think is a more elegant solution.

     

    In order to apply an outbound shaper - we can use a hardware loop cable to ingress internet traffic on VLAN100. You need to disable mac-learning on this vlan to ensure traffic is flooded out the ports, else you'll get mac thrashing between vlans as it gets learned on different ports which is bad. We apply the shaper out from VLAN100 and into VLAN200 in this example, then ports in VLAN200 have access to a throttled stream of X Mbit/s of traffic as defined from your output shaper applied to VLAN100.

     

    interfaces {
        ge-0/0/42 {
            # loop in from VLAN100
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members VLAN200;
                    }
                }
            }
        }
        ge-0/0/44 {
            # loop out to VLAN200
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members VLAN100;
                    }
                }
            }
        }
        ge-0/0/46 {
            # this interface faces the ISP and classifies traffic to be shaped on reception
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members VLAN100;
                    }
                    filter {
                        input classify_internet_l2;
                    }
                }
            }
        }
    }
    class-of-service {
        interfaces {
            ge-0/0/44 {
                scheduler-map cos-map;
                shaping-rate 10m;
            }
        }
        scheduler-maps {
            cos-map {
                forwarding-class assured-forwarding scheduler sch_af;
                forwarding-class best-effort scheduler sch_be;
                forwarding-class network-control scheduler sch_nc;
            }
        }
        schedulers {
            # Example assumes a 10MB Broadband link
            sch_be {
                # target : 30% under congestion (always trumped by strict-high in this case) with 8m cap to leave enough headroom for corporate AF traffic to ramp
                transmit-rate 3m;
                shaping-rate 8m;
                priority low;
            }
            sch_af {
                # target : 60% of shaping-rate under congestion with cap of 80%
                inactive: transmit-rate 6m;
                shaping-rate 8m;
                priority strict-high;
            }
            sch_nc {
                # target : 10% of shaping-rate
                # transmit-rate 1m;  ## not effective when using strict-high
                shaping-rate 1m;
                priority strict-high;
            }
        }
    }
    firewall {
        family ethernet-switching {
            filter classify_internet_l2 {
                term corporate {
                    from {
                        destination-mac-address {
                           # mac-address mask of Juniper kit (ie. corp firewall)
                            28:8a:1c:00:00:00/24;
                            f4:b5:2f:00:00:00/24;
                        }
                    }
                    then {
                        forwarding-class assured-forwarding;
                        loss-priority low;
                    }
                }
                term network_control {
                    from {
                        precedence [ net-control internet-control ];
                    }
                    then {
                        forwarding-class network-control;
                        loss-priority low;
                    }
                }
                term best_effort {
                   # everything else is BE
                    then {
                        forwarding-class best-effort;
                        loss-priority low;
                    }
                }
            }
       }
    }
    vlans {
        VLAN200 {
            vlan-id 200;
        }
        VLAN100 {
            vlan-id 100;
            no-mac-learning;
        }
    }
    
    

    Hope this might be useful to someone else looking for a similar solution in the future. This has been tested in the lab and provides a sliding scale of:

    1. reserving a small amount of headroom for corporate traffic (transactional based) to ramp, which can grow to 90% of the defined download link speed (9m). This will cause any non-corporate traffic to stall entirely the way it's configured until corporate traffic is reduced.

    2. Allows BE traffic to consume up to 80% of the link, if available, but always backs off in favor of corporate traffic if present. 

    3. Provides 1m reservation for network-control traffic which is already classified

     

    There are some small tweaks required depending on behavior, but the overall setup works as intended, allowing throttling of inbound user data (TCP based only) and providing rudimentary QoS inbound for public internet connections.


    #ex2200
    #shaping
    #QOS
    #vpn
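An idealized model of the scheduler arithmetic in the best-answer config above (an added example, not code from the thread or from Juniper). It assumes that strict-high queues are drained first, each capped by its own shaping-rate, and that a low-priority queue only receives what is left of the 10m port shaper; it ignores transmit-rate, buffering and the granularity of real EX2200 hardware, so it only illustrates the sliding scale the post describes.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class Scheduler:
    name: str
    priority: str        # "strict-high" or "low", as in the Junos scheduler config
    shaping_rate: float  # per-queue cap in Mbit/s


# Constructed from the best-answer config: 10m port shaper on ge-0/0/44,
# sch_be low/8m, sch_af strict-high/8m, sch_nc strict-high/1m.
INTERFACE_SHAPING_RATE = 10.0
SCHEDULERS: Dict[str, Scheduler] = {
    "best-effort": Scheduler("sch_be", "low", 8.0),
    "assured-forwarding": Scheduler("sch_af", "strict-high", 8.0),
    "network-control": Scheduler("sch_nc", "strict-high", 1.0),
}


def allocate(offered: Dict[str, float]) -> Dict[str, float]:
    """Return the Mbit/s each forwarding class gets for the offered load (Mbit/s).

    Assumption (not verified on hardware): strict-high queues are served before
    low-priority queues; every queue is limited by min(offered, its shaping-rate,
    whatever the port shaper has left).
    """
    remaining = INTERFACE_SHAPING_RATE
    served = {fc: 0.0 for fc in SCHEDULERS}
    for prio in ("strict-high", "low"):
        for fc, sch in SCHEDULERS.items():
            if sch.priority != prio:
                continue
            rate = min(offered.get(fc, 0.0), sch.shaping_rate, remaining)
            served[fc] = rate
            remaining -= rate
    return served


# Constructed scenarios matching the behaviour described in the post.
SCENARIOS = {
    "corp and internet both saturating": {"assured-forwarding": 10.0, "best-effort": 10.0},
    "internet only, no corp traffic": {"best-effort": 10.0},
    "corp, internet and control-plane traffic": {
        "assured-forwarding": 10.0, "best-effort": 10.0, "network-control": 2.0},
}

if __name__ == "__main__":
    for label, offered in SCENARIOS.items():
        print(f"{label}: {allocate(offered)}")
```

Changing the shaping_rate values (for example the 9m AF cap from the earlier routed-interface attempt) shows directly how much BE survives once corporate traffic ramps.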