Replying to myself here..
I've sorted this out (mostly) and my test results seem to work well.
I can make this work by breaking the switch into two routed interfaces;
* one facing the ISP (for classification)
* one facing my branch (for shaping)
+ one l2_access ports;
* vlan100 (4 ports total: 3 facing my clients, and the 4th facing my other routed port)
Here's the snippet of relevant config on the switch. The diagram above is actually the same switch, just logically broken out. I've tested this and my corporate traffic can eat 9m of traffic and push aside internet, while if there is no corporate traffic, the internet can utilize up to 9m (queue shaping rate), leaving 1m of BW available for corp to start a conversation.
The only problem remaining is how to solve for the provider assigned /29 w/o having to get the ISP to provision a point-to-point interface, and a static route for the /29. I actually tried to overlap the same network (99.99.99.0/24) on both north/south interfaces, enable proxy-arp, and tried to use ARP binding as a more specific route. This works up until I add a static route for a default, then it all breaks. Plus, it was ugly.
root@EX2200-branch# show class-of-service
# CoS binding for ge-0/0/44 (labelled in this post as the downlink to the
# branch VLAN): attaches scheduler-map cos-map and shapes the port to 10m.
interfaces {
ge-0/0/44 {
scheduler-map cos-map;
# Port-level cap; the per-queue shaping-rates in the schedulers stanza
# (9m / 9m / 1m) operate underneath this 10m limit.
shaping-rate 10m;
}
}
# Maps each forwarding class to the scheduler that services its queue.
# These are the three classes assigned by the classify_internet_l3 filter
# shown later in this post.
scheduler-maps {
cos-map {
forwarding-class assured-forwarding scheduler sch_af;
forwarding-class best-effort scheduler sch_be;
forwarding-class network-control scheduler sch_nc;
}
}
# Per-queue schedulers referenced by scheduler-map cos-map.
schedulers {
sch_be {
# target : 10%
# NOTE(review): 3m against the 10m port shaping-rate is 30%, not 10% -
# confirm which figure is intended.
transmit-rate 3m;
# Caps best-effort at 9m so it can never fill the 10m port on its own.
shaping-rate 9m;
priority low;
}
sch_af {
# target : 60% of shaping-rate
# The "inactive:" prefix marks a deactivated statement, so no
# transmit-rate is in effect for this queue.
inactive: transmit-rate 6m;
# With strict-high priority this 9m cap is what stops the queue from
# taking the whole port and starving the other classes.
shaping-rate 9m;
priority strict-high;
}
sch_nc {
# target : 10% of shaping-rate
# transmit-rate 1m;
# Only the 1m cap applies here (transmit-rate above is commented out).
# This cap is also the only bound on packets that arrive from the ISP side
# with IP precedence 6/7 set, because the classifier filter in this post
# matches network-control on precedence alone.
shaping-rate 1m;
priority strict-high;
}
}
{master:0}[edit]
root@EX2200-branch# show interfaces ge-0/0/42
# branch public VLAN
# Layer 2 access port placed in a single VLAN (VLAN200).
# NOTE(review): the post text names vlan100 for the access ports while this
# port is a member of VLAN200 - confirm which VLAN is the intended one.
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members VLAN200;
}
}
}
{master:0}[edit]
root@EX2200-branch# show interfaces ge-0/0/44
# downlink to branch VLAN
# Routed (family inet) interface; this is the port the CoS scheduler-map and
# 10m shaping-rate in this post are bound to.
unit 0 {
# Unrestricted proxy ARP: the switch answers ARP requests received on this
# interface for any address it has an active route to, so hosts on the
# segment resolve those addresses to the switch's MAC.
# NOTE(review): the post describes proxy-arp as part of the overlapping-subnet
# attempt; confirm it is still required with the addressing shown here, and
# prefer removing it (or the restricted mode) if not, since it hides real
# L2 ownership of addresses from ARP-based monitoring on the segment.
proxy-arp unrestricted;
family inet {
address 99.99.99.99/24;
}
}
{master:0}[edit]
root@EX2200-branch# show interfaces ge-0/0/46
# uplink to ISP
# Routed interface facing the provider; inbound packets are classified here.
unit 0 {
family inet {
filter {
# Classification only: as shown in this post, classify_internet_l3 sets
# forwarding class and loss priority and has no discard/reject term, so it
# does not restrict what the ISP side can send to or through this interface.
# NOTE(review): protection of the switch's own control plane (for example a
# filter on the loopback interface) is not shown - confirm it exists.
input classify_internet_l3;
}
address 172.16.1.1/24;
}
}
{master:0}[edit]
root@EX2200-branch# show firewall family inet filter classify_internet_l3
# Multifield classifier applied as the input filter on ge-0/0/46 (the ISP
# uplink) in this post. Terms are evaluated in order; each "then" holds only
# action modifiers (loss-priority, forwarding-class) with no explicit
# terminating action, which Junos treats as an accept.
term corporate {
from {
destination-address {
# firewall
99.99.99.1/32;
}
}
then {
loss-priority low;
# NOTE(review): the match is on destination only, so any traffic from the
# ISP side addressed to the firewall lands in the strict-high
# assured-forwarding queue (capped at 9m by sch_af), not just corporate
# flows. If the intent is corporate/VPN traffic only, consider also matching
# on the corporate peers' source-address and the tunnel protocol.
forwarding-class assured-forwarding;
}
}
term network_control {
from {
# Matches IP precedence 7 (net-control) and 6 (internet-control).
# NOTE(review): these bits are set by the sender and arrive here from an
# untrusted network, so marked packets from any source are placed in the
# strict-high network-control queue (bounded only by the 1m shaping-rate on
# sch_nc). Consider restricting this term to the expected routing/control
# peers, or not trusting markings received on this interface.
precedence [ net-control internet-control ];
}
then {
loss-priority low;
forwarding-class network-control;
}
}
# Catch-all: no "from" clause, so everything not matched above is classified
# as best-effort.
term best_effort_traffic {
then {
loss-priority low;
forwarding-class best-effort;
}
}
#shaping#QOS#EX