SRX


How to reserve bandwidth for the IPSec traffic in SRX240 cluster?

  • 1.  How to reserve bandwidth for the IPSec traffic in SRX240 cluster?

    Posted 09-11-2019 09:06

    Hi guys, 

    I'm facing some issues with the bandwidth usage and it's affecting the performance of the VPN tunnels ending on an SRX240 cluster running JUNOS 12.3X48-D65.1.

     

    We have a symmetric internet line 50Mbps up/down. I wonder if there is a way to reserve say 25Mbps only for the IPSec VPN traffic. 

     

    Any help would be much appreciated

    Thanks



  • 2.  RE: How to reserve bandwidth for the IPSec traffic in SRX240 cluster?

    Posted 09-11-2019 09:16

    You may configure CoS to prioritize outgoing VPN traffic. Please follow this KB for an example config: https://kb.juniper.net/InfoCenter/index?page=content&id=KB25847&cat=TRAFFIC_ENGINEERING&actp=LIST

     

     



  • 3.  RE: How to reserve bandwidth for the IPSec traffic in SRX240 cluster?

    Posted 09-11-2019 09:39

    Hi Nellikka, 

    In my case, which protocol should I pick? ESP?

    Also, which queue?

     

    BR



  • 4.  RE: How to reserve bandwidth for the IPSec traffic in SRX240 cluster?

    Posted 09-11-2019 22:20

    Match the actual traffic going through the tunnel, and you may use the assured forwarding or expedited forwarding queue, or create a custom one.

     

     



  • 5.  RE: How to reserve bandwidth for the IPSec traffic in SRX240 cluster?

    Posted 09-12-2019 00:31

    I don't understand what you mean. My questions at this point are quite specific: which protocol to use for IPsec VPN tunnels, and which queue to set, as I didn't understand it in the KB.

     

    Thanks



  • 6.  RE: How to reserve bandwidth for the IPSec traffic in SRX240 cluster?
    Best Answer

    Posted 09-12-2019 01:30

    Please try this config:

     

    set firewall family inet filter VPN-cos term T1 from source-address 10.100.11.0/24 <-----------Site-A LAN Address
    set firewall family inet filter VPN-cos term T1 from destination-address 10.100.22.0/24 <------- Site-B LAN address
    set firewall family inet filter VPN-cos term T1 then forwarding-class assured-forwarding
    set firewall family inet filter VPN-cos term T1 then accept
    set firewall family inet filter VPN-cos term T1 then count VPN-Traffic
    set firewall family inet filter VPN-cos term default then accept

     

    set interfaces ge-0/0/0 unit 0 family inet filter input VPN-cos <------ Site-A Lan facing interface

    set class-of-service schedulers af-vpn transmit-rate percent 25
    set class-of-service schedulers af-vpn buffer-size percent 25
    set class-of-service schedulers af-vpn priority medium-high
    set class-of-service scheduler-maps af-vpn-map forwarding-class assured-forwarding scheduler af-vpn

     

    set interfaces ge-0/0/1 per-unit-scheduler
    set class-of-service interfaces ge-0/0/1 unit 0 scheduler-map af-vpn-map <------- ISP facing interface

     

    show firewall <-- Verify the hitcount
    show interface ge-0/0/1 extensive | find "Queue counters:" <------- verify counters in Assured forwarding queue

     

     



  • 7.  RE: How to reserve bandwidth for the IPSec traffic in SRX240 cluster?

    Posted 09-12-2019 07:58

    Many thanks!!



  • 8.  RE: How to reserve bandwidth for the IPSec traffic in SRX240 cluster?

    Posted 09-12-2019 00:49

    Trasgu,

     

    see: https://forums.juniper.net/t5/SRX-Services-Gateway/SRX340-Prioritize-VPN-traffic/td-p/463511

     

    Because your goal is only to prioritize the VPN traffic and not what goes inside the VPN, I believe you can use a multifield-classifier, as stated in that post by mrojas, and match ESP traffic between the two IPsec peers. Put that traffic in a specific forwarding-class and map it to a queue where you give 50% of the 50Mbps.
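
An added example, not part of any reply in this thread: `transmit-rate percent` is taken from the port speed of the interface unless a shaping rate is configured, so the percentages above only map onto the 50Mbps line once the ISP-facing unit is shaped to that rate. The sketch assumes the interface name and the `assured-forwarding` class from the best answer; the scheduler names `nc-ctrl` and `be-rest` and the map name `wan-50m-map` are hypothetical.

```junos
# Assumption: ge-0/0/1 unit 0 is the ISP-facing interface, as in the best answer.
# Shape the unit to the contracted line rate so scheduler percentages refer to 50 Mbps.
set interfaces ge-0/0/1 per-unit-scheduler
set class-of-service interfaces ge-0/0/1 unit 0 shaping-rate 50m

# VPN class: 50 percent of the 50m shaping rate = 25 Mbps guaranteed
set class-of-service schedulers af-vpn transmit-rate percent 50
set class-of-service schedulers af-vpn buffer-size percent 50
set class-of-service schedulers af-vpn priority medium-high

# Control-plane traffic (hypothetical scheduler name)
set class-of-service schedulers nc-ctrl transmit-rate percent 5
set class-of-service schedulers nc-ctrl buffer-size percent 5
set class-of-service schedulers nc-ctrl priority high

# All other traffic gets whatever is left (hypothetical scheduler name)
set class-of-service schedulers be-rest transmit-rate remainder
set class-of-service schedulers be-rest buffer-size remainder
set class-of-service schedulers be-rest priority low

# One map that names every class expected to carry traffic on this link
set class-of-service scheduler-maps wan-50m-map forwarding-class assured-forwarding scheduler af-vpn
set class-of-service scheduler-maps wan-50m-map forwarding-class network-control scheduler nc-ctrl
set class-of-service scheduler-maps wan-50m-map forwarding-class best-effort scheduler be-rest

set class-of-service interfaces ge-0/0/1 unit 0 scheduler-map wan-50m-map
```

Because `exact` is not set on `transmit-rate`, the 25 Mbps is a guaranteed minimum rather than a cap: VPN traffic can use idle bandwidth beyond it, and other traffic can use what the VPN leaves unused.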