Wednesday, October 18, 2017

[SRX] Example - How to shape traffic from a subnet going out of a certain interface in SRX

SUMMARY:
This article provides a procedure to create a working configuration to set up traffic shaping on SRX.
SYMPTOMS:
Consider a scenario where an SRX has multiple interfaces. One of the interfaces connects to the ISP and has 1Gb bandwidth. You do not want this link to be consumed by traffic coming from a particular subnet.
SOLUTION:
Assume you want to limit traffic coming from the subnet 10.132.245.0/24 to 50Mbps on the outgoing interface ge-0/0/0. Here is how you do it:
Note: Monitor the ddn queue and ddn scheduler.

Configuration

Select a firewall filter to filter the traffic coming from source 10.132.245.0/24 to forward the traffic to a particular forwarding-class.
firewall {
    family inet {
        filter ddn-traffic {
            term 1 {
                from {
                    source-address {
                        10.132.245.0/24;
                    }
                }
                then {
                    forwarding-class ddn;
                    accept;
                }
            }
            term default {
                then {
                    forwarding-class best-effort;
                    accept;
                }
            }
        }
    }
}
Apply the firewall filter as an output filter on the egress interface, so that traffic is classified into forwarding classes as it leaves ge-0/0/0. Enable per-unit-scheduler on the interface so that the CoS configuration is applied to every logical unit.
interfaces {
    ge-0/0/0 {
        per-unit-scheduler;
        unit 0 {
            family inet {
                filter {
                    output ddn-traffic;
                }
                address 1.1.1.2/24;
            }
        }
    }
}

Define a scheduler for each forwarding class; each scheduler sets the priority, the transmit rate and the buffer size for its class. Then map each scheduler to its forwarding class in a scheduler-map.
class-of-service {
    forwarding-classes {  <---Map the queues to the forwarding classes.
        queue 1 real-time;
        queue 2 burst-hi;
        queue 0 best-effort;
        queue 3 network-control;
        queue 4 ddn;
    }
    interfaces {
        ge-0/0/0 {  <---Define the interface to which the class-of-service needs to be applied.
            unit * {
                scheduler-map cos-map;
                shaping-rate 1g;
            }
        }
    }
    scheduler-maps {
        cos-map {
            forwarding-class real-time scheduler rt-scheduler;
            forwarding-class burst-hi scheduler bh-scheduler;
            forwarding-class best-effort scheduler be-scheduler;
            forwarding-class network-control scheduler nc-scheduler;
            forwarding-class ddn scheduler ddn-scheduler;
        }
    }
    schedulers {
        nc-scheduler {
            transmit-rate 70k;
            buffer-size percent 5;
            priority high;
        }
        rt-scheduler {
            transmit-rate 50k;
            buffer-size percent 1;
            priority high;
        }
        bh-scheduler {
            transmit-rate 100k;
            buffer-size percent 10;
            priority medium-high;
        }
        be-scheduler {
            transmit-rate {
                remainder;
            }
            buffer-size {
                remainder;
            }
            priority low;
        }
        ddn-scheduler {
            transmit-rate {
                50m;
                exact;
            }
            priority low;
        }
    }
}

Procedure
  1. Create a separate queue; that is the queue for ddn.

  2. Then create a scheduler; that is the ddn-scheduler.

  3. Define the exact rate to which you want to limit the traffic that belongs to that class.

  4. Create a scheduler-map and attach the ddn-scheduler to the map.

  5. Define a firewall filter which matches the traffic you want to forward through the ddn class.

  6. If the exact keyword is not defined, then the traffic will go up to 50Mbps and then will use the remaining available bandwidth if no other class is using it.
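As an added check that is not part of the original article or of Juniper's tooling: the script below parses the Junos curly-brace configuration into nested dicts and flags the mistakes that leave a shaper silently ineffective: a forwarding class assigned by the filter or named in the scheduler-map but never mapped to a queue, a scheduler named in the map but never defined, and fixed transmit rates that add up to more than the interface shaping-rate. SAMPLE_CONFIG is a compacted copy of the configuration above; the parser and the function names are this example's own, not a Junos API.

```python
import re

# Constructed: a compacted copy of the article's filter and class-of-service config.
SAMPLE_CONFIG = """
firewall { family inet { filter ddn-traffic {
    term 1 { from { source-address { 10.132.245.0/24; } } then { forwarding-class ddn; accept; } }
    term default { then { forwarding-class best-effort; accept; } }
} } }
class-of-service {
    forwarding-classes { queue 1 real-time; queue 2 burst-hi; queue 0 best-effort;
                         queue 3 network-control; queue 4 ddn; }
    interfaces { ge-0/0/0 { unit * { scheduler-map cos-map; shaping-rate 1g; } } }
    scheduler-maps { cos-map {
        forwarding-class real-time scheduler rt-scheduler;
        forwarding-class burst-hi scheduler bh-scheduler;
        forwarding-class best-effort scheduler be-scheduler;
        forwarding-class network-control scheduler nc-scheduler;
        forwarding-class ddn scheduler ddn-scheduler; } }
    schedulers {
        nc-scheduler { transmit-rate 70k; buffer-size percent 5; priority high; }
        rt-scheduler { transmit-rate 50k; buffer-size percent 1; priority high; }
        bh-scheduler { transmit-rate 100k; buffer-size percent 10; priority medium-high; }
        be-scheduler { transmit-rate { remainder; } buffer-size { remainder; } priority low; }
        ddn-scheduler { transmit-rate { 50m; exact; } priority low; }
    }
}
"""

TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")
RATE = re.compile(r"(\d+)([kmg]?)")
UNIT = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse(text):
    """Junos syntax to nested dicts: 'name { ... }' -> {'name': {...}}, 'a b;' -> {'a b': None}."""
    tokens, pos = TOKEN.findall(text), 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "}":
                break
            if tok in ("{", ";"):
                node[" ".join(words)] = block() if tok == "{" else None
                words = []
            else:
                words.append(tok)
        return node

    return block()


def args(node, keyword):
    """Yield the argument words of every entry of node whose first word is keyword."""
    for key in node:
        parts = key.split()
        if parts and parts[0] == keyword:
            yield parts[1:]


def to_bps(rate):
    """'70k' -> 70000, '50m' -> 50000000; None for anything that is not a fixed rate."""
    m = RATE.fullmatch(rate)
    return int(m.group(1)) * UNIT[m.group(2)] if m else None


def fixed_rate(sched):
    """Fixed transmit-rate of one scheduler in bit/s; None for remainder or percent."""
    if "transmit-rate" in sched:  # block form: transmit-rate { 50m; exact; }
        return next((to_bps(k) for k in sched["transmit-rate"] if to_bps(k)), None)
    return next((to_bps(a[0]) for a in args(sched, "transmit-rate") if a), None)  # flat: transmit-rate 70k;


def check_shaping(text):
    """Return a list of problems; an empty list means filter, classes, map and schedulers agree."""
    cfg = parse(text)
    cos = cfg["class-of-service"]
    classes = {a[1] for a in args(cos["forwarding-classes"], "queue")}
    schedulers = cos["schedulers"]
    problems = []
    # 1. every forwarding-class the filter assigns must be mapped to a queue
    for family in cfg.get("firewall", {}).values():
        for filt in (family or {}).values():
            for term in (filt or {}).values():
                for a in args((term or {}).get("then") or {}, "forwarding-class"):
                    if a[0] not in classes:
                        problems.append(f"filter assigns undefined forwarding-class {a[0]}")
    # 2. scheduler-map entries must name a defined class and a defined scheduler
    for smap in cos["scheduler-maps"].values():
        for fc, _kw, sched in args(smap, "forwarding-class"):
            if fc not in classes:
                problems.append(f"scheduler-map names undefined forwarding-class {fc}")
            if sched not in schedulers:
                problems.append(f"scheduler-map names undefined scheduler {sched}")
    # 3. the fixed rates committed to queues must fit under the interface shaping-rate
    committed = sum(r for r in map(fixed_rate, schedulers.values()) if r)
    for ifd, units in cos["interfaces"].items():
        for unit, body in units.items():
            for (rate,) in args(body, "shaping-rate"):
                if committed > to_bps(rate):
                    problems.append(f"{ifd} {unit}: committed {committed} bit/s exceeds shaping-rate {rate}")
    return problems


if __name__ == "__main__":
    print("\n".join(check_shaping(SAMPLE_CONFIG) or ["shaping config is consistent"]))
```

Run it against `show configuration | display set`-free curly-brace output (the default `show configuration` format); the page's configuration passes, while dropping `queue 4 ddn;` or lowering the shaping-rate below the 50.22 Mbps that the fixed rates commit is reported.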

Thursday, May 25, 2017

load-balancing based on source-ip

Our scenario is below

firewall {
    family inet {
        filter source-based-lb {
            term even {
                from {
                    source-address {
                        10.32.0.0/255.255.0.1;
                    }
                }
                then {
                    routing-instance fbf-prefer-isp1;
                }
            }
            term odd {
                from {
                    source-address {
                        10.32.0.1/255.255.0.1;
                    }
                }
                then {
                    routing-instance fbf-prefer-isp2;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
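The two terms work because 255.255.0.1 is a wildcard mask, not a prefix length: only the bits set in the mask are compared, so each term checks the 10.32.0.0/16 part plus the lowest bit of the host address, sending even hosts to one routing instance and odd hosts to the other (the instances fbf-prefer-isp1 and fbf-prefer-isp2 must exist elsewhere in the configuration; they are not shown in the post). The script below is an added example, not part of the original post: it evaluates the filter terms the same way on constructed sample hosts and confirms the split is balanced. The instance names are those in the filter; the function names are this example's own.

```python
from collections import Counter
from ipaddress import IPv4Address

# The terms of the source-based-lb filter, in evaluation order:
# (term, match address, wildcard mask, routing instance chosen by the term).
TERMS = [
    ("even", "10.32.0.0", "255.255.0.1", "fbf-prefer-isp1"),
    ("odd", "10.32.0.1", "255.255.0.1", "fbf-prefer-isp2"),
]


def matches(addr, match, mask):
    """Wildcard-mask match: only the bits set in the mask are compared."""
    a, m, k = (int(IPv4Address(x)) for x in (addr, match, mask))
    return a & k == m & k


def classify(addr):
    """Return the routing instance the filter hands addr to, or 'default'
    when only the final 'term default { then accept; }' matches."""
    for _term, match, mask, instance in TERMS:
        if matches(addr, match, mask):
            return instance
    return "default"


def distribution(hosts):
    """How many hosts each routing instance receives."""
    return Counter(classify(h) for h in hosts)


# Constructed: 100 consecutive hosts in 10.32.0.0/16.
SAMPLE_HOSTS = [str(IPv4Address("10.32.0.0") + i) for i in range(1, 101)]

if __name__ == "__main__":
    for host in ("10.32.5.10", "10.32.5.11", "192.168.1.2"):
        print(host, "->", classify(host))
    print(dict(distribution(SAMPLE_HOSTS)))
```

A host's lowest address bit never changes, so all of that host's sessions stay on one ISP. The split is balanced only if even and odd addresses are used in roughly equal numbers, which is usually true for a DHCP pool but can skew for small, hand-assigned ranges.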

2 ISP fail over with juniper SRX

We have two ISPs, ISP A and ISP B.
What we want to accomplish is this: if the primary ISP's link fails, traffic should fail over to the secondary link to ISP B. So, let's get started.

Configure Dual ISP Link Failover in Juniper SRX

We need to configure the routing table under the [edit routing-options] hierarchy.
[edit routing-options]
user@SRX240# set static route 0.0.0.0/0 next-hop 1.1.1.1 preference 5 [Next hop 1.1.1.1 is the primary next-hop for the 0.0.0.0/0 destination network. Note that 0.0.0.0/0 means the default gateway. Preference 5 is the default preference for static routes; even if you don't put preference 5 in this command, it is automatically there.]

[edit routing-options]
user@SRX240# set static route 0.0.0.0/0 qualified-next-hop 2.2.2.1 preference 7 [Now next-hop 2.2.2.1 is the secondary next-hop for the 0.0.0.0/0 network. It has a preference of 7. If the primary link goes down, this next-hop becomes the gateway for the default route.]
[edit routing-options]
user@SRX240# show
static {
    route 0.0.0.0/0 {
        next-hop 1.1.1.1;
        qualified-next-hop 2.2.2.1 {
            preference 7;
        }
        preference 5;
    }
}

2 ISP load balancing with Juniper SRX


We have two ISPs across which we want to load balance internet traffic. The two internet links are in the UNTRUST zone, whereas the internal network is in the TRUST zone.

I have already configured the required security policies.

The first step is to define a routing policy. Configure the following policy under the [edit policy-options] hierarchy.
[edit policy-options]
root@SRX240# set policy-statement LOAD-BALANCE then load-balance per-packet [Here, no from clause is used, so the policy means: from any source, then load-balance per-packet.]
[edit policy-options]
root@SRX240# show
policy-statement LOAD-BALANCE {
    then {
        load-balance per-packet;
    }
}
The second step is to configure the routing options. Configure the following routes under the [edit routing-options] hierarchy.
[edit routing-options]
root@SRX240# set static route 0.0.0.0/0 next-hop 1.1.1.1
[edit routing-options]
root@SRX240# set static route 0.0.0.0/0 next-hop 2.2.2.1
Now apply the routing policy called LOAD-BALANCE under the routing options.
[edit routing-options]
root@SRX240# set forwarding-table export LOAD-BALANCE
Type the show command to view the configuration.
[edit routing-options]
root@SRX# show
static {
    route 0.0.0.0/0 next-hop [ 1.1.1.1 2.2.2.1 ];
}
forwarding-table {
    export LOAD-BALANCE;
}

You can now view the route forwarding table to verify.
 
root@SRX> show route forwarding-table

You will see two next-hop MAC addresses for the default destination network.
By default, Junos uses only layer 3 information (the IP addresses) to hash a flow onto a next hop, but you can change this behaviour to include both layer 3 and layer 4 information. To do so, enter the following commands under the [edit forwarding-options] hierarchy.
[edit forwarding-options]
root@SRX# set hash-key family inet layer-3
[edit forwarding-options]
root@SRX# set hash-key family inet layer-4
[edit forwarding-options]
root@SRX# show
hash-key {
    family inet {
        layer-3;
        layer-4;
    }
}


You can now check the logs, or run tracert from a client PC, to test the load sharing.
A single PC in the network is enough for the test.
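To see why the hash-key setting matters for the "test from a single PC" step: the forwarding table picks one of the two next hops by hashing the fields named in hash-key, so with only layer 3 fields every connection a client opens to the same server lands on the same ISP, and adding the layer 4 ports spreads those connections across both. The model below is an added example, not from the original post; it uses SHA-256 in place of the platform's real hash function (which is not public), the choice of which fields count as "layer 3" and "layer 4" is this example's assumption, and the client flows are constructed.

```python
import hashlib
from collections import Counter

# The two default-route next hops configured in the post.
NEXT_HOPS = ["1.1.1.1", "2.2.2.1"]


def hash_fields(flow, hash_key):
    """Select the packet fields the hash-key setting includes (modelled, not Junos's exact list).
    flow = (src_ip, dst_ip, protocol, src_port, dst_port); hash_key is a set of 'layer-3'/'layer-4'."""
    src, dst, proto, sport, dport = flow
    fields = []
    if "layer-3" in hash_key:
        fields += [src, dst, str(proto)]
    if "layer-4" in hash_key:
        fields += [str(sport), str(dport)]
    return fields


def pick_next_hop(flow, hash_key):
    """Stand-in for the forwarding-table hash: SHA-256 of the selected fields, modulo the next hops."""
    digest = hashlib.sha256("|".join(hash_fields(flow, hash_key)).encode()).digest()
    return NEXT_HOPS[int.from_bytes(digest[:4], "big") % len(NEXT_HOPS)]


def distribution(flows, hash_key):
    """Count how many flows each next hop receives under a given hash-key setting."""
    return Counter(pick_next_hop(f, hash_key) for f in flows)


# Constructed: one client PC opening 40 TCP connections to the same web server,
# each from a different ephemeral source port.
CLIENT_FLOWS = [("192.168.1.10", "203.0.113.5", 6, 49152 + i, 443) for i in range(40)]

if __name__ == "__main__":
    print("layer-3 only   :", dict(distribution(CLIENT_FLOWS, {"layer-3"})))
    print("layer-3+layer-4:", dict(distribution(CLIENT_FLOWS, {"layer-3", "layer-4"})))
```

With layer-3 only, all 40 connections share one next hop, which is why a single-PC test looks like "load balancing does not work"; with layer-4 included they spread over both ISPs. On the SRX each session keeps the next hop chosen for its first packet, so the hash-key setting decides which fields define a flow, not whether individual packets of one flow are split.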

Friday, April 7, 2017

VLAN over wireless bridge

VLAN configuration over a radio wireless bridge

1. Create a VLAN trunk on R1.
2. On R2, create a bridge interface to forward the trunk packets:
[admin@Router2] > interface bridge add name=bridge-trunk
Add the interfaces that should carry the VLAN trunk to the bridge:
[admin@Router2] > interface bridge port add interface=ether1 bridge=bridge-trunk
[admin@Router2] > interface bridge port add interface=wlan1 bridge=bridge-trunk
Configure the wireless interface in ap-bridge mode:

[admin@Router2] > interface wireless set wlan1 mode=ap-bridge disabled=no
3. On R3, configure the wireless interface in station-bridge mode and connect ether1 of R3 to the managed switch with a LAN cable:

[admin@R1] > interface wireless set wlan1 mode=station-bridge disabled=no
4. Configure the managed switch as desired.

Sunday, February 26, 2017

invalid JSON (filename=/var/lib/openmediavault/dirtymodules.json)

On a fresh OMV install, we hit errors such as "invalid JSON (filename=/var/lib/openmediavault/dirtymodules.json)" when saving a new setting.

An easy way to fix it is to delete or rename the file
 
/var/lib/openmediavault/dirtymodules.json

That works.
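Before removing the file it is worth confirming that it really is malformed and keeping a copy for inspection. The helper below is an added example, not from the original post or from the openmediavault project: it tries to parse the file as JSON and, only if that fails, renames it with a timestamped suffix (the rename option mentioned above) so OMV can recreate it. The path is the one from the error message; the file contents used in the demo are constructed, and the function names are this example's own.

```python
import json
import os
import tempfile
import time

DIRTY_MODULES = "/var/lib/openmediavault/dirtymodules.json"  # path from the error message


def json_error(path):
    """Return None if the file parses as JSON, otherwise a description of the problem."""
    try:
        with open(path, encoding="utf-8") as fh:
            json.load(fh)
    except json.JSONDecodeError as exc:
        return f"invalid JSON at line {exc.lineno} column {exc.colno}: {exc.msg}"
    except OSError as exc:
        return f"cannot read file: {exc}"
    return None


def quarantine_if_invalid(path=DIRTY_MODULES, now=None):
    """Move a corrupt dirtymodules.json out of the way instead of deleting it.
    Returns ('kept', None) for a valid file, ('missing', None) when there is
    nothing to fix, or ('renamed', new_path) after renaming a corrupt file."""
    if not os.path.exists(path):
        return "missing", None
    if json_error(path) is None:
        return "kept", None
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(now))
    new_path = f"{path}.corrupt-{stamp}"
    os.rename(path, new_path)
    return "renamed", new_path


def demo():
    """Exercise the fix on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dirtymodules.json")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write('{"modules": ["rsync"]}')  # constructed: well-formed, must be kept
        kept = quarantine_if_invalid(path)[0]
        with open(path, "w", encoding="utf-8") as fh:
            fh.write('{"modules": ["rsync", ')  # constructed: truncated, must be renamed
        renamed, new_path = quarantine_if_invalid(path, now=0)
        return kept, renamed, os.path.basename(new_path), quarantine_if_invalid(path)[0]


if __name__ == "__main__":
    status, moved = quarantine_if_invalid()
    print(status, moved or "")
```

Run as root on the OMV host; a valid file is left alone, so the script is safe to run when the error turns out to have another cause.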