Wednesday, October 18, 2017

[SRX] Example - How to shape traffic from a subnet going out of a certain interface in SRX

SUMMARY:
This article provides a procedure to create a working configuration to set up traffic shaping on SRX.
SYMPTOMS:
Consider a scenario where an SRX has multiple interfaces. One of them connects to the ISP and has 1Gb of bandwidth. You do not want traffic coming from a particular subnet to consume this link.
SOLUTION:
Assume you want to limit traffic coming from the subnet 10.132.245.0/24 to 50Mbps on the outgoing interface ge-0/0/0. Here is how to do it:
Note: Monitor the ddn queue and ddn scheduler.

Configuration

Define a firewall filter that matches traffic from source 10.132.245.0/24 and assigns it to a dedicated forwarding-class; everything else falls through to best-effort.
firewall {
    family inet {
        filter ddn-traffic {
            term 1 {
                from {
                    source-address {
                        10.132.245.0/24;
                    }
                }
                then {
                    forwarding-class ddn;
                    accept;
                }
            }
            term default {
                then {
                    forwarding-class best-effort;
                    accept;
                }
            }
        }
    }
}
Apply the firewall filter as an output filter on the egress interface, so that the traffic is classified as it leaves ge-0/0/0. Enable per-unit-scheduler on the interface so that the CoS configuration is applied to all of its logical units.
interfaces {
    ge-0/0/0 {
        per-unit-scheduler;
        unit 0 {
            family inet {
                filter {
                    output ddn-traffic;
                }
                address 1.1.1.2/24;
            }
        }
    }
}

Define the schedulers, which set the priority, the transmit rate and the buffer size for each class. Map each scheduler to its forwarding class in a scheduler-map, and apply that map to the interface.
class-of-service {
    forwarding-classes {  <---Map the queues to the forwarding classes.
        queue 1 real-time;
        queue 2 burst-hi;
        queue 0 best-effort;
        queue 3 network-control;
        queue 4 ddn;
    }
    interfaces {
        ge-0/0/0 {  <---Define the interface to which the class-of-service needs to be applied.
            unit * {
                scheduler-map cos-map;
                shaping-rate 1g;
            }
        }
    }
    scheduler-maps {
        cos-map {
            forwarding-class real-time scheduler rt-scheduler;
            forwarding-class burst-hi scheduler bh-scheduler;
            forwarding-class best-effort scheduler be-scheduler;
            forwarding-class network-control scheduler nc-scheduler;
            forwarding-class ddn scheduler ddn-scheduler;
        }
    }
    schedulers {
        nc-scheduler {
            transmit-rate 70k;
            buffer-size percent 5;
            priority high;
        }
        rt-scheduler {
            transmit-rate 50k;
            buffer-size percent 1;
            priority high;
        }
        bh-scheduler {
            transmit-rate 100k;
            buffer-size percent 10;
            priority medium-high;
        }
        be-scheduler {
            transmit-rate {
                remainder;
            }
            buffer-size {
                remainder;
            }
            priority low;
        }
        ddn-scheduler {
            transmit-rate {
                50m;
                exact;
            }
            priority low;
        }
    }
}

Procedure
  1. Create a separate queue; that is the queue for ddn.

  2. Then create a scheduler; that is the ddn-scheduler.

  3. Define the exact rate to which you want to limit the traffic that belongs to that class.

  4. Create a scheduler-map and attach the ddn-scheduler to the map.

  5. Define a firewall filter which matches the traffic you want to forward through the ddn class.

  6. If the exact keyword is not defined, the ddn class is guaranteed 50Mbps and can additionally use any remaining bandwidth that no other class is using; with exact, the class is capped at 50Mbps.
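The following checks are added here to verify the shaping after the configuration is committed; they are not part of the original article. They assume a count action is added to term 1 of the filter (the counter name ddn-out is an assumption) so that matches are visible.

```junos
## Added verification steps (not from the original article).
## Configuration mode: add a counter so the filter's matches can be seen.
configure
set firewall family inet filter ddn-traffic term 1 then count ddn-out
commit and-quit

## 1. Confirm ddn-traffic is bound as the output filter on ge-0/0/0.0
##    and that the ddn-out counter increments while a host in
##    10.132.245.0/24 sends traffic out of the interface.
show interfaces filters ge-0/0/0
show firewall filter ddn-traffic

## 2. Confirm forwarding-class ddn maps to queue 4 and that cos-map
##    (with the 1g shaping-rate) is applied to the interface units.
show class-of-service forwarding-class
show class-of-service scheduler-map cos-map
show class-of-service interface ge-0/0/0

## 3. Offer more than 50Mbps from the subnet and watch queue 4 (ddn):
##    with "exact", transmitted bytes/sec should plateau near 50Mbps and
##    the queue's dropped counters should rise. Without "exact", the
##    transmitted rate may exceed 50Mbps while other queues are idle.
show interfaces queue ge-0/0/0 forwarding-class ddn
```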