topic Re: QoS in specifig configuration in General Topics

QoS in specifig configuration

_slv_ — Fri, 17 May 2013 15:56:37 GMT

Hello

My network looks:

ISP (25Mbit symmetric) is connected to Juniper SSG-140 with two interfaces:

- A

- B

Behind B there is PA200 and two serwers connected by switch to B interface of SSG.

I have to use QoS on SSG. I put 25Mbit limit on untrust interface, and 10Mbit limit on A interface.

On B I try to use policy base QoS.

Question is how to set DSCP on PAN on NAT rule?

I'd like to mark VoIP/SSH/RDP traffic with higher mark than other traffic. How to do that? Maybe I should do it in other way?

With regards

SLawek

Re: QoS in specifig configuration

NGS_SOC — Fri, 17 May 2013 16:19:10 GMT

The diffserv Qos mark is done in Security Policy not in NAT rules. In the option field you case choose IP dscp or IP Precedence according to your Juniper configuration and all the traffic voice, ie sip application, can be marked to higher priority.

Traffic shaping Qos is the second technology, useful to limit/guarantee certain amount of traffic, but in your topology maybe is better to handle this with Juniper. On the contrary, if your juniper can be moved to outside to inside, for example as vpn concentrator, you can use directly traffic shaping.

Re: QoS in specifig configuration

_slv_ — Fri, 17 May 2013 19:13:43 GMT

I found very bad for me information http://kb.juniper.net/InfoCenter/index?page=content&id=KB12939&cat=DSCP&actp=LIST&smlogin=true

I'm using 6.3r8 ScreenOS. So my plan fizzled out.

What you can recomdate in my situation?

I can't move SSG,but I thinking of it.irst I have to learn about more than one VR I'm not sure that PA200 can handle 2 VR. Another problem that I have is that at the moment I have 9 security zones. Limit is 10 for PA200. If I remove SSG and do the same on PA I will have 3 security zones (untrust/A/B) - I'm right?

Regards

Slawek

Re: QoS in specifig configuration

NGS_SOC — Fri, 17 May 2013 20:55:23 GMT

I'm not sure having fully understood your goal, if I were you I'll remove the SSG and put PA-200 in its place. The little PA device is able to handle layer3 topology with multiple WAN connections using vrouters (2 available) and PBR. The simplest topology that can be suited you is WAN (untrusted) DMZ (servers) and LAN (trusted). In this choice traffic shaping & qos for servers/client are directly managed by PA-200 either with diffserv of qos polycy.

Re: QoS in specifig configuration

_slv_ — Tue, 28 May 2013 10:47:59 GMT

For better undestanding I atached simple draw

My topology exactly as on this pictures and can't be changed. I'd like to limit WAN2 to 10Mbit/10Mbit and I want to setup SSG to keep VoIP/SSH/RDP with maximum proirytet.

According to kb from Juniper it's problably impossible because SSG will ignore DSCP from PA200, or I can setup polisy bandwitch on SSG but only per IP (not per aplications).

With regards

Slawek