QoS in specific configuration

L4 Transporter

Hello

My network looks like this:

ISP (25Mbit symmetric) is connected to Juniper SSG-140 with two interfaces:

- A

- B

Behind B there is a PA200 and two servers, connected by a switch to the B interface of the SSG.

I have to use QoS on the SSG. I put a 25Mbit limit on the untrust interface, and a 10Mbit limit on the A interface.

On B I am trying to use policy-based QoS.

The question is: how do I set DSCP on the PAN in a NAT rule?

I'd like to mark VoIP/SSH/RDP traffic with a higher mark than other traffic. How do I do that? Maybe I should do it another way?

With regards

Slawek

L3 Networker

The DiffServ QoS marking is done in the Security Policy, not in NAT rules. In the options field you can choose IP DSCP or IP Precedence according to your Juniper configuration, and all the voice traffic, i.e. the sip application, can be marked with a higher priority.

Traffic shaping QoS is the second technology, useful to limit/guarantee a certain amount of traffic, but in your topology it is maybe better to handle this with the Juniper. On the contrary, if your Juniper can be moved from outside to inside, for example as a VPN concentrator, you can use traffic shaping directly.

L4 Transporter

I found some information that is very bad for me: http://kb.juniper.net/InfoCenter/index?page=content&id=KB12939&cat=DSCP&actp=LIST&smlogin=true

I'm using ScreenOS 6.3r8, so my plan fizzled out.

What can you recommend in my situation?

I can't move the SSG, but I'm thinking about it. First I have to learn about using more than one VR; I'm not sure that the PA200 can handle 2 VRs. Another problem I have is that at the moment I have 9 security zones. The limit is 10 for the PA200. If I remove the SSG and do the same on the PA I will have 3 security zones (untrust/A/B) - am I right?


Regards

Slawek

L3 Networker

I'm not sure I have fully understood your goal, but if I were you I'd remove the SSG and put the PA-200 in its place. The little PA device is able to handle a layer 3 topology with multiple WAN connections using vrouters (2 available) and PBR. The simplest topology that can suit you is WAN (untrusted), DMZ (servers) and LAN (trusted). With this choice, traffic shaping & QoS for servers/clients are managed directly by the PA-200, either with DiffServ or QoS policy.

L4 Transporter

Hi

For better understanding I attached a simple drawing:

2013-05-28_123133.png

My topology is exactly as in this picture and can't be changed. I'd like to limit WAN2 to 10Mbit/10Mbit and I want to set up the SSG to keep VoIP/SSH/RDP at maximum priority.

According to the KB from Juniper it's probably impossible because the SSG will ignore DSCP from the PA200, or I can set up policy bandwidth on the SSG but only per IP (not per application).

With regards

Slawek
