My network looks like this:
The ISP (25Mbit symmetric) is connected to a Juniper SSG-140 with two interfaces:
Behind B there are a PA200 and two servers, connected by a switch to the B interface of the SSG.
I have to use QoS on the SSG. I put a 25Mbit limit on the untrust interface, and a 10Mbit limit on the A interface.
On B I try to use policy-based QoS.
The question is how to set DSCP on the PAN in a NAT rule?
I'd like to mark VoIP/SSH/RDP traffic with a higher mark than other traffic. How do I do that? Maybe I should do it another way?
The DiffServ QoS mark is done in the Security Policy, not in NAT rules. In the option field you can choose IP DSCP or IP Precedence according to your Juniper configuration, and all the voice traffic, i.e. the sip application, can be marked to a higher priority.
Traffic shaping QoS is the second technology, useful to limit/guarantee a certain amount of traffic, but in your topology maybe it is better to handle this with the Juniper. On the contrary, if your Juniper can be moved from outside to inside, for example as a VPN concentrator, you can use traffic shaping directly.
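As an added illustration of the first point in the answer above (this is not configuration from the original thread or from Palo Alto Networks documentation), here is what DSCP marking looks like in PAN-OS set-format CLI, where the marking lives on the security rule rather than on the NAT rule. The zone names (B, untrust), the rule names and the chosen code points are assumptions for the example; `sip`, `ssh` and `ms-rdp` are standard PAN-OS App-ID names.

```text
# Constructed example. Zone names, rule names and DSCP values are assumptions.
configure

# Voice gets EF; interactive SSH/RDP gets AF41. Both rules allow the traffic
# and stamp the DSCP field on packets leaving towards the SSG.
set rulebase security rules Mark-Voice from B to untrust source any destination any application sip service application-default action allow
set rulebase security rules Mark-Voice qos marking ip-dscp ef

set rulebase security rules Mark-Interactive from B to untrust source any destination any application [ ssh ms-rdp ] service application-default action allow
set rulebase security rules Mark-Interactive qos marking ip-dscp af41

# Everything else is allowed without a mark, so it stays best effort upstream.
set rulebase security rules Default-Out from B to untrust source any destination any application any service application-default action allow

commit
```

If the upstream device classifies on IP Precedence instead of DSCP, the same rule takes `qos marking ip-precedence <0-7>` in place of `ip-dscp`; EF corresponds to precedence 5 and AF41 to precedence 4. The marking only has an effect if the device in front (here the SSG) actually honours it, which is exactly the caveat the Juniper KB referenced later in this thread raises for the poster's ScreenOS version.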
I found some very bad information for me: http://kb.juniper.net/InfoCenter/index?page=content&id=KB12939&cat=DSCP&actp=LIST&smlogin=true
I'm using ScreenOS 6.3r8. So my plan fizzled out.
What can you recommend in my situation?
I can't move the SSG, but I'm thinking of it. First I have to learn more about using more than one VR; I'm not sure that the PA200 can handle 2 VRs. Another problem I have is that at the moment I have 9 security zones. The limit is 10 for the PA200. If I remove the SSG and do the same on the PA I will have 3 security zones (untrust/A/B) - am I right?
I'm not sure I have fully understood your goal; if I were you I'd remove the SSG and put the PA-200 in its place. The little PA device is able to handle a layer 3 topology with multiple WAN connections using vrouters (2 available) and PBR. The simplest topology that could suit you is WAN (untrusted), DMZ (servers) and LAN (trusted). With this choice, traffic shaping & QoS for servers/clients are directly managed by the PA-200, either with DiffServ or with QoS policy.
For better understanding I attached a simple drawing.
My topology is exactly as in this picture and can't be changed. I'd like to limit WAN2 to 10Mbit/10Mbit and I want to set up the SSG to keep VoIP/SSH/RDP at maximum priority.
According to the KB from Juniper it's probably impossible because the SSG will ignore DSCP from the PA200, or I can set up policy bandwidth on the SSG but only per IP (not per application).