How to rate limit on a Juniper router acting as just a router?

Hi,

We have a Juniper SRX210 router configured for BGP routing for our Telco's Fibre internet install. It is configured as per:
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_28243494.html
(much thanks to dpk_wal) That Question should have all the details of the config, including the final config that got it working. But I can post it again if needed.

One important point, it is acting as a router:
set security forwarding-options family mpls mode packet-based
(no NAT, and I think it defaults to allowing all traffic, which is what we want -- we use the Juniper only as a router, we have our own company Firewall)

I checked with the ISP and the correct settings are 100Mbps / Full Duplex, so I added:
set interfaces ge-0/0/0 speed 100m
set interfaces ge-0/0/0 link-mode full-duplex
set interfaces ge-0/0/0 gigether-options no-auto-negotiation

And it is now running very well, burstable up to nearly 100Mbps up and down!

However we get charged if our usage goes over 10Mbps. We connect through a SonicWALL NSA 240 (which connects to the ge-0/0/1 interface). Because we have multiple WAN ISPs on the SonicWALL it isn't able to accurately do Bandwidth Management -- it seems to combine them or go with only the primary WAN, etc.

How can we limit the rate/speed of the Fibre internet on the Juniper SRX210 to, say, 9.75Mbps? (to avoid any over charges) But sometimes we may want to adjust it to, say, 20Mbps if we needed to download something or push up a large update. So that it could be flexible if needed (ie. NOT just changing ge-0/0/1 to 10Mbps)
We need to be able to limit both inbound/outbound (upload/download) bandwidth.

Can this be done? So that we can set max the upload/download limits, and optionally change them if we have a business case to allow more or less in the future?

Thanks so much!
Yardstick Asked:

Fred Marshall, Principal, Commented:
Take a look at:
http://jsrx.juniperwiki.com/index.php?title=JNCIE-SEC
and search on "shaping rate"

Juniper calls it CoS for Class of Service while Cisco and others call it QoS or Quality of Service as the general topic.  

I find most treatments are way more than you need for simple rate limiting or throttling.  So don't be daunted by all that.  Yours is a simple need.  And, I believe, a very typical need.  It's surprising that the simplest thing isn't better treated in the literature.

In the SRX you establish a Scheduler which you assign to a Scheduler Map which you then assign to an Interface.  You can see all this in the JWEB structure.

I've also seen reference to "policers" in the JUNOS cookbook and no reference to "schedulers" so I imagine they are somehow equivalent or closely related.  It appears that policers and classifiers are the same thing.....

You might look at:
http://www.juniper.net/techpubs/software/junos-security/junos-security10.3/junos-security-swconfig-class-of-service/index.html?junos-cos-comp-section.html
0
 
Yardstick (Author) Commented:
Thanks fmarshal,

Sorry for the delay in getting back to this, had a few other things to take care of. I was able to use your pointers to figure out what I needed. Initially I did use the J-WEB to configure them but admit I didn't really know what I was doing, or why. But it actually worked!

Then I went back and worked through some of the documentation (which as you note isn't great) and I have worked out what I need that seems to work, and changes as little as possible (like not messing with the priorities). Do you think this best, or should I tweak any of this? I was hoping that by NOT specifying anything other than what I strictly needed to that the defaults for whatever (like the priority for best-effort vs network-control, etc) would remain as they were.

I found that exact transmit rate was best for the downloading (inbound) traffic and that the shaping rate worked best for uploading (outbound traffic). Here is what I ended up doing:

Create 2 schedulers, one for exact, one for shaping:
set class-of-service schedulers limit10ex transmit-rate 10m
set class-of-service schedulers limit10ex transmit-rate exact
set class-of-service schedulers limit10sh transmit-rate 10m
set class-of-service schedulers limit10sh shaping-rate 10m


Create 2 maps, each using one of the schedulers:
set class-of-service scheduler-maps limit10_map_inbound forwarding-class best-effort scheduler limit10ex
set class-of-service scheduler-maps limit10_map_inbound forwarding-class expedited-forwarding scheduler limit10ex
set class-of-service scheduler-maps limit10_map_inbound forwarding-class assured-forwarding scheduler limit10ex
set class-of-service scheduler-maps limit10_map_inbound forwarding-class network-control scheduler limit10ex
set class-of-service scheduler-maps limit10_map_outbound forwarding-class best-effort scheduler limit10sh
set class-of-service scheduler-maps limit10_map_outbound forwarding-class expedited-forwarding scheduler limit10sh
set class-of-service scheduler-maps limit10_map_outbound forwarding-class assured-forwarding scheduler limit10sh
set class-of-service scheduler-maps limit10_map_outbound forwarding-class network-control scheduler limit10sh


Assign the maps to each of the physical interfaces:
# download / inbound (data exits the Juniper TO the customer/LAN) - use exact
set class-of-service interfaces ge-0/0/1 scheduler-map limit10_map_inbound

# upload / outbound (data exits the Juniper TO the ISP/internet) - use shaping
set class-of-service interfaces ge-0/0/0 scheduler-map limit10_map_outbound

And it seems to work -- when I do speedtest.net downloads from my ISP's server it may spike a little on the download but essentially never goes above the 10Mbps. (which is OK as we are billed on the 95% of the traffic, sampled every 5 minutes).
And uploading creeps up slowly towards but not over the 10Mbps limit. I wished it would creep up quicker but it seems to work well.

Thanks again for pointing me in the right direction. Now I'll just see about updating the firmware on this router and I'll be good to go!
0
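Added example, not part of the original posts: the answer above says billing is on the 95% of traffic sampled every 5 minutes, and the question asks about temporarily raising the cap to 20Mbps. This Python sketch works out how long such a burst can run before the billed rate moves. The nearest-rank percentile method, the 30-day period, the function names and the sample data are all assumptions constructed for illustration; check the ISP's actual billing method.

```python
SAMPLE_SECONDS = 300  # 5-minute samples, as stated in the post


def nearest_rank(n_samples, percentile=95):
    """1-based rank of the billed sample (integer ceiling, no float rounding)."""
    return (percentile * n_samples + 99) // 100


def billable_rate(samples_mbps, percentile=95):
    """Sort the samples, discard the top (100 - percentile)%, bill the
    highest remaining one. Nearest-rank method is an assumption."""
    if not samples_mbps:
        raise ValueError("no samples")
    ordered = sorted(samples_mbps)
    return ordered[nearest_rank(len(ordered), percentile) - 1]


def burst_budget_hours(days, percentile=95):
    """Hours per billing period that may run above the commit rate
    without changing the billed rate."""
    total = days * 24 * 3600 // SAMPLE_SECONDS
    free_samples = total - nearest_rank(total, percentile)
    return free_samples * SAMPLE_SECONDS / 3600


def constructed_month(days, base_mbps, burst_mbps, burst_hours):
    """Constructed sample data: steady base rate plus one burst window."""
    total = days * 24 * 3600 // SAMPLE_SECONDS
    burst = int(burst_hours * 3600 // SAMPLE_SECONDS)
    return [burst_mbps] * burst + [base_mbps] * (total - burst)


if __name__ == "__main__":
    print("burst budget over 30 days:", burst_budget_hours(30), "hours")
    # Scheduler held at 9.75 Mbps, raised to 20 Mbps for a while.
    for hours in (24, 36, 37):
        month = constructed_month(30, 9.75, 20.0, hours)
        print(f"{hours} h at 20 Mbps -> billed at {billable_rate(month)} Mbps")
```

Under these assumptions the top 5% of a 30-day period is 432 samples, so the limit can sit at 20Mbps for up to 36 hours in total before the billed rate rises above the normal cap.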
 
Yardstick (Author) Commented:
Solution wasn't specific but did point me in the direction I needed to go. I was able to create the initial (working) rules with J-WEB but I didn't (and I still don't) understand exactly what it is all doing (as noted, the documentation is fairly poor) but it works. Thanks.
0
Question has a verified solution.
