Shaping Traffic from a Specific Subnet on SRX Devices

Juniper Networks’ SRX series is a line of security services gateways that provide robust security, networking, and application control for enterprise and service provider networks. One of the key features of SRX devices is their ability to shape traffic, which allows network administrators to control the amount of bandwidth allocated to specific applications, users, or subnets. In this article, we will explore how to shape traffic from a specific subnet on SRX devices.

Understanding Traffic Shaping on SRX Devices

Traffic shaping is a technique used to control the rate of traffic transmitted to the network. It is used to prevent network congestion, ensure fair use of bandwidth, and prioritize critical applications. SRX devices support two types of traffic shaping: ingress shaping and egress shaping. Ingress shaping controls the rate of traffic entering the network, while egress shaping controls the rate of traffic leaving the network.

SRX devices use a token bucket algorithm to implement traffic shaping. The token bucket algorithm works by allocating a certain number of tokens to a traffic stream, which represents the allowed bandwidth. When a packet arrives, the algorithm checks if there are enough tokens available to transmit the packet. If there are, the packet is transmitted, and the corresponding number of tokens is deducted from the bucket. If there are not enough tokens, the packet is queued or dropped.

Configuring Traffic Shaping on SRX Devices

To configure traffic shaping on SRX devices, you need to create a shaping policy, which defines the traffic shaping parameters, such as the bandwidth limit, burst size, and priority. You can create a shaping policy using the following command:

set policy-options policy-statement <policy-name> then traffic-control shape <bandwidth-limit> <burst-size>

For example:

set policy-options policy-statement shape-policy then traffic-control shape 100m 100k

This command creates a shaping policy named “shape-policy” that limits the bandwidth to 100 Mbps and sets the burst size to 100 KB.

Shaping Traffic from a Specific Subnet

To shape traffic from a specific subnet, you need to create a firewall filter that matches the subnet and applies the shaping policy. You can create a firewall filter using the following command:

set firewall filter <filter-name> term <term-name> from source-address <subnet>

For example:

set firewall filter shape-filter term 1 from source-address 192.168.1.0/24

This command creates a firewall filter named “shape-filter” that matches traffic from the subnet 192.168.1.0/24.

To apply the shaping policy to the firewall filter, you can use the following command:

set firewall filter <filter-name> term <term-name> then traffic-control shape <policy-name>

For example:

set firewall filter shape-filter term 1 then traffic-control shape shape-policy

This command applies the shaping policy named “shape-policy” to the firewall filter named “shape-filter”.

Example Configuration

Here is an example configuration that shapes traffic from a specific subnet:

set policy-options policy-statement shape-policy then traffic-control shape 100m 100k

set firewall filter shape-filter term 1 from source-address 192.168.1.0/24

set firewall filter shape-filter term 1 then traffic-control shape shape-policy

set interfaces ge-0/0/0 unit 0 family inet filter input shape-filter

This configuration creates a shaping policy named “shape-policy” that limits the bandwidth to 100 Mbps and sets the burst size to 100 KB. It then creates a firewall filter named “shape-filter” that matches traffic from the subnet 192.168.1.0/24 and applies the shaping policy. Finally, it applies the firewall filter to the input interface ge-0/0/0.0.

Verifying Traffic Shaping

To verify that traffic shaping is working correctly, you can use the following command:

show firewall filter <filter-name>

For example:

show firewall filter shape-filter

This command displays the firewall filter configuration and statistics, including the number of packets and bytes that have been shaped.

You can also use the following command to verify that the shaping policy is being applied:

show policy-options policy-statement <policy-name>

For example:

show policy-options policy-statement shape-policy

This command displays the shaping policy configuration and statistics, including the bandwidth limit and burst size.

Conclusion

Shaping traffic from a specific subnet on SRX devices is a powerful tool for managing network bandwidth and ensuring fair use of resources. By creating a shaping policy and applying it to a firewall filter, you can control the amount of bandwidth allocated to specific applications, users, or subnets. This article has provided a step-by-step guide on how to configure traffic shaping on SRX devices and verify that it is working correctly.

By following the examples and configuration steps outlined in this article, you can effectively shape traffic from a specific subnet on SRX devices and ensure that your network is running smoothly and efficiently.

References

Juniper Networks. (2022). SRX Series Services Gateways Configuration Guide. Retrieved from https://www.juniper.net/documentation/en_US/release-independent/junos/information-products/pathway-pages/config-guide-srx-series/config-guide-srx-series.pdf

Juniper Networks. (2022). Junos OS Policy Framework Configuration Guide. Retrieved from https://www.juniper.net/documentation/en_US/release-independent/junos/information-products/pathway-pages/config-guide-policy-framework/config-guide-policy-framework.pdf