Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual page 506

Network and Security Manager Administration Guide
You can configure the following traffic shaping parameters:

Traffic Shaping Mode—The traffic shaping mode is automatically determined by the
security device, but you can set it to on or off.

Bandwidth—You can control the amount of bandwidth that is available to the matching
network traffic. When traffic shaping is enabled, you can configure the minimum, or
guaranteed bandwidth allowed, by setting the number of kilobits per second (Kbps)
using the Guaranteed Bandwidth field. This setting guarantees that this minimum
amount of throughput is allowed to pass through the security device. In a similar manner,
you can set the maximum bandwidth allowed using the Maximum Bandwidth field.
For matching traffic that falls between the guaranteed and maximum settings, the
security device passes traffic based on the priority setting.

NOTE: We recommend that you set the maximum bandwidth to greater
than 10 Kbps. When the bandwidth is set to less than 10 Kbps, the security
device might drop packets or the source address might attempt to resend
the traffic repeatedly.

For security devices running ScreenOS 5.3 and later, you can also manage the flow of
traffic through the security device by limiting bandwidth at the point of ingress. To
configure the maximum amount of traffic allowed at the interface ingress, you need
to first enable Use Policing Bandwidth, and then set the number of Kbps using the
Policing Bandwidth field. This setting allows you to manage the maximum amount of
traffic allowed to pass through the ingress interface.

Priority—You can set a priority for each firewall rule in your security policy. Your security
device passes permitted traffic according to the priority level specified in the matching
rule. The higher the priority level of the rule, the faster the matching traffic for that rule
passes. You can configure the mappings of eight priority levels to the first three bits in
the DiffServ field or to the IP precedence field in the ToS byte in the IP packet header.
By default, the highest priority (priority 0) on the security device maps to 111 in the IP
precedence field. The lowest priority (priority 7) maps to 000 in the IP precedence
field.

DSCP Class Selector—NSM uses the Differentiated Services Code Point (DSCP)
mechanism to set priority levels. Using DSCP, you can mark traffic at a position within
a hierarchy of priority. You can map eight priority levels to the DiffServ system: Priority
0 is the highest priority, and priority 7 is the lowest priority. Each priority level maps to
a specific set of bits in the DiffServ field or the IP precedence field in the ToS byte of
the IP packet header. The class selector controls the number of bits affected in the
DiffServ field. By default, the priority levels affect only the first three bits in the
eight-bit DiffServ field. The remaining bits are untouched, but can be altered by an upstream
router, which might change the IP priority preference.

When the DSCP class selector is enabled, the class selector zeroes the remaining five
bits in the DiffServ field, which prevents upstream routers from altering priority levels.
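
The marking behavior described above, worked through on a constructed IPv4 header. This is an added example, not code from NSM or ScreenOS; the function names are hypothetical, and the linear mapping for priorities 1 through 6 is an assumption (the guide states only that priority 0 maps to 111 and priority 7 to 000).

```python
import struct

def precedence_bits(priority: int) -> int:
    # Page states priority 0 -> 111 and priority 7 -> 000 by default; the
    # linear steps for priorities 1-6 are an assumption of this example.
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0..7")
    return 7 - priority

def mark_tos(tos: int, priority: int, class_selector: bool) -> int:
    """Return the ToS/DiffServ byte after the priority marking is applied."""
    top = precedence_bits(priority) << 5
    if class_selector:
        return top                # remaining five bits are zeroed
    return top | (tos & 0x1F)     # remaining five bits are left untouched

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header's 16-bit words (RFC 791)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def remark_header(header: bytes, priority: int, class_selector: bool) -> bytes:
    """Rewrite byte 1 of an IPv4 header and recompute the header checksum."""
    ihl = (header[0] & 0x0F) * 4
    if header[0] >> 4 != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("not a complete IPv4 header")
    h = bytearray(header[:ihl])
    h[1] = mark_tos(h[1], priority, class_selector)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)

def build_sample_header(tos: int) -> bytes:
    """Constructed 20-byte header (documentation addresses), valid checksum."""
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234, 0x4000,
                              64, 6, 0, bytes([192, 0, 2, 1]),
                              bytes([198, 51, 100, 7])))
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)

if __name__ == "__main__":
    original = build_sample_header(0x1C)   # low five bits already set
    for selector in (False, True):
        out = remark_header(original, 2, selector)
        print(f"class selector={selector}: ToS {original[1]:08b} -> {out[1]:08b}, "
              f"checksum ok={ipv4_checksum(out) == 0}")
```

Comparing the ToS byte captured on either side of the device against these two outputs shows whether the class selector is in effect for a given rule.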
Copyright © 2010, Juniper Networks, Inc.
