ON THIS PAGE
Example: Configuring Virtual Channels on a Security Device
This example shows how to create virtual channels between a headquarters and its branch office.
Requirements
Before you begin, ensure that your headquarters and branch office have a network connection where the expected aggregate bandwidth is higher for your headquarters than for your branch office. The devices at your headquarters will then be set up to limit the traffic sent to the branch office to avoid oversubscribing the link.
Overview
In this example, you create the virtual channels as branch1–vc, branch2–vc, branch3–vc, and default-vc. You then define the virtual channel group as wan-vc-group to include the four virtual channels and assign the scheduler map as bestscheduler to each virtual channel. Three of the virtual channels are shaped to 1.5 Mbps. The fourth virtual channel is default-vc, and it is not shaped. Hence can use the full interface bandwidth.
Then you apply them in the firewall filter as choose-vc to the device's irb interface. The output filter on the interface sends all traffic with a destination address matching 192.168.10.0/24 to branch1-vc, and similar configurations are set for branch2-vc and branch3-vc. Traffic not matching any of the addresses goes to the default, unshaped virtual channel.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from the configuration mode.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure virtual channels:
- Define the virtual channels and the default virtual channel.[edit]user@host# edit class-of-serviceuser@host# set virtual-channels branch1-vcuser@host# set virtual-channels branch2-vcuser@host# set virtual-channels branch3-vcuser@host# set virtual-channels default-vc
- Define the virtual channel group and assign each virtual
channel a scheduler map.[edit class-of-service]user@host# set virtual-channel-groups wan-vc-group branch1-vc scheduler-map bestscheduleruser@host# set virtual-channel-groups wan-vc-group branch2-vc scheduler-map bestscheduleruser@host# set virtual-channel-groups wan-vc-group branch3-vc scheduler-map bestscheduleruser@host# set virtual-channel-groups wan-vc-group default-vc scheduler-map bestscheduleruser@host# set virtual-channel-groups wan-vc-group default-vc default
- Specify a shaping rate.[edit class-of-service]user@host# set virtual-channel-groups wan-vc-group branch1-vc shaping-rate 1.5muser@host# set virtual-channel-groups wan-vc-group branch2-vc shaping-rate 1.5muser@host# set virtual-channel-groups wan-vc-group branch3-vc shaping-rate 1.5m
- Apply the virtual channel group to the irb interface.[edit class-of-service]user@host# set interfaces irb unit 0 virtual-channel-group wan-vc-group
- Create the firewall filter to select the traffic.
Note Separate traffic and scheduling for different traffic streams with different priorities/bandwidths.
In production use, there is no need to classify the same stream traffic into different classes. You may choose your own criteria to classify traffic into different vc, such as src/dst ip, port number, protocol, and so on.
[edit firewall]user@host# set family inet filter choose-vc term branch1 from destination 192.168.10.0/24user@host# set family inet filter choose-vc term branch1 then acceptuser@host# set family inet filter choose-vc term branch2 from destination 192.168.20.0/24user@host# set family inet filter choose-vc term branch2 then acceptuser@host# set family inet filter choose-vc term branch3 from destination 192.168.30.0/24user@host# set family inet filter choose-vc term branch3 then acceptuser@host# set family inet filter choose-vc term branch1 then virtual-channel branch1-vcuser@host# set family inet filter choose-vc term branch2 then virtual-channel branch2-vcuser@host# set family inet filter choose-vc term branch3 then virtual-channel branch3-vc - Apply the firewall filter to output traffic.[edit interfaces]user@host# set irb unit 0 family inet filter output choose-vc
Results
From configuration mode, confirm your configuration by entering the show class-of-service, show firewall, and show interfaces irb commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying Virtual Channel Configuration
Purpose
Verify that the virtual channels are properly configured.
Action
From configuration mode, enter the show class-of-service, show firewall, and show interfaces irb commands.