Understanding CoS Support on st0 Interfaces

You can configure class of service (CoS) features such as classifier, policer, queuing, scheduling, shaping, rewriting rules, and virtual channels on the secure tunnel interface (st0) for point-to-point VPNs.

The st0 tunnel interface is an internal interface. Route-based VPNs can use the st0 interface to route cleartext traffic to an IPsec VPN tunnel. The st0 interface supports the following CoS features on all available SRX Series Firewalls and vSRX2.0:

  • Classifiers

  • Policers

  • Queuing, scheduling, and shaping

  • Rewrite rules

  • Virtual channels

Note:

Rewriting/remarking is the act of replacing a value in the header of an outgoing packet to identify the class assigned to the packet by the transmitting router. It is possible to rewrite each of the packet header types using each of the marking types (IEEE 802.1p, MPLS EXP, IPv4 Precedence, IPv4 DSCP, or IPv6 DSCP).

Rewrite applies on egress interfaces only.

Limitations of CoS support on VPN st0 interfaces

The following limitations apply to CoS support on VPN st0 interfaces:

  • The maximum number of software queues is 2048. If the number of st0 interfaces exceeds 2048, there are not enough software queues for all of them, so some st0 interfaces cannot get a queue.

  • Only route-based VPNs can apply CoS features on st0 interfaces. Table 1 describes the st0 CoS feature support for different types of VPNs.

    Table 1: CoS Feature Support for VPN

    | CoS Feature | Site-to-Site VPN (P2P) | AutoVPN (P2P) | Site-to-Site/Auto VPN/AD-VPN (P2MP) |
    |---|---|---|---|
    | Classifiers, policers, and rewriting markers | Supported | Supported | Supported |
    | Queuing, scheduling, and shaping based on st0 logical interfaces | Supported | Not supported | Not supported |
    | Queuing, scheduling, and shaping based on virtual channels | Supported | Supported | Supported |

  • On SRX300, SRX320, SRX340, SRX345, and SRX550HM firewalls, one st0 logical interface can bind to multiple VPN tunnels. The eight queues for the st0 logical interface cannot reroute the traffic to different tunnels, so pre-tunneling is not supported.

    Note:

    You can use the virtual channel feature as a workaround on SRX300, SRX320, SRX340, SRX345, and SRX550HM firewalls.

  • When defining a CoS shaping rate on an st0 tunnel interface, consider the following restrictions:

    • The shaping rate on the tunnel interface must be less than that of the physical egress interface.

    • The shaping rate only measures the packet size that includes the inner Layer 3 cleartext packet with an ESP/AH header and an outer IP header encapsulation. The outer Layer 2 encapsulation added by the physical interface is not factored into the shaping rate measurement.

    • The CoS behavior works as expected when the physical interface carries the shaped GRE or IP-IP tunnel traffic only. If the physical interface carries other traffic, thereby lowering the available bandwidth for tunnel interface traffic, the CoS features do not work as expected.

  • On SRX550M, SRX5400, SRX5600, and SRX5800 firewalls, bandwidth limit and burst size limit values in a policer configuration are a per-SPU, not per-system limitation. This is the same policer behavior as on the physical interface.
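The limitations above are easy to violate in a design review: a queuing mode that Table 1 does not support for the VPN type, more st0 interfaces than software queues, or a tunnel shaping rate that looks smaller than the egress link but no longer fits once the Layer 2 framing the shaper ignores is added back. The following added checker (example code, not Juniper's) encodes those rules; the 18-byte Ethernet header plus FCS figure and the VPN-type labels are assumptions made for the example.

```python
"""Pre-deployment sanity checks for CoS on st0 tunnel interfaces.

Added example, not Juniper code. It encodes Table 1, the 2048
software-queue ceiling and the shaping-rate restrictions so a planned
design can be checked before it is committed.
"""

MAX_SOFTWARE_QUEUES = 2048  # software-queue ceiling from the limitations list

# Table 1: feature -> VPN types on which it is supported (labels assumed)
SUPPORT = {
    "classifier": {"site-to-site-p2p", "autovpn-p2p", "p2mp"},
    "policer": {"site-to-site-p2p", "autovpn-p2p", "p2mp"},
    "rewrite": {"site-to-site-p2p", "autovpn-p2p", "p2mp"},
    "logical-if-queuing": {"site-to-site-p2p"},
    "virtual-channel-queuing": {"site-to-site-p2p", "autovpn-p2p", "p2mp"},
}

# Assumed Ethernet framing the shaper does NOT count: 14-byte header + 4-byte FCS
L2_OVERHEAD_BYTES = 18


def check_feature(feature, vpn_type):
    """Return True if Table 1 lists the feature as supported for vpn_type."""
    return vpn_type in SUPPORT[feature]


def check_queue_capacity(st0_count):
    """Return True when every st0 interface can be given a software queue."""
    return st0_count <= MAX_SOFTWARE_QUEUES


def wire_rate_bps(shaping_rate_bps, avg_shaped_pkt_bytes):
    """Convert an st0 shaping rate into the Layer 2 rate seen on the wire.

    The shaper measures inner L3 + ESP/AH + outer IP only, so every shaped
    packet occupies L2_OVERHEAD_BYTES more on the physical link than counted.
    """
    scale = (avg_shaped_pkt_bytes + L2_OVERHEAD_BYTES) / avg_shaped_pkt_bytes
    return shaping_rate_bps * scale


def check_shaping(shaping_rate_bps, physical_rate_bps, avg_shaped_pkt_bytes):
    """Return (ok, reason). The tunnel shaper must be below the egress link
    rate, and must still fit once the uncounted L2 framing is added back."""
    if shaping_rate_bps >= physical_rate_bps:
        return False, "tunnel shaping rate must be less than the physical egress rate"
    if wire_rate_bps(shaping_rate_bps, avg_shaped_pkt_bytes) > physical_rate_bps:
        return False, "shaped traffic plus L2 framing exceeds the physical egress rate"
    return True, "ok"
```

The third check matters most with small packets, where the fixed framing overhead is a large fraction of each shaped packet; it only holds if the physical interface carries the tunnel traffic alone, as the restriction above states.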

Release History Table

| Release | Description |
|---|---|
| 17.4R1 | Starting with Junos OS Release 17.4R1, support for the listed CoS features is added for the st0 interface on SRX4600 firewalls. |
| 15.1X49-D70 | Starting with Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, support for queuing, scheduling, shaping, and virtual channels is added to the st0 interface on SRX5400, SRX5600, and SRX5800 firewalls. Support for all the listed CoS features is added for the st0 interface on SRX1500, SRX4100, and SRX4200 firewalls. |
| 15.1X49-D60 | Starting with Junos OS Release 15.1X49-D60 and Junos OS Release 17.3R1, class of service (CoS) features such as classifier, policer, queuing, scheduling, shaping, rewriting markers, and virtual channels can be configured on the secure tunnel interface (st0) for point-to-point VPNs. |