Is there a way to do traffic shaping in VSX


Using VSX R80.10, I'm looking for a way to do traffic shaping at the interface level or per Virtual System.

Basically, my ISP is providing me a 1 Gig network connection for all internet services, with 2 routers (for redundancy) connected to a head switch.

Since I have multiple VSs on my VSX cluster, I'm looking for a way to limit the throughput of each VS to a specific level (let's say vs1 at 100 Mbps, vs2 at 500 Mbps and vs3 at 400 Mbps).

The thing is they all share the same network switch and VLAN to connect to the ISP. I do not have any router or other equipment between them.

Is there a way to make it work without using more equipment?

Well, you can take a "soft" approach to the bandwidth limiting, without hard-coding it at the networking level, by specifying limits on each rule responsible for the majority of the traffic traversing the VS in question.

I believe that you can specify the bandwidth limits manually in addition to those provided for you out of the box.

You can also use QoS for this purpose, which I personally do not recommend.

Alternatively, and this is kind of a hack, depending on the number of available 1G interfaces on the appliances running VSX, you can create bond groups containing a number of the physical interfaces and terminate them on the same switch.

Assign each bond to corresponding VS as its interface.

Hi Vladimir,

Sorry for the late answer.

I'm familiar with those configuration options and they do not provide much help, but here is the solution I found, which is a bit funky but functional.

I do have a /24 public address range and a router between us and the ISP.

What I plan to do is to NAT our services to specific NAT addresses, and those IPs will be linked to different qualities of service.

In the router, we will do some "fake QoS" by prioritizing the traffic by its source IP.

It is not a proper QoS or traffic shaping method, but it should do the trick.


Dear Nicolas,

One of the limitations in VSX is the lack of QoS rules in individual Virtual Systems. So, if you migrate a Firewall rulebase from a Security Management Server into a Multi-Domain Server, you will notice that the QoS rules are gone.

However, in the VS0 context, you can create QoS rules for prioritizing packets in which the ToS byte is marked with DSCP values. This is only applicable to external packets hitting the external interface of your VSX Gateway.

The syntax is:

cpqos class add HighPrio type reg weight 1000 prio 15 dscp 64 (for packets with the DSCP value of 00100010)

cpqos class add MediumPrio type reg weight 500 prio 7 dscp 18

cpqos class add LowPrio type reg weight 100 prio 2 dscp default


cpqos install (?)

You will find the policy here: $FWDIR/database/qos_policy.C.
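As an added example (not part of this thread and not Check Point's own tooling), the Python below encodes and decodes DSCP in the IP ToS byte and matches packets against classes carrying the names, weights and priorities from the cpqos lines above. DSCP is a 6-bit field (0 to 63), so the helper rejects a value of 64; the HighPrio class here uses 34, which is what the binary 00100010 quoted in the post decodes to (AF41). Treating the class weight as a proportional share of link capacity is an assumption, and the packet samples are constructed.

```python
"""Added example (not from the thread): DSCP/ToS helpers and a classifier that
mirrors the DSCP-based priority classes in the posted cpqos lines. Weights and
priorities are those from the post; weight as a proportional share of the link
is an assumption; the packet samples below are constructed."""
from dataclasses import dataclass
from typing import Optional

# Well-known DSCP code points (RFC 2474, RFC 2597, RFC 3246). DSCP is 6 bits: 0..63.
DSCP_NAMES = {
    "default": 0, "cs1": 8, "cs2": 16, "cs3": 24, "cs4": 32,
    "cs5": 40, "cs6": 48, "cs7": 56, "ef": 46,
    "af11": 10, "af12": 12, "af13": 14, "af21": 18, "af22": 20, "af23": 22,
    "af31": 26, "af32": 28, "af33": 30, "af41": 34, "af42": 36, "af43": 38,
}


def parse_dscp(value) -> int:
    """Return a DSCP code point from an int, a decimal string, or a PHB name.
    Anything outside the 6-bit range is rejected, so a value like 64 is caught."""
    if isinstance(value, str):
        key = value.strip().lower()
        if key in DSCP_NAMES:
            return DSCP_NAMES[key]
        if not key.isdigit():
            raise ValueError(f"unknown DSCP name: {value!r}")
        value = int(key)
    if not 0 <= value <= 63:
        raise ValueError(f"DSCP must fit in 6 bits (0-63), got {value}")
    return value


def is_valid_dscp(value) -> bool:
    """Convenience check: True if parse_dscp() accepts the value."""
    try:
        parse_dscp(value)
        return True
    except ValueError:
        return False


def dscp_to_tos(dscp, ecn: int = 0) -> int:
    """DSCP occupies the upper 6 bits of the ToS/DS byte, ECN the lower 2."""
    if not 0 <= ecn <= 3:
        raise ValueError(f"ECN must be 0-3, got {ecn}")
    return (parse_dscp(dscp) << 2) | ecn


def tos_to_dscp(tos: int):
    """Split a ToS byte into (dscp, ecn)."""
    if not 0 <= tos <= 255:
        raise ValueError(f"ToS byte must be 0-255, got {tos}")
    return tos >> 2, tos & 0x3


@dataclass(frozen=True)
class QosClass:
    name: str
    weight: int
    prio: int
    dscp: Optional[int]  # None = the 'dscp default' catch-all class


CLASSES = [
    # The post writes 'dscp 64' for bits 00100010; 64 does not fit in 6 bits and
    # 00100010 is 34 (AF41), so 34 is used here (assumption).
    QosClass("HighPrio", weight=1000, prio=15, dscp=34),
    QosClass("MediumPrio", weight=500, prio=7, dscp=18),
    QosClass("LowPrio", weight=100, prio=2, dscp=None),
]


def classify(tos: int, classes=CLASSES) -> str:
    """Match the packet's DSCP against the specific classes (highest prio first),
    falling back to the default class. ECN bits are ignored, as a DSCP match should."""
    dscp, _ecn = tos_to_dscp(tos)
    for c in sorted((c for c in classes if c.dscp is not None), key=lambda c: -c.prio):
        if c.dscp == dscp:
            return c.name
    default = next((c for c in classes if c.dscp is None), None)
    if default is None:
        raise LookupError(f"no class matches DSCP {dscp} and no default class")
    return default.name


def share_mbps(link_mbps: float, classes=CLASSES) -> dict:
    """Capacity each class gets under full contention if weights are proportional shares."""
    total = sum(c.weight for c in classes)
    return {c.name: link_mbps * c.weight / total for c in classes}


# Constructed sample: (label, ToS byte) as seen on the external interface.
SAMPLE_PACKETS = [
    ("voip", dscp_to_tos("ef")),        # EF has no specific class -> default (LowPrio)
    ("video", dscp_to_tos(34, ecn=1)),  # AF41 with ECT(1) set -> still HighPrio
    ("bulk", dscp_to_tos(18)),          # AF21 -> MediumPrio
    ("web", 0x00),                      # best effort -> LowPrio
]


def tally(packets=SAMPLE_PACKETS) -> dict:
    """Count sampled packets per class."""
    counts = {c.name: 0 for c in CLASSES}
    for _label, tos in packets:
        counts[classify(tos)] += 1
    return counts


if __name__ == "__main__":
    for label, tos in SAMPLE_PACKETS:
        d, e = tos_to_dscp(tos)
        print(f"{label:6} tos=0x{tos:02x} dscp={d:2} ecn={e} -> {classify(tos)}")
    print(tally())
    print(share_mbps(1000))
```

Note that EF-marked packets land in the default class because the posted rules only name two specific code points; anything you want in a higher class has to be matched explicitly, and the VS0 rules only see traffic that is already marked on arrival at the external interface.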

I am also trying to do traffic shaping on my firewall in my VS4 context. How do you specify which context the QoS will be applied to, since it is configured in the VS0 context? I don't want the QoS I am configuring applied to any other context.
