I have a setup where 2 types of clients are connected to my MX:
- Business-critical devices - endpoint of an encrypted VPN (directly connected to the MX)
- Non-business-critical devices & normal users - unencrypted (connected via MS & MR devices)
The business-critical devices are physically separated from the rest of the devices.
How can I provide strict priority for internet access to the business-critical devices & prevent the non-business-critical devices from impacting the business-critical devices' internet access?
So far I have only found the option to create a group policy for the non-business-critical clients and limit per-client bandwidth. That may help, but it does not ensure that some bandwidth is prioritized for the business-critical devices.
The challenge here is that the mission-critical servers are terminating VPNs from the internet. So from the standpoint of the MX they are connected to, those clients just carry 99% UDP (encrypted) traffic, and the MX has no visibility into the traffic actually inside.
What I'd ideally be looking for is a QoS setting like:
- Give VLAN 2, the address range 192.168.2.x/24, or a set of clients a, b, c a "guaranteed 10 Mbps"
- or "Give other VLANs, address ranges or sets of clients a maximum aggregated 40 Mbps during work hours"
I have looked around and the only option I see is to tag VLAN 2 (mission-critical servers) with DSCP tags and high priority.
Is there any way to provide the clients of a VLAN with guaranteed bandwidth?
Thanks all. For now I have moved the mission-critical servers into separate VLANs, used SD-WAN traffic shaping to assign them a high priority ratio, and limited the bandwidth for normal users during working hours with group policies. I'll give it a go and consider a second uplink if the current setup isn't good enough in the future.