Junos
Visitor
duron
Posts: 7
Registered: 01-25-2010

Traffic speed limiting.

Hello.

I have a Juniper J2320, 10mbps on WAN and a lot of LAN users. How can I consolidate users into groups and limit outbound speed to the internet for each group? I.e. 128kbps for managers, 512kbps for bosses, 1mbps for IT, etc. I think it's somewhere in firewall or policies.

Also one group must walk through the second ISP.


Anyone know how to do it?

With config examples of course.

Trusted Contributor
Gniewko
Posts: 67
Registered: 04-14-2008

Re: Traffic speed limiting.

Hey,


How many such groups do you need? Can groups exceed the assigned bandwidth when there is spare capacity? Should any group always be preferred over others (regardless of its utilization/demand)? If any group exceeds its bandwidth, should it be dropped (policer) or buffered/delayed (shaper)?

In the meantime, I strongly encourage you to take a look at the "JUNOS Enterprise Routing" book, which explains all these mechanisms. There also used to be OJRE/AJRE Juniper courses available via the Learning Portal which would be helpful here, I guess.


Thanks,

Visitor
duron
Posts: 7
Registered: 01-25-2010

Re: Traffic speed limiting.

Hi.

Six or seven groups in total. But I mean bandwidth assignment not for the whole group, but for each user in the group. For example:

some group has a 128kbps limit; if user1 in this group "eats" 128kbps, user2 in this group still has its own 128kbps.

Yes, two groups must always be preferred over others.

If any group exceeds its bandwidth, it should be buffered/delayed.


Well, config examples would be more useful and understandable for me.

Also I need some sort of PPPoE/PPTP or something to give clients (Windows machines) access to the LAN from the internet, via the Juniper. At this time I've redirected port 1723 to an internal PPTP server, but this is a bad solution. Junos Pulse would be a better solution. Highly desirable with LDAP authorization in the local AD.


PS: Sorry for my English.

Visitor
duron
Posts: 7
Registered: 01-25-2010

Re: Traffic speed limiting.

The answer to my question is...

firewall {
    /* single-rate policer: 128 kbit/s sustained, burst-size-limit is in bytes, excess is dropped */
    policer 128k {
        if-exceeding {
            bandwidth-limit 128k;
            burst-size-limit 32k;
        }
        then discard;
    }
    filter Limiter {
        /* traffic sent by the host */
        term 1 {
            from {
                source-address {
                    192.168.0.123/32;
                }
            }
            then policer 128k;
        }
        /* traffic sent to the host */
        term 2 {
            from {
                destination-address {
                    192.168.0.123/32;
                }
            }
            then policer 128k;
        }
    }
}
Also, I can add "then count" to each firewall filter term. But I have no idea yet how to apply terms not to a single IP, but to groups.

Visitor
duron
Posts: 7
Registered: 01-25-2010

Re: Traffic speed limiting.

More useful solution:


firewall {
    policer 128k {
        if-exceeding {
            bandwidth-limit 128k;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer 256k {
        if-exceeding {
            bandwidth-limit 256k;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer 512k {
        if-exceeding {
            bandwidth-limit 512k;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer 1024k {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    filter Limiter {
        term Nets-in {
            from {
                source-address {
                    192.168.1.0/24;
                    192.168.2.0/24;
                    192.168.100.0/24;
                    192.168.254.0/30;
                }
                destination-address {
                    192.168.0.0/24;
                }
            }
            then accept;
        }
        term Nets-out {
            from {
                source-address {
                    192.168.0.0/24;
                }
                destination-address {
                    192.168.1.0/24;
                    192.168.2.0/24;
                    192.168.5.0/24;
                    192.168.100.0/24;
                    192.168.254.0/30;
                }
            }
            then accept;
        }
        term Servers {
            from {
                destination-address {
                    192.168.0.xxx/32;
                    ...
                    192.168.0.yyy/32;
                }
            }
            then accept;
        }
        term IT {
            from {
                destination-address {
                    192.168.0.xxx/32;
                    ...
                    192.168.0.yyy/32;
                }
            }
            then accept;
        }
        term Reception {
            from {
                destination-address {
                    192.168.0.xxx/32;
                    192.168.0.yyy/32;
                }
            }
            then policer 128k;
        }
        term Bosses {
            from {
                destination-address {
                    192.168.0.xxx/32;
                    ...
                    192.168.0.yyy/32;
                }
            }
            then policer 512k;
        }
        term Accounting {
            from {
                destination-address {
                    192.168.0.xxx/32;
                    ...
                    192.168.0.yyy/32;
                }
            }
            then policer 128k;
        }
        term InetManagers {
            from {
                destination-address {
                    192.168.0.xxx/32;
                    ...
                    192.168.0.yyy/32;
                }
            }
            then policer 256k;
        }
        term SalesManagers {
            from {
                destination-address {
                    192.168.0.xxx/32;
                    ...
                    192.168.0.yyy/32;
                }
            }
            then policer 128k;
        }
    }
}


But I'm not sure about the correct burst-size-limit size.
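The post above builds one term per group, so every host in a term shares the same policer instance. Per-user limiting (the earlier requirement) needs one term per host, because a Junos policer referenced from a filter is instantiated per term by default. The generator below is an added example, not the poster's configuration: it emits Junos set commands from a constructed group table (addresses, rates and the interface name are assumptions), and ends the filter with an explicit accept term because a Junos filter's implicit final action is discard.

```python
# Added example: generate per-host Junos policer/filter set commands.
# Group data, addresses and interface names are constructed placeholders.
from ipaddress import ip_address

# constructed sample: group -> (bandwidth-limit, burst-size-limit, hosts)
GROUPS = {
    "Reception": ("128k", "15k", ["192.168.0.10", "192.168.0.11"]),
    "Bosses": ("512k", "15k", ["192.168.0.20"]),
}


def policer_cmds(rate, burst):
    """One policer per rate; burst-size-limit is in bytes on Junos."""
    name = f"policer-{rate}"
    return [
        f"set firewall policer {name} if-exceeding bandwidth-limit {rate}",
        f"set firewall policer {name} if-exceeding burst-size-limit {burst}",
        f"set firewall policer {name} then discard",
    ]


def filter_cmds(groups, filter_name="Limiter", match="destination-address"):
    """One term per host so each host gets its own policer instance
    (assumes the Junos default of term-specific policers)."""
    cmds, seen_rates = [], set()
    for group, (rate, burst, hosts) in groups.items():
        if rate not in seen_rates:  # share policer definitions across groups
            cmds += policer_cmds(rate, burst)
            seen_rates.add(rate)
        for host in hosts:
            ip_address(host)  # reject typos such as a missing octet early
            term = f"{group}-{host.replace('.', '-')}"
            base = f"set firewall filter {filter_name} term {term}"
            cmds.append(f"{base} from {match} {host}/32")
            cmds.append(f"{base} then policer policer-{rate}")
    # explicit final accept: without it everything unmatched is discarded
    cmds.append(f"set firewall filter {filter_name} term default then accept")
    return cmds


def apply_cmd(interface, filter_name="Limiter", direction="output"):
    """Bind the filter to the LAN-facing unit; interface is a placeholder."""
    return f"set interfaces {interface} family inet filter {direction} {filter_name}"


if __name__ == "__main__":
    print("\n".join(filter_cmds(GROUPS) + [apply_cmd("ge-0/0/1 unit 0")]))
```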

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.