Routing

  • 1.  Implement per ip rate limiting in JUNOS

    Posted 03-22-2010 19:32

    Hi

     

    Is it possible to implement per ip rate limiting in JUNOS?

     

    Thanks

    C



  • 2.  RE: Implement per ip rate limiting in JUNOS
    Best Answer

    Posted 03-23-2010 06:44

    Yes, with "prefix-action" feature

    http://www.juniper.net/techpubs/en_US/junos10.1/information-products/topic-collections/config-guide-policy/topic-28296.html#id-11043805

    Key points:

    1/ number of policers created would be 2 ^ (source/destination-prefix-length - subnet-prefix-length)

    [here the caret sign ^ means 2 to the power of]

    2/ number of IP addresses sharing the same policer would be 2 ^ (32 - subnet-prefix-length)

    So if you have 10.100.240.0/20 subnet and want to police outbound per-every-single-source-IP then:

    --source-prefix-length would be 32

    --subnet-prefix-length would be 20

    --number of policers auto-created for you would be 2 ^ (32-20) = 4096.

    HTH

    Regards

    Alex



  • 3.  RE: Implement per ip rate limiting in JUNOS

    Posted 03-28-2010 00:55

    Hi Alex

     

    Kindly explain to us: if I want to rate limit the HTTP traffic to 1Mbps, then in the policer configuration bandwidth-limit would be 1Mbps. BUT

     

    1- what is burst-size-limit parameter?

    2- how to calculate burst-size-limit parameter?

    3- what does it mean by interface-specific?

     

    Thanks



  • 4.  RE: Implement per ip rate limiting in JUNOS

    Posted 03-28-2010 12:36

    Hello there,

    Answer to Question #1:

    Policing uses the token-bucket algorithm, which enforces a limit on average bandwidth while allowing bursts up to a specified maximum value.

    http://www.juniper.net/techpubs/en_US/junos10.1/information-products/topic-collections/config-guide-policy/jd0e37131.html

    "Burst-size-limit" is the volume of token bucket.

    Answer to Question #2:

    To determine the value for the burst-size limit, the preferred method is to multiply the bandwidth (expressed as bytes per second) of the interface on which you are applying the filter by the amount of time you allow a burst of traffic at that bandwidth to occur. We recommend that you use a value of 5 ms as the starting point for the allowable amount of time for a burst of traffic.

    If you express the bandwidth as bits per second, use the following formula to calculate the burst size.

    burst size = bandwidth x allowable time for burst traffic / 8

    If you do not know the interface bandwidth, you can multiply the maximum transmission unit (MTU) of the traffic on the interface by 10 to obtain a value. For example, the burst size for an MTU of 4700 would be 47,000 bytes. At minimum, burst size should be at least 10 interface MTUs. The maximum value for the burst-size limit is 100 megabits per second (Mbps), or 12.5 megabytes per second (MBps).

    http://www.juniper.net/techpubs/en_US/junos10.1/information-products/topic-collections/config-guide-policy/topic-28295.html

    Answer to Question #3:

    When you configure a firewall filter that is applied to multiple interfaces, you can name individual counters specific to each interface. These counters enable you to easily maintain statistics on the traffic transiting the different interfaces. A separate instance of the interface-specific firewall filter is created for each interface to which you apply the filter.

    http://www.juniper.net/techpubs/en_US/junos10.1/information-products/topic-collections/config-guide-policy/topic-28286.html

    HTH

    Regards

    Alex
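
Added example (not part of the thread and not Junos code): a simplified Python model of the per-source policers and burst-size rule described in the two answers above, using the 10.100.240.0/20 example and the 1 Mbps limit from the question. The 100 Mbps interface speed, the 1500-byte packets, the sample addresses and the way a policer is picked from the address bits are assumptions made for illustration.

```python
import ipaddress

def burst_size_bytes(interface_bps=None, burst_ms=5, mtu=1500):
    """burst size = bandwidth x burst time / 8, never below 10 MTUs."""
    floor = 10 * mtu                      # fallback when bandwidth is unknown
    if interface_bps is None:
        return floor
    return max(interface_bps * burst_ms // 8000, floor)

class Policer:
    """Token bucket; tokens are bytes and the bucket volume is burst-size-limit."""
    def __init__(self, bandwidth_bps, burst_bytes):
        self.rate = bandwidth_bps / 8     # refill rate, bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last = 0.0

    def allow(self, now, size):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                      # models "then discard"

class PrefixAction:
    """Assumed model: the policer index is the address bits between
    subnet-prefix-length and source-prefix-length."""
    def __init__(self, subnet_len, source_len, bandwidth_bps, burst_bytes):
        self.shift = 32 - source_len
        self.count = 2 ** (source_len - subnet_len)
        self.policers = [Policer(bandwidth_bps, burst_bytes) for _ in range(self.count)]

    def allow(self, src, now, size):
        idx = (int(ipaddress.IPv4Address(src)) >> self.shift) % self.count
        return self.policers[idx].allow(now, size)

def simulate():
    # Constructed scenario: 1 Mbps per source in 10.100.240.0/20 on an
    # assumed 100 Mbps interface, 1500-byte packets.
    burst = burst_size_bytes(100_000_000)
    pa = PrefixAction(20, 32, 1_000_000, burst)
    a_burst = sum(pa.allow("10.100.240.7", 0.0, 1500) for _ in range(60))
    b_first = pa.allow("10.100.241.9", 0.0, 1500)   # separate bucket, unaffected
    a_later = pa.allow("10.100.240.7", 1.0, 1500)   # bucket refilled after 1 s
    return pa.count, burst, a_burst, b_first, a_later

if __name__ == "__main__":
    print(simulate())
```

Only the packets that fit in the bucket pass during the back-to-back burst from one source, while a second source in the same /20 is policed independently.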

     



  • 5.  RE: Implement per ip rate limiting in JUNOS

    Posted 03-30-2010 11:59

    Great explanation, Alex

     

    Thanks



  • 6.  RE: Implement per ip rate limiting in JUNOS

    Posted 06-29-2011 10:53

    I've been trying to limit the bandwidth per IP on a 172.16.0.0/16 network.  I've tried using "prefix-action", but it doesn't appear to be supported on the SRX240h.  Is there another way to do this on the SRX240?  

    ## Warning: configuration block ignored: unsupported platform (srx240h)
    prefix-action per-source-policer {
        policer limiter;
        subnet-prefix-length 16;
        destination-prefix-length 32;
    }

     


    Thanks!



  • 7.  RE: Implement per ip rate limiting in JUNOS

    Posted 03-23-2010 06:53

    You could certainly do this using firewall policers. Define a policer policy and then match it to the traffic you want to rate limit:

     

    Define your policer first and then map it into a filter - then apply that filter to the appropriate I/F's (not shown below)

    firewall {
        policer rate-limit-policer {
            if-exceeding {
                bandwidth-limit 40k;
                burst-size-limit 1024;
            }
            then discard;
        }
    }

    firewall {
        family ethernet-switching {
            filter port-policer {
                interface-specific;
                term limit-ip {
                    from {
                        destination-address {
                            192.168.3.10/32;
                        }
                    }
                    then policer rate-limit-policer;
                }
            }
        }
    }