SRX Services Gateway
c1
Contributor
Posts: 28
Registered: ‎06-06-2016
0 Kudos
Accepted Solution

How can I set a filter to an External IP?


I tried this http://kb.juniper.net/InfoCenter/index?page=content&id=KB28161&smlogin=true&actp=search

but I can't because the interface ge-0/0/7 is family ethernet-switching port-mode trunk

 

routing-options {
    static {
        route 0.0.0.0/0 next-hop X.X.X.209;
    }
}

unit 696 {
    family inet {
        address X.X.X.212/29;
        address X.X.X.214/29;
    }
}

proxy-arp {
    interface vlan.696 {
        address {
            X.X.X.213/32;
        }
    }
}

 

The SRX240 IP is X.X.X.212: works!

1 ext IP -> proxy-arp IP X.X.X.213: works!

2 ext IP -> static IP X.X.X.214: works only on vlan.696.

Is it possible to limit bandwidth on a MAC address where the interface is family ethernet-switching?

Any suggestion or any alternative solution?

 

 

Recognized Expert
Posts: 199
Registered: ‎04-03-2015

Re: How can I limit the bandwidth on a External IP

Hi,

 

Have you tried implementing the filter in all the other Vlans defined on the SRX as well ?

 

I would suggest that you try that and see if it works.

 

Regards,

Sahil

---------------------------------------------------

Please mark my solution as accepted if it helped, Kudos are appreciated as well.

c1
Contributor
Posts: 28
Registered: ‎06-06-2016
0 Kudos

Re: How can I limit the bandwidth on a External IP


I tried the filter on a local VLAN host and it works, but not if I try to do the same on the external IP X.X.X.214.

 

unit 696 {
    family inet {
        filter {
            input output-limit;
            output output-limit;
        }
        address X.X.X.212/29;
        address X.X.X.214/29;
    }
}

 

show firewall family inet filter output-limit 
term 0 {
    from {
        source-address {
            X.X.X.214/32;
        }
    }
    then {
        policer policer-9mb;
        accept;
    }
}
term 1 {
    from {
        destination-address {
            X.X.X.214/32;
        }
    }
    then {
        policer policer-9mb;
        accept;
    }
}
term NO-RATE-ELSE {
    then accept;
}

It looks like the filter is set in the right place:

show interfaces vlan.696 detail | match "filter"    
      Input Filters: output-limit
      Output Filters: output-limit

Any ideas?

Recognized Expert
Posts: 199
Registered: ‎04-03-2015
0 Kudos

Re: How can I limit the bandwidth on a External IP

Hi,

 

Are you trying to add this filter/policer for the traffic coming from the internet towards the SRX external IP ?

 

Regards,

Sahil Sharma

---------------------------------------------------

Please mark my solution as accepted if it helped, Kudos are appreciated as well.

c1
Contributor
Posts: 28
Registered: ‎06-06-2016
0 Kudos

Re: How can I limit the bandwidth on a External IP


@sahilsha yes, both ways; the same filter works for an internal IP.

 

Recognized Expert
Posts: 199
Registered: ‎04-03-2015
0 Kudos

Re: How can I limit the bandwidth on a External IP

Hi,

 

If you are trying to limit bandwidth for traffic coming from the ISP, this does not make much sense as the traffic has already occupied your ISP pipe and will be dropped on the SRX only.

 

Policing is ideally for traffic from inside to outside.

 

Regards,

Sahil Sharma

---------------------------------------------------

Please mark my solution as accepted if it helped, Kudos are appreciated as well.

c1
Contributor
Posts: 28
Registered: ‎06-06-2016
0 Kudos

Re: How can I limit the bandwidth on a External IP

Yes, I was aware of that.

My goal is to have the main IP X.X.X.212 (SRX240) use the full bandwidth provided by the ISP, while another external IP, X.X.X.214, uses a part of it and will be assigned to another router.

Another alternative is probably to limit a port? Could this be implemented?

 

 

 

 

Recognized Expert
Posts: 199
Registered: ‎04-03-2015

Re: How can I limit the bandwidth on a External IP

Hi,

 

I don't think this requirement could be met from the SRX side.

 

The ISP might be able to do this, however on the SRX even if we limit the bandwidth for that particular ISP, it would still have consumed the whole ISP pipe and then it would be dropped on the SRX as you already know.

 

Regards,

Sahil Sharma

---------------------------------------------------

Please mark my solution as accepted if it helped, Kudos are appreciated as well.
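
Added example (not posted by anyone in this thread): a small token-bucket simulation of the point made in the replies above, that a policer on the receiving side of the ISP link drops traffic only after it has already crossed the link. The 9 Mbit/s rate is assumed from the policer name policer-9mb; the burst size, packet size and the 20 Mbit/s offered load are constructed values.

```python
# Added illustration: a single-rate token-bucket policer placed before or after a link.
# All traffic numbers are constructed; only the 9 Mbit/s figure echoes "policer-9mb".

RATE_BPS = 9_000_000        # assumed policer rate, bits per second
BURST_BITS = 120_000        # assumed burst size (15 000 bytes)
PKT_BITS = 10_000           # constructed 1250-byte packets
GAP_US = 500                # one packet every 500 us = 20 Mbit/s offered
DURATION_US = 10_000_000    # 10 seconds of traffic


def police(arrival_times_us):
    """Return how many packets a token-bucket policer accepts."""
    tokens, last, accepted = BURST_BITS, 0, 0
    for t in arrival_times_us:
        # Refill for the elapsed microseconds, never above the burst size.
        tokens = min(BURST_BITS, tokens + (t - last) * RATE_BPS // 1_000_000)
        last = t
        if tokens >= PKT_BITS:      # in profile: forward and spend tokens
            tokens -= PKT_BITS
            accepted += 1
        # out of profile: packet is discarded, tokens are kept
    return accepted


def simulate(direction):
    """'outbound': policer sits before the ISP link (SRX is sending).
    'inbound': policer sits after the ISP link (SRX is receiving).
    Returns (Mbit/s carried on the ISP link, Mbit/s delivered past the policer)."""
    arrivals = range(0, DURATION_US, GAP_US)
    offered = len(arrivals)
    accepted = police(arrivals)
    on_link = accepted if direction == "outbound" else offered
    seconds = DURATION_US / 1_000_000

    def to_mbps(pkts):
        return pkts * PKT_BITS / seconds / 1e6

    return to_mbps(on_link), to_mbps(accepted)


if __name__ == "__main__":
    for d in ("outbound", "inbound"):
        link, delivered = simulate(d)
        print(f"{d:8s}: ISP link carries {link:.2f} Mbit/s, "
              f"{delivered:.2f} Mbit/s delivered")
```

In the inbound case the link still carries the full offered load while only the policed rate is delivered, so the capacity left for X.X.X.212 on the ISP side is not protected.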