SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Layer 2 Rate Limiting on Interface

    Posted 04-02-2015 12:05

    I would like to do the same thing described in this article, except with an SRX:

     

    [MX] Example: Configuring a layer2-policer for rate limiting on a physical port in Access Mode

     

    The trouble is that when I try to do the equivalent of this line:

     

    set interfaces ge-1/3/9 unit 0 filter input TEST-L2-POLICER

     

    ...there is no "filter" argument available just under the "unit" level. Here's what happens when I try:

     

    "[edit interfaces fe-0/0/2 unit 0]

    root@meadowlark-fw# set fil[hitting tab here]
                        ^
    unknown command."

     

    I've added filter and policer stuff to other parts of the configuration. Commit works, but the rate limit doesn't ever seem to trigger when testing it. Some excerpts of things I've already set:

     

    interfaces {

        fe-0/0/2 {
            unit 0 {
                family bridge {
                    filter {
                        input filter-56k;
                        output filter-56k;
                    }
                    policer {
                        input policer-56k;
                        output policer-56k;
                    }
                    interface-mode access;
                    vlan-id 1;
                }
            }
        }

    }

     

    firewall {

        family bridge {
            filter filter-56k {
                term 1 {
                    then {
                        policer policer-56k;
                        count policer-56k-packets;
                    }
                }
            }
        }
        policer policer-56k {
            if-exceeding {
                bandwidth-limit 56k;
                burst-size-limit 100k;
            }
            then discard;
        }

    }

     

    Advice appreciated!



  • 2.  RE: Layer 2 Rate Limiting on Interface
    Best Answer

     
    Posted 04-03-2015 00:41

    As per KB16685, filters are not supported on Transparent/bridge modes.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16685

     

    As per below URL, rate limiting is possible via shapers only.

    https://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/security-class-of-service-function-transparent-mode-overview.html

     

    I believe you need to use shapers instead of Policers on family bridge on SRX. Below URLs may help you in CoS configuration.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB23234

    http://www.juniper.net/techpubs/en_US/junos12.1x46/information-products/pathway-pages/security/security-layer2-bridging-transparent-mode.pdf

     



  • 3.  RE: Layer 2 Rate Limiting on Interface

    Posted 04-03-2015 10:06

    Thank you. That puts me on a better path. I'll report back when I have it working. 🙂



  • 4.  RE: Layer 2 Rate Limiting on Interface

    Posted 04-16-2015 06:42

    I've not been successful. According to http://www.juniper.net/documentation/en_US/junos12.1/topics/concept/security-class-of-service-function-transparent-mode-overview.html, I should be able to use class of service in transparent mode to utilize "Shapers to apply rate limiting to an interface".

     

    But examples of using shapers to apply rate limiting seem to always use filters on interfaces. Filters aren't allowed in transparent mode. I'm questioning whether it's even possible, because it seems like someone would have posted a relevant example online somewhere.

     

    I would appreciate any help on this quandary.



  • 5.  RE: Layer 2 Rate Limiting on Interface

     
    Posted 04-16-2015 06:55
    Did you try applying shaping-rate on the interface directly under class-of-service along with a scheduler?


  • 6.  RE: Layer 2 Rate Limiting on Interface

    Posted 04-21-2015 08:52

    Success! ...partly.

    I can now rate limit Internet downloading from a particular interface in transparent mode, but I haven't figured out how to do the same for Internet uploading. If I run a speed test from behind ge-0/0/1, download will be around 1 Mbps and upload will be quite a bit higher. If I run a speed test from behind fe-0/0/2, download will be higher and upload matches the other interface's high upload.

    How can I limit upload as well, preferably at a different rate? Thank you for the help so far.


    My test setup:

    ge-0/0/0  Internet connection
    ge-0/0/1  Rate limited host connected here
    fe-0/0/2  Unlimited host connected here


    Key parts of the SRX configuration:

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 1;
                }
            }
        }
        ge-0/0/1 {
            per-unit-scheduler;
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 1;
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 1;
                }
            }
        }
    }
    class-of-service {
        interfaces {
            ge-0/0/1 {
                unit 0 {
                    scheduler-map slowmap;
                    shaping-rate 1m;
                }
            }
        }
        scheduler-maps {
            slowmap {
                forwarding-class best-effort scheduler slowscheduler;
            }
        }    
        schedulers {
            slowscheduler {
                shaping-rate 1m;
            }
        }
    }



  • 7.  RE: Layer 2 Rate Limiting on Interface

     
    Posted 04-21-2015 09:00
    Great news. Try applying the scheduler on ge-0/0/0 to restrict upload.
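
The suggestion in reply 7, written out by mirroring the working ge-0/0/1 shaper from post 6 onto the Internet-facing interface. This is an added example, not configuration posted in the thread; the names `uploadmap` and `uploadscheduler` and the 2m rate are assumptions. The shaper applies to all traffic through ge-0/0/0, so it sets one shared upload ceiling rather than a per-host limit.

```junos
interfaces {
    ge-0/0/0 {
        /* required for a unit-level scheduler-map, as on ge-0/0/1 in post 6 */
        per-unit-scheduler;
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 1;
            }
        }
    }
}
class-of-service {
    interfaces {
        ge-0/0/0 {
            unit 0 {
                /* hypothetical map name; 2m is a constructed sample rate */
                scheduler-map uploadmap;
                shaping-rate 2m;
            }
        }
    }
    scheduler-maps {
        uploadmap {
            forwarding-class best-effort scheduler uploadscheduler;
        }
    }
    schedulers {
        /* hypothetical scheduler name, same shape as slowscheduler in post 6 */
        uploadscheduler {
            shaping-rate 2m;
        }
    }
}
```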


  • 8.  RE: Layer 2 Rate Limiting on Interface

    Posted 04-21-2015 09:03

    Wouldn't that restrict upload no matter whether the traffic is originating from ge-0/0/1 or fe-0/0/2? I would like the hosts on those two interfaces to have different upload limits.



  • 9.  RE: Layer 2 Rate Limiting on Interface

     
    Posted 04-21-2015 09:28
    You are correct, this will affect all traffic through ge-0/0/0.
    Your requirement looks difficult/not possible with transparent mode (at least for current Junos versions).


  • 10.  RE: Layer 2 Rate Limiting on Interface

    Posted 04-21-2015 09:51

    Thank you. It helps just as much to know what's not (easily) doable.