Hi,
I got a Juniper SRX 210 from work to study for the JNCIA/JNCIS-SEC exams.
I'm trying to use a policer for CoS but can't get it to work for some reason.
I want to limit the DMZ to 5Mbps over the internet, so I've made a policer to limit to 5 megabits.
I thought it would be best to use a filter in the inbound direction of the WAN interface (pppoe) to prevent unnecessary processing before the unit drops packets. So I've matched the destination address of the DMZ in the filter, but it does not work.
Here's the configuration:
family inet {
    filter RATE-LMT-INET-2-DMZ {
        term MATCH-DMZ {
            from {
                destination-address {
                    192.168.40.0/24;
                    192.168.20.0/24;
                }
            }
            then policer RATE-LMT-5M;
        }
        term NO-RATE-ELSE {
            then accept;
        }
    }
}
policer RATE-LMT-5M {
    if-exceeding {
        bandwidth-limit 5242880;
        burst-size-limit 1048576;
    }
    then discard;
}
pp0 {
    unit 0 {
        ppp-options {
            pap {
                local-name "******";
                local-password "******"; ## SECRET-DATA
                passive;
            }
        }
        pppoe-options {
            underlying-interface ge-0/0/0.0;
            idle-timeout 0;
            auto-reconnect 10;
            client;
        }
        family inet {
            filter {
                input RATE-LMT-INET-2-DMZ;
            }
        }
    }
}
Did I get the configuration wrong? Or maybe stateless filters occur before NAT, which is why destination addresses wouldn't work?
Amit K.