SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Policer

    Posted 07-26-2014 07:50

    Hi,

    I got a Juniper SRX 210 from work to study for the JNCIA/JNCIS-SEC exams.

    I'm trying to use a policer for CoS but can't get it to work for some reason.

    I want to limit the DMZ to 5 Mbps over the internet, so I've made a policer to limit to 5 megabits.

    I thought it would be best to use a filter in the inbound direction of the WAN interface (PPPoE) to prevent unnecessary processing before the unit drops packets. So I've matched the destination address of the DMZ in the filter, but it does not work.

    Here's the configuration:

    family inet {
        filter RATE-LMT-INET-2-DMZ {
            term MATCH-DMZ {
                from {
                    destination-address {
                        192.168.40.0/24;
                        192.168.20.0/24;
                    }
                }
                then policer RATE-LMT-5M;
            }
            term NO-RATE-ELSE {
                then accept;
            }
        }
    }
    policer RATE-LMT-5M {
        if-exceeding {
            bandwidth-limit 5242880;
            burst-size-limit 1048576;
        }
        then discard;
    }

    pp0 {
        unit 0 {
            ppp-options {
                pap {
                    local-name "******";
                    local-password "******"; ## SECRET-DATA
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                idle-timeout 0;
                auto-reconnect 10;
                client;
            }
            family inet {
                filter {
                    input RATE-LMT-INET-2-DMZ;
                }
            }
        }
    }

    Did I get the configuration wrong? Or maybe stateless filters occur before NAT, which is why destination addresses wouldn't work.

    Amit K.



  • 2.  RE: Policer

    Posted 07-26-2014 08:12

    Hi,

    You are right, the stateless filter is applied before the security features (before NAT also).



  • 3.  RE: Policer

    Posted 07-26-2014 08:12

    I think you've got it with "maybe stateless filters occur before nat which is why destination addresses wouldnt work". The policer is hit before the flow services module is utilized:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16685

    As a test you could add a counter to the filter, under the then clause, and see if it is getting any hits. You could then remove the "from" portion so it should match all traffic and see if the counter is incrementing then.



  • 4.  RE: Policer

    Posted 07-26-2014 10:35

    Hi,

    Thanks for the replies.

    Is the only solution to apply the filter on the VLAN interface? Isn't all the processing up to the point it gets to the filter a waste of CPU?



  • 5.  RE: Policer
    Best Answer

    Posted 07-26-2014 21:23

    Hi Amitkor,

    I understand that you are applying a policer to limit the DMZ subnets to 5 MB.

    If there is NAT applied to the traffic (PPPoE), then applying the policer will not work.

    The reason is that return traffic will have the PPPoE IP address (NAT) as the destination, and the source is the internet IP address.

    So the inbound policer that you have configured will not work on the PPPoE interface.

    Maybe you can try applying an outbound filter on the DMZ interface to limit the bandwidth, but I am not sure that would be helpful.

    Regards
    rparthi

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
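    The processing order rparthi describes, modelled as an added Python example (not code from the thread or from Junos): a return packet from the internet passes the pp0 input filter before the flow module undoes source NAT, so a term matching the DMZ destination never fires there, while an output filter on the DMZ VLAN interface sees the private destination and polices it with the thread's policer values. The public address, the internet peer and the session entry are constructed placeholders.

```python
# Constructed values: the DMZ prefixes from the thread, a placeholder public
# address for pp0.0 and a placeholder internet peer.
DMZ_PREFIXES = ("192.168.40.", "192.168.20.")
PPPOE_IP = "203.0.113.10"
INTERNET_PEER = "198.51.100.7"

class Policer:
    """Token bucket with Junos policer semantics: bandwidth-limit in bit/s,
    burst-size-limit in bytes, traffic over the limit is discarded."""
    def __init__(self, bandwidth_limit, burst_size_limit):
        self.rate, self.burst = bandwidth_limit / 8, burst_size_limit  # bytes/s, bytes
        self.tokens, self.last = float(burst_size_limit), 0.0

    def conforms(self, size, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size > self.tokens:
            return False  # "then discard"
        self.tokens -= size
        return True

def policed_filter(policer, dst, size, now):
    """Term 'from destination-address <DMZ> then policer': returns (matched, discarded)."""
    if not dst.startswith(DMZ_PREFIXES):
        return False, False
    return True, not policer.conforms(size, now)

def simulate(packets, sessions, now=0.0):
    """SRX order for a return packet: input filter on pp0 -> flow module (undo
    source NAT) -> output filter on the DMZ VLAN interface."""
    pp0_in, vlan_out = Policer(5242880, 1048576), Policer(5242880, 1048576)
    stats = {"pp0_input_hits": 0, "vlan_output_hits": 0, "forwarded": 0, "discarded": 0}
    for src, dst, size in packets:
        # 1. input filter on pp0: dst is still the PPPoE address, so the term never matches
        hit, drop = policed_filter(pp0_in, dst, size, now)
        stats["pp0_input_hits"] += hit
        # 2. flow module: the session lookup rewrites dst back to the DMZ host; no session, no forward
        inside = sessions.get((src, dst))
        if drop or inside is None:
            stats["discarded"] += 1
            continue
        # 3. output filter on the DMZ interface sees the private destination and polices it
        hit, drop = policed_filter(vlan_out, inside, size, now)
        stats["vlan_output_hits"] += hit
        stats["discarded" if drop else "forwarded"] += 1
    return stats

# Constructed session: DMZ host 192.168.40.10 talks to the peer, source-NATed to pp0.
SESSIONS = {(INTERNET_PEER, PPPOE_IP): "192.168.40.10"}
RETURN_TRAFFIC = [(INTERNET_PEER, PPPOE_IP, 1500) for _ in range(1000)]
```

    With 1000 return packets of 1500 bytes arriving at once, the pp0 input term counts zero hits while the VLAN output term matches all of them and lets through only the 699 that fit the 1048576-byte burst.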



  • 6.  RE: Policer

    Posted 07-27-2014 09:19

    Hi rparthi,

    Your solution does work.

    Thanks.

    Regards,

    Amit K.