SRX


Rate limiting outbound traffic on SRX-3K

  • 1.  Rate limiting outbound traffic on SRX-3K

    Posted 07-20-2012 05:03

    Hi All,

     

    I noticed that on the High End SRX (11.4) I can't seem to apply a policer in a policy statement.  The <THEN policer> command is not there. I then read some info that suggested this is not supported on the SRX high end.

     

    How do you do something simple like rate-limit an outbound connection to the internet?

     

     



  • 2.  RE: Rate limiting outbound traffic on SRX-3K

    Posted 07-20-2012 07:05

    You can use the "shaping-rate" in class-of-service:

     

    http://www.juniper.net/techpubs/software/junos/junos91/swconfig-cos/shaping-rate.html

     

    interfaces {
        ge-0/0/0.0 {
            shaping-rate 9700000;
        }
    }

     



  • 3.  RE: Rate limiting outbound traffic on SRX-3K

    Posted 07-20-2012 08:09

    Is that all that would need to be set up, or is there a lot more to this config?  Essentially I just need it on egress to the internet.



  • 4.  RE: Rate limiting outbound traffic on SRX-3K

    Posted 07-20-2012 10:02

    Are you sure your policer doesn't have a then statement? Can you configure an IF statement? Also, it may be a simple oversight, but you need to define the name of a policer first before configuring the if/then statement. It would be hard to imagine that Juniper would leave out such important functions for the high-end SRX.

     

    BTW, you have to define a policy name first, i.e.:

     

    set firewall policer NAMEOFTHISPOLICER if/then statements.

     

    Also, I am not sure if the shaping rate needs an actual CoS profile to work. If it's not shaping correctly with just that statement, you may need to configure a simple CoS profile to mark all traffic and apply that shaping rate to a scheduler.



  • 5.  RE: Rate limiting outbound traffic on SRX-3K

    Posted 07-20-2012 10:09

    Hi twei

     

    Creating the policer is not the issue.  It's referencing the policer in a firewall filter, so I can apply it to an interface, that is the problem.

     

    See below how policer is not an option on the SRX-3600:

     

    root@SRX3600-A# set firewall family inet filter BWlimit term one then ?
    Possible completions:
      accept               Accept the packet
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      count                Count the packet in the named counter
    > discard              Discard the packet
      forwarding-class     Classify packet to forwarding class
      log                  Log the packet
      loss-priority        Packet's loss priority
      next                 Continue to next term in a filter
      prefix-action        Police or count packets using named prefix action
    > reject               Reject the packet
    > routing-instance     Packets are directed to specified routing instance
      sample               Sample the packet
      service-accounting   Count the packets for service accounting
      service-filter-hit   Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters
      syslog               System log (syslog) information about the packet
      topology             Packets are directed to specified topology

     



  • 6.  RE: Rate limiting outbound traffic on SRX-3K

    Posted 07-20-2012 10:12

    You apply the policer to the interface using

     

    set interface ge-0/0/0 unit 0 family inet policer [input/output] POLICERNAME

     

    Or are you trying to set the policer in a firewall policy?

     

    something like this: http://juniper.cluepon.net/Simple_policing

     

    If you're trying to filter a particular traffic type to adhere to an egress rate limit, check method 2 in the link. It uses a firewall filter for rate limiting.



  • 7.  RE: Rate limiting outbound traffic on SRX-3K

    Posted 07-20-2012 10:28

    I did not know you could apply a policer directly to an interface.

     

    I was following this example from the QoS guide on egress policing

     

    firewall {
        policer $policer_name$ {
            if-exceeding {
                bandwidth-limit $max_bandwidth$;
                burst-size-limit $bytes$;
            }
            then {
                discard;
            }
        }
        family $family_name$ {
            filter $filter_name$ {
                term $term_name$ {
                    from {
                        $match_conditions$;
                    }
                    then {
                        policer $policer_name$;
                        $other_actions$;
                    }
                }
            }
        }
    }
    interfaces {
        $interface_name$ {
            unit $unit_id$ {
                family $family_name$ {
                    filter {
                        output $filter_name$;
                    }
                }
            }
        }
    }

     



  • 8.  RE: Rate limiting outbound traffic on SRX-3K

    Posted 07-20-2012 10:37

    🙂 Hope you found a solution. We learn something new every day~

     

    Yeah, I've also read the QoS Day One book; the explanation is pretty good and all, but the configuration is quite convoluted for my taste lol.

     

    But yeah, I wasn't aware of the ability to apply a policer directly to an interface before (only learned about it a couple of weeks ago), and on top of that choose either input or output traffic. Very useful for just needing to control egress rate, because not every client/customer can afford symmetric bandwidth lines. 😉

     

    Also, can you try:

     

    set firewall filter FILTERNAME term TERMNAME then ?

     

    Do you see policer as an option there?

     

    I am still trying to figure out why Juniper would omit such a function from a high-end SRX... seems weird... But it's Juniper who also omits DHCP as a valid option in the zone policy lol... weird stuff.



  • 9.  RE: Rate limiting outbound traffic on SRX-3K

    Posted 07-20-2012 10:58

    Huh... well, it looks like the High End SRX does not support this as well..... wtf

     

    {primary:node0}[edit interfaces reth3]
    root@SRX-3600# set unit 0 family inet ?
    Possible completions:
      <[Enter]>            Execute this command
    > accounting           Configure interface-based accounting options
    > address              Interface address/destination prefix
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
    > dhcp                 Configure DHCP Client
    > filter               Packet filtering
      mtu                  Protocol family maximum transmission unit
      no-neighbor-learn    Disable neighbor address learning on interface
      no-redirects         Do not redirect traffic
      primary              Candidate for primary interface in system
    > rpf-check            Enable reverse-path-forwarding checks on this interface
    > sampling             Interface sampling
    > simple-filter        Filter for doing multifield classification
    > targeted-broadcast   Directed broadcast
    > unnumbered-address   Unnumbered interface address/destination prefix

     

     

    For fun I looked on my SRX-240 cluster and it IS there.

     

    root@SRX-240-A# set interfaces reth3 unit 0 family inet ?
    Possible completions:
      <[Enter]>            Execute this command
    > address              Interface address/destination prefix
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
    > dhcp                 Configure DHCP Client
    > filter               Packet filtering
      mtu                  Protocol family maximum transmission unit
      no-neighbor-learn    Disable neighbor address learning on interface
      no-redirects         Do not redirect traffic
    > policer              Interface policing
      primary              Candidate for primary interface in system
    > rpf-check            Enable reverse-path-forwarding checks on this interface
    > sampling             Interface sampling
    > simple-filter        Filter for doing multifield classification
    > targeted-broadcast   Directed broadcast
    > unnumbered-address   Unnumbered interface address/destination prefix
      |                    Pipe through a command

     



  • 10.  RE: Rate limiting outbound traffic on SRX-3K

    Posted 07-20-2012 11:28

    Wow... this looks like a big omission on Juniper's part... that's weird... Is it possible to use another JUNOS version like 12.1?

     

    I mean... what CAN YOU apply the policer to on the SRX 3K?

     

    Have you tried using the second method in the link I posted? It seems you CAN apply a filter to an interface, so try to apply the policer to a filter (before the family hierarchy), i.e.:

     

    set firewall filter FILTERNAME term TERMNAME then ?

     

    If that's possible, you can then use that filter and apply it to an interface.

     

    If that's not possible, you might have to do a simple CoS/QoS policy that will tag all traffic from your local devices, subject it to the same common pool, and apply a shaping rate.



  • 11.  RE: Rate limiting outbound traffic on SRX-3K

    Posted 07-23-2012 08:19

    With the 3600 you have to use simple filter policing.

     

    set firewall family inet simple-filter <filter name> term 1 then policer <policer name>
    set firewall policer <policer name> if-exceeding bandwidth-limit 140m
    set firewall policer <policer name> if-exceeding burst-size-limit 10m
    set firewall policer <policer name> then discard

     

    set interfaces <interface> unit <unit> family inet simple-filter input <filter name>



  • 12.  RE: Rate limiting outbound traffic on SRX-3K
    Best Answer

    Posted 07-23-2012 08:21

    Sorry, I didn't read the original post well enough.

     

    The simple filter only works on input. For output you will have to configure QoS and use the shaping-rate command.



  • 13.  RE: Rate limiting outbound traffic on SRX-3K

    Posted 07-23-2012 09:30

    Hey mkelly, do you have a basic example of this?  Seems every way I try I end up not being able to apply the commands, either because

     

    a) High End SRX

    b) Clustered

     

     

    And Twei, here is the output when I try to create a filter.  Whether the family is declared or not, the policer option is not there on High End:

     

    {primary:node0}[edit]
    root@SRX3600A# set firewall filter test term test then ?
    Possible completions:
      accept               Accept the packet
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      count                Count the packet in the named counter
    > discard              Discard the packet
      forwarding-class     Classify packet to forwarding class
      log                  Log the packet
      loss-priority        Packet's loss priority
      next                 Continue to next term in a filter
      prefix-action        Police or count packets using named prefix action
    > reject               Reject the packet
    > routing-instance     Packets are directed to specified routing instance
      sample               Sample the packet
      service-accounting   Count the packets for service accounting
      service-filter-hit   Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters
      syslog               System log (syslog) information about the packet
      topology             Packets are directed to specified topology
    
    
    
    root@SRX3600A# set firewall family inet filter test term test then ?
    Possible completions:
      accept               Accept the packet
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      count                Count the packet in the named counter
    > discard              Discard the packet
      forwarding-class     Classify packet to forwarding class
      log                  Log the packet
      loss-priority        Packet's loss priority
      next                 Continue to next term in a filter
      prefix-action        Police or count packets using named prefix action
    > reject               Reject the packet
    > routing-instance     Packets are directed to specified routing instance
      sample               Sample the packet
      service-accounting   Count the packets for service accounting
      service-filter-hit   Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters
      syslog               System log (syslog) information about the packet
      topology             Packets are directed to specified topology

     

     

    Thanks

     

     



  • 14.  RE: Rate limiting outbound traffic on SRX-3K

    Posted 07-23-2012 12:26

    Sorry, my post may not have been clear as to the direction of the policer needed.  I just need to keep one of my firewalls from eating up all my internet pipe.

     

    So this would mean I need an input filter on my external interface.  I want to give only 5 Mbps of bandwidth to users behind that firewall.

     

    As for your earlier suggestion mkelly, that command does not work on a 3600.  All issues seem to stem from the fact that the way to do this is not supported on a 3600.  You can't seem to be able to create a policer of any kind.

     

    root@SRX3600# edit firewall family inet simple-filter TEST-LIMIT term one then ?
    Possible completions:
      <[Enter]>            Execute this command
    > three-color-policer  Police the packet using a three-color-policer
      |                    Pipe through a command

     



  • 15.  RE: Rate limiting outbound traffic on SRX-3K

     
    Posted 07-23-2012 23:26

    eadlind@srx3600# set firewall family inet simple-filter aoeu term 1 then policer ?
    Possible completions:
    <policer> Name of policer to use to rate-limit traffic

     

    Works here; do set instead of edit 🙂


    JUNOS Software Release [11.4R2.14]
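    Pulling the thread together, here is the full set-command configuration for the scenario discussed above, as an added example that is not from any post: a simple-filter policer on the input side of the external interface for the 5 Mbps limit the original poster needs, and a CoS shaping-rate for the outbound direction that the best answer describes. The interface reth3, the 5 Mbps rate, the burst size and all object names are assumptions; the per-unit-scheduler line is also an assumption, since on many platforms a unit-level shaping-rate has no effect without it, and the # lines are explanatory comments rather than CLI input.

```junos
# Policer: 5 Mbps, burst sized for roughly 100 ms at that rate (5,000,000 b/s * 0.1 s / 8 = 62,500 bytes); assumed values
set firewall policer LIMIT-5M if-exceeding bandwidth-limit 5m
set firewall policer LIMIT-5M if-exceeding burst-size-limit 62500
set firewall policer LIMIT-5M then discard

# Simple filter that hands every packet to the policer (no "from" clause, so the term matches all traffic)
# Note "set", not "edit": as post 15 points out, the policer keyword only completes under set
set firewall family inet simple-filter INBOUND-LIMIT term one then policer LIMIT-5M

# Simple filters are input-only; apply it to the external (untrust) interface, assumed here to be reth3.0
set interfaces reth3 unit 0 family inet simple-filter input INBOUND-LIMIT

# Outbound direction: shape with CoS rather than police (assumption: per-unit-scheduler is required for a unit-level shaping-rate)
set interfaces reth3 per-unit-scheduler
set class-of-service interfaces reth3 unit 0 shaping-rate 5m

# Checks after commit: CoS state of the interface, and policer/filter counters
show class-of-service interface reth3
show firewall
```

    If the inbound policer should only cover the users behind one firewall rather than all traffic on the interface, add a from clause matching their prefix to term one and a second term that accepts everything else.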



  • 16.  RE: Rate limiting outbound traffic on SRX-3K

    Posted 07-24-2012 05:52

    ...Facepalm....

     

    Yep that works....

     

    Thanks!



  • 17.  RE: Rate limiting outbound traffic on SRX-3K

    Posted 02-04-2014 07:01

    Hello Guys,

     

    Please, I am new to Juniper SRX and am having a bit of trouble. How do I limit the rate of download on my SRX650 firewall? I want to limit the download to as low as 2 kbps, but surfing the internet should be normal and fast. It's only the download speed that I want reduced to 2 kbps..... Can I get the step-by-step configuration (set commands) for the SRX650? Thanks