SRX Services Gateway
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
tbjornli
Visitor
tbjornli
Posts: 6
Registered: ‎03-24-2011
0

Traffic Shaping / Bandwidth limit per address

Options

‎06-09-2011 04:24 AM

First of all, I've tried to search the forum bu I can't seem to find any good examples.

We're currently setting up our two SRX3400 (cluster active/passive) but I can't quite figure out how to configure traffic shaping. We need to be able to limit bandwidth per IP-adress and I've tried with both COS and policier.

 

reth0 is configured as internet and reth1 is configured as localnet. On the localnet we've got 192.168.1.0/24 and every single IP (server) has it's own policy. We now need to be able to set an bandwidth-policy for every IP.

 

Can anyone provide me with an example how to configure a basic bandwidth policy for each IP?

192.168.1.2 = 1 Mbit incoming / 1 Mbit outgoing

192.168.1.3 = 2 Mbit incoming / 2 Mbit outgoing

 

If further information is needed please let me know and I will update this post.



Thanks in advance.

 

--

Tom

--
Tom Bjørnli
Message 1 of 5 (3,596 Views)
 
Reply
Recognized Expert
Recognized Expert
rasmus
Posts: 342
Registered: ‎02-28-2010
0

Re: Traffic Shaping / Bandwidth limit per address

[ Edited ]
Options

‎06-09-2011 08:04 AM - edited ‎06-09-2011 08:06 AM

please try

 

set firewall policer policer-1m if-exceeding bandwidth-limit 1m

set firewall policer policer-1m if-exceeding burst-size-limit 15k

set firewall policer policer-1m then discard

 

set firewall policer policer-2m if-exceeding bandwidth-limit 2m

set firewall policer policer-2m if-exceeding burst-size-limit 15k

set firewall policer policer-2m then discard



 

set firewall family ethernet-switching filter input-limit term 1 from source-address 192.168.1.2/24
set firewall family ethernet-switching filter input-limit term 1 then policer policer-1m

set firewall family ethernet-switching filter input-limit term 1 then accept

set firewall family ethernet-switching filter input-limit term 2 from source-address 192.168.1.3/24
set firewall family ethernet-switching filter input-limit term 2 then policer policer-2m

set firewall family ethernet-switching filter input-limit term 2 then accept

set firewall family ethernet-switching filter input-limit term 3 then accept




set firewall family ethernet-switching filter output-limit term 1 from source-address 192.168.1.2/24
set firewall family ethernet-switching filter output-limit term 1 then policer policer-1m

set firewall family ethernet-switching filter output-limit term 1 then accept

set firewall family ethernet-switching filter output-limit term 2 from source-address 192.168.1.3/24
set firewall family ethernet-switching filter output-limit term 2 then policer policer-2m

set firewall family ethernet-switching filter output-limit term 2 then accept

set firewall family ethernet-switching filter output-limit term 3 then accept


set interfaces ge-0/0/x unit 0 family inet source-address 192.168.1.1/24 filter input input-limit

set interfaces ge-0/0/x unit 0 family inet source-address 192.168.1.1/24 filter output output-limit

 

 

regards

Hafiz Muhammad Farooq
JNCIP-SEC, JNCIS-SEC, JNCIS-FWV, JNCIS-SP, JNCIA-JUNOS
RHCE, Oracle Certified Professional

[Please mark it as Accepted Solution if it works, Kudos if you like]

Message 2 of 5 (3,586 Views)
 
Reply
tbjornli
Visitor
tbjornli
Posts: 6
Registered: ‎03-24-2011
0

Re: Traffic Shaping / Bandwidth limit per address

Options

‎06-10-2011 01:15 AM

Thank you for your quick reply, however not all of those commands are available on our SRX 3400 which runs Junos 10.2S7

 

set firewall policer policer-1m if-exceeding bandwidth-limit 1m
set firewall policer policer-1m if-exceeding burst-size-limit 15k
set firewall policer policer-1m then discard

Works fine



set firewall family ethernet-switching filter input-limit term 1 from source-address 192.168.1.2/24

ethernet-switching is not available, the only possible options are any, bridge, inet, inet6

I tried using inet: set firewall family inet filter input-filter term 1 then policier policier-1m but then policier statement isn't available. After som research I found that the then policier however works with simple-filter so the following commands works fine (I don't know if I can use simple-filter tho')

 

set firewall family inet simple-filter input-limit term 1 from source-address 192.168.1.2
set firewall family inet simple-filter input-limit term 1 then policer policier-1m
set firewall family inet simple-filter input-limit term 1 then accept
set firewall family inet simple-filter input-limit term 2 then accept

 

The source-address is not an option for the set interface-statement.

I've looked through the options for set interfarce reth0 unit 0 family inet (also tried ge-0/0/x) but I can't seem to find a way to define source-address and filter as you did in your example.

 

Any ideas?

 

 

 

--
Tom Bjørnli
Message 3 of 5 (3,568 Views)
 
Reply
tbjornli
Visitor
tbjornli
Posts: 6
Registered: ‎03-24-2011
0

Re: Traffic Shaping / Bandwidth limit per address

Options

‎06-18-2011 05:01 AM

bump

--
Tom Bjørnli
Message 4 of 5 (3,501 Views)
 
Reply
Super Contributor
motd
Posts: 221
Registered: ‎12-16-2008
0

Re: Traffic Shaping / Bandwidth limit per address

Options

‎06-19-2011 02:48 AM

On the SRX3K you will indeed have to use the simple-filter. The config looks good so far, all that needs to be done is applying it on an interface:

 

set interface rethX unit Y family inet simple-filter input <filter name>

Message 5 of 5 (3,490 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.