Screen OS


Juniper SSG5 Traffic Shaping by IP - Not working!

  • 1.  Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 07-19-2012 07:24

    Hello all,

     

    I have a Juniper SSG5 with firmware version 6.3.0r9.0. I set up two policies to throttle a specific IP address, we'll say 10.0.0.1. So, I did:

     

    Untrust to Trust:

    Source: Any

    Destination: 10.0.0.1/24

    Action: Permit

    Advanced: Traffic Shaping Enabled, Maximum Bandwidth 100kbps

     

    Trust to Untrust:

    Source: 10.0.0.1/24

    Destination: Any

    Action: Permit

    Advanced: Traffic Shaping Enabled, Maximum Bandwidth 100kbps

     

    However, when I test it I can still download at well over 600kbps. Under Policies > Traffic Shaping it's set to Auto.

     

    Any help is greatly appreciated.

     

    Thanks



  • 2.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

     
    Posted 07-19-2012 08:06

    I found some strange anomalies with the SSG5 policies when configuring for particular devices or networks. In the "advanced" options for the policy, where the traffic shaping is, I included NATting and it would not work... However, when I made an address book entry for each location and then assigned them to address groups and added these into the policy, voila, it worked, so it might be an idea to try that.

     

    So, add in the device IP to an address book entry and then add this entry to the policy and see if that works.



  • 3.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 07-19-2012 08:16

    For the Untrust to Trust policy, instead of Maximum bandwidth use Policing bandwidth (pbw), since this drops traffic at the ingress side. Shouldn't matter, but I always set a Guaranteed bandwidth (normally use 1/2 to 1/4 of desired max) along with a Policing or Maximum bandwidth. Also, your example references a /24 subnet, which is more than just the 10.0.0.1 IP address.



  • 4.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 07-19-2012 08:24

    Jcollazo,

     

    The IP is 10.0.0.37 so I put /8 and also put the Policing bandwidth to 100. However, I still get 10mb down and 500kb up.



  • 5.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 07-19-2012 08:27

    This works perfectly fine for me, do you not have a guaranteed BW that is conflicting?

    Furthermore, did you try setting "policing BW" to see if that makes a difference at all?

    Maybe an obvious question, but are you downloading from a PC in that subnet used by the policy? And if you go into Reports -> Policies and click on the cannon symbol, what do you see there if you download, and for the "Maximum BW" line?



  • 6.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 07-19-2012 08:38

    I set policing and I'm going off of speedtest.net. If I'm downloading and I click on the cannon symbol the "maximum" line is at 150 KBits per second, but I don't see any line that's showing exactly where it's running. 



  • 7.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 07-23-2012 05:15

    Hi, if you set the maximum bandwidth to 100 kbps then the maximum bandwidth line should be set to 100 kbps if you click on the traffic shaping "cannon" graph. Now while you are on that graph and if you start your download (i.e. something from cnet) and then if you click refresh while downloading, what is the download speed of the traffic?

    FYI I did a test here on a policy with 100 kbps set as maximum BW and got a download speed on speedchecker of 0.086 Mb/s = 88 kbps and an upload speed of 0.876 Mb/s = 897 kbps.

    When I was working on this I always thought upload restriction is inaccurate/wrong.

    Also on the subnet question, yes /24 would include the whole subnet even if it is not the first host address, like 10.0.0.37.

    /24 = 255.255.255.0 (the 24 represents the number of bits turned on in each octet)



  • 8.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 07-23-2012 07:42

    Stac,

     

    I set up 100kbps as maximum bandwidth and when I go to the traffic shaping graph, the "In traffic" line is at 100kbps. However, when I start to download something and refresh the graph, it doesn't show up on the graph at all. This is using 10.0.0.37/24. I tried using 10.0.0.37/32 with the same result. Under Policy > Policy Elements > Traffic Shaping it's set to Auto.

     

    I've attached a screenshot of the graph.

     

    Thanks

     

     



  • 9.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 07-24-2012 03:14

    Chris,

     

    Thank you for supplying the cannon.jpg graph, I can see what your problem is now.

    You need to set up a new policy from Trust zone to Untrust zone where Source is Trust/10.0.0.37/24

    and Destination is Untrust/Any. Then apply the Traffic shaping to that new policy.

    You have things the wrong way around now.



  • 10.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 07-24-2012 05:04

    Stac,

     

    Thanks for the reply. I did what you said and it's still not throttling. I've tried using the maximum bandwidth and policing bandwidth settings with no luck. I've attached a screenshot of my download speed as well as my graph.

     

    I appreciate all your help!



  • 11.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 07-24-2012 06:43

    Chris,

     

    When you recreate policy 32, did you check the box "position at top"?

    I believe policy 32 is not being reached somehow as when you download there is no traffic.

    There must be a policy higher up on the list that is being used when you download.

    To prove this we should really go through a debug flow basic and set a src and dst IP, but try "position at top" for now.



  • 12.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 07-24-2012 07:06

    Stac,

     

    When I check the "position at top" box, it works but it limits everyone's bandwidth, instead of just the one IP.



  • 13.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!
    Best Answer

    Posted 07-24-2012 07:27

    Chris,

     

    That's where you need to use 10.0.0.37/32

    Edit policy 32 and choose as Source 10.0.0.37/32 and it won't limit the other people in subnet 10.0.0.0/24.

    As I suspected, you have a policy lower down in the list, say policy x, and when it wasn't working before, 10.0.0.37 was using this policy and it was never reaching policy 32.

    If you want to limit individual addresses or a subset in subnet 10.0.0.0/24 you have to make sure that these policies are higher in the list than policy x.
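
The behaviour worked out in this thread (first matching policy wins, and a host address entered with /24 covers the whole subnet) modelled as an added example that is not part of the original posts. Policy ID 1 as a general permit, the host 10.0.0.50, and the source-only matching (destination Any, service Any) are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Policy(NamedTuple):
    pid: int                      # policy ID (32 is from the thread; 1 is hypothetical)
    src: ipaddress.IPv4Network    # source address entry
    mbw_kbps: Optional[int]       # maximum bandwidth in kbps, None = no shaping

def policy(pid, src, mbw_kbps=None):
    # strict=False mirrors entering a host address with a subnet mask:
    # 10.0.0.37/24 is treated as the whole 10.0.0.0/24 network.
    return Policy(pid, ipaddress.ip_network(src, strict=False), mbw_kbps)

def first_match(policies, src_ip):
    """Walk the list top-down and return the first policy whose source covers src_ip."""
    addr = ipaddress.ip_address(src_ip)
    for p in policies:
        if addr in p.src:
            return p
    return None

def shadowed(policies):
    """IDs of policies that can never be reached because an earlier one covers their source."""
    return [later.pid for i, later in enumerate(policies)
            if any(later.src.subnet_of(earlier.src) for earlier in policies[:i])]

# Constructed Trust-to-Untrust policy lists (destination Any, service Any assumed).
PERMIT_ALL = policy(1, "0.0.0.0/0")
BELOW = [PERMIT_ALL, policy(32, "10.0.0.37/24", 100)]    # shaping policy under the general one
TOP_24 = [policy(32, "10.0.0.37/24", 100), PERMIT_ALL]   # "position at top" with /24
TOP_32 = [policy(32, "10.0.0.37/32", 100), PERMIT_ALL]   # "position at top" with /32

if __name__ == "__main__":
    for name, plist in (("below", BELOW), ("top /24", TOP_24), ("top /32", TOP_32)):
        for host in ("10.0.0.37", "10.0.0.50"):
            hit = first_match(plist, host)
            print(f"{name:8} {host:10} -> policy {hit.pid}, mbw={hit.mbw_kbps}")
        print(f"{name:8} unreachable policies: {shadowed(plist)}")
```

The same `shadowed` check is useful when auditing any first-match rule list: a narrower rule placed under a broader one never takes effect.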



  • 14.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 07-24-2012 07:47

    Stac,

     

    That was exactly it. Thank you so much for sticking around and helping!



  • 15.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 07-24-2012 13:25

    Just out of curiosity, if you put multiple IP addresses in the "source" and set a maximum bandwidth to 200kbps, does this divide 200kbps amongst the IP addresses? For example, if there are 5 IPs would they have to share 200kbps?

     

    Thanks again,

    Chris



  • 16.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 07-19-2012 08:46

    If I run ipconfig /all my subnet mask is 255.255.255.0 which is why I had /24. The /24 on the end of 10.0.0.37/24 is correct then right?



  • 17.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 07-20-2012 19:39

    I've tested this on one of my netscreens and find you have to define your ingress and egress bandwidth on the interface that connects to the internet, then your traffic shaping policy will work.

     

    Also, if you only want the policy to apply to the single address of 10.0.0.37 then you must use a /32 (255.255.255.255).

     

    Good Luck



  • 18.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 07-23-2012 07:59

    cdljel,

     

    If this is the only way to do it can I put a number that's well above what our bandwidth is supposed to be? For example, we pay for 5mb down/1mb up but we get faster than that. If I put something like 50down/50up it won't mess anything up will it? 



  • 19.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 07-24-2012 17:48
    They will share, and not necessarily equally at that.


  • 20.  RE: Juniper SSG5 Traffic Shaping by IP - Not working!

    Posted 12-19-2014 12:10

    I am trying to do something almost identical to this. When creating the policy I don't see the "Advance" option anywhere to apply the traffic shaping. I have an SSG20. Your help is much appreciated.