Ethernet Switching

Rate-Limiting Question for ex-4200 by Vlan

‎03-03-2011 01:35 PM

Hi everyone, I am trying to figure out how to create a config for an ex4200 that rate-limits the customers on a switch behind the ex4200. Basically all the customers are built on an LRE switch behind the ex4200. We want to rate-limit the customers as the packets enter the ex4200, and not in the router. We also only want to do it at layer 2 by vlan, since all the vlans are coming in to the ex4200 on one trunk port and going out one trunk port to the router. I have got the ex4200 to rate-limit based on the source IP addr. I can not figure out how to rate-limit by vlan.

I am very new to Juniper and I know Cisco and Brocade. This is very different and it is frustrating. I don't understand the filter process as a firewall. Also, like I said, I got it working on IP addresses but we need to do the rate limit at layer 2 by vlan. PLEASE HELP!! Thanks.

Here is my full config; we are only using ports g0/0/0.0 and g0/0/1.0. Please help me, what am I doing wrong?


## Last commit: 2008-07-04 06:07:48 UTC by root
version 9.1R1.8;
system {
    root-authentication {
        encrypted-password bJuR5znljWPJI;
    }
    login {
        user admin {
            full-name admin;
            uid 2009;
            class super-user;
            authentication {
                encrypted-password ----------;
            }
        }
    }
    services {
        ssh;
        telnet;
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        description ManagmentCIP;
        mtu 1524;
        ether-options {
            no-auto-negotiation;
            no-flow-control;
            link-mode full-duplex;
            speed {
                100m;
            }
        }
        unit 0 {
            description ManagementCIP;
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
                native-vlan-id default;
                filter {
                    input Rate-Limiting;
                }
            }
        }
    }
    ge-0/0/1 {
        description TrunkTOCat;
        mtu 1524;
        ether-options {
            no-auto-negotiation;
            no-flow-control;
            link-mode full-duplex;
            speed {
                100m;
            }
        }
        unit 0 {
            description TrunkTOCat;
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
                native-vlan-id default;
                filter {
                    input Rate-Limiting;
                }
            }
        }
    }
    ge-0/0/2 {
        description 43790002;
        mtu 1524;
        ether-options {
            no-auto-negotiation;
            no-flow-control;
            link-mode full-duplex;
            speed {
                100m;
            }
        }
        unit 0 {
            description 43790002;
            family ethernet-switching {
                port-mode access;
                vlan {
                    members Cust2;
                }
            }
        }
    }
    ge-0/0/3 {
        description 43790003;
        mtu 1524;
        ether-options {
            no-auto-negotiation;
            no-flow-control;
            link-mode full-duplex;
            speed {
                100m;
            }
        }
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    vlan {
        unit 0 {
            family inet {
                mtu 1524;
                address 192.168.1.2/24 {
                    broadcast 192.168.1.255;
                }
            }
        }
        unit 2 {
            family inet {
                address 192.168.2.5/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.2.1;
    }
}
protocols {
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
    rstp;
}
firewall {
    policer 1.5MEG {
        if-exceeding {
            bandwidth-limit 1536000;
            burst-size-limit 288k;
        }
        then discard;
    }
    policer 10MEG {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 128k;
        }
        then discard;
    }
    policer 20MEG {
        if-exceeding {
            bandwidth-limit 20m;
            burst-size-limit 256k;
        }
        then discard;
    }
    family ethernet-switching {
        filter Rate-Limiting {
            term 1.5MEG {
                from {
                    dot1q-tag 101;
                }
                then {
                    forwarding-class best-effort;
                    loss-priority high;
                    policer 1.5MEG;
                }
            }
            term 10MEG {
                from {
                    source-address {
                        10.10.2.0/24;
                    }
                }
                then {
                    forwarding-class best-effort;
                    loss-priority high;
                    policer 10MEG;
                }
            }
            term 20MEG {
                from {
                    vlan Cust3;
                }
                then {
                    forwarding-class best-effort;
                    loss-priority high;
                    policer 20MEG;
                }
            }
            term ALL {
                then {
                    forwarding-class best-effort;
                    loss-priority high;
                }
            }
        }
    }
}
ethernet-switching-options {
    voip;
}
vlans {
    Cust1 {
        description 43790001;
        vlan-id 101;
    }
    Cust2 {
        description 43790002;
        vlan-id 102;
        interface {
            ge-0/0/2.0;
        }
    }
    Cust3 {
        description 43790003;
        vlan-id 103;
        interface {
            ge-0/0/3.0;
        }
    }
    default {
        vlan-id 2;
        l3-interface vlan.2;
    }
    mgmt;
    vln;
}
poe {
    interface all;
}

 


Re: Rate-Limiting Question for ex-4200 by Vlan

‎03-06-2011 06:25 PM

Hi viperbmw69,

I don't show you applied the filters on the VLAN, can you show a configuration with the filter applied to the vlan?

Set vlan "name" filter input "name" output "name".

 

-Adam


Re: Rate-Limiting Question for ex-4200 by Vlan

‎05-05-2011 11:27 PM

Hi

See the solution on juniperlab.blogspot.com. There you can find explanations and config.....

 

 

regards,

Vadim Bogatov

JNCIA Junos


Re: Rate-Limiting Question for ex-4200 by Vlan

‎05-06-2011 05:25 AM

For rate limiting you will use the "Firewall Filter" feature. These are not stateful firewalls but are similar to Cisco access lists that block or permit access at the packet level. They also implement policers for bandwidth limiting.

The documentation examples for firewall filters are here.

http://www.juniper.net/techpubs/en_US/junos10.4/topics/example/firewall-filter-ex-series-configuring...

http://www.juniper.net/techpubs/en_US/junos10.4/topics/task/configuration/firewall-filter-ex-series-...


The specific filter for rate limiting is outlined in kb14250 as an example to copy.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB14250

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Rate-Limiting Question for ex-4200 by Vlan

‎05-06-2011 11:02 AM

To filter at the VLAN level you simply need to apply the filter to the appropriate VLAN. Just as you would apply it to a logical I/F -

 

set vlans v11 vlan-id 11 filter Rate-Limiting ......

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

Re: Rate-Limiting Question for ex-4200 by Vlan

‎12-16-2013 11:30 AM

From your statement:

 

"To filter at the VLAN level you simply need to apply the filter to the appropriate VLAN. Just as you would apply it to a logical I/F -

 

set vlans v11 vlan-id 11 filter Rate-Limiting ......"

 

I've tried to do some testing, and it seems that the filter cannot be applied to the vlans hierarchy, only under the RVI, and this is because the vlans will only allow an "ethernet-switching" type filter. Is this correct?

Now, I've tried the configuration and I can apply the action "then policer" under the ethernet-switching filter, but the policer is not applicable under this; it seems like it is not supported on the ethernet-switching filter.

Is this expected behavior? Is it correct to say that a policer for rate limiting can only be applied on the RVI, and if not, do you know how to configure an ethernet-switching filter and then apply a policer for rate limiting? Even better, has anyone come up with a configuration guide other than the ones already posted??

 

Thanks in advance for the help!


Re: Rate-Limiting Question for ex-4200 by Vlan

[ Edited ]
‎12-16-2013 10:43 PM

 

The policer is only responsible for the rate-limiting of the traffic. It is the firewall filter that you would use to set the match condition for the vlan, and when there is a match, the action is to apply the policer.

 

How about trying this method? Create the firewall filter and set the match from the vlan and then apply the firewall filter to the trunk port that carries the vlans?

lab@exA-2# show | display set
set firewall family ethernet-switching filter ratelimit-vlans term vlan200 from vlan v200
set firewall family ethernet-switching filter ratelimit-vlans term vlan200 then policer rate-limit-vlan
set firewall family ethernet-switching filter ratelimit-vlans term accept-othervlans then accept
set firewall policer rate-limit-vlan if-exceeding bandwidth-limit 10m
set firewall policer rate-limit-vlan if-exceeding burst-size-limit 200k
set firewall policer rate-limit-vlan then discard

(Use "then loss-priority" instead of "then discard" if that is your choice.)

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

Re: Rate-Limiting Question for ex-4200 by Vlan

‎05-28-2020 05:50 PM

I am also looking for this solution.

Have you got an idea how we limit the bandwidth/speed for a specific vlan only, not the RVI?


Re: Rate-Limiting Question for ex-4200 by Vlan

‎05-28-2020 07:02 PM

Hi hendranata,

 

You can use the below config to apply a firewall filter (with policer config) in the input/output direction for a vlan:

edit vlans

set <vlan name> vlan-id # forwarding-options filter input <ingress filter name>

set <vlan name> vlan-id # forwarding-options filter output <egress filter name>

 

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/firewall-filter-ex-serie...

 

https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-ex-series-configuri...

 

 

BR,

Vishal

 

 

PS: Please accept my response as solution if it answers you query, kudos are appreciated too!


Re: Rate-Limiting Question for ex-4200 by Vlan

‎05-28-2020 07:14 PM
Thanks for the update.
Can you give me an example for an EX2300?

Assume I want to limit vlan 101 to 50mbps and vlan 102 to 200mbps.
Both vlans are located under ge-0/0/1.

Can you give me the proper configuration for the speed limit?

Thanks before.

Re: Rate-Limiting Question for ex-4200 by Vlan

‎05-28-2020 08:29 PM

You can use the below config snippet

 

Create the policer config :
==============================
set firewall policer rate-limit-vlan if-exceeding bandwidth-limit 50m
set firewall policer rate-limit-vlan if-exceeding burst-size-limit <choose a burst size if applicable>
set firewall policer rate-limit-vlan then discard


Apply the policer to the vlan
===============================
## a policer is only called from a filter term, so the filter is what gets applied to the vlan
set firewall family ethernet-switching filter rate-limit-vlan-filter term vlan101 from vlan vlan101
set firewall family ethernet-switching filter rate-limit-vlan-filter term vlan101 then policer rate-limit-vlan
set firewall family ethernet-switching filter rate-limit-vlan-filter term accept-rest then accept
set vlans vlan101 vlan-id 101 filter input rate-limit-vlan-filter

 

 

BR,

Vishal

 

 

PS: Please accept my response as solution if it answers you query, kudos are appreciated too!
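The full pattern for the two rates asked about above (vlan 101 at 50m and vlan 102 at 200m, both carried on trunk ge-0/0/1), as an added example that is not from any poster in this thread: one policer per rate, one ethernet-switching filter whose terms match each vlan and hand it to its policer, and an explicit accept term at the end, because a filter with no catch-all term discards everything its other terms do not match. The policer, filter and vlan names and the burst sizes (roughly 100 ms of traffic at each rate) are assumptions; on ELS platforms such as the EX2300 the vlan-level apply statement is "forwarding-options filter input" rather than "filter input", as noted elsewhere in the thread.

```junos
## Added example, not from this thread. Names and burst sizes are assumptions.
## One policer per rate; traffic above the limit is discarded.
set firewall policer police-50m if-exceeding bandwidth-limit 50m
set firewall policer police-50m if-exceeding burst-size-limit 625k
set firewall policer police-50m then discard
set firewall policer police-200m if-exceeding bandwidth-limit 200m
set firewall policer police-200m if-exceeding burst-size-limit 2500k
set firewall policer police-200m then discard

## One layer-2 filter: each term matches a vlan and sends it to its policer.
set firewall family ethernet-switching filter ratelimit-vlans term vlan101 from vlan vlan101
set firewall family ethernet-switching filter ratelimit-vlans term vlan101 then policer police-50m
set firewall family ethernet-switching filter ratelimit-vlans term vlan102 from vlan vlan102
set firewall family ethernet-switching filter ratelimit-vlans term vlan102 then policer police-200m
## Without this term the implicit discard at the end of the filter drops every other vlan.
set firewall family ethernet-switching filter ratelimit-vlans term accept-rest then accept

## The vlans, with the filter applied on ingress to each one.
set vlans vlan101 vlan-id 101
set vlans vlan101 filter input ratelimit-vlans
set vlans vlan102 vlan-id 102
set vlans vlan102 filter input ratelimit-vlans

## Alternative: apply the same filter once on the trunk port that carries both vlans;
## any other vlan on the trunk falls through to the accept-rest term and is not policed.
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input ratelimit-vlans
```

After committing, "show firewall" lists the filter and its policers with their packet counters, which is the quickest way to confirm that the terms are matching the intended vlans.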


Re: Rate-Limiting Question for ex-4200 by Vlan

‎05-28-2020 08:59 PM

I got the idea..

However, if we want to limit vlan 100 and vlan 101 to 100mbps together (a combined max speed limit of 100mbps), how do we achieve that?

Thanks


Re: Rate-Limiting Question for ex-4200 by Vlan

[ Edited ]
‎05-28-2020 09:21 PM

I don't think we can combine vlans and then apply a policer to it.

 

The policer can be applied on either a port, a vlan or an RVI. As a workaround, you can apply the below filter on the ports that have the VLANs allowed:

 

+ firewall {
+     family ethernet-switching {
+         filter vlan_match {                  ## apply this filter on ports where the vlans are allowed
+             term match_vlan {
+                 from {
+                     vlan [ 100 200 ];        ## match the group of vlans whose rate you want to police
+                 }
+                 then policer test_rate_limit;   ## apply the policer to incoming traffic that matches the vlans
+             }
+             term accept_rest {               ## needed: a filter ends in an implicit discard, so other vlans on the port would be dropped
+                 then accept;
+             }
+         }
+     }
+     policer test_rate_limit {
+         if-exceeding {
+             bandwidth-limit 100m;
+             burst-size-limit 100k;
+         }
+         then discard;
+     }
+ }

The problem is, you will need to apply this config to all the ports where even a single vlan from the group is allowed. So, I am not sure if you will find this scalable enough, but you can try this out and let me know if it works.

 

 

BR,

Vishal

 

 

PS: Please accept my response as solution if it answers you query, kudos are appreciated too!


Re: Rate-Limiting Question for ex-4200 by Vlan

‎05-28-2020 09:30 PM

Appreciate your idea.

Meanwhile, if I want to limit a particular vlan 101 with download: 100m and upload: 50m, do you think that is possible? If yes, then how do we do that?

Thanks


Re: Rate-Limiting Question for ex-4200 by Vlan

[ Edited ]
‎05-28-2020 09:47 PM

@vpathak wrote:

 

The problem is, you will need to apply this config to all the ports where even a single vlan from the group is allowed.

 


Assume the vlans are 101 and 102..

Then I only applied it on 1 port interface (ge-0/0/1).. meanwhile other ports are using different vlan ids..

So in this case, I just applied the filter for 1 port (ge-0/0/1). Is that right? No need to apply it on all ports..

 



interfaces {
    ge-0/0/1 {
        description "testt";
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ 101 102 103 104 ];
                }
                filter {
                    input vlan_match;
                }
            }
        }
    }
}

 

It means only vlans 101 and 102 are filtered with speed 100m.. the other vlans 103 and 104 are not affected.


Re: Rate-Limiting Question for ex-4200 by Vlan

‎05-28-2020 09:53 PM

You can use a couple of different filters, one each for the input and output direction:

 

set vlan20 vlan-id 20 forwarding-options input ingress-vlan-filter

set vlan20 vlan-id 20 forwarding-options output ingress-vlan-filter

 

BR,

Vishal

 

 

PS: Please accept my response as solution if it answers you query, kudos are appreciated too!


Re: Rate-Limiting Question for ex-4200 by Vlan

‎05-28-2020 09:56 PM

Yes, you are right.

 

But then, I guess the filter needs to be applied on the trunk ports as well where either vlan 101 or 102 or both are allowed.

 

 

BR,

Vishal

 

 

PS: Please accept my response as solution if it answers you query, kudos are appreciated too!


Re: Rate-Limiting Question for ex-4200 by Vlan

‎05-28-2020 10:00 PM

Do you think applying bandwidth limits through a filter and policer will cause high load on the switch itself? Or is it just lightweight.. not too much..



Re: Rate-Limiting Question for ex-4200 by Vlan

‎05-28-2020 10:07 PM

@vpathak wrote:

 

set vlan20 vlan-id 20 forwarding-options input ingress-vlan-filter

set vlan20 vlan-id 20 forwarding-options output ingress-vlan-filter

 


example:

set employee-vlan vlan-id 20 filter input ingress-vlan-filter

set employee-vlan vlan-id 20 forwarding-options input ingress-vlan-filter

 

Any difference between using forwarding-options and not?


Re: Rate-Limiting Question for ex-4200 by Vlan

‎05-28-2020 10:42 PM

I checked on EX4200. I do not see the forwarding-options available in the CLI. Try using the filter option. I do not think there is a difference as far as implementation is concerned.

 

Regarding the impact on switch CPU, these filters will be processed for the transit traffic and will be handled by the PFE. So, the switch CPU should not be impacted.

 

BR,

Vishal

 

 

PS: Please accept my response as solution if it answers you query, kudos are appreciated too!
