SRX Services Gateway

Bandwidth limiting on Downlink on SRX 340

a month ago

Hi, has anyone implemented a bandwidth limiter on downlink? I have a policer to limit bandwidth; however, it is only applied as input, and as a result only uplink has restricted bandwidth. When the filter with the bandwidth policer is applied as "output", it seems the egress policer drops all traffic. Is there any other way to restrict downlink bandwidth other than using app secure?


Re: Bandwidth limiting on Downlink on SRX 340

a month ago

Hi

You have to create two filters, one for upload and one for download;

on the download filter you have to use destination-address (local hosts) as the matching condition;

apply it as output on the internal interface (LAN facing).

Best regards,

AN


Re: Bandwidth limiting on Downlink on SRX 340

a month ago

Thanks for the pointer. I did create 2 filters and applied them as input and output. It worked partially, and it's applying to all hosts; I have a specific set of hosts that I need this to be applied to. Here's what I have configured.

Filter and Policer
set firewall family inet filter A-UPLINK term a from source-address 10.1.22.88/32
set firewall family inet filter A-UPLINK term a from source-address 10.1.22.89/32
set firewall family inet filter A-UPLINK term a from source-address 10.1.22.85/32
set firewall family inet filter A-UPLINK term a then policer policer-10mb
set firewall family inet filter A-UPLINK term a then accept
set firewall family inet filter A-UPLINK term b from source-address 0.0.0.0/0
set firewall family inet filter A-UPLINK term b then accept
set firewall family inet filter A-DOWN term a from source-address 10.1.22.88/32
set firewall family inet filter A-DOWN term a from source-address 10.1.22.89/32
set firewall family inet filter A-DOWN term a from source-address 10.1.22.85/32
set firewall family inet filter A-DOWN term a from destination-address 0.0.0.0/0
set firewall family inet filter A-DOWN term a then policer policer-10mb
set firewall family inet filter A-DOWN term a then accept
set firewall family inet filter A-DOWN term b from source-address 0.0.0.0/0
set firewall family inet filter A-DOWN term b then policer policer-10mb
set firewall family inet filter A-DOWN term b then accept
set firewall policer policer-10mb if-exceeding bandwidth-limit 12m
set firewall policer policer-10mb if-exceeding burst-size-limit 625k
set firewall policer policer-10mb then discard

 

Filter on Internal interface

set interfaces ge-0/0/1 unit 998 family inet filter input A-UPLINK
set interfaces ge-0/0/1 unit 998 family inet filter output A-DOWN

 

With this configuration there is no more egress traffic drop, but the policer is now applied to all hosts in the 10.1.22 subnet. What am I missing?
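
Added example (not part of the thread and not Juniper code): a small Python model of first-match filter evaluation, run over the posted A-DOWN filter and over an assumed correction that follows the reply's destination-address advice. The remote address 203.0.113.10, the host 10.1.22.10 and the A_DOWN_FIXED terms are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

HOSTS = ["10.1.22.88/32", "10.1.22.89/32", "10.1.22.85/32"]  # limited hosts from the post

# A-DOWN as posted: term a keys on source-address, term b polices everything.
A_DOWN_POSTED = [
    {"name": "a", "src": HOSTS, "dst": ["0.0.0.0/0"], "policer": "policer-10mb"},
    {"name": "b", "src": ["0.0.0.0/0"], "policer": "policer-10mb"},
]
# Assumed correction (not from the thread): match the local hosts as
# destination-address and leave the catch-all term unpoliced.
A_DOWN_FIXED = [
    {"name": "a", "dst": HOSTS, "policer": "policer-10mb"},
    {"name": "b", "src": ["0.0.0.0/0"], "policer": None},
]

def _in_any(addr, prefixes):
    return any(ip_address(addr) in ip_network(p) for p in prefixes)

def evaluate(filter_terms, src, dst):
    """Return (term name, policer) for the first term the packet matches.

    Values listed under one match condition are ORed, different conditions
    are ANDed, and 'then accept' ends evaluation at the first matching term.
    """
    for term in filter_terms:
        if "src" in term and not _in_any(src, term["src"]):
            continue
        if "dst" in term and not _in_any(dst, term["dst"]):
            continue
        return term["name"], term["policer"]
    return None, None  # no term matched: implicit discard at end of filter

# Constructed downlink packets (remote server -> LAN host) leaving ge-0/0/1.998.
REMOTE = "203.0.113.10"
SAMPLES = {"limited host": "10.1.22.88", "other host": "10.1.22.10"}

def report(filter_terms):
    """Map each sample packet to the (term, policer) that handles it."""
    return {label: evaluate(filter_terms, REMOTE, dst) for label, dst in SAMPLES.items()}

if __name__ == "__main__":
    print("posted:", report(A_DOWN_POSTED))
    print("fixed: ", report(A_DOWN_FIXED))
```

In the posted filter, downlink packets never match term a because their source is the remote server, so every host falls through to term b and its policer.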