SRX Services Gateway

Bandwidth limiting on Downlink on SRX 340

‎11-12-2019 12:29 PM

Hi, has anyone implemented a bandwidth limiter on downlink? I have a policer to limit bandwidth; however, it is only applied as input, and as a result only uplink has restricted bandwidth. When the filter with the bandwidth policer is applied as "output", it seems the egress policer drops all traffic. Is there any other way to restrict downlink bandwidth other than using app secure?

Re: Bandwidth limiting on Downlink on SRX 340

‎11-13-2019 02:47 AM

Hi

You have to create two filters, one for upload and one for download;

on the download filter you have to use destination-address (local hosts) as the matching condition;

apply it as output on the internal interface (LAN facing).

Best regards,

AN

Re: Bandwidth limiting on Downlink on SRX 340

[ Edited ]
‎11-13-2019 07:18 AM

Thanks for the pointer. I did create 2 filters and applied them as input and output. It worked partially, and it's applying to all hosts; I have a specific set of hosts that I need this to be applied to. Here's what I have configured.

Filter and Policer
set firewall family inet filter A-UPLINK term a from source-address 10.1.22.88/32
set firewall family inet filter A-UPLINK term a from source-address 10.1.22.89/32
set firewall family inet filter A-UPLINK term a from source-address 10.1.22.85/32
set firewall family inet filter A-UPLINK term a then policer policer-10mb
set firewall family inet filter A-UPLINK term a then accept
set firewall family inet filter A-UPLINK term b from source-address 0.0.0.0/0
set firewall family inet filter A-UPLINK term b then accept
set firewall family inet filter A-DOWN term a from source-address 10.1.22.88/32
set firewall family inet filter A-DOWN term a from source-address 10.1.22.89/32
set firewall family inet filter A-DOWN term a from source-address 10.1.22.85/32
set firewall family inet filter A-DOWN term a from destination-address 0.0.0.0/0
set firewall family inet filter A-DOWN term a then policer policer-10mb
set firewall family inet filter A-DOWN term a then accept
set firewall family inet filter A-DOWN term b from source-address 0.0.0.0/0
set firewall family inet filter A-DOWN term b then policer policer-10mb
set firewall family inet filter A-DOWN term b then accept
set firewall policer policer-10mb if-exceeding bandwidth-limit 12m
set firewall policer policer-10mb if-exceeding burst-size-limit 625k
set firewall policer policer-10mb then discard

 

Filter on Internal interface

set interfaces ge-0/0/1 unit 998 family inet filter input A-UPLINK
set interfaces ge-0/0/1 unit 998 family inet filter output A-DOWN

 

With this configuration there is no more egress traffic drop, but the policer is now applied to all hosts in the 10.1.22 subnet. What am I missing?
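Applying the first reply's advice to the A-DOWN filter posted above (an added example, not part of the original thread): in the output direction on the LAN-facing interface the three hosts are packet destinations, so term a has to match on destination-address, and term b has to accept without the policer, otherwise every other host is rate-limited as well. The counter name a-down-limited is an assumption; all other names and addresses are taken from the post.

```junos
# Run in configuration mode. Rebuild A-DOWN in the candidate config so the
# old source-address matches and the term b policer are gone.
delete firewall family inet filter A-DOWN

# Term a: download traffic TO the selected hosts. On "filter output" of the
# internal interface, the LAN hosts are the destination, not the source.
set firewall family inet filter A-DOWN term a from destination-address 10.1.22.88/32
set firewall family inet filter A-DOWN term a from destination-address 10.1.22.89/32
set firewall family inet filter A-DOWN term a from destination-address 10.1.22.85/32
set firewall family inet filter A-DOWN term a then policer policer-10mb
# Counter (hypothetical name) to confirm that only these hosts hit term a.
set firewall family inet filter A-DOWN term a then count a-down-limited
set firewall family inet filter A-DOWN term a then accept

# Term b: everything else passes unpoliced. In the posted filter this term
# also referenced policer-10mb, which is why all hosts were limited.
set firewall family inet filter A-DOWN term b then accept

# Policer and interface bindings are unchanged from the post.
set firewall policer policer-10mb if-exceeding bandwidth-limit 12m
set firewall policer policer-10mb if-exceeding burst-size-limit 625k
set firewall policer policer-10mb then discard
set interfaces ge-0/0/1 unit 998 family inet filter input A-UPLINK
set interfaces ge-0/0/1 unit 998 family inet filter output A-DOWN

# Review the change before committing, then check counters after commit.
show | compare
commit check
commit
run show firewall filter A-DOWN
```

The three hosts share the single policer instance attached to term a, so the limit is an aggregate across them rather than a per-host limit.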

Re: Bandwidth limiting on Downlink on SRX 340

a week ago

@nanu4u21 were you able to get this working? I would like to accomplish something similar by limiting download bandwidth to 15Mbit and Upload limit to 2Mbit at my internal interface ge-0/0/0-7 traffic destined for external interface ge-0/0/0 which is Internet circuit.

Re: Bandwidth limiting on Downlink on SRX 340

[ Edited ]
5 hours ago

@nanu4u21 were you able to get this working? I would like to accomplish something similar by limiting download bandwidth to 15Mbit and Upload limit to 2Mbit at my internal interface ge-0/0/0-7 traffic destined for external interface ge-0/0/0 which is Internet circuit.

 

This works for me nicely in both directions; modify for your own needs as described i.e. create a second filter for asynchronous limiting:-

 

firewall {
    family inet {
        filter Bandwidth-limit {
            term 0 {
                then {
                    policer policer-15mb;
                    accept;
                }
            }
        }
    }
    policer policer-15mb {
        if-exceeding {
            bandwidth-limit 15m;
            burst-size-limit 625k;
        }
        then discard;
    }
}

interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input Bandwidth-limit;
                    output Bandwidth-limit;
                }
                address 192.168.1.254/24;
            }
        }
    }
}

 

Hope this helps.