SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  High-end SRX and rate limiting

    Posted 09-15-2014 07:12

    Seems like I don't find an answer to this simple question anywhere. What's the correct way to rate-limit interface traffic on a high-end SRX cluster? In this case, SRX 1400.

     

    We have been using policers in firewall rules to accomplish this on branch SRX, but they are not supported on high-end. "Exact" keyword in CoS policies doesn't seem to be supported on high-end SRX either, only branch.

     

    In short, we would like to limit some VLAN subinterfaces (customer interfaces) to, for example, a 10Mbps connection speed. Per-unit schedulers with a per-interface CoS shaping-rate seem to work, but that only shapes outgoing traffic. Both directions would be preferred.



  • 2.  RE: High-end SRX and rate limiting
    Best Answer

    Posted 09-18-2014 00:58

    Hi stnz,

     

    The simple filter feature might help you with your requirement.

    Check out the following KB:


    http://kb.juniper.net/InfoCenter/index?page=content&id=KB22712

     

    Regards

    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     



  • 3.  RE: High-end SRX and rate limiting

    Posted 09-18-2014 01:37

    Thanks, that was what I was looking for. 🙂

     

    However... it doesn't seem to work. 😛

     

    Shouldn't this configuration be completely ok?

     

    root@srx# show firewall
    family inet {
        simple-filter edge-filter {
            term 10Mbps-limit {
                from {
                    destination-address 172.16.1.0/24;
                }
                then policer 10Mb-max;
            }
            term Last {
                then accept;
            }
        }
    }

    policer 10Mb-max {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 128k;
        }
        then discard;
    }

    root@srx0# show interfaces reth0.0
    description WAN-Link;
    family inet {
        simple-filter {
            input edge-filter;
        }
        address 62.183.198.162/27;
    }

     

    And a workstation at 172.16.1.x can still download and upload at full bandwidth (couple of hundred Mbps).
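To make the `if-exceeding` semantics of the policer above concrete, here is a small token-bucket model of a Junos single-rate policer. It is an added example, not code from the thread or from Juniper, and it assumes the usual Junos units (bandwidth-limit in bits per second, burst-size-limit in bytes, with "k" meaning 1000) and strict discard of every non-conforming packet. Offering a constant 200 Mbps stream of 1500-byte packets to a `10m` / `128k` policer yields roughly 11 Mbps admitted (10 Mbps sustained plus the initial bucket), while a 5 Mbps stream passes untouched.

```python
"""Token-bucket model of a Junos single-rate policer such as

    policer 10Mb-max {
        if-exceeding { bandwidth-limit 10m; burst-size-limit 128k; }
        then discard;
    }

Added example; not the thread's or Juniper's code.  Assumptions: bandwidth-limit
is in bit/s, burst-size-limit is in bytes (Junos "128k" = 128,000), and every
packet that does not fit in the bucket is discarded.
"""

from dataclasses import dataclass


@dataclass
class Policer:
    bandwidth_limit_bps: int      # e.g. 10_000_000 for "bandwidth-limit 10m"
    burst_size_bytes: int         # e.g. 128_000 for "burst-size-limit 128k"
    tokens: float = 0.0           # bytes currently available in the bucket
    last_t: float = 0.0           # time of the last refill, in seconds

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_size_bytes)   # bucket starts full

    def admit(self, t: float, length: int) -> bool:
        """Return True if a packet of `length` bytes arriving at time `t` conforms."""
        # Refill at bandwidth_limit/8 bytes per second, never above the burst size.
        refill = (t - self.last_t) * self.bandwidth_limit_bps / 8
        self.tokens = min(float(self.burst_size_bytes), self.tokens + refill)
        self.last_t = t
        if length <= self.tokens:
            self.tokens -= length
            return True
        return False                                 # if-exceeding ... then discard


def police_stream(policer: Policer, offered_bps: int,
                  pkt_len: int = 1500, seconds: float = 1.0):
    """Offer a constant-rate stream of `pkt_len`-byte packets for `seconds`.

    Returns (admitted_bps, discarded_packets).  The stream is constructed
    traffic, evenly spaced, standing in for a workstation uploading at full rate.
    """
    interval = pkt_len * 8 / offered_bps             # seconds between packets
    count = int(seconds / interval)
    admitted = 0
    for i in range(count):
        if policer.admit(i * interval, pkt_len):
            admitted += 1
    return admitted * pkt_len * 8 / seconds, count - admitted


if __name__ == "__main__":
    for offered in (5_000_000, 200_000_000):
        rate, dropped = police_stream(Policer(10_000_000, 128_000), offered)
        print(f"offered {offered/1e6:5.0f} Mbps -> admitted {rate/1e6:5.2f} Mbps, "
              f"discarded {dropped} packets")
```

The admitted rate is slightly above 10 Mbps because the full 128 kB bucket is spent in the first milliseconds; the configured burst-size-limit is what decides how large that leading burst can be, which matters for TCP streams that probe with bursts.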



  • 4.  RE: High-end SRX and rate limiting

    Posted 09-18-2014 01:57

    Hi,

     

    I think you are either not matching the correct destination or not applying it to the interface correctly.

    If the destination-address is 172.16.1.0/24, then you cannot apply it on the reth0.0 interface.

    I am assuming it is the outgoing interface for the internet.

    Apply this filter to the trust interface as an outbound filter and test it.

    If NAT is applied, then the destination servers will see the NATed IP address as the destination, so we cannot match on the private IP address in the filter and apply it to the reth0.0 interface.

     

     


    Regards
    rparthi



  • 5.  RE: High-end SRX and rate limiting

    Posted 09-18-2014 02:39
    "Apply this filter to the trust interface as outbound filter and test it"

     

    Yeah, I would have done that, but: "Note: You can apply simple filters to the family inet only, and only in the input direction"

     

    http://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/cos-firewall-filter-simple-guidelines-for-security-configuring.html



  • 6.  RE: High-end SRX and rate limiting

    Posted 09-19-2014 00:30

    Hi stnz,

     

    Then this may not help you because NAT is involved.

    For internet traffic, you may be using the same single public IP address, so applying a filter that matches the private IP address on the reth1 interface does not help.

    Are you using NAT? Is it interface-based source NAT or pool-based NAT?

     

     
    Regards
    rparthi



  • 7.  RE: High-end SRX and rate limiting

    Posted 09-19-2014 00:46
    Both types of NAT, there are a couple of hundred VLAN interfaces with different configurations. In this case it was interface NAT.

    Well, I shaped incoming traffic with the interface shaping-rate and outgoing traffic with a simple filter set on the reth1 customer unit. Good enough I guess; it seems to work.
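For reference, here is what one complete customer unit looks like when the two halves described in this thread are combined. This is an added example, not the original poster's configuration: a simple filter in the input direction on the customer-facing reth1 unit polices what the customer sends (before NAT, so it is not affected by the interface-NAT problem seen on reth0.0), and a per-unit shaping-rate limits what is sent back out to the customer. The interface unit, VLAN ID, address, and the filter and policer names are assumed.

```junos
/* Added example: assumed unit 100 / vlan-id 100 for one customer, 10.100.0.1/24 as its gateway address */
interfaces {
    reth1 {
        /* required so each logical unit can carry its own shaping-rate */
        per-unit-scheduler;
        unit 100 {
            description "Customer-100 10Mbps";
            vlan-id 100;
            family inet {
                simple-filter {
                    /* simple filters: family inet only, input direction only */
                    input cust-100-in;
                }
                address 10.100.0.1/24;
            }
        }
    }
}
firewall {
    family inet {
        simple-filter cust-100-in {
            term limit {
                /* no from clause: police everything the customer sends */
                then policer cust-100-10m;
            }
        }
    }
    policer cust-100-10m {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 128k;
        }
        then discard;
    }
}
class-of-service {
    interfaces {
        reth1 {
            unit 100 {
                /* egress toward the customer, i.e. the customer's download */
                shaping-rate 10m;
            }
        }
    }
}
```

After committing, `show interfaces reth1.100 extensive` and `show firewall` are the places to confirm that the shaper and the policer are actually counting, rather than relying on a single download test.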


  • 8.  RE: High-end SRX and rate limiting

    Posted 09-19-2014 00:55

    Hi stnz,

     

    Thanks for the update.

     

    Please mark my update as accepted solution so that we can close this thread.

     

     

    Regards,

    rparthi