SRX Services Gateway

IPSEC VPN St0 Interface rate limit/police traffic

10-17-2013 12:49 PM

I am using an IPSEC VPN as a backup connection for traffic and would like to rate limit/police HTTP traffic on the st0 interface if it becomes the primary path. I see that you cannot configure the st0 interface to have firewall filters, so I am looking for another option. Any assistance would be appreciated.

3 REPLIES

Re: IPSEC VPN St0 Interface rate limit/police traffic

10-18-2013 08:04 AM

It is done via firewall filters.

Example:

set firewall policer shape if-exceeding bandwidth-limit 3m (or whatever limit)
set firewall policer shape if-exceeding burst-size-limit 300k
set firewall policer shape then discard
set firewall filter download term shaping from destination-address 10.1.0.0/16 (remote VPN subnet possibly)
set firewall filter download term shaping then policer shape
set firewall filter download term shaping then accept
set firewall filter download term all_other_traffic then accept
set firewall filter upload term shaping from source-address 10.1.0.0/16 (remote VPN subnet)
set firewall filter upload term shaping then policer shape
set firewall filter upload term shaping then accept
set firewall filter upload term all_other_traffic then accept

set interfaces <lan interface> unit 0 family inet filter input upload
set interfaces <lan interface> unit 0 family inet filter output download

You can set the filters on the physical external interface for the VPN peer, and it should see the traffic's destination and source address and apply the rate you specify.

HTH or leads in the right direction.

JNCIA, JNCIS-ENT-SEC

Re: IPSEC VPN St0 Interface rate limit/police traffic

10-22-2013 08:17 PM

The st0 interface does not support filters being applied.

So I believe what you are looking for needs a modified setup.

Regards,
c_r
Note: If this answers your question, you could mark this post as accepted solution, that way it helps others as well. Kudos will be bonus if I earned it!


Re: IPSEC VPN St0 Interface rate limit/police traffic

05-06-2019 05:17 AM

Hi,

Just adding a response to this old forum question for the reference of other readers.

The firewall filter for VPN traffic should be applied on the input interface and not on the external interface.

Since the VPN traffic would be encrypted inside ESP packets on the external interface, the HTTP traffic can be policed on the input interface where it is received by the SRX.

Sample topology:

LAN ---- (LAN/Internal/VPN-Source) ge-0/0/0 [SRX] ge-0/0/1 (External interface) ---- (IPSEC) ----------- INTERNET ------------ (Peer)

Note: In the above sample topology, the filter should be applied on ge-0/0/0.

To prepare a filter, we can follow:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28161

Regards,

Rahul
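Putting the two replies together, here is an added example (not from any poster in this thread) that polices only HTTP traffic, as the original question asked, and applies the filters on the LAN-facing ge-0/0/0 where the packets are still cleartext, as the last reply advises. It goes slightly beyond the thread by matching HTTPS as well and adding counters for verification. Assumed values: remote VPN subnet 10.1.0.0/16 and the 3m/300k policer rates from the first reply; the filter, policer and counter names are made up for this example.

```junos
## Policer shared by both directions (assumed rates, as in the first reply).
## Junos instantiates a separate policer per term, so 3m applies per direction.
set firewall policer http-vpn-police if-exceeding bandwidth-limit 3m
set firewall policer http-vpn-police if-exceeding burst-size-limit 300k
set firewall policer http-vpn-police then discard

## Upload direction: LAN hosts -> remote VPN subnet (assumed 10.1.0.0/16).
## Web requests are TCP with destination port 80 or 443.
set firewall filter lan-in term http-to-vpn from destination-address 10.1.0.0/16
set firewall filter lan-in term http-to-vpn from protocol tcp
set firewall filter lan-in term http-to-vpn from destination-port [ http https ]
set firewall filter lan-in term http-to-vpn then policer http-vpn-police
set firewall filter lan-in term http-to-vpn then count http-to-vpn-pkts
set firewall filter lan-in term http-to-vpn then accept
## A filter ends in an implicit discard, so everything else must be accepted.
set firewall filter lan-in term default then accept

## Download direction: remote VPN subnet -> LAN hosts.
## Web responses are TCP with source port 80 or 443.
set firewall filter lan-out term http-from-vpn from source-address 10.1.0.0/16
set firewall filter lan-out term http-from-vpn from protocol tcp
set firewall filter lan-out term http-from-vpn from source-port [ http https ]
set firewall filter lan-out term http-from-vpn then policer http-vpn-police
set firewall filter lan-out term http-from-vpn then count http-from-vpn-pkts
set firewall filter lan-out term http-from-vpn then accept
set firewall filter lan-out term default then accept

## Apply on the LAN interface, not on st0 (unsupported) and not on the
## external interface (traffic is already inside ESP there).
set interfaces ge-0/0/0 unit 0 family inet filter input lan-in
set interfaces ge-0/0/0 unit 0 family inet filter output lan-out

## Verify after commit and some web traffic over the tunnel:
## show firewall filter lan-in
## show firewall filter lan-out
```

The `show firewall filter` output lists the term counters alongside a policer counter, so a rising policer count confirms that HTTP flows over the tunnel are being rate limited while the `default` term shows the rest passing untouched.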