SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Rate-limiting not working

    Posted 11-24-2016 12:11

    Hi,

     

    I am trying to limit both upload and download speeds for a specific host to 1Mbps.  This is my configuration for rate-limiting using a firewall filter:

     

    firewall {
        family inet {
            filter output-limit {
                term 0 {
                    from {
                        source-address {
                            192.168.1.66/32;
                        }
                    }
                    then {
                        policer policer-1mb;
                        accept;
                    }
                }
            }
        }
        policer policer-1mb {
            if-exceeding {
                bandwidth-limit 1m;
                burst-size-limit 625k;
            }
            then discard;
        }
    }

     

    vlan {
        unit 0 {
            family inet {
                filter {
                    input output-limit;
                    output output-limit;
                }
                address 192.168.1.1/24;
            }
        }
    }

     

    However, not only is the rate-limiting not working, it brings down the entire vlan.0.  All the devices on the vlan lose connectivity; I cannot even ping 192.168.1.1 anymore from any device on the vlan.

     

    Can someone please tell me what I am doing wrong?  

     

    Thanks!



  • 2.  RE: Rate-limiting not working

    Posted 11-24-2016 13:20

    Hi

     

    A firewall filter drops all traffic not explicitly allowed; this is what happens in your case. You might want to add a "then accept" term at the end. More details here: http://www.juniper.net/documentation/en_US/junos16.1/topics/concept/firewall-filter-stateless-evaluate-packets.html#SGlyRw3Rbx7yl15l.97

     



  • 3.  RE: Rate-limiting not working

    Posted 11-24-2016 13:46

    I do have a "then accept" at the end of my term. I'm using the exact configuration shown in the Juniper KB (https://kb.juniper.net/InfoCenter/index?page=content&id=KB28161) with the addition of limiting the download speed as well.

     

    Why is it taking down the entire vlan.0 when I only specified one specific IP address in the term?  It should only be affecting that one IP address.



  • 4.  RE: Rate-limiting not working
    Best Answer

    Posted 11-24-2016 13:57

    You should have something like this

     

     

    family inet {
        filter output-limit {
            term 0 {
                from {
                    source-address {
                        192.168.1.66/32;
                    }
                }
                then {
                    policer policer-1mb; 
                    accept;
                }
            }
            term else {
                then accept;
            }
        }
    }

    Without that term at the end, everything else except 192.168.1.66 will be blocked. They don't focus on that in the KB you refer to, but they have term 1 that allows traffic for all other users.
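
The evaluation order discussed in this answer, as an added example that is not part of the original thread and is not Juniper code: a simplified Python model of first-match term evaluation with the implicit discard at the end of a filter. The helper names and every sample address other than 192.168.1.66 and 192.168.1.1 are assumptions made for illustration.

```python
import ipaddress

# Simplified model of Junos stateless filter evaluation (a sketch, not Junos
# code): terms are checked in order, the first matching term decides, and a
# packet that matches no term reaches the implicit discard.

def term(name, action, src=None, dst=None):
    net = lambda prefix: ipaddress.ip_network(prefix) if prefix else None
    return {"name": name, "action": action, "src": net(src), "dst": net(dst)}

def evaluate(terms, src, dst):
    """Return (term_name, action) for a single packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for t in terms:
        if t["src"] is not None and s not in t["src"]:
            continue
        if t["dst"] is not None and d not in t["dst"]:
            continue
        return t["name"], t["action"]  # a term with no "from" matches everything
    return "implicit", "discard"

# Filter as first posted: a single term.
ORIGINAL = [term("0", "police+accept", src="192.168.1.66/32")]
# Filter from the accepted answer: the same term plus the catch-all.
FIXED = ORIGINAL + [term("else", "accept")]

# Constructed sample packets as (source, destination).
PACKETS = {
    "host upload": ("192.168.1.66", "203.0.113.10"),
    "host download": ("203.0.113.10", "192.168.1.66"),
    "other host pings gateway": ("192.168.1.20", "192.168.1.1"),
    "gateway replies": ("192.168.1.1", "192.168.1.20"),
}

def report(terms):
    """Evaluate every sample packet against one filter."""
    return {label: evaluate(terms, *pkt) for label, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name, flt in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name)
        for label, result in report(flt).items():
            print(f"  {label:26} -> {result}")
```

Under the original filter, every packet not sourced from 192.168.1.66, including the gateway's own replies, reaches the implicit discard. In this model a packet addressed to 192.168.1.66 does not match the `source-address` term and is accepted by `term else` without passing the policer.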

     



  • 5.  RE: Rate-limiting not working

    Posted 11-30-2016 08:05

    PK, I added the term else accept to the filter.  The vlan.0 was no longer going down. I tested a large file download on Chrome and at first it was working; speeds dropped to about 120KB/s, but eventually the download went past the 1Mbps limit I set.  Any idea why that is happening?

     

    EDIT:  I figured out what was wrong and fixed it, now it is working properly.



  • 6.  RE: Rate-limiting not working

    Posted 11-24-2016 21:53

    Don't know your situation; however, using AppQoS rate limiters would work perfectly in your situation. Check it out.

    http://www.juniper.net/documentation/en_US/junos12.3x48/topics/concept/security-application-qos-understanding.html#4uz55ucdwWyj8ItC.97



  • 7.  RE: Rate-limiting not working

    Posted 11-30-2016 08:32

     

     



  • 8.  RE: Rate-limiting not working

    Posted 11-30-2016 13:55

    Yes, it does. I think you could get a trial license though. It is really awesome if it is affordable and you use the other features!