SRX Services Gateway

download limit policer issue

‎06-03-2017 05:36 PM

Hi

My internet bandwidth is 30 Mbps.

I have the policer configured to limit upload and download bandwidth to 2 Mbps for certain user groups.

My LAN is connected to ge-0/0/0 and WAN is connected to ge-0/0/2 interfaces.

The following is my policer and filter configuration.

set policy-options prefix-list 2mb_group 192.168.1.211/32
set policy-options prefix-list 2mb_group 192.168.1.213/32
set policy-options prefix-list 2mb_group 192.168.1.218/32

set firewall policer limit_2mbps if-exceeding bandwidth-limit 2m
set firewall policer limit_2mbps if-exceeding burst-size-limit 62k
set firewall policer limit_2mbps then discard

Filter for upload traffic

set firewall filter input-limit term 1 from source-prefix-list 2mb_group
set firewall filter input-limit term 1 then policer limit_2mbps
set firewall filter input-limit term 1 then accept
set firewall filter input-limit term last then accept

Filter for download traffic

set firewall filter output-limit term 1 from destination-prefix-list 2mb_group
set firewall filter output-limit term 1 then policer limit_2mbps
set firewall filter output-limit term 1 then accept
set firewall filter output-limit term last then accept

Upload filter applied on input direction in LAN interface

set interfaces ge-0/0/0 unit 0 description Local-LAN
set interfaces ge-0/0/0 unit 0 family inet filter input input-limit
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24

Download filter applied on input direction in WAN interface

set interfaces ge-0/0/2 unit 0 description "WAN"
set interfaces ge-0/0/2 unit 0 family inet filter input output-limit
set interfaces ge-0/0/2 unit 0 family inet address 111.139.102.80/30

I am able to succeed for the upload limit (nearing 2 Mbps) but could not control the download limit. I am getting the full bandwidth.

If I apply the download filter in the output direction on the LAN interface, then I am getting very low download, less than 128 kbps.

Let me have your suggestion to fine tune the errors.

Regards,

AN

Re: download limit policer issue

‎06-03-2017 09:49 PM

Based on your configuration, I assume you are using source NAT for the LAN traffic. In that case, you have to change the destination IP address in the download traffic filter to reflect the NATed IP. You may add the 'action log' to see if any matching traffic hits your filter (show firewall log).

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: download limit policer issue

‎06-04-2017 05:01 AM

Hi,

Your assumption is right. Source NAT is enabled for internet traffic. For one policer, we can use the WAN interface IP.

Let me have your suggestion in case of multiple policers being involved.

Regards,

AN


Re: download limit policer issue

‎06-09-2017 05:40 AM

With the current config, what happens is that "192.168.1.211+192.168.1.213+192.168.1.218" get the 2M cap. For example, if .211 is sending/receiving 1.5M of data, the other 2 will get only .5M.

So you have to create 3 separate terms on the firewall filter for these 3 IPs and apply the policer on each term.

Something like below, and apply it in the output direction on the LAN interface:

set firewall filter Policer term 1 from destination-address 192.168.1.211/32
set firewall filter Policer term 1 then policer Limit-2M
set firewall filter Policer term 2 from destination-address 192.168.1.213/32
set firewall filter Policer term 2 then policer Limit-2M
set firewall filter Policer term 3 from destination-address 192.168.1.218/32
set firewall filter Policer term 3 then policer Limit-2M
set firewall filter Policer term 4 then accept

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
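
The sharing behaviour described in the last reply can be checked with a small token-bucket model; this is an added example, not part of the original thread and not Junos code. It uses the thread's 2m / 62k policer values, while the packet size, the offered loads and the non-adaptive Poisson traffic are constructed assumptions, and `per_host=True` assumes each filter term gets its own policer instance.

```python
import random

RATE_BPS = 2_000_000   # bandwidth-limit 2m (bits per second)
BURST_BYTES = 62_000   # burst-size-limit 62k (bytes)
PKT_BYTES = 1250       # constructed packet size


class Policer:
    """Single-rate token bucket; out-of-profile packets are discarded."""

    def __init__(self):
        self.tokens = float(BURST_BYTES)  # bucket starts full
        self.last = 0.0

    def allow(self, now, size):
        refill = (now - self.last) * RATE_BPS / 8
        self.tokens = min(BURST_BYTES, self.tokens + refill)
        self.last = now
        if self.tokens < size:
            return False                  # "then discard"
        self.tokens -= size
        return True


def simulate(offered_bps, per_host, seconds=20, seed=1):
    """Delivered bits/s per host; offered load is constructed Poisson traffic."""
    rng = random.Random(seed)
    events = []
    for host, bps in offered_bps.items():
        t = rng.expovariate(bps / (PKT_BYTES * 8))
        while t < seconds:
            events.append((t, host))
            t += rng.expovariate(bps / (PKT_BYTES * 8))
    shared = Policer()
    # per_host=False: one term matching the whole prefix-list, one bucket.
    # per_host=True: one term per address, each with its own bucket (assumed).
    policers = {h: Policer() if per_host else shared for h in offered_bps}
    passed = dict.fromkeys(offered_bps, 0)
    for now, host in sorted(events):
        if policers[host].allow(now, PKT_BYTES):
            passed[host] += PKT_BYTES * 8
    return {h: bits / seconds for h, bits in passed.items()}


OFFERED = {"192.168.1.211": 3_000_000, "192.168.1.213": 1_000_000,
           "192.168.1.218": 1_000_000}   # constructed offered loads

if __name__ == "__main__":
    print("one term, shared policer:", simulate(OFFERED, per_host=False))
    print("one term per host:       ", simulate(OFFERED, per_host=True))
```

With the shared bucket the three hosts together stay near 2 Mbps and the light users lose traffic to the heavy one; with one bucket per host only the 3 Mbps sender is clipped.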