SRX Services Gateway

policer on SRX100

‎06-07-2011 03:53 AM

Hi all,

 

I want to check whether the policer works, which polices one Dept to 512K.

 

firewall {
    policer 512k {
        if-exceeding {
            bandwidth-limit 512k;
            burst-size-limit 25k;
        }
        then discard;
    }
    filter RL-FutureNow {
        term a {
            from {
                source-address {
                    0.0.0.0/0;
                }
            }
            then {
                policer 512k;
                accept;
            }
        }
    }
}

and we apply it to the VLAN interface (interface vlan.900), which is attached to this dept's physical interface (interface fe-0/0/6).

 

I want to see (statistics, bandwidth used) whether it really works. Which commands or tools should I use to accomplish this?

Thx

Regards,

Sam
JNCIA-Junos JNCIS-ENT

Re: policer on SRX100

‎06-07-2011 04:18 AM

And also, if I want to allow only one computer (the manager's PC) to be out of 512k, can I filter based on the MAC address of that computer and put it in the "from source-address" to except it?

 

Regards,

Sam
JNCIA-Junos JNCIS-ENT

Re: policer on SRX100

‎06-07-2011 05:43 AM

'show firewall filter <filter>' will show you packet statistics on the policer. I don't believe you can specify MAC address, but you should be able to specify source IP address.

Juniper Elite Partner
JNCIE-ENT #63, JNCIE-SP #705, JNCIE-SEC #17, JNCIS-FWV, JNCIS-SSL

Re: policer on SRX100

‎06-07-2011 06:38 AM

1. You can monitor traffic on fe-0/0/6 using "run monitor interface fe-0/0/6", which provides instantaneous stats

 

2. Use jweb interface (monitor section), which provides detailed bandwidth utilization

 

3. Define SNMP community on SRX and use any good snmp tool like MRTG, PRTG, Orion to get consolidated stats

 

4. You cannot define MAC in firewall filter, however, you can do a trick ... i.e.

 

    Assign IPs to clients through dhcp with static mac binding

    Now apply firewall filter using IPs, as they correspond to a static MAC

 

regards

Hafiz Muhammad Farooq
JNCIE-SEC, JNCIP-SEC, JNCIS-SEC, JNCIS-FWV
JNCIS-SP, JNCIS-SA, JNCIA-JUNOS
IBM Qradar Deployment Professional

[Please mark it as Accepted Solution if it works, Kudos if you like]
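
The exemption discussed in the replies above, written out as an added example that is not from any poster in this thread: the original filter with a term for the exempt host placed ahead of the policed term. The address 192.0.2.10/32, the term and counter name exempt-manager, and the input direction on vlan.900 are assumptions made for illustration.

```junos
firewall {
    policer 512k {
        if-exceeding {
            bandwidth-limit 512k;
            burst-size-limit 25k;
        }
        then discard;
    }
    filter RL-FutureNow {
        /* First matching term wins, so the exemption precedes the policed term. */
        term exempt-manager {
            from {
                /* Constructed placeholder for the address reserved via DHCP. */
                source-address {
                    192.0.2.10/32;
                }
            }
            then {
                /* Hypothetical counter name, listed by 'show firewall filter'. */
                count exempt-manager;
                accept;
            }
        }
        term a {
            from {
                source-address {
                    0.0.0.0/0;
                }
            }
            then {
                policer 512k;
                accept;
            }
        }
    }
}
interfaces {
    vlan {
        unit 900 {
            family inet {
                filter {
                    /* Assumed direction: traffic arriving from the department's hosts. */
                    input RL-FutureNow;
                }
            }
        }
    }
}
```

With the count action in place, 'show firewall filter RL-FutureNow' reports the exempt term's counter next to the policer's, so both paths can be checked separately. A DHCP reservation only hands out the address; it does not stop another host from configuring that address by hand, so the exemption is as strong as whatever enforces the IP-to-MAC binding on the access side.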
