
[SRX] Implement upload bandwidth-limiting using a firewall filter and a policer


Article ID: KB28161 | Last Updated: 07 Jan 2016 | Version: 3.0
Summary:

This article explains how to limit the bandwidth of trust-to-untrust upload traffic using firewall filters and policers. The example below limits upload traffic only; it does not limit download traffic.

Symptoms:

In some scenarios it is necessary to restrict the upload bandwidth of one or more hosts, for example to keep a single host from saturating the uplink for everyone else.

Solution:

The example configuration below restricts two specific hosts to a shared maximum of 1 Mbps and restricts all other hosts to a shared maximum of 9 Mbps, using only policers and firewall filters. Use this example as a guide when configuring your network, and make the changes required for your environment (interfaces, bandwidth rates, terms, IP addresses, and so on).


Step 1) Configure a policer to limit the bandwidth to 1 Mbps.

# set firewall policer policer-1mb if-exceeding bandwidth-limit 1m
# set firewall policer policer-1mb if-exceeding burst-size-limit 625000
# set firewall policer policer-1mb then discard 

This configuration limits the maximum bandwidth to 1 Mbps with a burst-size-limit of 625000 bytes. The burst-size-limit is the depth of the policer's token bucket in bytes; 625000 bytes is 5 ms of traffic on a 1-Gbps interface, which is the usual sizing rule (interface rate x 5 ms). The bucket should be able to hold at least one maximum-size frame, otherwise such frames can never pass the policer. Any packet that exceeds the rate and the burst allowance is dropped by the "then discard" action.


Step 2) Configure another policer to limit the bandwidth to 9 Mbps.

# set firewall policer policer-9mb if-exceeding bandwidth-limit 9m
# set firewall policer policer-9mb if-exceeding burst-size-limit 625000
# set firewall policer policer-9mb then discard 

This configuration limits the maximum bandwidth to 9 Mbps with the same 625000-byte burst-size-limit. Anything exceeding the rate and the burst allowance is dropped.


Step 3) Configure a firewall filter with a term (term 0) that uses a policer (policer-1mb) to rate-limit traffic to 1 Mbps for particular hosts.

# set firewall family inet filter output-limit term 0 from source-address 10.10.10.10/32
# set firewall family inet filter output-limit term 0 from source-address 10.10.10.11/32
# set firewall family inet filter output-limit term 0 then policer policer-1mb
# set firewall family inet filter output-limit term 0 then accept

The above set of lines identifies the two source hosts and applies the 1-Mbps policer to them. Because both addresses are matched by the same term, they share one policer instance, so 1 Mbps is the combined limit for both hosts, not 1 Mbps each. To limit each host individually, give each host its own term (see the note in Step 4).


Step 4) Configure another term (term 1) in the same filter to apply a policer (policer-9mb) to rate-limit traffic to 9 Mbps for all other users.

# set firewall family inet filter output-limit term 1 from source-address 0.0.0.0/0
# set firewall family inet filter output-limit term 1 then policer policer-9mb
# set firewall family inet filter output-limit term 1 then accept 

The above set of lines applies the 9-Mbps policer to the rest of the traffic. The match on source-address 0.0.0.0/0 covers every source; it could be omitted, since a term with no "from" clause matches all packets.
It is important to note that the SRX applies this limit to the cumulative traffic from the rest of the network, not per IP. For per-IP policing, create an individual term for each IP and apply the policer in every term. Also note that term 1 is what keeps the filter from silently dropping other traffic: a Junos firewall filter ends with an implicit discard, so if the catch-all term is removed, every packet not matched by term 0 is dropped.


Step 5) Apply the firewall filter to the logical interface.

# set interfaces ge-0/0/0.0 family inet filter input output-limit

It is recommended to apply policers on the "input" rather than on the "output" direction, because there is no point in running traffic through flow processing if an egress policer will drop it anyway.
Applying the filter on the "input" direction of the trust interface limits only traffic that enters the SRX on that interface, which in this topology is the trust-to-untrust upload direction. Be aware that an interface filter is stateless and is evaluated before the zone and security-policy lookup, so it polices everything arriving on ge-0/0/0.0, including traffic to other zones and traffic destined for the SRX itself. If only traffic towards a particular destination should be limited, add a "from destination-address" match to the terms.
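The whole procedure above, turned into a small generator for the per-host variant that the note in Step 4 calls for. This is an added example and not code from the Juniper article: it emits the two policers, one filter term per host so that each host gets its own policer instance (the article's single shared term limits the listed hosts as an aggregate), a catch-all term for everything else, and the interface binding. The filter name, term and counter names, the ge-0/0/0.0 interface, the 1-Gbps interface rate used to size the burst, and the host addresses in the usage block are assumptions chosen for illustration.

```python
"""Generate Junos 'set' commands for per-host upload policing on an SRX.

Added example, not part of the Juniper KB article. Junos instantiates a
policer separately for every term that references it (unless the policer is
declared filter-specific), so one policer definition referenced from one term
per host yields an independent 1-Mbps bucket for each host.
"""
import ipaddress
from typing import Iterable, List, Optional

FILTER_NAME = "output-limit"  # assumed filter name, same as the article


def rate_token(mbps: int) -> str:
    """Render a rate in Mbps in the k/m/g shorthand Junos accepts (1 -> '1m')."""
    if mbps <= 0:
        raise ValueError("rate must be positive")
    return f"{mbps}m"


def burst_bytes(interface_mbps: int, window_ms: int = 5) -> int:
    """Token-bucket depth in bytes using the interface-rate x 5 ms rule.

    A 1-Gbps interface gives 625000 bytes, the value the article uses.
    """
    return interface_mbps * 1_000_000 * window_ms // 8000


def policer_cmds(name: str, mbps: int, burst: int) -> List[str]:
    """Single-rate policer that discards out-of-profile packets (Steps 1 and 2)."""
    base = f"set firewall policer {name} if-exceeding"
    return [
        f"{base} bandwidth-limit {rate_token(mbps)}",
        f"{base} burst-size-limit {burst}",
        f"set firewall policer {name} then discard",
    ]


def term_cmds(term: str, policer: str, source: Optional[str] = None) -> List[str]:
    """One filter term: optional source match, a counter, the policer, accept."""
    base = f"set firewall family inet filter {FILTER_NAME} term {term}"
    cmds = []
    if source:
        cmds.append(f"{base} from source-address {source}")
    cmds += [
        # Counter is an addition so 'show firewall filter' reveals per-term hits.
        f"{base} then count {term}",
        f"{base} then policer {policer}",
        f"{base} then accept",
    ]
    return cmds


def per_host_policing(hosts: Iterable[str], host_rate_mbps: int,
                      default_rate_mbps: int, interface: str = "ge-0/0/0.0",
                      interface_mbps: int = 1000) -> List[str]:
    """Build the full 'set' command list for per-host upload limiting."""
    burst = burst_bytes(interface_mbps)
    host_policer = f"policer-{host_rate_mbps}mb"
    default_policer = f"policer-{default_rate_mbps}mb"
    cmds = policer_cmds(host_policer, host_rate_mbps, burst)
    cmds += policer_cmds(default_policer, default_rate_mbps, burst)

    seen = set()
    for host in hosts:
        addr = ipaddress.ip_address(host)  # ValueError on malformed input
        if addr.version != 4:
            raise ValueError(f"{host}: a family inet filter matches IPv4 only")
        if addr in seen:
            raise ValueError(f"{host}: duplicate host would create a duplicate term")
        seen.add(addr)
        term = "host-" + str(addr).replace(".", "-")
        cmds += term_cmds(term, host_policer, f"{addr}/32")

    # Catch-all term last: without it the implicit final discard drops all
    # traffic from hosts that matched no earlier term.
    cmds += term_cmds("everything-else", default_policer)
    cmds.append(f"set interfaces {interface} family inet filter input {FILTER_NAME}")
    return cmds


if __name__ == "__main__":
    # Constructed sample input: the two hosts from the article, assumed rates.
    for line in per_host_policing(["10.10.10.10", "10.10.10.11"], 1, 9):
        print(line)
```

Paste the printed lines into configuration mode and commit; afterwards `show firewall filter output-limit` lists the per-term counters and policer drop counts, which is the quickest way to confirm that the right hosts are hitting the right term.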


Important Note:

  • To rate-limit traffic so that a user or network may use a specific percentage of the interface bandwidth rather than a fixed rate, use the "bandwidth-percent" option instead of "bandwidth-limit" (the two are mutually exclusive within one policer):

     root@SRX# set firewall policer policer-1mb if-exceeding ?
     Possible completions:
        bandwidth-limit Bandwidth limit (32000..50000000000 bits per second)
        bandwidth-percent Bandwidth limit in percentage (1..100 percent)
