[j-nsp] SRX-3600 Rate limit

Nikita Shirokov ns.hando at gmail.com
Wed Dec 1 02:21:36 EST 2010


Good day, Atif.
High-end SRXs support policing only through simple-filters (
http://www.juniper.net/techpubs/software/junos-security/junos-security10.3/junos-security-swconfig-interfaces-and-routing/config-simple-filter.html
).
However, when the same box is also configured to do NAT translations (DNAT in our
case) -> policers don't work at all (even through simple filters; we have
a JTAC case opened, but still no response from the dev team).

---
Nikita Shirokov

2010/12/1 atif naeem <col.atif at gmail.com>

> Hi Ben,
> I configured as per the given configuration but I am getting a message that this is
> not supported on SRX-3600.
>
> policer rate-limit-1mb {
>     if-exceeding {
>         bandwidth-limit 1m;
>         burst-size-limit 124k;
>     }
>     then discard;
> }
> filter test {
>     term 1 {
>         from {
>             source-address {
>                 0.0.0.0/0;
>             }
>         }
>         then {
>             ##
>             ## Warning: statement ignored: unsupported platform (srx3600)
>             ##
>             policer rate-limit-1mb;
>             accept;
>         }
>     }
> }
>
> BR
> Atif Naeem
>
> On Wed, Dec 1, 2010 at 2:46 AM, DeathPacket <deathpacket at gmail.com> wrote:
>
> > Atif,
> >
> > I put this together to limit itunes traffic to 1mb.
> >
> > Use a firewall filter to police the traffic (I did specify
> > www.apple.com but it resolved the address automatically, this may be an
> > issue when round robin DNS happens). You can be more specific (i.e. Port 80
> > etc..) but I was just checking base functionality.
> >
> >
> > firewall {
> >     policer Apple {
> >         if-exceeding {
> >             bandwidth-limit 1m;
> >             burst-size-limit 50k;
> >         }
> >         then discard;
> >     }
> >     filter Apple-Rate-Limit {
> >         term 1 {
> >             from {
> >                 destination-address {
> >                     184.85.45.15/32;
> >                 }
> >             }
> >             then {
> >                 policer Apple;
> >                 accept;
> >             }
> >         }
> >         term 2 {
> >             then accept;
> >         }
> >     }
> > }
> >
> >
> > Then add the filter to an interface: (this is my trust interface)
> >
> >
> >     fe-0/0/7 {
> >         unit 0 {
> >             family inet {
> >                 filter {
> >                     input-list Apple-Rate-Limit;
> >                 }
> >                 address 192.168.200.238/24;
> >             }
> >         }
> >     }
> >
> > --Ben
> >
> > On Tue, Nov 30, 2010 at 10:11 AM, atif naeem <col.atif at gmail.com> wrote:
> >
> >> Hi folks,
> >> Can anyone tell me how to implement rate limit on SRX-3600. I have
> >> junos version 10.0R2.10. I want to restrict user on 1mb.
> >>
> >> BR
> >> Atif Naeem
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>
> >
> >

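A sketch of the simple-filter approach Nikita refers to, added here as an example and not taken from any post in the thread. The policer values are the ones Atif posted; the filter name, term name, interface and the 192.0.2.0/24 prefix are placeholders, and the layout follows the documented simple-filter statement hierarchy (family inet only, input direction only, no accept/discard action) without having been tested on an SRX3600.

```junos
# Added example: sf-rate-limit, term "users", ge-0/0/0 and 192.0.2.0/24
# are placeholders, not values from the thread.
firewall {
    policer rate-limit-1mb {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 124k;
        }
        then discard;
    }
    family inet {
        # Simple filters live under family inet, unlike the plain
        # "filter test" above that the SRX3600 rejected.
        simple-filter sf-rate-limit {
            term users {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                }
                # No accept/discard here: a simple filter only classifies
                # or polices, and matching traffic is always accepted.
                then policer rate-limit-1mb;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                # Simple filters attach on input only.
                simple-filter {
                    input sf-rate-limit;
                }
                address 192.0.2.1/24;
            }
        }
    }
}
```

After committing, `show policer` lists the per-policer packet counters; if they stay at zero while matching traffic flows on a box that also does NAT, that matches the behaviour Nikita describes.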
