[j-nsp] configure bandwidth limitation on EX3200
Richard A Steenbergen
ras at e-gerbil.net
Thu Apr 21 06:38:25 EDT 2011
On Thu, Apr 21, 2011 at 11:12:35AM +0200, Maarten Carels wrote:
> >
> > Am trying to add bandwidth limitation on EX3200 on port or vlan using
> > firewall policer and it is working as input filter correctly but when I do
> > it as output filter it gave me an error " can not be used as policer not
> > supported on egress " .
>
> I ran into the same. It's a limitation of the EX-3200...
>
> SO, short answer is: You can't.

If you get really bored/desperate, the only way to limit bandwidth
outbound is to configure an inbound policer on every ingress interface
that packets could come from. You can't get a single accurate policer
this way of course, but you can do some super ghetto limiting of traffic
to a specific destination, which is better than nothing. We use a commit
script to automatically build per interface ingress filters to do this
kind of thing, which btw is also the only way to make control plane rate
limiting (or filtering of any kind for that matter) work. If you don't do
it at the interface/input level it doesn't "really" get blocked, making
it trivial to kill any EX with a few megabits of traffic directed at any
local IP on the box. How people aren't freaking out about this horrible
design flaw is completely beyond me, though I guess you could always
argue it isn't the worst such mistake on the EX. :)
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
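
The per-interface approach described in the message above, sketched as an added example (not the commit script the author mentions, and not code from the original post). It emits Junos `set` lines for one ingress filter and policer per port. The interface names, destination prefix, rate, burst size and filter/policer names are constructed sample values, and routed ports with `unit 0 family inet` are assumed.

```python
"""Added example: approximate an egress limit with per-interface ingress policers."""

def split_rate(total_bps, interfaces):
    # The policers are independent, so each port gets a fixed share:
    # the sum never exceeds total_bps, but one busy port cannot borrow
    # the share of an idle one (the inaccuracy the post describes).
    share = total_bps // len(interfaces)
    return {ifname: share for ifname in interfaces}

def worst_case_aggregate(per_port_bps, interfaces):
    # If every port were instead given the full target rate, traffic
    # arriving on all ports at once could reach this many bits per second.
    return per_port_bps * len(interfaces)

def build_config(dest_prefix, total_bps, interfaces, burst_bytes=125000):
    # burst_bytes is a constructed default, not a recommendation from the post.
    lines = []
    for ifname, bps in split_rate(total_bps, interfaces).items():
        tag = ifname.replace("/", "-")          # keep "/" out of object names
        pol, flt = f"pol-{tag}", f"limit-in-{tag}"
        lines += [
            f"set firewall policer {pol} if-exceeding bandwidth-limit {bps}",
            f"set firewall policer {pol} if-exceeding burst-size-limit {burst_bytes}",
            f"set firewall policer {pol} then discard",
            f"set firewall family inet filter {flt} term to-dest "
            f"from destination-address {dest_prefix}",
            f"set firewall family inet filter {flt} term to-dest then policer {pol}",
            f"set firewall family inet filter {flt} term to-dest then accept",
            # Everything else passes untouched through this filter.
            f"set firewall family inet filter {flt} term rest then accept",
            f"set interfaces {ifname} unit 0 family inet filter input {flt}",
        ]
    return lines

if __name__ == "__main__":
    # Constructed sample: four ingress ports, 10 Mbit/s toward 192.0.2.10.
    ports = ["ge-0/0/0", "ge-0/0/1", "ge-0/0/2", "ge-0/0/3"]
    print("\n".join(build_config("192.0.2.10/32", 10_000_000, ports)))
    print("# all ports at full rate would allow up to",
          worst_case_aggregate(10_000_000, ports), "bps")
```

Splitting the rate keeps the total under the target at the cost of starving a single busy port; giving every port the full rate does the opposite, which is why no setting yields one accurate limit.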