Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 172
  • Last Modified:

Per IP Rate Limit on EX4500

is there any possible way to apply rate limit per ip address on a Ex4500 switch ?
0
FireBall
Asked:
FireBall
  • 5
  • 4
1 Solution
 
btanExec ConsultantCommented:
it is close to the example on using policer and term then add into the interface config
http://www.tech-recipes.com/rx/2474/rate_limiting_on_juniper_networks/

another from forum

firewall{
 
family ethernet-switching {
filter port-policer {
interface-specific;
term limit-ip {
from {
destination-address {
192.168.3.10/32;
 
}
}
then policer rate-limit-policer;
}
}
}
}
http://forums.juniper.net/t5/Routing/Implement-per-ip-rate-limiting-in-JUNOS/td-p/37518
0
 
FireBallAuthor Commented:
is there a rule for all ip's inside but each of them included one by one ?because we have 20.000+ ip addresses
0
 
btanExec ConsultantCommented:
that example state a range with the prefix length, it defaults to /32.
To specify more than one IP address in a filter term, you enter each address in its own match statement.
See http://www.juniper.net/documentation/en_US/junos13.2/topics/concept/firewall-filter-ex-series-match-understanding.html#jd0e190
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
btanExec ConsultantCommented:
that example state a range with the prefix length, it defaults to /32.
To specify more than one IP address in a filter term, you enter each address in its own match statement.
See http://www.juniper.net/documentation/en_US/junos13.2/topics/concept/firewall-filter-ex-series-match-understanding.html#jd0e190
0
 
FireBallAuthor Commented:
dear btan we are not looking for forward physical interface all traffic of an ip address
we are looking for an ip address's only 587 port traffic to a port
0
 
btanExec ConsultantCommented:
I am thinking it may be the use case for policer (state the rate limit) + firewall filter (state the field such as port, vlan and ip address).

Configuring Policers to Control Traffic Rates (CLI Procedure)
http://www.juniper.net/techpubs/en_US/junos12.2/topics/task/configuration/firewall-filter-ex-series-policer-cli.html

Configuring Firewall Filters (CLI Procedure)
http://www.juniper.net/techpubs/en_US/junos12.2/topics/task/configuration/firewall-filter-ex-series-cli.html
Applying a Firewall Filter to a Port on a Switch
Applying a Firewall Filter to a Layer 3 (Routed) Interface
0
 
FireBallAuthor Commented:
i do not understand that for ex ;
100 Mbit ingress limit policy if applyed to 10.1.1.1/24  does 100mbit limit applies to each ip address 100Mbit limit or it is a total limit for a C class ip address
0
 
FireBallAuthor Commented:
Thank you
0
 
btanExec ConsultantCommented:
Thanks for info on the "from" in the filter policer.
Match packet fields to values specified in a match condition. If the from statement is not included in a firewall filter configuration, all packets are considered to match and the actions and action modifiers in the then statement are taken.
http://www.juniper.net/techpubs/en_US/junos12.2/topics/reference/configuration-statement/from-firewall-filter-ex-series.html

In short it match the range as long as the source falls within it.
Configure rate limiting for the policer:
Specify the bandwidth limit in bits per second (bps) to control the traffic rate on an interface:
[edit firewall policer policer-one]
user@switch# set if-exceeding bandwidth-limit 300k
The range for the bandwidth limit is 1k through 102.3g bps.

Specify the burst-size limit (the maximum allowed burst size in bytes) to control the amount of traffic bursting:
[edit firewall policer policer-one]
user@switch# set if-exceeding burst-size-limit 500k
To determine the value for the burst-size limit, multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur:

burst size = (bandwidth) * (allowable time for burst traffic)

The range for the burst-size limit is 1 through 2,147,450,880 bytes.
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now