Solved

Per IP Rate Limit on EX4500

Posted on 2014-12-10
9
129 Views
Last Modified: 2015-04-07
is there any possible way to apply rate limit per ip address on a Ex4500 switch ?
0
Comment
Question by:Cahit Eyigunlu
  • 5
  • 4
9 Comments
 
LVL 61

Expert Comment

by:btan
ID: 40493196
it is close to the example on using policer and term then add into the interface config
http://www.tech-recipes.com/rx/2474/rate_limiting_on_juniper_networks/

another from forum

firewall{
 
family ethernet-switching {
filter port-policer {
interface-specific;
term limit-ip {
from {
destination-address {
192.168.3.10/32;
 
}
}
then policer rate-limit-policer;
}
}
}
}
http://forums.juniper.net/t5/Routing/Implement-per-ip-rate-limiting-in-JUNOS/td-p/37518
0
 

Author Comment

by:Cahit Eyigunlu
ID: 40493335
is there a rule for all ip's inside but each of them included one by one ?because we have 20.000+ ip addresses
0
 
LVL 61

Expert Comment

by:btan
ID: 40493385
that example state a range with the prefix length, it defaults to /32.
To specify more than one IP address in a filter term, you enter each address in its own match statement.
See http://www.juniper.net/documentation/en_US/junos13.2/topics/concept/firewall-filter-ex-series-match-understanding.html#jd0e190
0
 
LVL 61

Expert Comment

by:btan
ID: 40493386
that example state a range with the prefix length, it defaults to /32.
To specify more than one IP address in a filter term, you enter each address in its own match statement.
See http://www.juniper.net/documentation/en_US/junos13.2/topics/concept/firewall-filter-ex-series-match-understanding.html#jd0e190
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 

Author Comment

by:Cahit Eyigunlu
ID: 40499802
dear btan we are not looking for forward physical interface all traffic of an ip address
we are looking for an ip address's only 587 port traffic to a port
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40500046
I am thinking it may be the use case for policer (state the rate limit) + firewall filter (state the field such as port, vlan and ip address).

Configuring Policers to Control Traffic Rates (CLI Procedure)
http://www.juniper.net/techpubs/en_US/junos12.2/topics/task/configuration/firewall-filter-ex-series-policer-cli.html

Configuring Firewall Filters (CLI Procedure)
http://www.juniper.net/techpubs/en_US/junos12.2/topics/task/configuration/firewall-filter-ex-series-cli.html
Applying a Firewall Filter to a Port on a Switch
Applying a Firewall Filter to a Layer 3 (Routed) Interface
0
 

Author Comment

by:Cahit Eyigunlu
ID: 40517041
i do not understand that for ex ;
100 Mbit ingress limit policy if applyed to 10.1.1.1/24  does 100mbit limit applies to each ip address 100Mbit limit or it is a total limit for a C class ip address
0
 

Author Closing Comment

by:Cahit Eyigunlu
ID: 40710818
Thank you
0
 
LVL 61

Expert Comment

by:btan
ID: 40711568
Thanks for info on the "from" in the filter policer.
Match packet fields to values specified in a match condition. If the from statement is not included in a firewall filter configuration, all packets are considered to match and the actions and action modifiers in the then statement are taken.
http://www.juniper.net/techpubs/en_US/junos12.2/topics/reference/configuration-statement/from-firewall-filter-ex-series.html

In short it match the range as long as the source falls within it.
Configure rate limiting for the policer:
Specify the bandwidth limit in bits per second (bps) to control the traffic rate on an interface:
[edit firewall policer policer-one]
user@switch# set if-exceeding bandwidth-limit 300k
The range for the bandwidth limit is 1k through 102.3g bps.

Specify the burst-size limit (the maximum allowed burst size in bytes) to control the amount of traffic bursting:
[edit firewall policer policer-one]
user@switch# set if-exceeding burst-size-limit 500k
To determine the value for the burst-size limit, multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur:

burst size = (bandwidth) * (allowable time for burst traffic)

The range for the burst-size limit is 1 through 2,147,450,880 bytes.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now