Per IP Rate Limit on EX4500

Is there any possible way to apply a rate limit per IP address on an EX4500 switch?
FireBallIT Asked:

btan Exec Consultant Commented:
It is close to the example of using a policer and term, then adding it to the interface config:
http://www.tech-recipes.com/rx/2474/rate_limiting_on_juniper_networks/

Another from the forum:

firewall {
    family ethernet-switching {
        filter port-policer {
            interface-specific;
            term limit-ip {
                from {
                    destination-address {
                        192.168.3.10/32;
                    }
                }
                then policer rate-limit-policer;
            }
        }
    }
}
http://forums.juniper.net/t5/Routing/Implement-per-ip-rate-limiting-in-JUNOS/td-p/37518
FireBallIT Author Commented:
Is there a rule for all IPs inside, but with each of them included one by one? Because we have 20.000+ IP addresses.
btan Exec Consultant Commented:
That example states a range with the prefix length; it defaults to /32.
To specify more than one IP address in a filter term, you enter each address in its own match statement.
See http://www.juniper.net/documentation/en_US/junos13.2/topics/concept/firewall-filter-ex-series-match-understanding.html#jd0e190
FireBallIT Author Commented:
Dear btan, we are not looking for forward physical interface all traffic of an IP address.
We are looking for an IP address's only 587 port traffic to a port.
btan Exec Consultant Commented:
I am thinking it may be the use case for policer (state the rate limit) + firewall filter (state the field such as port, vlan and ip address).

Configuring Policers to Control Traffic Rates (CLI Procedure)
http://www.juniper.net/techpubs/en_US/junos12.2/topics/task/configuration/firewall-filter-ex-series-policer-cli.html

Configuring Firewall Filters (CLI Procedure)
http://www.juniper.net/techpubs/en_US/junos12.2/topics/task/configuration/firewall-filter-ex-series-cli.html
Applying a Firewall Filter to a Port on a Switch
Applying a Firewall Filter to a Layer 3 (Routed) Interface
FireBallIT Author Commented:
I do not understand that. For example:
if a 100 Mbit ingress limit policy is applied to 10.1.1.1/24, does the 100 Mbit limit apply to each IP address, or is it a total limit for a class C IP address?
FireBallIT Author Commented:
Thank you
btan Exec Consultant Commented:
Thanks for info on the "from" in the filter policer.
Match packet fields to values specified in a match condition. If the from statement is not included in a firewall filter configuration, all packets are considered to match and the actions and action modifiers in the then statement are taken.
http://www.juniper.net/techpubs/en_US/junos12.2/topics/reference/configuration-statement/from-firewall-filter-ex-series.html

In short, it matches the range as long as the source falls within it.
Configure rate limiting for the policer:

Specify the bandwidth limit in bits per second (bps) to control the traffic rate on an interface:

    [edit firewall policer policer-one]
    user@switch# set if-exceeding bandwidth-limit 300k

The range for the bandwidth limit is 1k through 102.3g bps.

Specify the burst-size limit (the maximum allowed burst size in bytes) to control the amount of traffic bursting:

    [edit firewall policer policer-one]
    user@switch# set if-exceeding burst-size-limit 500k

To determine the value for the burst-size limit, multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur:

    burst size = (bandwidth) * (allowable time for burst traffic)

The range for the burst-size limit is 1 through 2,147,450,880 bytes.
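The burst-size rule quoted in the last answer, worked through as an added example that is not part of the original thread: it sizes the burst from an interface speed and a burst window, checks both values against the ranges quoted above, and emits the two `set` statements in their top-level form. Assumptions: Junos rate suffixes are decimal (k, m, g), the bits-to-bytes division by 8 is applied because the bandwidth is in bps while the burst limit is in bytes, and the 10g interface speed and 5 ms window are constructed sample values.

```python
import re
from decimal import Decimal

# Ranges quoted in the thread for the EX Series policer.
BW_MIN_BPS, BW_MAX_BPS = 1_000, 102_300_000_000   # 1k through 102.3g bps
BURST_MIN_B, BURST_MAX_B = 1, 2_147_450_880       # bytes

# Assumption: rate suffixes are decimal multipliers.
_SUFFIX = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}


def parse_rate(text):
    """Convert a Junos-style rate such as '300k' or '102.3g' to an integer."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmg]?)", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised rate: {text!r}")
    return int(Decimal(m.group(1)) * _SUFFIX[m.group(2)])


def burst_size_bytes(interface_bps, burst_ms):
    """burst size = bandwidth * allowable burst time, in bytes.

    interface_bps is bits per second and burst_ms is milliseconds, so the
    product is divided by 1000 (ms -> s) and by 8 (bits -> bytes).
    """
    return interface_bps * burst_ms // 8000


def policer_commands(name, limit, interface_rate, burst_ms):
    """Return the two if-exceeding statements for a policer, range-checked."""
    bw = parse_rate(limit)
    if not BW_MIN_BPS <= bw <= BW_MAX_BPS:
        raise ValueError(f"bandwidth-limit {limit} outside 1k..102.3g bps")
    burst = burst_size_bytes(parse_rate(interface_rate), burst_ms)
    if not BURST_MIN_B <= burst <= BURST_MAX_B:
        raise ValueError(f"burst-size-limit {burst} outside 1..2,147,450,880 bytes")
    prefix = f"set firewall policer {name} if-exceeding"
    return [f"{prefix} bandwidth-limit {limit}",
            f"{prefix} burst-size-limit {burst}"]


if __name__ == "__main__":
    # Constructed sample: 300k policer on a 10g port, 5 ms burst window.
    for line in policer_commands("policer-one", "300k", "10g", 5):
        print(line)
```

A burst window long enough to exceed 2,147,450,880 bytes raises `ValueError` before any statement is emitted, so an out-of-range value is caught before it reaches the switch.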