Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Per IP Rate Limit on EX4500

Posted on 2014-12-10
9
Medium Priority
?
164 Views
Last Modified: 2015-04-07
is there any possible way to apply rate limit per ip address on a Ex4500 switch ?
0
Comment
Question by:FireBall
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 64

Expert Comment

by:btan
ID: 40493196
it is close to the example on using policer and term then add into the interface config
http://www.tech-recipes.com/rx/2474/rate_limiting_on_juniper_networks/

another from forum

firewall{
 
family ethernet-switching {
filter port-policer {
interface-specific;
term limit-ip {
from {
destination-address {
192.168.3.10/32;
 
}
}
then policer rate-limit-policer;
}
}
}
}
http://forums.juniper.net/t5/Routing/Implement-per-ip-rate-limiting-in-JUNOS/td-p/37518
0
 

Author Comment

by:FireBall
ID: 40493335
is there a rule for all ip's inside but each of them included one by one ?because we have 20.000+ ip addresses
0
 
LVL 64

Expert Comment

by:btan
ID: 40493385
that example state a range with the prefix length, it defaults to /32.
To specify more than one IP address in a filter term, you enter each address in its own match statement.
See http://www.juniper.net/documentation/en_US/junos13.2/topics/concept/firewall-filter-ex-series-match-understanding.html#jd0e190
0
Are You Using the Best Web Development Editor?

The worlds of web hosting and web development are constantly evolving. Every year we see design trends change, coding standards adapt and new frameworks/CMS created. With such a quick pace of change it’s easy to get lost trying to keep up.

See if your editor made the list.

 
LVL 64

Expert Comment

by:btan
ID: 40493386
that example state a range with the prefix length, it defaults to /32.
To specify more than one IP address in a filter term, you enter each address in its own match statement.
See http://www.juniper.net/documentation/en_US/junos13.2/topics/concept/firewall-filter-ex-series-match-understanding.html#jd0e190
0
 

Author Comment

by:FireBall
ID: 40499802
dear btan we are not looking for forward physical interface all traffic of an ip address
we are looking for an ip address's only 587 port traffic to a port
0
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 40500046
I am thinking it may be the use case for policer (state the rate limit) + firewall filter (state the field such as port, vlan and ip address).

Configuring Policers to Control Traffic Rates (CLI Procedure)
http://www.juniper.net/techpubs/en_US/junos12.2/topics/task/configuration/firewall-filter-ex-series-policer-cli.html

Configuring Firewall Filters (CLI Procedure)
http://www.juniper.net/techpubs/en_US/junos12.2/topics/task/configuration/firewall-filter-ex-series-cli.html
Applying a Firewall Filter to a Port on a Switch
Applying a Firewall Filter to a Layer 3 (Routed) Interface
0
 

Author Comment

by:FireBall
ID: 40517041
i do not understand that for ex ;
100 Mbit ingress limit policy if applyed to 10.1.1.1/24  does 100mbit limit applies to each ip address 100Mbit limit or it is a total limit for a C class ip address
0
 

Author Closing Comment

by:FireBall
ID: 40710818
Thank you
0
 
LVL 64

Expert Comment

by:btan
ID: 40711568
Thanks for info on the "from" in the filter policer.
Match packet fields to values specified in a match condition. If the from statement is not included in a firewall filter configuration, all packets are considered to match and the actions and action modifiers in the then statement are taken.
http://www.juniper.net/techpubs/en_US/junos12.2/topics/reference/configuration-statement/from-firewall-filter-ex-series.html

In short it match the range as long as the source falls within it.
Configure rate limiting for the policer:
Specify the bandwidth limit in bits per second (bps) to control the traffic rate on an interface:
[edit firewall policer policer-one]
user@switch# set if-exceeding bandwidth-limit 300k
The range for the bandwidth limit is 1k through 102.3g bps.

Specify the burst-size limit (the maximum allowed burst size in bytes) to control the amount of traffic bursting:
[edit firewall policer policer-one]
user@switch# set if-exceeding burst-size-limit 500k
To determine the value for the burst-size limit, multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur:

burst size = (bandwidth) * (allowable time for burst traffic)

The range for the burst-size limit is 1 through 2,147,450,880 bytes.
0

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question