Solved

Per IP Rate Limit on EX4500

Posted on 2014-12-10
9
152 Views
Last Modified: 2015-04-07
Is there any possible way to apply a rate limit per IP address on an EX4500 switch?
0
Comment
Question by:Cahit Eyigunlu
9 Comments
 
LVL 64

Expert Comment

by:btan
ID: 40493196
It is close to the example of using a policer and term, then adding it to the interface config:
http://www.tech-recipes.com/rx/2474/rate_limiting_on_juniper_networks/

another from forum

firewall {
    family ethernet-switching {
        filter port-policer {
            interface-specific;
            term limit-ip {
                from {
                    destination-address {
                        192.168.3.10/32;
                    }
                }
                then policer rate-limit-policer;
            }
        }
    }
}
http://forums.juniper.net/t5/Routing/Implement-per-ip-rate-limiting-in-JUNOS/td-p/37518
0
 

Author Comment

by:Cahit Eyigunlu
ID: 40493335
Is there a rule for all IPs inside, but with each of them included one by one? Because we have 20.000+ IP addresses.
0
 
LVL 64

Expert Comment

by:btan
ID: 40493385
That example states a range with the prefix length; it defaults to /32.
To specify more than one IP address in a filter term, you enter each address in its own match statement.
See http://www.juniper.net/documentation/en_US/junos13.2/topics/concept/firewall-filter-ex-series-match-understanding.html#jd0e190
0

 
 

Author Comment

by:Cahit Eyigunlu
ID: 40499802
Dear btan, we are not looking for forward physical interface all traffic of an IP address;
we are looking for an IP address's only 587 port traffic to a port.
0
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40500046
I am thinking it may be the use case for policer (state the rate limit) + firewall filter (state the field such as port, vlan and ip address).

Configuring Policers to Control Traffic Rates (CLI Procedure)
http://www.juniper.net/techpubs/en_US/junos12.2/topics/task/configuration/firewall-filter-ex-series-policer-cli.html

Configuring Firewall Filters (CLI Procedure)
http://www.juniper.net/techpubs/en_US/junos12.2/topics/task/configuration/firewall-filter-ex-series-cli.html
Applying a Firewall Filter to a Port on a Switch
Applying a Firewall Filter to a Layer 3 (Routed) Interface
0
 

Author Comment

by:Cahit Eyigunlu
ID: 40517041
I do not understand that. For example:
if a 100 Mbit ingress limit policy is applied to 10.1.1.1/24, does the 100 Mbit limit apply to each IP address, or is it a total limit for a class C IP address?
0
 

Author Closing Comment

by:Cahit Eyigunlu
ID: 40710818
Thank you
0
 
LVL 64

Expert Comment

by:btan
ID: 40711568
Thanks for info on the "from" in the filter policer.
Match packet fields to values specified in a match condition. If the from statement is not included in a firewall filter configuration, all packets are considered to match and the actions and action modifiers in the then statement are taken.
http://www.juniper.net/techpubs/en_US/junos12.2/topics/reference/configuration-statement/from-firewall-filter-ex-series.html

In short, it matches the range as long as the source falls within it.
Configure rate limiting for the policer:
Specify the bandwidth limit in bits per second (bps) to control the traffic rate on an interface:
[edit firewall policer policer-one]
user@switch# set if-exceeding bandwidth-limit 300k
The range for the bandwidth limit is 1k through 102.3g bps.

Specify the burst-size limit (the maximum allowed burst size in bytes) to control the amount of traffic bursting:
[edit firewall policer policer-one]
user@switch# set if-exceeding burst-size-limit 500k
To determine the value for the burst-size limit, multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur:

burst size = (bandwidth) * (allowable time for burst traffic)

The range for the burst-size limit is 1 through 2,147,450,880 bytes.
0
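
Added example, not part of the original thread or of Juniper's documentation: a policer attached to a term meters everything that term matches as one aggregate, so a per-address limit needs one term per address, and this sketch generates those terms as Junos set commands for TCP port 587 traffic and computes the burst size from the formula above. Assumptions: the hosts are matched as source addresses, the burst time is given in milliseconds, the result is converted from bits to bytes, and each term that references the policer gets its own policer instance (confirm this on your Junos release).

```python
import ipaddress

FILTER = "port-policer"          # filter name taken from the thread's example
POLICER = "rate-limit-policer"   # policer name taken from the thread's example
MAX_BURST = 2_147_450_880        # upper bound in bytes quoted in the thread


def burst_size_bytes(bandwidth_bps, burst_ms):
    """burst size = bandwidth * allowable burst time, converted to bytes."""
    size = bandwidth_bps * burst_ms // 8000   # bits * ms -> bytes
    if not 1 <= size <= MAX_BURST:
        raise ValueError(f"burst size {size} bytes is outside 1..{MAX_BURST}")
    return size


def policer_commands(bandwidth, interface_bps, burst_ms):
    """Set commands for one policer; `bandwidth` is a Junos value such as '100m'."""
    base = f"set firewall policer {POLICER}"
    burst = burst_size_bytes(interface_bps, burst_ms)
    return [
        f"{base} if-exceeding bandwidth-limit {bandwidth}",
        f"{base} if-exceeding burst-size-limit {burst}",
        f"{base} then discard",
    ]


def per_host_terms(prefix, port=587):
    """One term per host address in `prefix`, each matching TCP `port` only."""
    base = f"set firewall family ethernet-switching filter {FILTER}"
    cmds = []
    for host in ipaddress.ip_network(prefix, strict=False).hosts():
        # Hypothetical term naming scheme: limit-<address with dashes>
        term = f"{base} term limit-{str(host).replace('.', '-')}"
        cmds += [
            f"{term} from source-address {host}/32",
            f"{term} from protocol tcp",
            f"{term} from destination-port {port}",
            f"{term} then policer {POLICER}",
        ]
    # Traffic that matches no per-host term is accepted without policing.
    cmds.append(f"{base} term everything-else then accept")
    return cmds


if __name__ == "__main__":
    # Constructed sample: 100 Mbit limit, 5 ms burst on a 10 Gbit port, 10.1.1.1/24
    for line in policer_commands("100m", 10_000_000_000, 5) + per_host_terms("10.1.1.1/24"):
        print(line)
```

A /24 already produces 254 terms, so for 20.000+ addresses check the switch's filter term capacity before committing the generated configuration.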
