Tuesday, August 13, 2019

[SRX] Implement upload bandwidth-limiting using a firewall filter and a policer




SUMMARY:
This article explains how to implement bandwidth-limiting for trust-to-untrust upload traffic with the help of firewall filters and policers. The example below does not limit download traffic.
SYMPTOMS:
There might be some scenarios where it is necessary to restrict the upload bandwidth rates for one or many hosts. 
SOLUTION:
The example configuration below restricts the maximum bandwidth for two specific users to 1 Mbps and restricts the bandwidth for all other users to 9 Mbps, using only policers and firewall filters. It is recommended that you use this example to guide you in configuring your network. Be sure to make the changes required for your network (for example, interfaces, bandwidth rates, terms, IP address, and so on).

Step 1) Configure a policer to limit the bandwidth to 1 Mbps.
# set firewall policer policer-1mb if-exceeding bandwidth-limit 1m
# set firewall policer policer-1mb if-exceeding burst-size-limit 625000
# set firewall policer policer-1mb then discard 
This configuration limits the maximum bandwidth to 1 Mbps with a burst-size-limit of 625000 bytes. Any traffic exceeding this limit is discarded.


Step 2) Configure another policer to limit the bandwidth to 9 Mbps.
# set firewall policer policer-9mb if-exceeding bandwidth-limit 9m
# set firewall policer policer-9mb if-exceeding burst-size-limit 625000
# set firewall policer policer-9mb then discard 
This configuration limits the maximum bandwidth to 9 Mbps with a burst-size-limit of 625000 bytes. Any traffic exceeding this limit is discarded.


Step 3) Configure a firewall filter with a term (term 0) that uses a policer (policer-1mb) to rate-limit traffic to 1 Mbps for particular hosts.
# set firewall family inet filter output-limit term 0 from source-address 10.10.10.10/32
# set firewall family inet filter output-limit term 0 from source-address 10.10.10.11/32
# set firewall family inet filter output-limit term 0 then policer policer-1mb
# set firewall family inet filter output-limit term 0 then accept
The above set of lines identifies the two source hosts and applies the 1-Mbps policer (policer-1mb) to their traffic.


Step 4) Configure another term (term 1) in the same filter to apply a policer (policer-9mb) to rate-limit traffic to 9 Mbps for all other users.
# set firewall family inet filter output-limit term 1 from source-address 0.0.0.0/0
# set firewall family inet filter output-limit term 1 then policer policer-9mb
# set firewall family inet filter output-limit term 1 then accept 
The above set of lines applies the 9-Mbps policer (policer-9mb) to all remaining traffic.
It is important to note that the SRX applies this limit to the cumulative traffic of all hosts matching term 1, not per source IP. For per-IP policing, a separate term must be created for each IP address, with a policer applied to every term.


Step 5) Apply the firewall filter to the logical interface.
# set interfaces ge-0/0/0.0 family inet filter input output-limit
It is recommended to apply policers in the "input" direction rather than the "output" direction, because there is no point in processing traffic that an egress policer would drop anyway.
Applying the filter in the "input" direction of the trust interface limits the bandwidth for trust-to-untrust traffic only.
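To see how the two terms behave under load, here is an added Python model of the configuration above (example code written for this article, not Juniper's implementation): each policer is a token bucket with the bandwidth-limit and burst-size-limit values from steps 1 and 2, the filter evaluates its terms in order, and the senders are constructed, 10.10.10.10 from term 0 plus hypothetical hosts 10.10.10.20 to 10.10.10.24 that fall through to term 1, each offering 2 Mbps for 10 seconds. It shows the term 1 policer capping the five hosts' combined traffic near 9 Mbps rather than giving each of them 9 Mbps.

```python
from fractions import Fraction
from ipaddress import ip_address, ip_network
class Policer:
    """Token bucket modelling a Junos policer: bandwidth-limit in bits/s, burst-size-limit in bytes."""
    def __init__(self, bandwidth_limit_bps, burst_size_limit_bytes):
        self.rate = Fraction(bandwidth_limit_bps, 8000)  # bytes credited per millisecond
        self.burst = burst_size_limit_bytes               # bucket depth
        self.tokens = Fraction(burst_size_limit_bytes)    # bucket starts full
        self.last_ms = 0

    def conforms(self, now_ms, size):
        # Credit tokens for the elapsed time, never beyond the bucket depth.
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False  # out of profile: 'then discard'

class Filter:
    """Ordered terms, first match wins; traffic matching no term hits the implicit discard."""
    def __init__(self, terms):
        self.terms = [([ip_network(n) for n in nets], pol) for nets, pol in terms]

    def accept(self, now_ms, src, size):
        src = ip_address(src)
        for nets, policer in self.terms:
            if any(src in n for n in nets):
                return policer.conforms(now_ms, size)
        return False

def simulate(duration_ms=10_000, pkt_size=1250, interval_ms=5):
    """Every host offers 1250 bytes each 5 ms (2 Mbps) for 10 s; returns accepted bytes per host.
    A 625000-byte burst is 5 s of credit at 1 Mbps, so the 10 s average lands above the rate."""
    output_limit = Filter([
        (["10.10.10.10/32", "10.10.10.11/32"], Policer(1_000_000, 625_000)),  # term 0
        (["0.0.0.0/0"], Policer(9_000_000, 625_000)),                        # term 1
    ])
    # Constructed senders: one host from term 0 plus five hypothetical hosts that fall through to term 1.
    hosts = ["10.10.10.10"] + [f"10.10.10.{n}" for n in range(20, 25)]
    accepted = {h: 0 for h in hosts}
    for t in range(0, duration_ms, interval_ms):
        for host in hosts:
            if output_limit.accept(t, host, pkt_size):
                accepted[host] += pkt_size
    return accepted

if __name__ == "__main__":
    for host, nbytes in simulate().items():
        print(f"{host:12s} {nbytes * 8 / 10_000_000:.3f} Mbps average over 10 s")
```

Because the five term 1 hosts share one bucket, the last host in packet order loses the most when the bucket runs dry, which is the per-IP fairness problem the note above describes.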


Important Note:
  • To rate-limit the traffic so that a specific percentage of available bandwidth can be used by a user/network, use the "bandwidth-percent" option:
     root@SRX# set firewall policer policer-1mb if-exceeding ?
     Possible completions:
        bandwidth-limit Bandwidth limit (32000..50000000000 bits per second)
        bandwidth-percent Bandwidth limit in percentage (1..100 percent)