Tuesday, September 3, 2013

Juniper EX Series Switches - Policing / Ratelimiting traffic

If you are from Cisco world and just been asked to rate limit traffic on Juniper EX series switches then this is how you will accomplish it.

First configure a policer under firewall

policer TEST-POLICER {
    if-exceeding {
        bandwidth-limit 10485760;
        burst-size-limit 1966080;
    }
    then discard;

}

Then you will need to configure firewall filter first just like an ACL in Cisco

family ethernet-switching {
    filter TEST-POLICE {
        term 1 {
            from {
                source-address {
                    0.0.0.0/0;
                }
                destination-address {
                    0.0.0.0/0;
                }
            }
            then policer TEST-POLICER;
        }
    }
}

The firewall filter can have multiple statements and you can apply different policers to "term"s. the above filter will apply the policer to all traffic. If your filters are specific and you want to restrict only few hosts or networks then you can have another term "default" without any action defined which will ensure that rest of the traffic is not policed

term default


Now apply the filter in the ingress on the RVI or the Interface;

show interfaces ge-0/0/42 
unit 0 {
    family ethernet-switching {
        port-mode access;
        vlan {
            members 422;
        }
        filter {
            input TEST-POLICE;
        }
    }
}

Please note that you cannot assign policers on the output direction as this is restricted in Juniper and will throw error when applying it.

You will need to create a shaper and apply it on the interface to shape the traffic to desired rate

show class-of-service 
interfaces {
    ge-0/0/42 {
        shaping-rate 10485760;
    }

}

Have Fun..!!

No comments:

Post a Comment