Rate Limit Per IP in JUNOS

If you want to rate limit certain IPs in JUNOS, here’s an easy way to do it!

This policer sets each IP to a bandwidth limit of 64 Kbps and allows a burst of up to 128 KB. Remember that burst-size-limit is in BYTES whereas bandwidth-limit is in BITS per second.

 



Responses to “Rate Limit Per IP in JUNOS”

  1. Hi Ben,

    How do you calculate the burst-size? I have found some links but was never convinced by the calculation.
    Was wondering if you have an explanation for the same ?

    -Sky

    • Hey Sky! Thanks for the comment.

      I generally like to use Juniper’s guidelines found here: http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/policer-mx-m120-m320-burstsize-determining.html. (No lower than 5ms of line rate traffic and no lower than 10x the MTU.)

      I typically use a burst-size tailored for 10ms of rated bandwidth. For a 100M bandwidth limit, your burst size will be 125,000 Bytes (100 Mbps / 8 * .01). Also, be sure to remember that burst-size is BYTES whereas bandwidth is bits.
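The following is an added example, not code from the original post or from Ben: a small Python script that applies the sizing rule from this exchange (burst = 10 ms of the policed bandwidth, raised to the larger of 5 ms of line-rate traffic and 10x the MTU) and then emits the per-IP policer filter the post describes, one term per prefix referencing one policer. Junos instantiates a separate policer for each filter term that references it (term-specific policers are the default), which is what keeps the limits independent per IP. The interface, prefixes, link rate and the policer/filter names are constructed sample values; the interpretation of "line rate" as the interface rate rather than the policed rate is an assumption, so pass whichever rate you take the guideline to mean.

```python
"""Per-IP policer for Junos: size the burst per the thread's guideline, then emit
the 'set' commands for a filter with one term (one policer instance) per IP."""
import ipaddress
from typing import List, Sequence

# Guideline from the thread: burst no lower than 5 ms of line-rate traffic and no
# lower than 10x the MTU. Ben starts from 10 ms of the policed bandwidth.
MIN_LINE_RATE_MS = 5
MIN_MTU_MULTIPLE = 10
DEFAULT_BURST_MS = 10


def bytes_in(bandwidth_bps: int, milliseconds: float) -> int:
    """Bytes carried by bandwidth_bps in the given time: bits / 8 * seconds."""
    return int(bandwidth_bps / 8 * milliseconds / 1000)


def burst_size(bandwidth_bps: int, line_rate_bps: int, mtu: int = 1500,
               burst_ms: float = DEFAULT_BURST_MS) -> int:
    """burst-size-limit in BYTES for a policer whose bandwidth-limit is in BITS/s.

    Starts from burst_ms of the policed rate and raises it to the larger guideline
    floor, so a tiny policer never gets a burst smaller than a few packets.
    """
    wanted = bytes_in(bandwidth_bps, burst_ms)
    floor = max(bytes_in(line_rate_bps, MIN_LINE_RATE_MS), MIN_MTU_MULTIPLE * mtu)
    return max(wanted, floor)


def policer(name: str, bandwidth_bps: int, burst_bytes: int) -> List[str]:
    """Policer statements; out-of-profile packets are discarded, as in the post."""
    return [
        f"set firewall policer {name} if-exceeding bandwidth-limit {bandwidth_bps}",
        f"set firewall policer {name} if-exceeding burst-size-limit {burst_bytes}",
        f"set firewall policer {name} then discard",
    ]


def per_ip_filter(filter_name: str, policer_name: str, prefixes: Sequence[str],
                  direction: str) -> List[str]:
    """One term per prefix, all referencing the same policer name.

    Junos creates a policer instance per referencing term (term-specific, the
    default), so each prefix gets its own token bucket. An input filter sees the
    host as source (its uploads); an output filter sees it as destination.
    """
    if direction not in ("input", "output"):
        raise ValueError("direction must be 'input' or 'output'")
    match = "source-address" if direction == "input" else "destination-address"
    lines: List[str] = []
    for i, prefix in enumerate(prefixes, 1):
        # strict=True rejects host bits set in a prefix, e.g. 192.168.1.5/24
        net = ipaddress.ip_network(prefix, strict=True)
        term = f"limit-{i}"
        lines.append(f"set firewall family inet filter {filter_name} term {term} from {match} {net}")
        lines.append(f"set firewall family inet filter {filter_name} term {term} then policer {policer_name}")
    # Without an explicit accept, the filter's implicit discard drops every other host.
    lines.append(f"set firewall family inet filter {filter_name} term accept-the-rest then accept")
    return lines


def build(interface: str, prefixes: Sequence[str], bandwidth_bps: int, line_rate_bps: int,
          mtu: int = 1500, direction: str = "input",
          policer_name: str = "per-ip-64k", filter_name: str = "police-ips") -> List[str]:
    """Complete set of commands: policer, filter, and the interface binding."""
    burst = burst_size(bandwidth_bps, line_rate_bps, mtu)
    return (policer(policer_name, bandwidth_bps, burst)
            + per_ip_filter(filter_name, policer_name, prefixes, direction)
            + [f"set interfaces {interface} family inet filter {direction} {filter_name}"])


if __name__ == "__main__":
    # Constructed sample: two hosts behind ge-0/0/1.0 on a 100 Mbps link, 64 kbps each.
    for line in build("ge-0/0/1 unit 0", ["192.168.1.10/32", "192.168.1.20/32"],
                      64_000, 100_000_000):
        print(line)
```

With a 64 kbps policer on a 100 Mbps link the 10 ms rule alone gives only 80 bytes, so the 5 ms line-rate floor (62,500 bytes) wins; for Ben's 100 Mbps example the 10 ms figure (125,000 bytes) is already above both floors and is used as-is.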

  2. Hi Ben,

    We just installed an SRX550 in our company to implement BGP for multihoming. We have two vendors, to each of whom we have assigned a /28 public IP range.

    Vendor A: lets say 192.168.1.0/28.
    Vendor B : 192.168.1.16/28.

    I have 192.168.1.1 and 192.168.1.17 assigned to the reth2 unit 0 interface (LAN interface) of the router, acting as default gateways for the respective vendor servers.

    I need to limit the inbound and the outbound traffic of Vendor A to 10MBps and similarly limit the inbound and outbound traffic of Vendor B to 5Mbps.

    I need to apply this filter on this particular interface. The reason I don’t want to do it on the untrust interface is because it might pull 10 Mbps from both the ISPs and eventually end up with 20 Mbps.

    Could you please help me in this regard and provide me a configuration? Thanks.

    -Ramey

    • Also, for limiting download speed I need to configure it on the LAN interface; for limiting upload, is it necessary to place the policer on the WAN interface? Can I place it on the same interface for both incoming and outgoing traffic?

      -Ramsey

      • Ramsey,

        If you place the policer on the WAN interface outgoing, you’ll end up policing ALL traffic. If that’s what you want, you can do it. Typically you control outgoing traffic by policing it at the ingress point.

    • Hey Ramey,

      For some reason I’m just now seeing this comment…. WordPress fail! Hopefully you got this settled. If not, shoot me an e-mail and lets get this worked out!

  3. Ben,

    Great! This looks like it works for NATed mode with inet. How about if the interface is a bridge and the firewall is running in transparent mode? How can I have the rate limit there? Thank you!

    • Bill,

      Try using a bridge-mode filter:

      set firewall family bridge filter xyz term 1 then policer xyz

      • Hi ben,

        It looks like it’s not working.
        Can you please help by showing more details?

        I cannot define rules.
        **********
        root@SRX-3600-1# set interfaces ge-1/0/0 unit 0 family bridge fil
        ^
        *********

        I cannot apply the firewall filter.

        ******
        root@SRX-3600-1# set firewall family bridge filter abc term 1 then
        *************

        They all show “syntax error.”

        I am using an SRX3600; your help is highly appreciated!

        Thank you!

        • Bill,

          What version of JUNOS are you running? On my 3600 running 11.4R3.7 it works.

          • Hi Ben,

            I am running

            root@SRX-3600-1> show version
            node0:
            ————————————————————————–
            Hostname: SRX-3600-1
            Model: srx3600
            JUNOS Software Release [12.1R1.9]

      • Ben,

        Could you please give me more details on how to make the rate limit work with a bridge-mode filter? I tried your command and it looks like it doesn’t work. Thank you!

  4. Hey Techie,

    I read your blog... really useful. 🙂

    Could you please help me to limit bandwidth on the SRX? I have 20 MB upstream and I configured SNAT; I want to limit the LAN to 10 MB. I tried, but it seems it’s not working...

    Thank you…

    • You could rate limit per IP prefix on the output instead of the input.

      set interfaces ge-0/0/1 unit 0 family inet filter output police-ips
      set firewall family inet filter police-ips term 1st_ip from source-address 192.168.1.0/24
      set firewall family inet filter police-ips term 1st_ip then policer xyz
      set firewall family inet filter police-ips term 2nd_ip from source-address 192.168.2.0/24
      set firewall family inet filter police-ips term 2nd_ip then policer xyz
      set firewall family inet filter police-ips term accept-the-rest then accept
      set firewall policer xyz if-exceeding bandwidth-limit 64k
      set firewall policer xyz if-exceeding burst-size-limit 128k
      set firewall policer xyz then discard