Mailing List Archive

Nothing looks out of sorts.
For the sake of testing, if you give the input direction a different policer, does it show any hits on 'show policer' output?

Eg;
set firewall family inet filter customer-ZZZ-out term default then policer
policer-20m-TEST

set firewall policer policer-20m-TEST if-exceeding bandwidth-limit 22m
...


-----Original Message-----
From: Chris Lee [mailto:chris@datachaos.com.au]
Sent: Wednesday, October 14, 2020 7:05 PM
To: juniper-nsp@puck.nether.net
Subject: Traffic shaping on SRX340

Hi,

We're running an SRX340 in packet mode as a router for customer internet
access on campus, generally providing smaller speed links around
5/10/20/50Mbps symmetric.

We apply a filter to the customers interface on the input and output, with
a policer policy to discard traffic when exceeding the defined
bandwidth limit.

So in the example configuration below, I find that when running a speed
test on the customers IP that the download traffic to them is shaped
nicely, spot on 22Mbps as in the example below, however on the upload test
it's as if the filter as no impact whatsoever and they get 60-70Mbps.

Anyone have any ideas on what I might be doing wrong? JunOS is 18.2R3-S3 in
this case, however this router was previously running a 15 release and we
had the same issue with the filters only seeming to work on the download
and not the upload traffic.

set interfaces ge-0/0/4 unit 3623 description "CUST-INTERNET-ZZZ Internet"
set interfaces ge-0/0/4 unit 3623 vlan-id 3623
set interfaces ge-0/0/4 unit 3623 family inet filter input customer-ZZZ-in
set interfaces ge-0/0/4 unit 3623 family inet filter output customer-ZZZ-out
set interfaces ge-0/0/4 unit 3623 family inet address 192.0.2.133/30

set firewall family inet filter customer-ZZZ-in term allow-icmp from
protocol icmp
set firewall family inet filter customer-ZZZ-in term allow-icmp then accept
set firewall family inet filter customer-ZZZ-in term default then policer
policer-20m
set firewall family inet filter customer-ZZZ-in term default then accept

set firewall family inet filter customer-ZZZ-out term allow-icmp from
protocol icmp
set firewall family inet filter customer-ZZZ-out term allow-icmp then accept
set firewall family inet filter customer-ZZZ-out term default then policer
policer-20m
set firewall family inet filter customer-ZZZ-out term default then accept

set firewall policer policer-20m if-exceeding bandwidth-limit 22m
set firewall policer policer-20m if-exceeding burst-size-limit 625k
set firewall policer policer-20m then discard

Thanks,
Chris
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

For my policers I use family ANY. I don't have experience with doing so on the SRX340 but he's is what my standard deployment looks like, see my notes:

set firewall policer 20M apply-flags omit
set firewall policer 20M if-exceeding bandwidth-limit 21250000
set firewall policer 20M if-exceeding burst-size-limit 6250000
set firewall policer 20M then discard

set firewall family any filter police-20M apply-flags omit
set firewall family any filter police-20M interface-specific <<<<<<<<<<<<<<<<<<<<<<<<< This may be your issue.
set firewall family any filter police-20M term 1 then policer 20M
set firewall family any filter police-20M term 1 then count policer

set interfaces ge-0/0/42 flexible-vlan-tagging
set interfaces ge-0/0/42 encapsulation flexible-ethernet-services
set interfaces ge-0/0/42 unit 500 vlan-id 500
set interfaces ge-0/0/42 unit 500 filter input police-20M
set interfaces ge-0/0/42 unit 500 filter output police-20M
set interfaces ge-0/0/42 unit 500 family inet filter input BCP38_REDACTED
set interfaces ge-0/0/42 unit 500 family inet address REDACTED






Kody Vicknair | Network Engineer III
985.536.1214 | kvicknair@reservetele.com


-----Original Message-----
From: juniper-nsp <juniper-nsp-bounces@puck.nether.net> On Behalf Of Emille Blanc
Sent: Thursday, October 15, 2020 11:16 AM
To: Chris Lee <chris@datachaos.com.au>; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Traffic shaping on SRX340

*External Email: Use Caution*

Nothing looks out of sorts.
For the sake of testing, if you give the input direction a different policer, does it show any hits on 'show policer' output?

Eg;
set firewall family inet filter customer-ZZZ-out term default then policer policer-20m-TEST

set firewall policer policer-20m-TEST if-exceeding bandwidth-limit 22m ...


-----Original Message-----
From: Chris Lee [mailto:chris@datachaos.com.au]
Sent: Wednesday, October 14, 2020 7:05 PM
To: juniper-nsp@puck.nether.net
Subject: Traffic shaping on SRX340

Hi,

We're running an SRX340 in packet mode as a router for customer internet access on campus, generally providing smaller speed links around 5/10/20/50Mbps symmetric.

We apply a filter to the customers interface on the input and output, with a policer policy to discard traffic when exceeding the defined bandwidth limit.

So in the example configuration below, I find that when running a speed test on the customers IP that the download traffic to them is shaped nicely, spot on 22Mbps as in the example below, however on the upload test it's as if the filter as no impact whatsoever and they get 60-70Mbps.

Anyone have any ideas on what I might be doing wrong? JunOS is 18.2R3-S3 in this case, however this router was previously running a 15 release and we had the same issue with the filters only seeming to work on the download and not the upload traffic.

set interfaces ge-0/0/4 unit 3623 description "CUST-INTERNET-ZZZ Internet"
set interfaces ge-0/0/4 unit 3623 vlan-id 3623 set interfaces ge-0/0/4 unit 3623 family inet filter input customer-ZZZ-in set interfaces ge-0/0/4 unit 3623 family inet filter output customer-ZZZ-out set interfaces ge-0/0/4 unit 3623 family inet address 192.0.2.133/30

set firewall family inet filter customer-ZZZ-in term allow-icmp from protocol icmp set firewall family inet filter customer-ZZZ-in term allow-icmp then accept set firewall family inet filter customer-ZZZ-in term default then policer policer-20m set firewall family inet filter customer-ZZZ-in term default then accept

set firewall family inet filter customer-ZZZ-out term allow-icmp from protocol icmp set firewall family inet filter customer-ZZZ-out term allow-icmp then accept set firewall family inet filter customer-ZZZ-out term default then policer policer-20m set firewall family inet filter customer-ZZZ-out term default then accept

set firewall policer policer-20m if-exceeding bandwidth-limit 22m set firewall policer policer-20m if-exceeding burst-size-limit 625k set firewall policer policer-20m then discard

Thanks,
Chris
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net https://link.edgepilot.com/s/0cc801b1/CjcPXRlBiUy8KtRUdVP4AA?u=https://puck.nether.net/mailman/listinfo/juniper-nsp


Links contained in this email have been replaced. If you click on a link in the email above, the link will be analyzed for known threats. If a known threat is found, you will not be able to proceed to the destination. If suspicious content is detected, you will see a warning.
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp