Rate Limiting on SRX 210
Let's say we have an SRX 210 with a 7 MB uplink to the Internet. We have several customers, and we want to guarantee each of them 700 KB (HTTP); the remainder they can contend for as burst or BE (best-effort) traffic. As shown in Figure 1, the uplink and the customers are connected to VLAN 7, and the SRX 210 acts as a switch. A solution to this problem has been described at http://www.gossamer-threads.com/lists/nsp/juniper/18291, but for EX switches. Let's see how it can be done on an SRX device:
set version 10.0R3.10
set system root-authentication encrypted-password "$1$paies224$eRSX786TRgzRhp8sjuxKi1"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system login user vbogatov uid 2000
set system login user vbogatov class super-user
set system login user vbogatov authentication encrypted-password "$1$3QOQ..0A$UGuqzetWTdauP1U5k9BPg0"
set system services ssh
set system services telnet
set system services web-management http interface vlan.7
set system services web-management https system-generated-certificate
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members PC
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members PC
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members PC
set interfaces vlan unit 7 family inet filter input Input-From-customer-1
set interfaces vlan unit 7 family inet address 192.168.100.99/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.100.3
set class-of-service forwarding-classes queue 7 Cust-1
set class-of-service forwarding-classes queue 6 Cust-2
set class-of-service forwarding-classes queue 5 Cust-3
set class-of-service forwarding-classes queue 4 Cust-4
set class-of-service forwarding-classes queue 0 BE
set class-of-service forwarding-classes queue 3 Cust-5
set class-of-service interfaces fe-0/0/2 scheduler-map SCHEDULER
set class-of-service scheduler-maps SCHEDULER forwarding-class Cust-1 scheduler CUST-1
set class-of-service scheduler-maps SCHEDULER forwarding-class Cust-2 scheduler CUST-2
set class-of-service scheduler-maps SCHEDULER forwarding-class Cust-3 scheduler CUST-3
set class-of-service scheduler-maps SCHEDULER forwarding-class Cust-4 scheduler CUST-4
set class-of-service scheduler-maps SCHEDULER forwarding-class Cust-5 scheduler CUST-5
set class-of-service scheduler-maps SCHEDULER forwarding-class BE scheduler BE
set class-of-service schedulers CUST-1 transmit-rate 700k
set class-of-service schedulers CUST-1 shaping-rate 7m
set class-of-service schedulers CUST-2 transmit-rate 700k
set class-of-service schedulers CUST-2 shaping-rate 7m
set class-of-service schedulers CUST-3 transmit-rate 700k
set class-of-service schedulers CUST-3 shaping-rate 7m
set class-of-service schedulers BE shaping-rate 7m
set class-of-service schedulers CUST-4 transmit-rate 700k
set class-of-service schedulers CUST-4 shaping-rate 7m
set class-of-service schedulers CUST-5 transmit-rate 700k
set class-of-service schedulers CUST-5 shaping-rate 7m
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.7 host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.7 host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/4.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/4.0 host-inbound-traffic protocols all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set firewall family inet filter Input-From-customer-1 term http from destination-port 80
set firewall family inet filter Input-From-customer-1 term http then count customer1
set firewall family inet filter Input-From-customer-1 term http then loss-priority low
set firewall family inet filter Input-From-customer-1 term http then forwarding-class Cust-1
set firewall family inet filter Input-From-customer-1 term normal then count normal
set firewall family inet filter Input-From-customer-1 term normal then loss-priority low
set firewall family inet filter Input-From-customer-1 term normal then forwarding-class BE
set vlans PC vlan-id 7
set vlans PC l3-interface vlan.7
To check the result, issue the command:
> show firewall
Filter: Input-From-customer-1
Counters:
Name        Bytes     Packets
customer1   249483    1242
normal      2130123   19162
The result shows that the filter is working, but there is a problem with web sites opening: they do not open stably.
You can test this config yourself, and maybe you will find some errors.
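As an added example (not code from the original post or from Juniper), the following Python audit reads set-style lines like the ones above and cross-checks them: the total of the transmit-rate guarantees against the uplink, every forwarding class mapped in the scheduler map, every referenced scheduler defined, and which forwarding classes no filter term ever steers traffic into. The embedded configuration is a constructed three-class excerpt of the page's own lines, and the 7 Mbit/s uplink is an assumption taken from the 7m shaping-rate; run on the full configuration it reports Cust-2 to Cust-5 as classes without a term.

```python
UNITS = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}  # Junos rate suffixes -> bit/s

def to_bps(rate: str) -> int:
    """Convert a Junos rate literal ('700k', '7m') to bits per second."""
    return int(rate[:-1]) * UNITS[rate[-1]] if rate[-1] in UNITS else int(rate)

def audit_cos(config: str, uplink_bps: int) -> dict:
    """Cross-check forwarding classes, scheduler map, schedulers and filter terms."""
    fcs, fc_to_sched, xmit, shape, fc_with_term = set(), {}, {}, {}, set()
    for line in config.strip().splitlines():
        w = line.split()
        if len(w) < 3: continue  # skip blank or truncated lines
        if w[1:3] == ["class-of-service", "forwarding-classes"]:
            fcs.add(w[5])                        # ... queue <n> <class>
        elif w[1:3] == ["class-of-service", "scheduler-maps"]:
            fc_to_sched[w[5]] = w[7]             # forwarding-class <fc> scheduler <s>
        elif w[1:3] == ["class-of-service", "schedulers"]:
            (xmit if w[4] == "transmit-rate" else shape)[w[3]] = to_bps(w[5])
        elif w[1] == "firewall" and "forwarding-class" in w:
            fc_with_term.add(w[w.index("forwarding-class") + 1])
    scheds = set(fc_to_sched.values())
    guaranteed = sum(xmit.get(s, 0) for s in scheds)   # sum of transmit-rate guarantees
    return {
        "guaranteed_bps": guaranteed,
        "oversubscribed": guaranteed > uplink_bps,
        "unmapped_classes": sorted(fcs - set(fc_to_sched)),
        "missing_schedulers": sorted(scheds - set(xmit) - set(shape)),
        "classes_without_term": sorted(fcs - fc_with_term),
    }

# Constructed three-class excerpt of the page's configuration (set-style lines).
CONFIG = """
set class-of-service forwarding-classes queue 7 Cust-1
set class-of-service forwarding-classes queue 6 Cust-2
set class-of-service forwarding-classes queue 0 BE
set class-of-service scheduler-maps SCHEDULER forwarding-class Cust-1 scheduler CUST-1
set class-of-service scheduler-maps SCHEDULER forwarding-class Cust-2 scheduler CUST-2
set class-of-service scheduler-maps SCHEDULER forwarding-class BE scheduler BE
set class-of-service schedulers CUST-1 transmit-rate 700k
set class-of-service schedulers CUST-1 shaping-rate 7m
set class-of-service schedulers CUST-2 transmit-rate 700k
set class-of-service schedulers CUST-2 shaping-rate 7m
set class-of-service schedulers BE shaping-rate 7m
set firewall family inet filter Input-From-customer-1 term http from destination-port 80
set firewall family inet filter Input-From-customer-1 term http then forwarding-class Cust-1
set firewall family inet filter Input-From-customer-1 term normal then forwarding-class BE
"""
UPLINK_BPS = 7_000_000  # assumed: matches the 7m shaping-rate on the page
if __name__ == "__main__":
    print(audit_cos(CONFIG, UPLINK_BPS))
```

A class that no term feeds never receives its guarantee, and the `show firewall` counters only confirm that the terms which do exist are matching, so this check belongs before commit.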