SRX

 View Only
last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Limiting Traffic on an Interface using a policer

    Posted 12-06-2013 19:12

    Hi,

     

       I am trying to limit the ICMP traffic that passes interface fe-0/0/1 when trying to reach Lo0.0. I have created the policer and I have also created the firewall filter and applied it to interface fe-0/0/1 and I still am not seeing any packets hitting the policer filter. Below are the configs for Juniper1 where the firewall filter and policer is applied and the source of the traffic is Juniper2. Below is a simple layout of the network setup.

     

     

    root@Juniper1> show configuration firewall
    family inet {
    filter ALLOW_TELNET {
    term 1 {
    from {
    source-address {
    192.168.23.3/32;
    }
    protocol tcp;
    port telnet;
    }
    then {
    log;
    accept;
    }
    }
    }
    }
    policer limit-icmp {
    if-exceeding {
    bandwidth-limit 1m;
    burst-size-limit 50k;
    }
    then discard;
    }
    filter ALLOW_HTTP_ONLY {
    term ALLOW_HTTP {
    from {
    protocol tcp;
    port http;
    }
    then accept;
    }
    term BLOCK_EVERY {
    then {
    reject;
    }
    }
    }
    filter INCOMING_ICMP_FILTER {
    term 1 {
    from {
    protocol icmp;
    }
    then policer limit-icmp;
    }
    }

    root@Juniper1>

     

     

    root@Juniper1> show configuration interfaces fe-0/0/1
    unit 0 {
    family inet {
    filter {
    input INCOMING_ICMP_FILTER;
    }
    address 192.168.12.1/26;
    }
    }

    root@Juniper1>

     

    root@Juniper1> show firewall filter INCOMING_ICMP_FILTER

    Filter: INCOMING_ICMP_FILTER
    Policers:
    Name Bytes Packets
    limit-icmp-1 0

    root@Juniper1>

     

     

    Juniper1 fe-0/0/1 ------->>>> Juniper2 fe-0/0/1 Source of traffic


    #firewall
    #FirewallFilter
    #routing
    #SRX
    #policer
    #limit
    #Juniper


  • 2.  RE: Limiting Traffic on an Interface using a policer

     
    Posted 12-07-2013 02:12

     

    Hi,

     

    You should define your filter as follows:

     

    filter INCOMING_ICMP_FILTER {
    	term 1 {
    		from {
    			protocol icmp;
    		}
    		then policer limit-icmp;
    	}
    	term default {
    		then accept;
    	}
    }
    

     Without the default accept all traffic will be dropped.

     

    Regards,

    Steven

     



  • 3.  RE: Limiting Traffic on an Interface using a policer

    Posted 12-07-2013 05:33
    Currently the traffic sourced from Juniper 2 is not being dropped. Because I get replies back from Juniper 1 when I send pings. So I am not sure how this will help me maybe I am applying the filter incorrectly? Thank you



  • 4.  RE: Limiting Traffic on an Interface using a policer
    Best Answer

     
    Posted 12-07-2013 10:39

    Yes, ICMP traffic will pass. But all other traffic (e.g. TCP, UDP) won't. This is because the default action for a term is to accept traffic. Term 1 in your filter accepts all matched traffic (ICMP) that isn't affected by the policer. Other traffic will not match term 1 and is discarded by the filter. Your current filter in effect looks like this:

     

    filter INCOMING_ICMP_FILTER {
        term 1 {
            from {
                protocol icmp;
            }
            then {
                policer limit-icmp;
                accept;
            }
        }
        term 2 {
            then {
                discard;
            }
        }
    }
    

    That's why you need the default accept in order to allow traffic not matched by term 1.

    If you're looking to protect the routing engine, it is probably better to put this filter on the loopback interface lo0. That way, it doesn't make a difference from which interface the traffic is arriving.

     

    The reason that the command 'show firewall filter INCOMING_ICMP_FILTER' does show 0 bytes is probably because you didn't generate enough ICMP traffic to hit the policer.

     

    Regards,

    Steven

     



  • 5.  RE: Limiting Traffic on an Interface using a policer

    Posted 12-08-2013 08:59

    Hi Steve,

     

        You were correct the reason why I was not getting any hits for the number packets when I ran the command "show firewall filter xxx" was due to the fact that I was not generating enough traffic. Regarding the implicit deny at the end of firewall filter you are correct I need a permit all to allow the rest of the traffic to flow through that interface. Thank you for your help