SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Unable to get traffic shaping working on a SRX345

    Posted 08-09-2019 03:42

    I'm convinced I've missed something but I can't for the life of me work out where I am going wrong. I would like to shape traffic on a single physical interface (acting as a switch port) to 2Mbps. I have followed the instructions detailed here: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/shaping-rate-edit-class-of-service.html

     

    However, when I'm testing the throughput of the port with iperf I am getting near line speed (1Gbps) - I have also checked the throughput with the monitor command within JunOS and can confirm it reports the same readings.

     

    I've included my current configuration below and would really appreciate if anyone could shed any light on where I am going wrong:

     

    version 15.1X49-D150.2;
    system {
        host-name TEST-SRX;
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        services {
            ssh {
                root-login deny;
                protocol-version v2;
                connection-limit 2;
                rate-limit 2;
            }
            web-management {
                https {
                    port 443;
                    system-generated-certificate;
                    interface fxp0.0;
                }
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server 1.2.3.4;
        }
    }
    chassis {
        aggregated-devices {
            ethernet {
                device-count 2;
            }
        }
    }
    security {
        forwarding-options {
            family {
                mpls {
                    mode packet-based;
                }
            }
        }
    }
    interfaces {
        ge-0/0/2 {
            ether-options {
                802.3ad ae1;
            }
        }
        ge-0/0/3 {
            ether-options {
                802.3ad ae1;
            }
        }
        ge-0/0/7 {
            per-unit-scheduler;
            unit 0 {
                description "Internet Uplink";
                family ethernet-switching { 
                    interface-mode access;
                    vlan {
                        members wan-uplink;
                    }
                }
            }
        }
        ae1 {
            per-unit-scheduler;
            aggregated-ether-options {
                lacp {
                    active;
                    periodic slow;
                }
            }
            unit 0 {
                description "Telephony Internet Access";
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members wan-uplink;
                    }
                }
            }
        }
        fxp0 {
            unit 0 {
                family inet {
                    address 192.168.1.254/24;  
                }
            }
        }
        irb {
            unit 770 {
                family inet {
                    address 4.5.6.7/29;
                }
            }
        }
    }
    routing-options {
        static {
            route 192.168.1.0/24 next-hop 192.168.1.1;
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
        rstp {                              
            interface all;
        }
    }
    class-of-service {
        interfaces {
            ge-0/0/7 {
                unit 0 {
                    shaping-rate 2m;
                }
            }
        }
    }
    routing-instances {
        WAN-RouteTable {
            instance-type virtual-router;
            interface irb.770;
        }
    }
    vlans {
        wan-uplink {
            vlan-id 770;
            l3-interface irb.770;           
        }
    }

    The only slight oddity is that I'm using the SRX device as a router (Inet and MPLS forwarding mode is set to packet based)

     



  • 2.  RE: Unable to get traffic shaping working on a SRX345

    Posted 08-09-2019 04:20

    Hi Jamie,

     

    I believe you would like to limit the bandwidth of a particular interface to 2 Mbps. Please correct me if I'm wrong.

     

    If that's your requirement, please follow the KB article - https://kb.juniper.net/InfoCenter/index?page=content&id=KB28161 where you can achieve this using policer.

     

    Let me know if you face any difficulties.



  • 3.  RE: Unable to get traffic shaping working on a SRX345

    Posted 08-09-2019 04:29

    Hi, thanks for the suggestion - unfortunately though I've already tried this 😞 

     

    The policer is configured as below:

     

     

    policer policer-2mb {
        if-exceeding {
            bandwidth-limit 2m;
            burst-size-limit 625k;
        }
        then discard;
    }

    and applied as follows:

     

     

    per-unit-scheduler;
    unit 0 {
        description "Internet Uplink";
        bandwidth 2m;
        family ethernet-switching {
            interface-mode access;
            vlan {
                members wan-uplink;
            }
            policer {
                input policer-2mb;
                output policer-2mb;
            }
        }
    }

    But unfortunately this does not take effect



  • 4.  RE: Unable to get traffic shaping working on a SRX345

    Posted 08-09-2019 05:16

    Hi Jamie,

     

    Have you created the firewall filter to call the policer?

     

    Please share the output of the following commands:

     

    user@host> show configuration firewall | display set

    user@host> show configuration interfaces | display set

    user@host> show configuration class-of-service | display set

     



  • 5.  RE: Unable to get traffic shaping working on a SRX345

    Posted 08-09-2019 06:02

    Hi, yes I've created it (however I also assumed that you could just directly apply the policer without a filter e.g. set interface ge-0/0/7 unit 0 family ethernet-switching police input xyz)? However I applied it anyway just to be sure

     

    show configuration firewall | display set

    set firewall family ethernet-switching filter filter1 term 0 from ether-type ipv4
    set firewall family ethernet-switching filter filter1 term 0 then accept
    set firewall family ethernet-switching filter filter1 term 0 then policer policer-2mb
    set firewall policer policer-2mb if-exceeding bandwidth-limit 2m
    set firewall policer policer-2mb if-exceeding burst-size-limit 625k
    set firewall policer policer-2mb then discard

    show configuration interfaces | display set

    set interfaces ge-0/0/2 ether-options 802.3ad ae1
    set interfaces ge-0/0/3 ether-options 802.3ad ae1
    set interfaces ge-0/0/7 per-unit-scheduler
    set interfaces ge-0/0/7 unit 0 description "Internet Uplink"
    set interfaces ge-0/0/7 unit 0 bandwidth 2m
    set interfaces ge-0/0/7 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members wan-uplink
    set interfaces ge-0/0/7 unit 0 family ethernet-switching filter input filter1
    set interfaces ge-0/0/7 unit 0 family ethernet-switching filter output filter1
    set interfaces ge-0/0/7 unit 0 family ethernet-switching policer input policer-2mb
    set interfaces ge-0/0/7 unit 0 family ethernet-switching policer output policer-2mb
    set interfaces ae1 per-unit-scheduler
    set interfaces ae1 aggregated-ether-options lacp active
    set interfaces ae1 aggregated-ether-options lacp periodic slow
    set interfaces ae1 unit 0 description "Telephony Internet Access"
    set interfaces ae1 unit 0 family ethernet-switching interface-mode access
    set interfaces ae1 unit 0 family ethernet-switching vlan members wan-uplink
    set interfaces fxp0 unit 0 family inet address 192.168.0.254/24
    set interfaces irb unit 770 family inet address 4.5.6.7/29

    show configuration class-of-service | display set

    set class-of-service interfaces ge-0/0/7 unit 0 shaping-rate 2m


  • 6.  RE: Unable to get traffic shaping working on a SRX345
    Best Answer

    Posted 08-09-2019 20:01
    Jamie,

    I think we can't apply policing on a switch port and I don't find any document related to SRX.

    Could you please try policing on an L3 interface? In this case, it's irb.770.


  • 7.  RE: Unable to get traffic shaping working on a SRX345

    Posted 08-14-2019 08:46

    You are right. After a lot of trial and error it is not possible - however it is quite frustrating that the CLI lets you configure it quite happily without any warnings. Thanks for your help



  • 8.  RE: Unable to get traffic shaping working on a SRX345

    Posted 08-14-2019 09:36

    Hey Jamie,

     

    I'm glad the policing is working fine.

     

    Well, I mostly prefer to work in the CLI rather than J-Web, so I'm not very familiar with J-Web.

     

    Cheers!!!
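
Post 7 notes that the CLI accepts policers and shaping on a switch port without any warning, although the thread concludes they are not enforced there. The Python sketch below is an added example, not part of any post and not Juniper tooling: it scans `display set` output for policers, policer-calling filters and `shaping-rate` attached to `family ethernet-switching` units. The `audit` function and the sample lines (a subset of post 5) are constructed for illustration, and the rule it encodes is the thread's conclusion for the SRX345, not a documented Junos check.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "display set" lines posted in the thread.
SAMPLE = """\
set firewall family ethernet-switching filter filter1 term 0 then policer policer-2mb
set interfaces ge-0/0/7 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/7 unit 0 family ethernet-switching filter input filter1
set interfaces ge-0/0/7 unit 0 family ethernet-switching policer input policer-2mb
set interfaces irb unit 770 family inet address 4.5.6.7/29
set class-of-service interfaces ge-0/0/7 unit 0 shaping-rate 2m
"""

IFL = re.compile(r"^set interfaces (\S+) unit (\d+) family ethernet-switching(?: (.*))?$")
COS = re.compile(r"^set class-of-service interfaces (\S+) unit (\d+) shaping-rate (\S+)$")
FILTER_POLICER = re.compile(
    r"^set firewall family ethernet-switching filter (\S+) term \S+ then policer (\S+)$")

def audit(config: str) -> list[str]:
    """Return findings for rate limits attached to ethernet-switching units."""
    switch_units = set()          # (interface, unit) pairs that are Layer 2 switch ports
    attached = defaultdict(list)  # (interface, unit) -> [(kind, direction, name)]
    shaped = {}                   # (interface, unit) -> configured shaping rate
    policing_filters = {}         # filter name -> policer the filter calls
    for line in map(str.strip, config.splitlines()):
        if m := FILTER_POLICER.match(line):
            policing_filters[m[1]] = m[2]
        elif m := COS.match(line):
            shaped[(m[1], m[2])] = m[3]
        elif m := IFL.match(line):
            key = (m[1], m[2])
            switch_units.add(key)
            parts = (m[3] or "").split()
            if len(parts) == 3 and parts[0] in ("policer", "filter"):
                attached[key].append(tuple(parts))
    findings = []
    for ifd, unit in sorted(switch_units):
        name = f"{ifd}.{unit}"
        for kind, direction, ref in attached[(ifd, unit)]:
            if kind == "policer":
                findings.append(f"{name}: {direction} policer {ref} on switch port")
            elif ref in policing_filters:
                findings.append(
                    f"{name}: {direction} filter {ref} calls policer {policing_filters[ref]}")
        if (ifd, unit) in shaped:
            findings.append(f"{name}: shaping-rate {shaped[(ifd, unit)]} on switch port")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Feed it the output of `show configuration | display set`; an empty result means no rate limit is attached to a switch-port unit.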