Hi there!
I need to limit the download bandwidth of WSUS updates for some VPN ranges. I have an SRX cluster. The SRX has reth interfaces on trust and untrust.
Behind the trust interface reth1.1 there is a WSUS server (IP: 10.56.8.1/32).
And from outside, users connect to our network via VPN:
Users in: 10.25.10.0/24
The WSUS server sends them (the users) updates (and they download them), but they also eat up all the bandwidth, so I need to limit them to 30%.
This is what I have in mind:

PREFIX-LIST: WSUS
set policy-options prefix-list wsus 10.56.8.1/32
show policy-options prefix-list wsus

FW POLICER:
set firewall policer policer-30 if-exceeding bandwidth-percent 30
set firewall policer policer-30 if-exceeding burst-size-limit 625000
set firewall policer policer-30 then discard
set firewall family inet filter download-limit term limt from source-prefix-list wsus
set firewall family inet filter download-limit term limt then policer policer-30
set firewall family inet filter download-limit term else-accept then accept
set interfaces reth1 unit 1 family inet filter input download-limit
But I have 2 problems:
1) [edit firewall family inet filter download-limit term limt then policer]
'police police-30'
Percentage bandwidth policer 'policer-30' can only be referenced by interface specific and physical interface specific filters
commit check failed
NOTE: If I use physical-interface-policer or logical-interface-policer, the same error is shown.
2) Not sure if it is correct to apply the filter on the input, or whether it must be applied on the output (set interfaces reth1 unit 1 family inet filter input download-limit)?
3) What would happen if I set up source-prefix-list and destination-prefix-list in the same filter? Will it match both, or only traffic from source to destination?
Can someone advise on how to handle/achieve this?
Thanks a lot!
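Added example, not part of the original post and not the poster's own config: one way to get this configuration past commit check. The commit error is about the filter, not the policer type: a bandwidth-percent policer is expressed as a share of the bandwidth of the interface the filter instance is attached to, so Junos only allows it in a filter declared interface-specific (physical-interface-policer and logical-interface-policer are different knobs and do not satisfy that). The same example shows that a term listing both a source and a destination prefix list matches only packets that satisfy both. The prefix-list name vpn-users and the counter name wsus-to-vpn are assumptions introduced here; the other names are the ones from the post.

```junos
# Added example, not the poster's config. Reuses the poster's names (wsus,
# policer-30, download-limit); "vpn-users" and "wsus-to-vpn" are invented here.

# Prefix lists for the WSUS server and the VPN client range
set policy-options prefix-list wsus 10.56.8.1/32
set policy-options prefix-list vpn-users 10.25.10.0/24

# Percentage policer: 30% of the bandwidth of the interface the filter instance
# is attached to, hence only valid from an interface-specific filter
set firewall policer policer-30 if-exceeding bandwidth-percent 30
set firewall policer policer-30 if-exceeding burst-size-limit 625000
set firewall policer policer-30 then discard

# interface-specific creates a separate filter instance (with its own counters
# and policer state) per interface; this is what the commit error asks for
set firewall family inet filter download-limit interface-specific

# source-prefix-list AND destination-prefix-list in one term: only packets from
# the WSUS server to a VPN user are policed. WSUS traffic to other destinations,
# and user-to-WSUS requests, fall through to the accept term.
set firewall family inet filter download-limit term limit from source-prefix-list wsus
set firewall family inet filter download-limit term limit from destination-prefix-list vpn-users
set firewall family inet filter download-limit term limit then policer policer-30
set firewall family inet filter download-limit term limit then count wsus-to-vpn
set firewall family inet filter download-limit term limit then accept
set firewall family inet filter download-limit term else-accept then accept

# Update data flows WSUS -> client. The server sits behind reth1.1, so that
# traffic enters the SRX on reth1.1: an input filter there polices it.
set interfaces reth1 unit 1 family inet filter input download-limit
```

After commit, "show firewall" lists the per-interface instances rather than the bare filter name (the instance name carries the interface and direction, e.g. download-limit-reth1.1-i), and the wsus-to-vpn counter on that instance is the quick check that the term is actually matching the WSUS-to-user direction; a counter that stays at zero while downloads run usually means the filter is on the wrong interface or direction.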