Switching


Rate-Limiting Question for ex-4200 by Vlan

  • 1.  Rate-Limiting Question for ex-4200 by Vlan

    Posted 03-03-2011 13:35

    Hi everyone, I am trying to figure out how to create a config for an ex4200 that rate-limits the customers on a switch behind the ex4200. Basically all the customers are built on a LRE switch behind the ex4200. We want to rate-limit the customers as the packets enter the ex4200, not in the router. We also only want to do it at layer 2 by VLAN, since all the VLANs come into the ex4200 on one trunk port and go out one trunk port to the router. I have got the ex4200 to rate-limit based on the source IP address, but I cannot figure out how to rate-limit by VLAN.

     

    I am very new to Juniper; I know Cisco and Brocade. This is very different and it is frustrating. I don't understand why the filter process is treated as a firewall. Also, like I said, I got it working on IP addresses, but we need to do the rate limit at layer 2 by VLAN. PLEASE HELP!! Thanks.

     

    Here is my full config; we are only using ports ge-0/0/0.0 and ge-0/0/1.0. Please help me: what am I doing wrong?

     

    ## Last commit: 2008-07-04 06:07:48 UTC by root
    # NOTE(review): the last commit was made as root; the per-user 'admin' account below gives an audit trail that root does not.
    version 9.1R1.8;
    system {
    root-authentication {
    # NOTE(review): a live root password hash is pasted below (the admin hash further down was redacted, this one was not).
    # It appears to be a 13-character legacy crypt hash, which is cheap to crack offline; treat it as exposed and rotate it.
    encrypted-password bJuR5znljWPJI;
    }
    login {
    user admin {
    full-name admin;
    uid 2009;
    class super-user;
    authentication {
    # Hash redacted by the poster.
    encrypted-password ----------;
    }
    }
    }
    services {
    ssh;
    # telnet carries the login in cleartext; ssh above is the encrypted equivalent.
    telnet;
    web-management {
    # Plain http: web logins also cross the wire unencrypted.
    http;
    }
    }
    syslog {
    user * {
    any emergency;
    }
    file messages {
    any notice;
    authorization info;
    }
    file interactive-commands {
    interactive-commands any;
    }
    }
    }
    interfaces {
    # Only ge-0/0/0 and ge-0/0/1 are in use (trunk in / trunk out); the rest are default ethernet-switching ports.
    ge-0/0/0 {
    description ManagmentCIP;
    mtu 1524;
    ether-options {
    no-auto-negotiation;
    no-flow-control;
    link-mode full-duplex;
    speed {
    100m;
    }
    }
    unit 0 {
    description ManagementCIP;
    family ethernet-switching {
    port-mode trunk;
    vlan {
    # Trunk carries every configured VLAN.
    members all;
    }
    # Untagged frames on this trunk land in VLAN "default" (vlan-id 2), which also hosts the
    # L3 interface vlan.2 (management address and default route) — TODO confirm that is intended.
    native-vlan-id default;
    filter {
    # Rate-Limiting is attached per port, ingress direction only; defined under 'firewall family ethernet-switching' below.
    input Rate-Limiting;
    }
    }
    }
    }
    ge-0/0/1 {
    description TrunkTOCat;
    mtu 1524;
    ether-options {
    no-auto-negotiation;
    no-flow-control;
    link-mode full-duplex;
    speed {
    100m;
    }
    }
    unit 0 {
    description TrunkTOCat;
    family ethernet-switching {
    port-mode trunk;
    vlan {
    members all;
    }
    # Same layout as ge-0/0/0: untagged frames land in VLAN "default" and the Rate-Limiting filter runs on ingress only.
    native-vlan-id default;
    filter {
    input Rate-Limiting;
    }
    }
    }
    }
    ge-0/0/2 {
    description 43790002;
    mtu 1524;
    ether-options {
    no-auto-negotiation;
    no-flow-control;
    link-mode full-duplex;
    speed {
    100m;
    }
    }
    unit 0 {
    description 43790002;
    family ethernet-switching {
    # Access port in VLAN Cust2 (vlan-id 102); no filter attached here.
    port-mode access;
    vlan {
    members Cust2;
    }
    }
    }
    }
    ge-0/0/3 {
    description 43790003;
    mtu 1524;
    ether-options {
    no-auto-negotiation;
    no-flow-control;
    link-mode full-duplex;
    speed {
    100m;
    }
    }
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/4 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/5 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/6 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/7 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/8 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/9 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/10 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/11 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/12 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/13 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/14 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/15 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/16 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/17 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/18 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/19 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/20 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/21 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/22 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/0/23 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/1/0 {
    unit 0 {
    family ethernet-switching;
    }
    }
    xe-0/1/0 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/1/1 {
    unit 0 {
    family ethernet-switching;
    }
    }
    xe-0/1/1 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/1/2 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/1/3 {
    unit 0 {
    family ethernet-switching;
    }
    }
    vlan {
    # Routed VLAN interfaces. vlan.0 is not referenced by any VLAN's l3-interface in this config; vlan.2 belongs to VLAN "default".
    unit 0 {
    family inet {
    mtu 1524;
    address 192.168.1.2/24 {
    broadcast 192.168.1.255;
    }
    }
    }
    unit 2 {
    family inet {
    address 192.168.2.5/24;
    }
    }
    }
    }
    routing-options {
    static {
    # Default route leaves via vlan.2's subnet.
    route 0.0.0.0/0 next-hop 192.168.2.1;
    }
    }
    protocols {
    lldp {
    interface all;
    }
    lldp-med {
    interface all;
    }
    rstp;
    }
    firewall {
    # Rate limiting: the policers below set the rates; the Rate-Limiting filter decides which frames each one applies to.
    # 1.536 Mbit/s with a 288k burst; out-of-profile frames are dropped.
    policer 1.5MEG {
    if-exceeding {
    bandwidth-limit 1536000;
    burst-size-limit 288k;
    }
    then discard;
    }
    # 10 Mbit/s with a 128k burst.
    policer 10MEG {
    if-exceeding {
    bandwidth-limit 10m;
    burst-size-limit 128k;
    }
    then discard;
    }
    # 20 Mbit/s with a 256k burst.
    policer 20MEG {
    if-exceeding {
    bandwidth-limit 20m;
    burst-size-limit 256k;
    }
    then discard;
    }
    family ethernet-switching {
    # Attached as 'filter input Rate-Limiting' on both trunk ports; terms are tried top-down and the first match wins.
    filter Rate-Limiting {
    # Matches the 802.1Q tag 101, i.e. VLAN Cust1 (defined under 'vlans' below).
    term 1.5MEG {
    from {
    dot1q-tag 101;
    }
    then {
    forwarding-class best-effort;
    loss-priority high;
    policer 1.5MEG;
    }
    }
    # L3 match inside an L2 filter: IPv4 source 10.10.2.0/24. This is the IP-based limit the poster reports as working.
    term 10MEG {
    from {
    source-address {
    10.10.2.0/24;
    }
    }
    then {
    forwarding-class best-effort;
    loss-priority high;
    policer 10MEG;
    }
    }
    # Matches the VLAN by name (Cust3 = vlan-id 103).
    term 20MEG {
    from {
    vlan Cust3;
    }
    then {
    forwarding-class best-effort;
    loss-priority high;
    policer 20MEG;
    }
    }
    # Catch-all with no match condition: sets class/priority but attaches no policer.
    # NOTE(review): there is no explicit accept; confirm the filter's implicit end-of-filter action is the one intended.
    term ALL {
    then {
    forwarding-class best-effort;
    loss-priority high;
    }
    }
    }
    }
    }
    ethernet-switching-options {
    voip;
    }
    vlans {
    # Cust1 is referenced only by tag (dot1q-tag 101 in the filter); no access port is assigned to it here.
    Cust1 {
    description 43790001;
    vlan-id 101;
    }
    Cust2 {
    description 43790002;
    vlan-id 102;
    interface {
    ge-0/0/2.0;
    }
    }
    Cust3 {
    description 43790003;
    vlan-id 103;
    interface {
    ge-0/0/3.0;
    }
    }
    # VLAN 2 is both the trunks' native (untagged) VLAN and the L3 management VLAN via vlan.2.
    default {
    vlan-id 2;
    l3-interface vlan.2;
    }
    # Declared without a vlan-id or members.
    mgmt;
    vln;
    }
    poe {
    interface all;
    }

     


    #shaping
    #ex4200
    #rate-limiting


  • 2.  RE: Rate-Limiting Question for ex-4200 by Vlan

    Posted 03-06-2011 18:26

    Hi  viperbmw69,

    I don't see that you applied the filters on the VLAN; can you show a configuration with the filter applied to the VLAN?

     

    Set vlan "name" filter input "name" output "name".

     

    -Adam



  • 3.  RE: Rate-Limiting Question for ex-4200 by Vlan

    Posted 05-05-2011 23:27

    Hi

    See the solution on juniperlab.blogspot.com. There you can find explanations and config.....

     

     

    regards,

    Vadim Bogatov

    JNCIA Junos



  • 4.  RE: Rate-Limiting Question for ex-4200 by Vlan

     
    Posted 05-06-2011 05:26

    For rate limiting you will use the "Firewall Filter" feature. These are not stateful firewalls but are similar to Cisco access lists, blocking or permitting access at the packet level. They also implement policers for bandwidth limiting.

    The documentation examples for firewall filters are here.

    http://www.juniper.net/techpubs/en_US/junos10.4/topics/example/firewall-filter-ex-series-configuring.html

    http://www.juniper.net/techpubs/en_US/junos10.4/topics/task/configuration/firewall-filter-ex-series-cli.html


    The specific filter for rate limiting is outlined in kb14250 as an example to copy.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB14250



  • 5.  RE: Rate-Limiting Question for ex-4200 by Vlan

    Posted 05-06-2011 11:02

    To filter at the VLAN level you simply need to apply the filter to the appropriate VLAN. Just as you would apply it to a logical I/F -

     

    set vlans v11 vlan-id 11 filter Rate-Limiting ......



  • 6.  RE: Rate-Limiting Question for ex-4200 by Vlan

    Posted 12-16-2013 11:30

    From your statement:

     

    "To filter at the VLAN level you simply need to apply the filter to the appropriate VLAN. Just as you would apply it to a logical I/F -

     

    set vlans v11 vlan-id 11 filter Rate-Limiting ......"

     

    I've done some testing, and it seems that the filter cannot be applied under the vlans hierarchy, only under the RVI, because the vlans hierarchy will only accept an "ethernet-switching" type filter. Is this correct?

     

    Now, I've tried the configuration: I can configure the action "then policer" under the ethernet-switching filter, but the policer is not applied there; it seems like it is not supported on the ethernet-switching filter.

     

    Is this expected behavior? Is it correct to say that a policer for rate limiting can only be applied on the RVI? If not, do you know how to configure an ethernet-switching filter and then apply a policer for rate limiting? Even better, has anyone come up with a configuration guide other than the ones already posted?

     

    Thanks in advance for the help!



  • 7.  RE: Rate-Limiting Question for ex-4200 by Vlan

    Posted 05-28-2020 17:50

    I am also looking for this solution.

    Have you figured out how to limit bandwidth/speed for a specific VLAN only, not the RVI?



  • 8.  RE: Rate-Limiting Question for ex-4200 by Vlan

     
    Posted 05-28-2020 19:02

    Hi hendranata,

     

    You can use the config below to apply a firewall filter (with a policer configured) in the input/output direction for a VLAN:

     

    edit vlans

    set <vlan name> vlan-id # forwarding-options filter input <ingress filter name>

    set <vlan name> vlan-id # forwarding-options filter output <ingress filter name>

     

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/firewall-filter-ex-series-cli.html

     

    https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-ex-series-configuring.html

     

     

    BR,

    Vishal

     

     

    PS: Please accept my response as the solution if it answers your query; kudos are appreciated too!



  • 9.  RE: Rate-Limiting Question for ex-4200 by Vlan

    Posted 05-28-2020 19:14
    Thanks for the update.
    Can you give me an example for the EX2300?

    Assume I want to limit VLAN 101 to 50 Mbps and VLAN 102 to 200 Mbps.
    Both VLANs are located under ge-0/0/1.

    Can you give me the proper configuration for the speed limit?

    Thanks in advance.


  • 10.  RE: Rate-Limiting Question for ex-4200 by Vlan

     
    Posted 05-28-2020 20:29

    You can use the config snippet below:

     

    Create the policer config :
    ==============================
    set firewall policer rate-limit-vlan if-exceeding bandwidth-limit 50m
    set firewall policer rate-limit-vlan if-exceeding burst-size-limit <choose a burst size if applicable>
    set firewall policer rate-limit-vlan then discard


    Apply the policer to the vlan
    ===============================
    set vlan101 vlan-id 101 filter input rate-limit-vlan

     

     

    BR,

    Vishal

     

     

    PS: Please accept my response as the solution if it answers your query; kudos are appreciated too!



  • 11.  RE: Rate-Limiting Question for ex-4200 by Vlan

    Posted 05-28-2020 21:00

    I got the idea.

     

    However, if we want to limit VLANs 100 and 101 to 100 Mbps together (a combined maximum of 100 Mbps), how do we achieve that?

    Thanks



  • 12.  RE: Rate-Limiting Question for ex-4200 by Vlan

     
    Posted 05-28-2020 21:22

    I don't think we can combine VLANs and then apply a policer to the group.

     

    The policer can be applied on either a port, a VLAN or an RVI. As a workaround, you can apply the filter below on the ports where the VLANs are allowed:

     

    + firewall {
    + family ethernet-switching {
    + filter vlan_match {    ############  apply this filter on ports where the vlans are allowed
    + term match_vlan {
    + from {
    + vlan [ 100 200 ];     ########### match for the group of vlans for which you want to police the rate.
    + }
    + then policer test_rate_limit;   ########## apply the policer to incoming traffic that matches the vlans
    + }
    + }
    + }
    + policer test_rate_limit {
    + if-exceeding {
    + bandwidth-limit 100m;
    + burst-size-limit 100k;
    + }
    + then discard;

    The problem is, you will need to apply this config to all the ports where even a single vlan from the group is allowed. So, I am not sure if you will find this scalable enough, but you can try this out and let me know if it works.

     

     

    BR,

    Vishal

     

     

    PS: Please accept my response as the solution if it answers your query; kudos are appreciated too!



  • 13.  RE: Rate-Limiting Question for ex-4200 by Vlan

    Posted 05-28-2020 21:31

    appreciate your idea,

    Meanwhile, if I want to limit a particular VLAN, say VLAN 101, to 100m download and 50m upload, do you think that is possible? If yes, how do we do that?

    thanks



  • 14.  RE: Rate-Limiting Question for ex-4200 by Vlan

     
    Posted 05-28-2020 21:54

    You can use a couple of different filters, one each for the input and output direction:

     

    set vlan20 vlan-id 20 forwarding-options input ingress-vlan-filter

    set vlan20 vlan-id 20 forwarding-options output ingress-vlan-filter

     

    BR,

    Vishal

     

     

    PS: Please accept my response as the solution if it answers your query; kudos are appreciated too!



  • 15.  RE: Rate-Limiting Question for ex-4200 by Vlan

    Posted 05-28-2020 22:01

    Do you think applying a bandwidth limit through a filter and policer will cause high load on the switch itself, or is it lightweight?




  • 16.  RE: Rate-Limiting Question for ex-4200 by Vlan

    Posted 05-28-2020 22:08

    @vpathak wrote:

     

    set vlan20 vlan-id 20 forwarding-options input ingress-vlan-filter

    set vlan20 vlan-id 20 forwarding-options output ingress-vlan-filter

     


    example:

    set employee-vlan vlan-id 20 filter input ingress-vlan-filter

    set employee-vlan vlan-id 20 forwarding-options input ingress-vlan-filter

     

    Is there any difference between using forwarding-options and not?



  • 17.  RE: Rate-Limiting Question for ex-4200 by Vlan

     
    Posted 05-28-2020 22:42

    I checked on an EX4200. I do not see forwarding-options available in the CLI. Try using the filter option; I do not think there is a difference as far as implementation is concerned.

     

    Regarding the impact on the switch CPU: these filters are processed for transit traffic and are handled by the PFE, so the switch CPU should not be impacted.

     

    BR,

    Vishal

     

     

    PS: Please accept my response as the solution if it answers your query; kudos are appreciated too!



  • 18.  RE: Rate-Limiting Question for ex-4200 by Vlan

    Posted 05-28-2020 22:50

    Once we have successfully implemented a 100m bandwidth limiter under VLAN 101, for example,

    how do we monitor the traffic on VLAN 101?

    "monitor interface" on a port will only measure the port's Ethernet traffic. Is there a function to monitor VLAN traffic on the Juniper EX2300 series?

    thanks



  • 19.  RE: Rate-Limiting Question for ex-4200 by Vlan

    Posted 05-28-2020 21:48

    @vpathak wrote:

     

    The problem is, you will need to apply this config to all the ports where even a single vlan from the group is allowed.

     


    Assume the VLANs are 101 and 102.

    Then I only applied it on one port interface (ge-0/0/1); meanwhile the other ports are using different VLAN IDs.

    So in this case I just applied the filter on one port (ge-0/0/1). Is that right? There's no need to apply it on all ports?

     



    # NOTE(review): forum-pasted fragment, not a loadable config as written: "interaces" should be "interfaces",
    # the description and members statements lack a trailing ';', and Junos list syntax is space-separated
    # (e.g. "[ 101 102 103 104 ]", not comma-separated). It is shown to illustrate where the filter is attached.
    interaces {
           ge-0/0/1 {
                description "testt"
                 unit 0 {
                       family ethernet-switching {
                       interface-mode trunk;
                        vlan {
                                # Trunk allows four VLANs; the filter itself decides which of them are policed.
                                members [101,102,103,104]
                        }
                        filter {
                               # vlan_match (defined earlier in the thread) is attached on ingress only;
                               # frames leaving this port are not evaluated by it.
                               input vlan_match;
                        }
                    }
            }
    }
    }

     

    It means only VLANs 101 and 102 are filtered at 100m; the other VLANs, 103 and 104, are not affected.



  • 20.  RE: Rate-Limiting Question for ex-4200 by Vlan

     
    Posted 05-28-2020 21:56

    Yes, you are right.

     

    But then, I guess the filter needs to be applied on the trunk ports as well, wherever VLAN 101 or 102 (or both) is allowed.

     

     

    BR,

    Vishal

     

     

    PS: Please accept my response as the solution if it answers your query; kudos are appreciated too!



  • 21.  RE: Rate-Limiting Question for ex-4200 by Vlan

    Posted 12-16-2013 22:43

     

    The policer is only responsible for the rate-limiting of the traffic. It is the firewall filter that you would use to set the match condition for the VLAN, and when there is a match, the action is to apply the policer.

     

    How about trying this method: create the firewall filter, set the match condition from the VLAN, and then apply the firewall filter to the trunk port that carries the VLANs?

    lab@exA-2# show | display set
    set firewall family ethernet-switching filter ratelimit-vlans term vlan200 from vlan v200
    set firewall family ethernet-switching filter ratelimit-vlans term vlan200 then policer rate-limit-vlan
    set firewall family ethernet-switching filter ratelimit-vlans term accept-othervlans then accept
    set firewall policer rate-limit-vlan if-exceeding bandwidth-limit 10m
    set firewall policer rate-limit-vlan if-exceeding burst-size-limit 200k
    set firewall policer rate-limit-vlan then discard (or loss-priority if that is your choice)