SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Download bandwidth for VPN users

    Posted 01-31-2022 10:55
    Hi there!

    I need to limit the download bandwidth of WSUS updates for some VPN ranges.

    I have an SRX cluster. The SRX has Reth interfaces on trust and untrust.

    Behind the interface trust RETH1.1 there is a WSUS server (IP: 10.56.8.1/32)

    And from outside, users connect to our network via VPN:

    Users in: 10.25.10.0/24

    The WSUS server sends them (the users) updates (and they download them) but they also eat up all the bandwidth so I need to limit them to 30%.

    This is what I have in mind:

    PREFIX-LIST: WSUS

    set policy-options prefix-list wsus 10.56.8.1/32
    show policy-options prefix-list wsus

    FW POLICER:

    set firewall policer policer-30 if-exceeding bandwidth-percent 30
    set firewall policer policer-30 if-exceeding burst-size-limit 625000
    set firewall policer policer-30 then discard

    set firewall family inet filter download-limit term limt from source-prefix-list wsus
    set firewall family inet filter download-limit term limt then policer policer-30
    set firewall family inet filter download-limit term else-accept then accept

    set interfaces reth1 unit 1 family inet filter input download-limit

    But I have 2 problems:

    1) [edit firewall family inet filter download-limit term limt then policer]
    'police police-30'
    Percentage bandwidth policer 'policer-30' can only be referenced by interface specific and physical interface specific filters
    commit check failed

    NOTE: If I use physical-interface-policer or logical-interface-policer, the same error is shown.

    2) Not sure if it is correct to apply the filter on the input or if it must be applied on the output (set interfaces reth1 unit 1 family inet filter input download-limit)?

    3) What would happen if I set up source-prefix-list and destination-prefix-list in the same filter? Will it match both, or only traffic from source to destination?

    Can someone advise on how to handle/achieve this?

    Thanks a lot!

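An added example (not from either post) of the question's filter rewritten so that the percentage policer passes commit check: Junos only accepts a bandwidth-percent policer from a filter declared interface-specific. The policer, prefix list and reth1.1 are taken from the question; the prefix list name vpn-users for 10.25.10.0/24 is an assumption.

```junos
## Constructed example. A bandwidth-percent policer can only be referenced
## from an interface-specific filter, which is what the commit error reports.
set firewall policer policer-30 if-exceeding bandwidth-percent 30
set firewall policer policer-30 if-exceeding burst-size-limit 625000
set firewall policer policer-30 then discard

set policy-options prefix-list wsus 10.56.8.1/32
## Assumed name for the VPN client range from the question
set policy-options prefix-list vpn-users 10.25.10.0/24

## The missing statement: one instance of the filter is created per
## interface/direction it is attached to, so the percentage has a
## concrete interface speed to be computed from.
set firewall family inet filter download-limit interface-specific

## Different match conditions within one term are ANDed, so this term only
## matches packets from the WSUS server AND destined to the VPN range;
## traffic in the reverse direction falls through to else-accept.
set firewall family inet filter download-limit term limit-wsus from source-prefix-list wsus
set firewall family inet filter download-limit term limit-wsus from destination-prefix-list vpn-users
set firewall family inet filter download-limit term limit-wsus then policer policer-30
set firewall family inet filter download-limit term else-accept then accept

## Update data leaves the WSUS server and enters the SRX on reth1.1, so
## the download direction is ingress on that unit: an input filter is
## the right place to police it.
set interfaces reth1 unit 1 family inet filter input download-limit
```

After commit, `show firewall` lists a separate instance of the filter for each interface it is applied to, which confirms the interface-specific attachment took effect.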

  • 2.  RE: Download bandwidth for VPN users

    Posted 02-02-2022 10:04
    If the filter isn't working you will want to move to rate limiting.
    That is a QoS thing. You may have to create more queues.
    Set your standard ones first. If it's only a whole interface or 2
    whole interfaces and so on, you don't have to worry.

    class-of-service -> schedulers (for the interface)
    class-of-service -> application-traffic-control (optional, but important)

    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------