Limiting bandwidth per IPv4 address on a Juniper SRX. I’ve not done this for IPv6 as of yet. In this example there is a /29 subnet with two addresses requiring bandwidth limits.

We’ll be configuring the following examples:

  • 172.16.0.2 = 100Mbps symmetrical
  • 172.16.0.3 = 25Mbps symmetrical

Interfaces:

  • WAN = ge-0/0/0
  • DMZ = ge-0/0/1
Configure queues and schedulers

Think of the queues as segregated laneways with speed limits. We configure a queue number and name it after the speed we are going to set; the name is only a reference. The SRX already uses some queue numbers by default (the best-effort, expedited-forwarding, assured-forwarding and network-control classes sit on queues 0 to 3), so we leave those alone and pick two free ones, queues 6 and 7. Keep in mind that the limit applies to the queue, not to the host: every address classified into the same forwarding class shares that queue's shaping rate, which is why each host here gets its own class.

set class-of-service forwarding-classes queue 6 bandwidth-25mbps
set class-of-service forwarding-classes queue 7 bandwidth-100mbps

Now set a scheduler for each class to shape the traffic, and map each forwarding class to its scheduler in a scheduler-map:

set class-of-service schedulers 25mbps shaping-rate 25m
set class-of-service schedulers 100mbps shaping-rate 100m
set class-of-service scheduler-maps bandwidth-limit forwarding-class bandwidth-25mbps scheduler 25mbps
set class-of-service scheduler-maps bandwidth-limit forwarding-class bandwidth-100mbps scheduler 100mbps

Now that each queue has a shaping rate, the scheduler-map has to be bound to the interfaces so the queues exist on egress. Shaping acts on traffic leaving an interface, so the map goes on both: ge-0/0/0 shapes the hosts' upload and ge-0/0/1 their download. At this stage nothing is classified into the new queues, so no traffic is limited yet.

set class-of-service interfaces ge-0/0/0 scheduler-map bandwidth-limit
set class-of-service interfaces ge-0/0/1 scheduler-map bandwidth-limit
Create a prefix-list for each host, as in the example (a bare address in a prefix-list is treated as a /32; writing the mask out makes that explicit):

set policy-options prefix-list pl-ipv4-100mbps-host 172.16.0.2/32
set policy-options prefix-list pl-ipv4-25mbps-host 172.16.0.3/32

Now create the firewall filters that tie this together. A Junos firewall filter discards any packet that matches no term, so each filter ends with a catch-all accept; without it, every other address in the /29 would lose connectivity the moment the filter is applied.

Inbound filter (ingress to SRX from customer)
set firewall family inet filter bandwidth-input term t1 from source-prefix-list pl-ipv4-100mbps-host
set firewall family inet filter bandwidth-input term t1 then forwarding-class bandwidth-100mbps
set firewall family inet filter bandwidth-input term t1 then count input-100mbps
set firewall family inet filter bandwidth-input term t1 then accept

set firewall family inet filter bandwidth-input term t2 from source-prefix-list pl-ipv4-25mbps-host
set firewall family inet filter bandwidth-input term t2 then forwarding-class bandwidth-25mbps
set firewall family inet filter bandwidth-input term t2 then count input-25mbps
set firewall family inet filter bandwidth-input term t2 then accept

set firewall family inet filter bandwidth-input term default then accept

Outbound filter (egress from SRX to customer)
set firewall family inet filter bandwidth-output term t1 from destination-prefix-list pl-ipv4-100mbps-host
set firewall family inet filter bandwidth-output term t1 then forwarding-class bandwidth-100mbps
set firewall family inet filter bandwidth-output term t1 then count output-100mbps
set firewall family inet filter bandwidth-output term t1 then accept

set firewall family inet filter bandwidth-output term t2 from destination-prefix-list pl-ipv4-25mbps-host
set firewall family inet filter bandwidth-output term t2 then forwarding-class bandwidth-25mbps
set firewall family inet filter bandwidth-output term t2 then count output-25mbps
set firewall family inet filter bandwidth-output term t2 then accept

set firewall family inet filter bandwidth-output term default then accept

(The count action aids future troubleshooting and confirms whether the queues are being used; the counter names above are just labels, kept distinct per direction so the two filters are easy to tell apart.)

Finally, with all of that configured, the filters can be applied to the interface facing the customer, ge-0/0/1 in our example. This can also be an irb interface.

set interfaces ge-0/0/1 unit 0 family inet filter input bandwidth-input
set interfaces ge-0/0/1 unit 0 family inet filter output bandwidth-output
Confirming class-of-service

show interfaces ge-0/0/1 extensive

… will show incrementing packets in the correct queue if packets are sourced from either example IP. show interfaces queue ge-0/0/1 gives the per-queue counters on their own, and show firewall filter bandwidth-input (and bandwidth-output) shows the term counters, which confirms the classification is happening even before the shaping rate is reached.

Tagged interfaces?
  • Enable per-unit scheduling on the physical interfaces:
set interfaces ge-0/0/0 per-unit-scheduler
set interfaces ge-0/0/1 per-unit-scheduler
  • Configure the scheduler-map under the interface unit within class-of-service (and apply the firewall filters to that tagged unit rather than to unit 0):
set class-of-service interfaces ge-0/0/0 unit 10 scheduler-map bandwidth-limit
set class-of-service interfaces ge-0/0/1 unit 10 scheduler-map bandwidth-limit
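The tagged variant in full, as an added example that is not part of the original post. It assumes VLAN 10 on both interfaces and 172.16.0.1/29 as the SRX's own address in the customer /29; the forwarding classes, schedulers, scheduler-map, prefix-lists and filters are the ones defined earlier and are not repeated here. The point it makes is that the filters move from unit 0 to the tagged unit, otherwise the VLAN traffic is never classified into the shaped queues.

```junos
# Tagged sub-interfaces. VLAN 10 is an assumed value; use the real tag.
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 per-unit-scheduler
set interfaces ge-0/0/0 unit 10 vlan-id 10

set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 per-unit-scheduler
set interfaces ge-0/0/1 unit 10 vlan-id 10
# 172.16.0.1/29 is an assumed gateway address for the customer subnet.
set interfaces ge-0/0/1 unit 10 family inet address 172.16.0.1/29

# The filters defined earlier go on the tagged unit, not on unit 0.
set interfaces ge-0/0/1 unit 10 family inet filter input bandwidth-input
set interfaces ge-0/0/1 unit 10 family inet filter output bandwidth-output

# With per-unit-scheduler enabled, the scheduler-map binds per unit.
set class-of-service interfaces ge-0/0/0 unit 10 scheduler-map bandwidth-limit
set class-of-service interfaces ge-0/0/1 unit 10 scheduler-map bandwidth-limit
```

Paste this in configuration mode on top of the class-of-service, policy-options and firewall statements from the earlier steps, then check show interfaces queue ge-0/0/1.10 and show firewall filter bandwidth-input to confirm the counters move for the tagged unit.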

That’s it. Commit your config (or use commit confirmed 5 if you want to test quickly: the SRX rolls the change back automatically after 5 minutes unless you confirm it with another commit, which is a useful safety net when a filter could cut off your own access).