才子佳人博客


Configuring a firewall policer to limit bandwidth on Juniper: a worked example (hands-on part)

Source: xjh  Editor: xjh  2015-03-26

Environment: Juniper EX4200

This article briefly describes the steps for configuring a firewall policer to limit bandwidth on Juniper and gives a worked example. The general approach is as follows:

1. Define the policer, i.e. the rate-limiting policy for the traffic. bandwidth-limit is the average bandwidth in bps; burst-size-limit is the allowed burst in bytes. Here time window = burst size / bandwidth, where bandwidth is the interface data rate. The time window is normally a few milliseconds, e.g. 5 ms = 5/1000 s.

If the packet does not exceed the policer, the system performs the action in the firewall filter's then clause, whereas if the packet does exceed the policer, the system performs the action in the policer's then clause.

burst-size = bandwidth x allowable burst time


{master:0}[edit firewall]
policer rate-limit-test {
    if-exceeding {
        bandwidth-limit 100m;
        burst-size-limit 1m;
    }
    then discard;
}

2. Define the filter, i.e. the restriction policy, and reference the policer in it.

family inet {
    filter filter-in-test {
        /* Reject ICMP packets from host 192.168.2.2, i.e. hosts 192.168.2.2 and
           192.168.2.4 cannot ping 192.168.50.3, but host 192.168.2.3 can still
           ping 192.168.50.3. */
        term block-icmp {
            from {
                source-address {
                    192.168.2.2/32;
                    192.168.2.4/32;
                }
                protocol icmp;
            }
            then {
                count count-icmp;
                reject;
            }
        }
        /* On interface ge-0/0/3 of new-instance2, rate-limit packets coming
           from 192.168.2.0/24; the limit is applied on ingress. */
        term block-packets {
            from {
                source-address {
                    192.168.2.0/24;
                }
            }
            then {
                policer rate-limit-test;
                accept;
            }
        }
        term accept-others {
            then accept;
        }
    }
    /* On interface ge-0/0/4 of new-instance2, rate-limit packets coming
       from 192.168.50.0/24; the limit is applied on ingress. */
    filter filter-in-50 {
        term block-packets {
            from {
                source-address {
                    192.168.50.0/24;
                }
            }
            then {
                policer rate-limit-test;
                accept;
            }
        }
        term accept-others {
            then accept;
        }
    }
}


3. Configure the interfaces and apply the filter on each interface.

{master:0}[edit interfaces]
root@ex4200# show
ge-0/0/0 {
    /* contents elided in the original post */
}
ge-0/0/3 {
    unit 0 {
        family inet {
            filter {
                input filter-in-test;
            }
            address 101.7.152.1/24;
        }
    }
}
ge-0/0/4 {
    unit 0 {
        family inet {
            filter {
                input filter-in-50;
            }
            address 101.7.156.2/24;
        }
    }
}


4. Test the throughput with IxChariot 5.4. The limit takes effect, but the measured rate is not the nominal bandwidth-limit rate; the trend is consistent, as shown in the table below:

bandwidth-limit (bps)   burst-size-limit (bytes)   IxChariot test speed 1   speed 2   speed 3   speed 4   average
none                    none                       800                      812       820       828       815
100M                    1M                         81                       79        80        80        80
10M                     100K                       4.1                      4.3       4.2       4.2       4.2
5M                      50K                        3.158                    3.2       3.5       3.2       3.2645
1M                      10K                        2.3                      2.2       2.1       2.2       2.2
100K                    1K                         0.006                    0.009     0.008     0.008     0.00775

[Figure: firewall_rate_limit]

Key points for using a firewall policer:

1) When defining the policer, bandwidth-limit is the average bandwidth; a measured bandwidth of about 80% of it is already quite good.

2) The order of the terms in a filter matters, and so do the match rules, because they determine the match result. In the from clause, multiple values within one match condition are combined with logical OR, while different match conditions are combined with logical AND. For example, term block-icmp checks both the address and the protocol, so those conditions are ANDed, but several addresses can be listed under source-address and those are ORed.

3) It is best to apply the rate limit on the filter input; the effect is clear. As with speed limits in everyday life, controlling the key entry point in each direction is enough to achieve the limit.

4) In the policy chain, once a terminating action (accept, reject, discard, etc.) is executed, the chain stops. For example, if term block-icmp of filter filter-in-test were placed after term block-packets, it would have no effect.
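As an added illustration (not the original post's configuration, which is Junos, nor any Juniper code), the following Python model reproduces the behaviour described in step 2 and in key points 2 and 4: the burst-size formula, a token-bucket approximation of the policer's in-profile/out-of-profile decision, and first-match term evaluation with OR-within-a-condition and AND-across-conditions semantics. The term names and addresses are the ones from filter-in-test above; the token-bucket refill model is an assumption, since the exact Junos policer implementation is not described on the page.

```python
import ipaddress

def burst_size_bytes(bandwidth_bps, burst_ms):
    """burst-size-limit = bandwidth x allowable burst time, converted to bytes."""
    return bandwidth_bps * burst_ms // 1000 // 8

class Policer:
    """Token bucket approximating the policer (assumed model): tokens refill at
    bandwidth-limit (bits/s) and are capped at burst-size-limit (bytes)."""
    def __init__(self, bandwidth_bps, burst_size_limit):
        self.rate = bandwidth_bps / 8  # bytes per second
        self.cap = self.tokens = burst_size_limit
        self.last = 0.0

    def offer(self, packet_len, now):
        self.tokens = min(self.cap, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if packet_len <= self.tokens:  # in profile: the filter's then clause applies
            self.tokens -= packet_len
            return "accept"
        return "discard"  # exceeds the policer: the policer's then clause applies

def term(name, then, source_prefixes=(), protocol=None):
    return {"name": name, "then": then, "protocol": protocol,
            "sources": [ipaddress.ip_network(p) for p in source_prefixes]}

def matches(t, src, proto):
    # Values listed under one condition (source-address) are ORed;
    # separate conditions (source-address, protocol) are ANDed.
    addr = ipaddress.ip_address(src)
    if t["sources"] and not any(addr in net for net in t["sources"]):
        return False
    return t["protocol"] is None or t["protocol"] == proto

def evaluate(terms, src, proto):
    """Walk the terms in order; the first match's terminating action ends the
    chain. A term with no from clause matches everything."""
    for t in terms:
        if matches(t, src, proto):
            return t["name"], t["then"]
    return None, "discard"  # implicit discard at the end of a Junos filter

FILTER_IN_TEST = [
    term("block-icmp", "reject", ["192.168.2.2/32", "192.168.2.4/32"], "icmp"),
    term("block-packets", "policer rate-limit-test; accept", ["192.168.2.0/24"]),
    term("accept-others", "accept"),
]
# Key point 4: the same terms with block-icmp moved after block-packets.
REORDERED = [FILTER_IN_TEST[1], FILTER_IN_TEST[0], FILTER_IN_TEST[2]]
```

With the reordered list, an ICMP packet from 192.168.2.2 is accepted (subject to the policer) by block-packets before block-icmp is ever consulted, which is exactly why term order matters.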

Network topology diagram

[Figure: network topology. Labels in the diagram: bandwidth-limit (bps) / burst-size-limit (bytes): 100k/1k; bandwidth-limit (bps) / burst-size-limit (bytes): 100M/1M; 192.168.50.3 <---> 192.168.2.3; bandwidth-limit (bps) / burst-size-limit (bytes): 100M/1M]

About bandwidth-limit and burst-size-limit:

The preferred method for determining the maximum burst size is to multiply the interface's speed by the amount of time bursts should be allowed at that bandwidth level. For example, to allow bursts on a Fast Ethernet link for 5 milliseconds (a reasonable value), use the following calculation:

burst size = bandwidth (= 100,000,000 bits/sec) x allowable burst time (= 5/1000 s)

This calculation yields a burst size of 500,000 bits. You can divide this number by 8 to convert it to bytes, which gives you a burst size of 62500 bytes.

You specify the bandwidth as a number of bits using the bandwidth-limit statement or as a percentage of interface bandwidth using the bandwidth-percent statement. You specify the maximum burst size as a number of bytes using the burst-size-limit statement.
