Wednesday, December 19, 2018

Juniper - Firewall filter and policer

In this post we are going to see how to filter and rate limit the traffic from JR2 (Juniper) to CR1 (Cisco).




OSPF is configured between the routers and there is end-to-end connectivity between JR2 and CR1. We are applying an output firewall filter on JR1 interface ge-0/0/1, which is connected to CR1.

Firewall filter:

Below is the firewall filter configuration.

root@JR1# edit firewall family inet filter JR2_TO_CR1 

[edit firewall family inet filter JR2_TO_CR1]
root@JR1# show 
term ALLOW_ICMP {
    from {
        source-address {
            222.222.222.2/32;
        }
        protocol icmp;
    }
    then {
        policer P1;       
        count JR2_CR1;     
        log;              
    }
}
term ALLOW_OSPF {
    from {
        protocol ospf;
    }
    then accept;
}
term CATCH_ALL {
    then {
        reject;
    }
}       

The filter above is applied to ge-0/0/1 in the output direction. Note that term ALLOW_ICMP has no explicit terminating action: in Junos a term whose then clause contains only non-terminating actions (policer, count, log) accepts the packet by default, which is why the firewall log below shows action A (accept) for the ICMP traffic.

ge-0/0/1 {
    unit 0 {
        family inet {
            filter {
                output JR2_TO_CR1;
            }
            address 10.10.0.1/24;
        }
    }
}


root@JR1> show firewall filter JR2_TO_CR1    

Filter: JR2_TO_CR1                                             
Counters:
Name                                                Bytes              Packets
JR2_CR1                                             22060                  137

root@JR1# run show firewall log 
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1


From JR2:

root@JR2> ping 100.100.100.1 source 222.222.222.2 rapid 
PING 100.100.100.1 (100.100.100.1): 56 data bytes
!!!!!
--- 100.100.100.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.584/2.919/3.788/0.443 ms

Rate limiting:

The policer below is configured on JR1 to rate limit the traffic from JR2 to CR1. bandwidth-limit is expressed in bits per second and burst-size-limit in bytes:

[edit firewall policer P1]
root@JR1# show 
if-exceeding {
    bandwidth-limit 64k;
    burst-size-limit 4k;
}
then discard;    

The policer is referenced from the firewall filter as a non-terminating action (policer P1 in term ALLOW_ICMP above). Traffic exceeding the limit is discarded by the policer itself (then discard), while conforming traffic continues through the term's remaining actions.

Pinging CR1 from JR2 with a large packet size shows intermittent packet loss:

root@JR2> ...ce 222.222.222.2 rapid count 10 size 1600                      
PING 100.100.100.1 (100.100.100.1): 1600 data bytes
!!.!!!.!!.
--- 100.100.100.1 ping statistics ---
10 packets transmitted, 7 packets received, 30% packet loss
round-trip min/avg/max/stddev = 3.128/33.187/88.808/33.498 ms
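The intermittent loss above follows from how the policer's two parameters interact, which is worth seeing in numbers. The script below is an added example, not code from the original post: it models P1 as a single-rate two-colour token bucket (tokens refill at bandwidth-limit, the bucket holds at most burst-size-limit bytes) and runs the two ping tests from this post through it. The assumptions are labelled in the code: Junos multipliers are decimal (64k = 64,000 bit/s, 4k = 4,000 bytes), the path MTU is 1500 so a 1600-byte echo request is fragmented, and rapid ping sends one request every 100 ms. The model explains the mechanism and is not expected to reproduce the post's exact counts; note though that the post's policer counter (4500 bytes over 3 packets) shows 1500-byte packets, i.e. the first fragment of an oversize ping is what gets discarded.

```python
"""Token-bucket model of the P1 policer (bandwidth-limit 64k, burst-size-limit 4k).

Added example, not code from the original post. Assumptions: Junos multipliers
are decimal (64k = 64,000 bit/s, 4k = 4,000 bytes), the policer behaves as a
single-rate two-colour token bucket, the path MTU is 1500 and rapid ping sends
one echo request every `interval` seconds.
"""

IP_HDR = 20   # IPv4 header without options
ICMP_HDR = 8  # ICMP echo header


class Policer:
    """Tokens refill at bandwidth-limit; the bucket holds at most burst-size-limit bytes."""

    def __init__(self, bandwidth_bps: int, burst_bytes: int) -> None:
        self.rate_bytes_per_s = bandwidth_bps / 8
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last_t = 0.0

    def offer(self, t: float, size: int) -> bool:
        """True if a packet of `size` bytes at time t conforms; False means the
        post's policer action ('then discard') fires."""
        refill = (t - self.last_t) * self.rate_bytes_per_s
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def fragment_sizes(data_bytes: int, mtu: int = 1500) -> list[int]:
    """On-the-wire IPv4 packet sizes for one echo request carrying `data_bytes`,
    fragmented at `mtu` (fragment payloads must be multiples of 8 bytes)."""
    payload = ICMP_HDR + data_bytes
    max_payload = (mtu - IP_HDR) // 8 * 8
    sizes = []
    while payload > max_payload:
        sizes.append(IP_HDR + max_payload)
        payload -= max_payload
    sizes.append(IP_HDR + payload)
    return sizes


def simulate_ping(policer: Policer, count: int, data_bytes: int,
                  interval: float, mtu: int = 1500) -> dict:
    """Send `count` echo requests through the policer; return the ping-style
    pattern and what the policer counter would show."""
    pattern = []
    discarded_packets = discarded_bytes = 0
    for i in range(count):
        t = i * interval
        ok = True
        for size in fragment_sizes(data_bytes, mtu):
            if policer.offer(t, size):
                continue
            ok = False  # losing any fragment loses the whole echo request
            discarded_packets += 1
            discarded_bytes += size
        pattern.append("!" if ok else ".")
    return {
        "pattern": "".join(pattern),
        "received": pattern.count("!"),
        "discarded_packets": discarded_packets,
        "discarded_bytes": discarded_bytes,
    }


if __name__ == "__main__":
    small = simulate_ping(Policer(64_000, 4_000), 5, 56, 0.1)
    large = simulate_ping(Policer(64_000, 4_000), 10, 1600, 0.1)
    print("56-byte pings:  ", small["pattern"], small["received"], "received")
    print("1600-byte pings:", large["pattern"], large["received"], "received;",
          "policer discarded", large["discarded_packets"], "packets /",
          large["discarded_bytes"], "bytes")
```

With the default 56-byte echo the 84-byte packets never empty the 4,000-byte bucket, so all five pass. With 1600 bytes of data each request is 1,500 + 148 bytes on the wire; the bucket absorbs the first three requests, then the 800 bytes that refill per 100 ms are not enough for another 1,500-byte fragment, so every second request loses its first fragment. That is the "!!.!!!.!!." shape the post observed, and it is why a burst-size-limit only a little larger than one packet produces loss well before the average rate is reached.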

From JR1:

root@JR1> show firewall filter JR2_TO_CR1            

Filter: JR2_TO_CR1                                             
Counters:
Name                                                Bytes              Packets
JR2_CR1                                             22480                  142
Policers:
Name                                                Bytes              Packets
P1-ALLOW_ICMP                                        4500                    3
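Counters and firewall log entries are only useful if someone reads them, so here is an added example, not code from the original post, of how an operator might monitor this filter: it parses two snapshots of the show firewall filter output (the before and after readings shown in this post, copied here as constructed sample text with trailing whitespace removed), computes the growth of each counter and policer, raises an alert name for any policer whose discard count increased, and summarises show firewall log entries by action, protocol, source and destination. The parsing and alert logic are my own assumptions about a monitoring script, not a Junos feature.

```python
"""Parse 'show firewall filter' and 'show firewall log' output and flag policer drops.

Added example, not code from the original post. The sample text is copied from
the output shown in the post (constructed excerpts); the alerting logic is an
assumption about how an operator might watch this filter.
"""
import re
from collections import Counter

SNAPSHOT_BEFORE = """\
Filter: JR2_TO_CR1
Counters:
Name                                                Bytes              Packets
JR2_CR1                                             22060                  137
"""

SNAPSHOT_AFTER = """\
Filter: JR2_TO_CR1
Counters:
Name                                                Bytes              Packets
JR2_CR1                                             22480                  142
Policers:
Name                                                Bytes              Packets
P1-ALLOW_ICMP                                        4500                    3
"""

FIREWALL_LOG = """\
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
"""

COUNTER_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")
LOG_ROW = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+([ADR])\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_filter_counters(text: str) -> dict:
    """Return {'filter': name, 'counters': {name: (bytes, packets)},
    'policers': {name: (bytes, packets)}} from one command output."""
    out = {"filter": None, "counters": {}, "policers": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Filter:"):
            out["filter"] = line.split(":", 1)[1].strip()
        elif line == "Counters:":
            section = "counters"
        elif line == "Policers:":
            section = "policers"
        elif line.startswith("Name ") or section is None:
            continue  # column header, or a row before any section
        else:
            m = COUNTER_ROW.match(line)
            if m:
                out[section][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return out


def counter_delta(before: dict, after: dict) -> dict:
    """Per-name (bytes, packets) growth between two snapshots; a name absent
    from `before` (the policer had not fired yet) counts from zero."""
    d = {"counters": {}, "policers": {}}
    for sec in d:
        for name, (b, p) in after[sec].items():
            b0, p0 = before[sec].get(name, (0, 0))
            d[sec][name] = (b - b0, p - p0)
    return d


def policer_alerts(delta: dict, min_packets: int = 1) -> list[str]:
    """Names of policers whose discard count grew by at least `min_packets`,
    i.e. traffic hit the rate limit and 'then discard' fired."""
    return sorted(n for n, (_, p) in delta["policers"].items() if p >= min_packets)


def summarize_log(text: str) -> Counter:
    """Count firewall log entries by (action, protocol, src, dst)."""
    summary = Counter()
    for raw in text.splitlines():
        m = LOG_ROW.match(raw.strip())
        if m:
            _, _, action, _, proto, src, dst = m.groups()
            summary[(action, proto, src, dst)] += 1
    return summary


if __name__ == "__main__":
    d = counter_delta(parse_filter_counters(SNAPSHOT_BEFORE),
                      parse_filter_counters(SNAPSHOT_AFTER))
    print("counter growth:", d["counters"])
    print("policer growth:", d["policers"])
    print("policers discarding:", policer_alerts(d))
    for key, n in summarize_log(FIREWALL_LOG).items():
        print(n, "log entries", key)
```

In a real deployment the two snapshots would be successive outputs of the same command collected on a schedule; the point of keying on the policer delta rather than the absolute value is that a counter that is non-zero but static is history, whereas one that is still growing means the limit is being hit now.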
