On Thu, Apr 21, 2011 at 11:12:35AM +0200, Maarten Carels wrote:
> > Am trying to add bandwidth limitation on EX3200 on port or vlan using
> > firewall policer and it is working as input filter correctly but when I do
> > it as output filter it gave me an error " can not be used as policer not
> > supported on egress " .
>
> I ran into the same. It's a limitation of the EX-3200...
>
> SO, short answer is: You can't.

If you get really bored/desperate, the only way to limit bandwidth outbound is to configure an inbound policer on every ingress interface that packets could come from. You can't get a single accurate policer this way of course, but you can do some super ghetto limiting of traffic to a specific destination, which is better than nothing. We use a commit script to automatically build per interface ingress filters to do this kind of thing, which btw is also the only way to make control plane rate limiting (or filtering of any kind for that matter) work. If you don't do it at the interface/input level it doesn't "really" get blocked, making it trivial to kill any EX with a few megabits of traffic directed at any local IP on the box. How people aren't freaking out about this horrible design flaw is completely beyond me, though I guess you could always argue it isn't the worst such mistake on the EX. :)

--
Richard A Steenbergen <r...@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
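
The per-interface ingress workaround described in the message above, sketched as an added example that is not part of the original message and is not the poster's commit script (which would run on the switch itself). It is an offline Python generator that emits one filter and policer per ingress interface and reports why the result is only an approximation of a single egress policer. The interface names, destination prefix, rates, burst size and object names are constructed assumptions.

```python
# Added example: all names, prefixes and rates below are constructed.
def build_ingress_policers(interfaces, dest_prefix, limit_kbps,
                           split=True, burst_bytes=15000, name="LIMIT-OUT"):
    """Approximate an egress limit toward dest_prefix with one ingress
    filter + policer per interface. Returns (set_commands, bounds)."""
    if not interfaces:
        raise ValueError("need at least one ingress interface")
    n = len(interfaces)
    # split=True : each interface gets limit/n, so the sum never exceeds the
    #              limit, but one busy source is capped at limit/n.
    # split=False: each interface gets the full limit, so a single source can
    #              reach it, but the aggregate can reach n * limit.
    per_if = max(limit_kbps // n, 1) if split else limit_kbps
    cmds = []
    for ifd in interfaces:
        tag = ifd.replace("/", "-").replace(".", "-")
        pol, flt = f"{name}-{tag}-POL", f"{name}-{tag}"
        base = f"set firewall family ethernet-switching filter {flt}"
        cmds += [
            f"set firewall policer {pol} if-exceeding "
            f"bandwidth-limit {per_if}k burst-size-limit {burst_bytes}",
            f"set firewall policer {pol} then discard",
            f"{base} term limit from destination-address {dest_prefix}",
            f"{base} term limit then policer {pol}",
            f"{base} term rest then accept",
            f"set interfaces {ifd} unit 0 family ethernet-switching "
            f"filter input {flt}",
        ]
    bounds = {
        "per_interface_kbps": per_if,
        "single_source_max_kbps": per_if,
        "worst_case_aggregate_kbps": per_if * n,
    }
    return cmds, bounds


if __name__ == "__main__":
    # Constructed sample: four ingress ports, 10 Mbit/s toward one host.
    ports = ["ge-0/0/0", "ge-0/0/1", "ge-0/0/2", "ge-0/0/3"]
    for split in (True, False):
        cmds, bounds = build_ingress_policers(ports, "192.0.2.10/32",
                                              10000, split=split)
        print(f"split={split}: {bounds}")
    print("\n".join(cmds[:6]))
```

Neither mode reproduces a true egress policer: the bounds dictionary makes the trade-off between under-serving a single source and over-admitting in aggregate explicit.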