Example: Limiting the Message Rate and Path Rate for GTP Control Messages

This example shows how to limit the message rate and the path rate for GTP control messages. The rate-limit option limits the GTP messages per second and the path-rate-limit option controls specific GTP messages in both the forward and reverse directions.

Requirements

This example uses the following hardware and software components:

  • A high-end SRX Series device
  • Junos OS Release 12.1x45-D10

No special configuration beyond device initialization is required before configuring this feature.

Overview

In this example, you limit the rate of incoming GTP messages to 300 packets per second and you limit the path rate for GTP control messages in both the forward and reverse directions. You configure the device to limit the rate of network traffic going to a GPRS support node (GSN), and you restrict the maximum packets per second or per minute for specific control messages on a path. For create-req, delete-req, and other GTP messages you restrict the maximum packets per second. However, for an echo-req GTP message, you restrict the maximum packets per minute.

The path-rate-limit function controls specific GTP messages in both the forward and reverse directions. Configure the alarm-threshold parameter so that the device raises an alarm when the GTP control messages on a path reach the configured limit. Configure the drop-threshold parameter so that the device drops traffic when the number of packets per second or per minute exceeds the configured limit.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set security gprs gtp profile gtp1 rate-limit 300
set security gprs gtp profile gtp1 path-rate-limit message-type create-req alarm-threshold forward 50 reverse 50
set security gprs gtp profile gtp1 path-rate-limit message-type delete-req alarm-threshold forward 50 reverse 50
set security gprs gtp profile gtp1 path-rate-limit message-type echo-req alarm-threshold forward 50 reverse 50
set security gprs gtp profile gtp1 path-rate-limit message-type other alarm-threshold forward 50 reverse 50
set security gprs gtp profile gtp1 path-rate-limit message-type create-req drop-threshold forward 80 reverse 80
set security gprs gtp profile gtp1 path-rate-limit message-type delete-req drop-threshold forward 80 reverse 80
set security gprs gtp profile gtp1 path-rate-limit message-type echo-req drop-threshold forward 80 reverse 80
set security gprs gtp profile gtp1 path-rate-limit message-type other drop-threshold forward 80 reverse 80

Step-by-Step Procedure

To configure the GTP message rate and path rate limit:

  1. Specify the GTP profile.
    [edit]
    user@host# set security gprs gtp profile gtp1
  2. Set the GTP message rate limit.
    [edit security gprs gtp profile gtp1]
    user@host# set rate-limit 300
  3. Specify the message type to set the path rate limit for GTP control messages.
    [edit security gprs gtp profile gtp1]
    user@host# set path-rate-limit message-type
  4. Select GTP control message types.
    [edit security gprs gtp profile gtp1]
    user@host# set path-rate-limit message-type create-req
    user@host# set path-rate-limit message-type delete-req
    user@host# set path-rate-limit message-type echo-req
    user@host# set path-rate-limit message-type other
  5. Set the alarm threshold for the GTP control message types.
    [edit security gprs gtp profile gtp1 path-rate-limit]
    user@host# set message-type create-req alarm-threshold
    user@host# set message-type delete-req alarm-threshold
    user@host# set message-type echo-req alarm-threshold
    user@host# set message-type other alarm-threshold
  6. Limit the control messages in the forward direction.
    [edit security gprs gtp profile gtp1 path-rate-limit message-type]
    user@host# set create-req alarm-threshold forward 50
    user@host# set delete-req alarm-threshold forward 50
    user@host# set echo-req alarm-threshold forward 50
    user@host# set other alarm-threshold forward 50
  7. Limit the control messages in the reverse direction.
    [edit security gprs gtp profile gtp1 path-rate-limit message-type]
    user@host# set create-req alarm-threshold reverse 50
    user@host# set delete-req alarm-threshold reverse 50
    user@host# set echo-req alarm-threshold reverse 50
    user@host# set other alarm-threshold reverse 50
  8. Set the drop threshold for the GTP control message types.
    [edit security gprs gtp profile gtp1 path-rate-limit]
    user@host# set message-type create-req drop-threshold
    user@host# set message-type delete-req drop-threshold
    user@host# set message-type echo-req drop-threshold
    user@host# set message-type other drop-threshold
  9. Limit the control messages in the forward direction.
    [edit security gprs gtp profile gtp1 path-rate-limit message-type]
    user@host# set create-req drop-threshold forward 80
    user@host# set delete-req drop-threshold forward 80
    user@host# set echo-req drop-threshold forward 80
    user@host# set other drop-threshold forward 80
  10. Limit the control messages in the reverse direction.
    [edit security gprs gtp profile gtp1 path-rate-limit message-type]
    user@host# set create-req drop-threshold reverse 80
    user@host# set delete-req drop-threshold reverse 80
    user@host# set echo-req drop-threshold reverse 80
    user@host# set other drop-threshold reverse 80

Results

From configuration mode, confirm your configuration by entering the show security gprs gtp profile profile-name command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security gprs gtp profile gtp1
rate-limit 300;
path-rate-limit {
    message-type create-req {
        drop-threshold {
            forward 80;
            reverse 80;
        }
        alarm-threshold {
            forward 50;
            reverse 50;
        }
    }
    message-type delete-req {
        drop-threshold {
            forward 80;
            reverse 80;
        }
        alarm-threshold {
            forward 50;
            reverse 50;
        }
    }
    message-type echo-req {
        drop-threshold {
            forward 80;
            reverse 80;
        }
        alarm-threshold {
            forward 50;
            reverse 50;
        }
    }
    message-type other {
        drop-threshold {
            forward 80;
            reverse 80;
        }
        alarm-threshold {
            forward 50;
            reverse 50;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the Configuration

Purpose

Verify that the GTP message rate and path rate limit configuration is correct.

Action

From operational mode, enter the show security gprs gtp counters path-rate-limit command.

Path-rate-limit counters:
                                    Drop                         Alarm
Create Request                       20                           50
Delete Request                       20                           50
Echo Request                         20                           50
Others                               20                           50

Meaning

The show security gprs gtp counters path-rate-limit command displays the number of packets received since the alarm threshold or the drop threshold value was reached. If you configure the alarm-threshold value as 50 and the drop-threshold value as 80 for the Create Request message, and if the device receives 100 packets in a second or minute, then the Drop number will be 20 and the Alarm number will be 50.
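
The counter behaviour described above, as an added Python model that is not Juniper code: it replays constructed GTP control messages against this example's thresholds and produces the Drop and Alarm columns. The fixed, zero-aligned counting windows, the per-path and per-direction bucketing, the path names, and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Thresholds from this page's gtp1 profile (identical forward and reverse).
ALARM, DROP = 50, 80
# Per the overview: echo-req is limited per minute, the others per second.
WINDOW_S = {"create-req": 1, "delete-req": 1, "other": 1, "echo-req": 60}


def simulate(events):
    """events: iterable of (timestamp_s, path, msg_type, direction).

    Returns (counters, forwarded). counters[msg_type] holds the "alarm" and
    "drop" counts shown by the counters command; forwarded is the number of
    messages passed on. Assumption: fixed windows aligned to t=0, counted
    separately for each path and direction.
    """
    seen = defaultdict(int)  # (path, type, direction, window index) -> count
    counters = defaultdict(lambda: {"alarm": 0, "drop": 0})
    forwarded = 0
    for ts, path, msg_type, direction in events:
        c = counters[msg_type]
        key = (path, msg_type, direction, int(ts // WINDOW_S[msg_type]))
        seen[key] += 1
        if seen[key] > ALARM:
            c["alarm"] += 1      # received after the alarm threshold
        if seen[key] > DROP:
            c["drop"] += 1       # received after the drop threshold: dropped
        else:
            forwarded += 1
    return dict(counters), forwarded


def burst(n, span_s, path, msg_type, direction="forward"):
    """Constructed sample input: n messages spread evenly over span_s."""
    return [(i * span_s / n, path, msg_type, direction) for i in range(n)]


PATH_A = ("sgsn-a", "ggsn-1")  # placeholder path endpoints, not from the page
events = (
    burst(100, 1.0, PATH_A, "create-req")     # 100 within one second
    + burst(100, 50.0, PATH_A, "echo-req")    # 100 within one minute
    + burst(100, 2.0, PATH_A, "delete-req")   # 50 per second for two seconds
)
counters, forwarded = simulate(events)

if __name__ == "__main__":
    for msg_type, c in counters.items():
        print(f"{msg_type:12} drop={c['drop']:3} alarm={c['alarm']:3}")
    print("forwarded:", forwarded)
```

The delete-req burst carries the same 100 messages as the create-req burst but never exceeds 50 in any one-second window, so in this model it raises no alarm and nothing is dropped.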

Published: 2015-02-11