Juniper speed limit in Vlan
To limit the speed at the vlan level, you need to create a firewall filter in family ethernet-switching, through which you can set the speed:
vitalvas@qfx5120-city17# show firewall family ethernet-switching filter ratelimit-vlan
term vlan-2332 {
from {
user-vlan-id 2332;
}
then {
accept;
count vlan-2332;
policer 20Mbit;
}
}
term accept-other-vlan {
then accept;
}
vitalvas@qfx5120-city17# show firewall policer 20Mbit
if-exceeding {
bandwidth-limit 22m;
burst-size-limit 8m;
}
then discard;
And apply to all necessary ports with this vlan:
vitalvas@qfx5120-city17# show interfaces xe-0/0/10 unit 0 family ethernet-switching filter
input ratelimit-vlan;
output ratelimit-vlan;
vitalvas@qfx5120-city17# show interfaces xe-0/0/12 unit 0 family ethernet-switching filter
input ratelimit-vlan;
output ratelimit-vlan;
In order to understand that everything is working as it should, you can look into the firewall counters. I use a separate counter for each rule to count the traffic.
It turns out that if the values in the Counters section grow, then the VLAN is in use, but if the values in the Policers section start to grow, the VLAN has reached the speed limit, and this is considered to be already cut off traffic.
vitalvas@qfx5120-city17> show firewall filter ratelimit-vlan
Filter: ratelimit-vlan
Counters:
Name Bytes Packets
vlan-2332 610530993 6362892
Policers:
Name Bytes Packets
20Mbit-vlan-2332 0 0
In this configuration, in addition to the speed limit on the vlan, there is also a rule that allows traffic to vlans that do not have a limit.
It is also necessary to take into account that this limitation sums up the input+output. In order to have full duplex, you need to either make a rule for each port separately, or even more complex designs.
p.s. It is better to cut speed on end ports. But in my case, it was necessary to make speed limits for each transit vlan at the junction between different operators.