[j-nsp] prefix-specific policers with multiple match conditions

Pekka Savola pekkas at netcore.fi
Wed May 7 14:34:33 EDT 2003


Hi,

An advanced question on prefix-specific policers.

The example documentation is rather terse about the case of multiple match 
conditions.  That is (example from the docs):

firewall {
policer 1Mbps-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 63k;
        }
    }
    family inet {
        prefix-action per-source-policer {
            policer 1Mbps-policer;
            subnet-prefix-length 24;
            source-prefix-length 32;
        }
    }
    filter limit-all-hosts {
        term one {
            from {
                source-address {
                    10.10.10.0/24;
                }
            }
            then prefix-action per-source-policer;
        }
    }
 }

gives 256 policers.  But now replace the last with:

    filter limit-all-hosts {
        term one {
            from {
                source-address {
                    10.10.10.0/24;
		    10.20.30.0/24;
                }
            }
            then prefix-action per-source-policer;
        }
    }

, and you still have 256 policers and counters, each of them having 
{10.10.10.0, 10.10.30.0},{10.10.10.1, 10.10.30.1}, etc.

Needless to say, this seems like a completely useless "feature".  It would 
be much more desirable to have 256+256 policers and counters, with no 
overlap.

Is there a way to achieve this effect, "continuing from one match 
condition to another without overlapping" ?

What I'd like to achieve is like:


                source-address {
                    1.1/16;
                    2.2/16;
                }

and:

            subnet-prefix-length 16;
            source-prefix-length 24;

that is, be able to monitor how much each /24 (or some other address 
block) in our network is eating capacity, and possibly to police it to a 
lower rate.  This, too, will create an overlap though.

Or would a dirty hack here be using "subnet-prefix-length 15" (to generate
2*256 policers/counters) -- even though the match conditions are not
consecutive -- work?

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings



More information about the juniper-nsp mailing list