[j-nsp] prefix-specific policers with multiple match conditions
Pekka Savola
pekkas at netcore.fi
Wed May 7 14:34:33 EDT 2003
Hi,
An advanced question on prefix-specific policers.
The example documentation is rather terse about the case of multiple match
conditions. That is (example from the docs):
firewall {
policer 1Mbps-policer {
if-exceeding {
bandwidth-limit 1m;
burst-size-limit 63k;
}
}
family inet {
prefix-action per-source-policer {
policer 1Mbps-policer;
subnet-prefix-length 24;
source-prefix-length 32;
}
}
filter limit-all-hosts {
term one {
from {
source-address {
10.10.10.0/24;
}
}
then prefix-action per-source-policer;
}
}
}
gives 256 policers. But now replace the last with:
filter limit-all-hosts {
term one {
from {
source-address {
10.10.10.0/24;
10.20.30.0/24;
}
}
then prefix-action per-source-policer;
}
}
, and you still have 256 policers and counters, each of them having
{10.10.10.0, 10.10.30.0},{10.10.10.1, 10.10.30.1}, etc.
Needless to say, this seems like a completely useless "feature". It would
be much more desirable to have 256+256 policers and counters, with no
overlap.
Is there a way to achieve this effect, "continuing from one match
condition to another without overlapping" ?
What I'd like to achieve is like:
source-address {
1.1/16;
2.2/16;
}
and:
subnet-prefix-length 16;
source-prefix-length 24;
that is, be able to monitor how much each /24 (or some other address
block) in our network is eating capacity, and possibly to police it to a
lower rate. This, too, will create an overlap though.
Or would a dirty hack here be using "subnet-prefix-length 15" (to generate
2*256 policers/counters) -- even though the match conditions are not
consecutive -- work?
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
More information about the juniper-nsp
mailing list