[j-nsp] prefix-specific policers with multiple match conditions

Sean Capshaw capshaw at juniper.net
Fri May 9 07:23:32 EDT 2003


Hello Pekka,

I am not sure if you already received a response on this or not.  The way
I would do this is to create two PSA's:

scapshaw at homer# show firewall
policer 1M-policer {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 63k;
    }
    then discard;
}
policer 1m-policer2 {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 63k;
    }
    then discard;
}
family inet {
    prefix-action host-policer {
        policer 1M-policer;
        count;
        filter-specific;
        subnet-prefix-length 24;
        source-prefix-length 32;
    }
    prefix-action host-policer2 {
        policer 1m-policer2;
        count;
        filter-specific;
        subnet-prefix-length 24;
        source-prefix-length 32;
    }
}
filter fair-bw {
    term a {
        from {
            source-address {
                10.10.10.0/24;
            }
        }
        then prefix-action host-policer;
    }
    term b {
        from {
            source-address {
                10.20.30.0/24;
            }
        }
        then prefix-action host-policer2;
    }
    term c {
        then accept;
    }
}

[edit]

Thanks
Sean


On Wed, 7 May 2003, Pekka Savola wrote:

> Hi,
>
> An advanced question on prefix-specific policers.
>
> The example documentation is rather terse about the case of multiple match
> conditions.  That is (example from the docs):
>
> firewall {
> policer 1Mbps-policer {
>         if-exceeding {
>             bandwidth-limit 1m;
>             burst-size-limit 63k;
>         }
>     }
>     family inet {
>         prefix-action per-source-policer {
>             policer 1Mbps-policer;
>             subnet-prefix-length 24;
>             source-prefix-length 32;
>         }
>     }
>     filter limit-all-hosts {
>         term one {
>             from {
>                 source-address {
>                     10.10.10.0/24;
>                 }
>             }
>             then prefix-action per-source-policer;
>         }
>     }
>  }
>
> gives 256 policers.  But now replace the last with:
>
>     filter limit-all-hosts {
>         term one {
>             from {
>                 source-address {
>                     10.10.10.0/24;
> 		    10.20.30.0/24;
>                 }
>             }
>             then prefix-action per-source-policer;
>         }
>     }
>
> , and you still have 256 policers and counters, each of them having
> {10.10.10.0, 10.10.30.0},{10.10.10.1, 10.10.30.1}, etc.
>
> Needless to say, this seems like a completely useless "feature".  It would
> be much more desirable to have 256+256 policers and counters, with no
> overlap.
>
> Is there a way to achieve this effect, "continuing from one match
> condition to another without overlapping" ?
>
> What I'd like to achieve is like:
>
>
>                 source-address {
>                     1.1/16;
>                     2.2/16;
>                 }
>
> and:
>
>             subnet-prefix-length 16;
>             source-prefix-length 24;
>
> that is, be able to monitor how much each /24 (or some other address
> block) in our network is eating capacity, and possibly to police it to a
> lower rate.  This, too, will create an overlap though.
>
> Or would a dirty hack here be using "subnet-prefix-length 15" (to generate
> 2*256 policers/counters) -- even though the match conditions are not
> consecutive -- work?
>
> --
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>


More information about the juniper-nsp mailing list