[j-nsp] policer question
Wayne E. Bouchard
web at typo.org
Thu Jul 29 19:04:24 EDT 2004
Hi,
Quick question regarding policer configuration. I have a link that's
got a /29 hanging off of it. The traffic is overwhelmingly inbound to
the router (like near 10 to 1). This net has the potential to be a DoS
target. So to prevent the entire subnet from being unusable, I want to
set up something to permit only 15 megabits inbound to any individual
machine but not 15 megs total. Now, I could set this up with an access
list and a policer like so:
interfaces {
    ge-1/3/0 {
        vlan-tagging;
        unit 12 {
            vlan-id 12;
            family inet {
                filter {
                    output dos-filter;
                }
                address 10.0.0.1/29;
            }
        }
    }
}
firewall {
    policer 15-meg {
        if-exceeding {
            bandwidth-limit 15m;
            burst-size-limit 100k;
        }
        then discard;
    }
    filter dos-filter {
        term host1 {
            from {
                destination-address {
                    10.0.0.2/32;
                }
            }
            then policer 15-meg;
        }
        term host2 {
            from {
                destination-address {
                    10.0.0.3/32;
                }
            }
            then policer 15-meg;
        }
        /* etc for 3, 4, 5, or however many */
        term default {
            then policer 15-meg;
        }
    }
}
But this seems kludgy. Is there a better way to go about it?
---
Wayne Bouchard
web at typo.org
Network Dude
http://www.typo.org/~web/
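One way to take the hand-typing out of the per-host approach is to generate the terms from the prefix. This is an added Python example, not part of the original post and not Juniper's own tooling; it assumes the policer and filter names from the post, that the router's own gateway address is left out of the per-host terms, and that the hypothetical `render_filter` output is pasted into `configure` by hand.

```python
import ipaddress
from typing import List


def usable_hosts(prefix: str, gateway: str) -> List[str]:
    """Host addresses in `prefix` that need their own policer term.

    The network and broadcast addresses are skipped by ip_network.hosts();
    the router's gateway address is skipped explicitly (assumption: the
    router itself is not a DoS target we want to rate-limit here).
    """
    net = ipaddress.ip_network(prefix, strict=False)  # 10.0.0.1/29 -> 10.0.0.0/29
    gw = ipaddress.ip_address(gateway)
    return [str(h) for h in net.hosts() if h != gw]


def render_filter(prefix: str, gateway: str, filter_name: str = "dos-filter",
                  policer: str = "15-meg", rate: str = "15m", burst: str = "100k") -> str:
    """Emit a Junos 'firewall' stanza with one term per host, all referencing
    the same policer. Junos instantiates a term-referenced policer once per
    term by default, so each host gets its own bucket rather than a pooled one."""
    out = [
        "firewall {",
        f"    policer {policer} {{",
        "        if-exceeding {",
        f"            bandwidth-limit {rate};",
        f"            burst-size-limit {burst};",
        "        }",
        "        then discard;",
        "    }",
        f"    filter {filter_name} {{",
    ]
    for host in usable_hosts(prefix, gateway):
        term = "host-" + host.replace(".", "-")  # e.g. host-10-0-0-2
        out += [
            f"        term {term} {{",
            "            from {",
            f"                destination-address {host}/32;",
            "            }",
            f"            then policer {policer};",
            "        }",
        ]
    # Catch-all term, mirroring the 'default' term in the post.
    out += ["        term default {", f"            then policer {policer};",
            "        }", "    }", "}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_filter("10.0.0.1/29", "10.0.0.1"))
```

Declaring the policer `filter-specific` would instead give all terms one shared 15 Mb/s bucket, which is the "15 megs total" behaviour the post wants to avoid.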