[j-nsp] policer question
Lars Erik Gullerud
lerik at nolink.net
Fri Jul 30 04:44:02 EDT 2004
On Fri, 2004-07-30 at 01:04, Wayne E. Bouchard wrote:
> Hi,
>
> Quick question regarding policer configuration. I have a link that's
> got a /29 hanging off of it. The traffic is overwhelmingly inbound to
> the router (like near 10 to 1.) This net has the potential to be a DOS
> target. So to prevent the entire subnet from being unusable, I want to
> set up something to permit only 15 megabits inbound to any individual
> machine but not 15 megs total. Now, I could set this up with an access
> list and a policer like so:
[snip]
Yes - instead of making all the /32 policers individually yourself, use
a prefix-action, like so (inserted into your config snippet):
firewall {
    policer 15-meg {
        if-exceeding {
            bandwidth-limit 15m;
            burst-size-limit 100k;
        }
        then discard;
    }
    family inet {
        prefix-action max-15 {
            policer 15-meg;
            subnet-prefix-length 29;
            destination-prefix-length 32;
        }
    }
    filter dos-filter {
        term police-subnet {
            from {
                destination-address {
                    10.0.0.0/29;
                }
            }
            then prefix-action max-15;
        }
    }
}
This will dynamically generate a policer for each individual IP and
police each of them to max 15M. I think this is supported on all JunOS
6.x, at least this feature is in 6.1 and upwards (which is when we
started using it).
/leg
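The following is an added illustration, not code from Lars's reply or from Juniper: a small Python model of what the prefix-action above does, so the difference between "15 megabits per host" and "15 megabits for the whole /29" can be seen on a constructed packet trace. It assumes the usual single-rate token-bucket model for a policer (bandwidth-limit refills the bucket, burst-size-limit is its depth, with 100k read as 100,000 bytes), that the prefix-action selects a policer instance by the destination's host bits between subnet-prefix-length and destination-prefix-length, and that some later filter term accepts traffic outside the /29. Packet sizes, addresses and timestamps in the trace are constructed.

```python
"""Model of a JunOS prefix-action: one policer per /32 inside a /29.

Added example (assumptions): token-bucket policer semantics, instance index
taken from the destination host bits, and an accept-all term after dos-filter.
"""
import ipaddress


class Policer:
    """Single-rate two-colour token bucket: bandwidth-limit is the refill rate
    (bits/s), burst-size-limit is the bucket depth (bytes)."""

    def __init__(self, bandwidth_limit_bps, burst_size_bytes):
        self.rate = bandwidth_limit_bps / 8.0   # refill rate in bytes per second
        self.burst = burst_size_bytes
        self.tokens = float(burst_size_bytes)   # bucket starts full
        self.last = 0.0

    def conforms(self, nbytes, now):
        """Refill for the elapsed time, then accept only if the packet fits."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False                              # 'then discard'


class PrefixAction:
    """Lazily create one policer per destination_prefix_length block inside a
    subnet_prefix_length subnet. 29 -> 32 yields 8 independent /32 policers;
    29 -> 29 collapses to a single shared policer, used below for comparison."""

    def __init__(self, make_policer, subnet_prefix_length, destination_prefix_length):
        self.make_policer = make_policer
        self.dest_len = destination_prefix_length
        self.instances = 2 ** (destination_prefix_length - subnet_prefix_length)
        self.policers = {}

    def index_for(self, dst):
        # Host bits between the subnet length and the destination length pick the instance.
        return (int(dst) >> (32 - self.dest_len)) & (self.instances - 1)

    def police(self, dst, nbytes, now):
        policer = self.policers.setdefault(self.index_for(dst), self.make_policer())
        return policer.conforms(nbytes, now)


def dos_filter(action, subnet, dst, nbytes, now):
    """term police-subnet: from destination-address <subnet>; then prefix-action.
    Assumption: a later term accepts everything not matched here."""
    if dst in subnet:
        return "accept" if action.police(dst, nbytes, now) else "discard"
    return "accept"


# Constructed trace (time_s, destination, bytes): a 100 x 1500 B flood at 10.0.0.1,
# then 10 x 1500 B of legitimate traffic to 10.0.0.2 in the same instant.
TRACE = [(0.0, "10.0.0.1", 1500)] * 100 + [(0.0, "10.0.0.2", 1500)] * 10


def run_trace(destination_prefix_length, trace=TRACE):
    """Return accepted bytes per destination for the given prefix-action shape."""
    subnet = ipaddress.ip_network("10.0.0.0/29")
    action = PrefixAction(lambda: Policer(15_000_000, 100_000), 29, destination_prefix_length)
    accepted = {dst: 0 for _, dst, _ in trace}
    for now, dst, nbytes in trace:
        if dos_filter(action, subnet, ipaddress.ip_address(dst), nbytes, now) == "accept":
            accepted[dst] += nbytes
    return accepted


if __name__ == "__main__":
    print("per-/32 policers:  ", run_trace(32))  # 10.0.0.2 keeps all of its 15,000 B
    print("one shared policer:", run_trace(29))  # 10.0.0.2 is starved by the flood on .1
```

With destination-prefix-length 32 the flood on .1 exhausts only .1's bucket (66 packets of 1500 bytes fit in the 100 KB burst, the rest are discarded) while .2 is untouched; with a single policer for the /29 the same flood leaves nothing for .2, which is exactly the outcome the per-host policing is meant to avoid.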