[j-nsp] Per next-hop or MAC accounting/firewall/policer on sameinterface

Rafal Szarecki (WA/EPO) rafal.szarecki at ericsson.com
Tue Aug 2 04:31:04 EDT 2005 

Kevin,

1) You can make MAC-level filtering and rate-limiting on GE-IQ and GE-SFP PIC. This is not supported on GE PIC with fixed optics such P-GE-SX-B.

2) You can use DCU/SCU mechanism to classyfy packet in firewall filter base on information where/from thay go. This is not direct but work generaly this way:

I assune you has BGP session to each neighbor on LAN.
You choud write BGP import Policy which add to each lerned prefic router-internal market - "destination-class"
Then you can write firewall filter which match on destination-class and them execure action modifier like cout ore policer.


Rafal




> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net 
> [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of Kevin Day
> Sent: Tuesday, August 02, 2005 7:51 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Per next-hop or MAC 
> accounting/firewall/policer on sameinterface
> 
> 
> 
> Does anyone have a solution for measuring / rate-limiting traffic  
> going to different destinations on the same interface?
> 
> For example: If I'm connected to an layer 2 exchange-style switch  
> with 50 different peers, and I want to measure how much I'm sending/ 
> receiving to/from each one and rate limit how much I send to 
> a few of  
> them.
> 
> Is there anyway to see from a firewall{} block where the packet will  
> go? Being able to apply firewall actions depending on the 
> next-hop or  
> the source/dest mac address would be great, but I can't seem to find  
> a way to make the connection between routing/layer 2 and firewall  
> actions.
> 
> As an alternate route, CoS classifiers looked promising, but most of  
> what it looked like I needed wasn't possible on an M5 without IQ  
> pics, which are out of our budget. (Or I'm just understanding the  
> examples incorrectly)
> 
> I know moving each peer to a separate vlan would work, but isn't  
> practical in this situation.
> 
> Anyone been in this situation before?
> 
> Thanks,
> 
> Kevin
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>

More information about the juniper-nsp mailing list