[j-nsp] QPPB SCU DCU

Fri Mar 21 05:09:45 EDT 2008

On Thursday 20 March 2008, Bit Gossip wrote:

> Hi Raymond,
> that is a good one; just one more thing: I would like to
> police traffic to and from the customer, so I should
> match source and destination IP against the community.
> How can I do that?

Not sure I understand your question... but if you want to 
police based on the destination prefix, what Raymond 
offered will work.

However, it would match all traffic coming from all 
customers to the destinations defined by the BGP community. 
If you want to be more specific on which customers this 
feature is applied to (which is what I'd recommend as well, 
unless otherwise), specify the source interface along with 
the destination-class in the filter; to borrow from 
Raymond's example:

[edit firewall]
filter QPPB_Policer-1 {
        term match-dest_class-1 {
            from {
                destination-class dest_class-1;
		interface ge-0/2/0.0; <=== this is the bit you add <===
            }
            then policer police-destination;
        }
        term default {
            then {
                accept;
            }
        }
    }

Cheers,

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 832 bytes
Desc: This is a digitally signed message part.
Url : https://puck.nether.net/pipermail/juniper-nsp/attachments/20080321/8c8e904a/attachment.bin 