[j-nsp] physical interface policer

Bit Gossip bit.gossip at chello.nl
Wed Oct 13 09:34:47 EDT 2010


Hi Mac,
What you mention will do the job, which is to police ALL traffic ingress
into a physical interface, which is:
- ALL address-families of ALL logical units.
This means that I have to create a firewall filter per address-family
because the documentation says: 'You cannot specify family any. You must
configure a specific protocol family for a firewall filter that
references a physical interface policer.'
And then apply it to all address-families of all logical-units.

This is incredibly cumbersome and error-prone.

Is there no simple way to apply a soft policer, that is marking not
dropping, just to the physical interface?
Thanks,
Bit.


On Wed, 2010-10-13 at 09:23 -0400, Mac GroupStudy wrote:
> Let me position my thoughts as well, I have been out of JUNOS for some
> time but I did get pretty far in my knowledge there along the way.
> Also, this is from the Juniper site for configuring policers on a
> physical interface:
> 
> 
> Applying Firewall Filters That Reference Physical Interface Policers 
> After you configure a firewall filter that references a physical
> interface policer, you apply it as an input or an output filter to a
> logical interface. 
> 
> To apply a firewall filter that references a physical interface
> policer as an input filter: 
> 
>       * Include the input filter-name statement at the [edit
>         interfaces interface-name unit logical-unit-number family
>         family-name filter] hierarchy level. 
> 
> To apply a firewall filter that references a physical interface
> policer as an output filter: 
> 
>       * Include the output filter-name statement at the [edit
>         interfaces interface-name unit logical-unit-number family
>         family-name] hierarchy level. 
> 
> In the following example, firewall filter inet-filter is applied to
> family inet on interface ge-1/2/0.0. The filter is applied to incoming
> IPv4 traffic on the interface. 
> 
> [edit]
> interfaces {
>     ge-1/2/0 {
>         unit 0 {
>             family inet {
>                 filter {
>                     input inet-filter;
>                 }
>                 address 10.100.16.2/24;
>             }
>         }
>     }
> }
> 
> On Wed, Oct 13, 2010 at 9:20 AM, Mac GroupStudy
> <mac.groupstudy at gmail.com> wrote:
>         Help me with my JUNOS commands structure and interfaces but
>         unit 0 is the physical interface correct? I mean, you always
>         have to configure unit 0 so to me that is just part of the
>         interface configuration.
>         
>         
>         
>         On Wed, Oct 13, 2010 at 8:36 AM, Bit Gossip
>         <bit.gossip at chello.nl> wrote:
>                 This is Mx480 Junos10.2R2.11 and DPC.
>                 Any idea why I can not apply a
>                 physical-interface-policer to a
>                 physical-interface?
>                 While it can be applied to 'unit 0' of the same
>                 interface.
>                 
>                 Thanks,
>                 bit.
>                 
>                 [edit interfaces xe-4/1/0]
>                 l at rc2# run show configuration firewall policer L-ECN
>                 physical-interface-policer;
>                 if-exceeding {
>                    bandwidth-percent 90;
>                    burst-size-limit 64k;
>                 }
>                 then loss-priority high;
>                 
>                 [edit interfaces xe-4/1/0]
>                 
>                 l at rc2# set layer2-policer ?
>                 Possible completions:
>                 + apply-groups         Groups from which to inherit configuration data
>                 + apply-groups-except  Don't inherit configuration data from these groups
>                 
>                 [edit interfaces xe-4/1/0]
>                 l at rc2# set unit 0 layer2-policer ?
>                 Possible completions:
>                 + apply-groups         Groups from which to inherit configuration data
>                 + apply-groups-except  Don't inherit configuration data from these groups
>                   input-policer        Two-color policer for received packets
>                   input-three-color    Color-blind three-color policer for received packets
>                   output-policer       Two-color policer for transmitted packets
>                   output-three-color   Three-color policer for transmitted packets
>                 
>                 
>                 _______________________________________________
>                 juniper-nsp mailing list juniper-nsp at puck.nether.net
>                 https://puck.nether.net/mailman/listinfo/juniper-nsp
>         
>         
> 
> 
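The per-family, per-unit application discussed in this thread can be generated and audited rather than typed by hand. The following is an added example, not part of the original messages or of Juniper's documentation: the filter and term names, the unit inventory and the helper functions are hypothetical, and the `physical-interface-filter` statement is standard Junos syntax assumed here rather than quoted from the thread.

```python
# Added example, not from the thread. Filter names, term names and the
# unit inventory are hypothetical; policer and interface names are the thread's.
POLICER = "L-ECN"
IFD = "xe-4/1/0"

def filter_name(family, policer=POLICER):
    # Hypothetical naming scheme: one filter per protocol family.
    return f"PHY-{policer}-{family}"

def build_commands(ifd, units, policer=POLICER):
    """units maps logical unit number -> list of families configured on it."""
    families = sorted({f for fams in units.values() for f in fams})
    if "any" in families:
        # Per the documentation quoted in the thread, family any is not allowed.
        raise ValueError("family any cannot reference a physical interface policer")
    cmds = []
    for fam in families:
        base = f"set firewall family {fam} filter {filter_name(fam, policer)}"
        cmds.append(f"{base} physical-interface-filter")
        cmds.append(f"{base} term police-all then policer {policer}")
        cmds.append(f"{base} term police-all then accept")
    for unit in sorted(units):
        for fam in sorted(units[unit]):
            cmds.append(f"set interfaces {ifd} unit {unit} family {fam} "
                        f"filter input {filter_name(fam, policer)}")
    return cmds

def missing_bindings(units, applied):
    """Return (unit, family) pairs with no input filter bound.

    Each pair returned is ingress traffic the physical interface policer
    never sees, which is the error the manual procedure invites.
    """
    wanted = {(u, f) for u, fams in units.items() for f in fams}
    return sorted(wanted - set(applied))

# Constructed inventory of logical units and their families.
SAMPLE_UNITS = {0: ["inet", "inet6"], 100: ["inet", "mpls"]}

if __name__ == "__main__":
    print("\n".join(build_commands(IFD, SAMPLE_UNITS)))
    # Constructed audit input: only the inet bindings were applied.
    print(missing_bindings(SAMPLE_UNITS, [(0, "inet"), (100, "inet")]))
```
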



