[j-nsp] physical interface policer

Mac GroupStudy mac.groupstudy at gmail.com
Wed Oct 13 09:57:04 EDT 2010


That makes sense, Bit, and thanks for the clarification. Hey, so at least I
was partially correct! Let me run this by my Juniper peers who do not
participate here.

On Wed, Oct 13, 2010 at 9:34 AM, Bit Gossip <bit.gossip at chello.nl> wrote:

> Hi Mac,
> what you mention will do the job which is to police ALL traffic ingress
> into a physical interface which is:
> - ALL address-families of ALL logical units.
> This means that I have to create a firewall filter per address-family
> because the documentation says: 'You cannot specify family any. You must
> configure a specific protocol family for a firewall filter that
> references a physical interface policer.'
> And then apply it to all address-families of all logical-units.
>
> This is incredibly cumbersome and error-prone.
>
> Is there no simple way to apply a soft policer, that is marking not
> dropping, just to the physical interface?
> Thanks,
> Bit.
>
>
> On Wed, 2010-10-13 at 09:23 -0400, Mac GroupStudy wrote:
> > Let me position my thoughts as well, I have been out of JUNOS for some
> > time but I did get pretty far in my knowledge there along the way.
> > Also, this is from the Juniper site for configuring policers on a
> > physical interface:
> >
> >
> > Applying Firewall Filters That Reference Physical Interface Policers
> > After you configure a firewall filter that references a physical
> > interface policer, you apply it as an input or an output filter to a
> > logical interface.
> >
> > To apply a firewall filter that references a physical interface
> > policer as an input filter:
> >
> >       * Include the input filter-name statement at the [edit
> >         interfaces interface-name unit logical-unit-number family
> >         family-name filter] hierarchy level.
> >
> > To apply a firewall filter that references a physical interface
> > policer as an output filter:
> >
> >       * Include the output filter-name statement at the [edit
> >         interfaces interface-name unit logical-unit-number family
> >         family-name] hierarchy level.
> >
> > In the following example, firewall filter inet-filter is applied to
> > family inet on interface ge-1/2/0.0. The filter is applied to incoming
> > IPv4 traffic on the interface.
> >
> > [edit]
> > interfaces {
> >     ge-1/2/0 {
> >         unit 0 {
> >             family inet {
> >                 filter {
> >                     input inet-filter;
> >                 }
> >                 address 10.100.16.2/24;
> >             }
> >         }
> >     }
> > }
> >
> > On Wed, Oct 13, 2010 at 9:20 AM, Mac GroupStudy
> > <mac.groupstudy at gmail.com> wrote:
> >         Help me with my JUNOS commands structure and interfaces but
> >         unit 0 is the physical interface correct? I mean, you always
> >         have to configure unit 0 so to me that is just part of the
> >         interface configuration.
> >
> >
> >
> >         On Wed, Oct 13, 2010 at 8:36 AM, Bit Gossip
> >         <bit.gossip at chello.nl> wrote:
> >                 This is Mx480 Junos10.2R2.11 and DPC.
> >                 Any idea why I can not apply a
> >                 physical-interface-policer to a
> >                 physical-interface?
> >                 While it can be applied to 'unit 0' of the same
> >                 interface.
> >
> >                 Thanks,
> >                 bit.
> >
> >                 [edit interfaces xe-4/1/0]
> >                 l at rc2# run show configuration firewall policer L-ECN
> >                 physical-interface-policer;
> >                 if-exceeding {
> >                    bandwidth-percent 90;
> >                    burst-size-limit 64k;
> >                 }
> >                 then loss-priority high;
> >
> >                 [edit interfaces xe-4/1/0]
> >
> >                 l at rc2# set layer2-policer ?
> >                 Possible completions:
> >                 + apply-groups         Groups from which to inherit
> >                 configuration data
> >                 + apply-groups-except  Don't inherit configuration
> >                 data from these
> >                 groups
> >
> >                 [edit interfaces xe-4/1/0]
> >                 l at rc2# set unit 0 layer2-policer ?
> >                 Possible completions:
> >                 + apply-groups         Groups from which to inherit
> >                 configuration data
> >                 + apply-groups-except  Don't inherit configuration
> >                 data from these
> >                 groups
> >                  input-policer        Two-color policer for received
> >                 packets
> >                  input-three-color    Color-blind three-color policer
> >                 for received
> >                 packets
> >                  output-policer       Two-color policer for
> >                 transmitted packets
> >                  output-three-color   Three-color policer for
> >                 transmitted packets
> >
> >
> >                 _______________________________________________
> >                 juniper-nsp mailing list juniper-nsp at puck.nether.net
> >                 https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> >
> >
> >
>
>
>
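
Because the filter has to be attached per address family on every logical unit, a coverage check catches the unit or family that was missed. The following is an added example, not part of the original thread or of Juniper's documentation: it audits `display set` output for one physical interface. The sample configuration lines are constructed, and the filter name `inet6-filter` and the `EXPECTED` mapping are assumptions.

```python
import re

# Constructed sample of `show configuration interfaces | display set` output.
SAMPLE = """\
set interfaces xe-4/1/0 unit 0 family inet filter input inet-filter
set interfaces xe-4/1/0 unit 0 family inet address 10.100.16.2/24
set interfaces xe-4/1/0 unit 0 family inet6 address 2001:db8::1/64
set interfaces xe-4/1/0 unit 100 family inet filter input inet-filter
set interfaces xe-4/1/0 unit 100 family mpls
set interfaces xe-4/1/1 unit 0 family inet address 192.0.2.1/30
"""

# Assumption: one policing filter per family (a filter cannot be family any).
EXPECTED = {"inet": "inet-filter", "inet6": "inet6-filter"}

FAMILY_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family (\S+)(?: (.*))?$")
FILTER_RE = re.compile(r"^filter input (\S+)$")


def input_filters(display_set, ifd):
    """Map (unit, family) -> input filter name, or None, for one interface."""
    found = {}
    for line in display_set.splitlines():
        m = FAMILY_RE.match(line.strip())
        if not m or m.group(1) != ifd:
            continue
        key = (int(m.group(2)), m.group(3))
        found.setdefault(key, None)  # family exists even with no filter line
        f = FILTER_RE.match(m.group(4) or "")
        if f:
            found[key] = f.group(1)
    return found


def audit(display_set, ifd, expected):
    """Return (unit, family, problem) for each family that escapes the policer."""
    gaps = []
    for (unit, family), applied in sorted(input_filters(display_set, ifd).items()):
        want = expected.get(family)
        if want is None:
            gaps.append((unit, family, "no policing filter defined for this family"))
        elif applied != want:
            gaps.append((unit, family, f"input filter is {applied!r}, expected {want!r}"))
    return gaps


if __name__ == "__main__":
    for unit, family, problem in audit(SAMPLE, "xe-4/1/0", EXPECTED):
        print(f"xe-4/1/0 unit {unit} family {family}: {problem}")
```

Filters attached with `input-list` are not recognised by this check and would be reported as missing.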

