[j-nsp] physical interface policer

Brad Fleming bdflemin at gmail.com
Wed Oct 13 10:35:31 EDT 2010


I agree with you that this seems like a simple task but in true  
Juniper fashion, there's a hundred ways to do it depending on your  
needs! :D

NOTE: I've never actually worked with these kinds of policers before  
so obviously test any suggestions first.

I think the physical interface policer must be referenced in a  
firewall filter. Then the filter is applied to an address family on a  
unit.
http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-policy/policers-physical-interface-aggregate-configuring.html

I don't know everything you'd like to achieve, but an Aggregate  
Policer / logical-interface-policer **might** be a better fit since  
it's designed to be applied to multiple address families.
http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-policy/policy-configuring-aggregate-policers.html#id-11078456

I know this isn't the most graceful solution, but to avoid the  
potential typos / human input problems, you could apply the policer  
via a group. Kind of like this:

user@blah> show configuration groups
apply-policer-random-name {
	interfaces {
		xe-4/1/0 {
			unit <*> {
				family <*> {
					filter {
						input L-ECN;
					}
				}
			}
		}
	}
}

user@blah> show configuration
<<<snip>>>>
apply-groups apply-policer-random-name;

On Oct 13, 2010, at 8:34 AM, Bit Gossip wrote:

> Hi Mac,
> what you mention will do the job which is to police ALL traffic ingress
> into a physical interface which is:
> - ALL address-families of ALL logical units.
> This means that I have to create a firewall filter per address-family
> because the documentation says: 'You cannot specify family any. You must
> configure a specific protocol family for a firewall filter that
> references a physical interface policer.'
> And then apply it to all address-families of all logical-units.
>
> This is incredibly cumbersome and error-prone.
>
> Is there no simple way to apply a soft policer, that is marking not
> dropping, just to the physical interface?
> Thanks,
> Bit.
>
>
> On Wed, 2010-10-13 at 09:23 -0400, Mac GroupStudy wrote:
>> Let me position my thoughts as well, I have been out of JUNOS for some
>> time but I did get pretty far in my knowledge there along the way.
>> Also, this is from the Juniper site for configuring policers on a
>> physical interface:
>>
>>
>> Applying Firewall Filters That Reference Physical Interface Policers
>> After you configure a firewall filter that references a physical
>> interface policer, you apply it as an input or an output filter to a
>> logical interface.
>>
>> To apply a firewall filter that references a physical interface
>> policer as an input filter:
>>
>>      * Include the input filter-name statement at the [edit
>>        interfaces interface-name unit logical-unit-number family
>>        family-name filter] hierarchy level.
>>
>> To apply a firewall filter that references a physical interface
>> policer as an output filter:
>>
>>      * Include the output filter-name statement at the [edit
>>        interfaces interface-name unit logical-unit-number family
>>        family-name] hierarchy level.
>>
>> In the following example, firewall filter inet-filter is applied to
>> family inet on interface ge-1/2/0.0. The filter is applied to incoming
>> IPv4 traffic on the interface.
>>
>> [edit]
>> interfaces {
>>     ge-1/2/0 {
>>         unit 0 {
>>             family inet {
>>                 filter {
>>                     input inet-filter;
>>                 }
>>                 address 10.100.16.2/24;
>>             }
>>         }
>>     }
>> }
>>
>> On Wed, Oct 13, 2010 at 9:20 AM, Mac GroupStudy
>> <mac.groupstudy at gmail.com> wrote:
>>        Help me with my JUNOS commands structure and interfaces but
>>        unit 0 is the physical interface correct? I mean, you always
>>        have to configure unit 0 so to me that is just part of the
>>        interface configuration.
>>
>>
>>
>>        On Wed, Oct 13, 2010 at 8:36 AM, Bit Gossip
>>        <bit.gossip at chello.nl> wrote:
>>                This is Mx480 Junos10.2R2.11 and DPC.
>>                Any idea why I can not apply a
>>                physical-interface-policer to a
>>                physical-interface?
>>                While it can be applied to 'unit 0' of the same
>>                interface.
>>
>>                Thanks,
>>                bit.
>>
>>                [edit interfaces xe-4/1/0]
>>                l@rc2# run show configuration firewall policer L-ECN
>>                physical-interface-policer;
>>                if-exceeding {
>>                   bandwidth-percent 90;
>>                   burst-size-limit 64k;
>>                }
>>                then loss-priority high;
>>
>>                [edit interfaces xe-4/1/0]
>>                l@rc2# set layer2-policer ?
>>                Possible completions:
>>                + apply-groups         Groups from which to inherit configuration data
>>                + apply-groups-except  Don't inherit configuration data from these groups
>>
>>                [edit interfaces xe-4/1/0]
>>                l@rc2# set unit 0 layer2-policer ?
>>                Possible completions:
>>                + apply-groups         Groups from which to inherit configuration data
>>                + apply-groups-except  Don't inherit configuration data from these groups
>>                  input-policer        Two-color policer for received packets
>>                  input-three-color    Color-blind three-color policer for received packets
>>                  output-policer       Two-color policer for transmitted packets
>>                  output-three-color   Three-color policer for transmitted packets
>>
>>
>>                _______________________________________________
>>                juniper-nsp mailing list juniper-nsp at puck.nether.net
>>                https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>>
>>
>>
More information about the juniper-nsp mailing list
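
Added example, not part of the original thread: a small audit for the "error-prone" concern raised above, checking that every address family on every logical unit of a physical interface carries the expected input filter. It assumes set-style configuration lines (as from "| display set") with any apply-groups inheritance already expanded, and that the filter has the same name in each family; the function name and sample lines are constructed for illustration.

```python
import re

# Constructed sample in "display set" style; interface and filter
# names follow the thread, addresses are documentation values.
SAMPLE = """\
set interfaces xe-4/1/0 unit 0 family inet filter input L-ECN
set interfaces xe-4/1/0 unit 0 family inet address 10.100.16.2/24
set interfaces xe-4/1/0 unit 0 family inet6 address 2001:db8::1/64
set interfaces xe-4/1/0 unit 100 family inet filter input L-ECN
set interfaces xe-4/1/0 unit 100 family mpls
set interfaces xe-4/1/0 unit 200 family inet filter input OTHER
"""

FAMILY_RE = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+) "
    r"family (?P<family>\S+)(?P<rest>.*)$"
)
FILTER_RE = re.compile(r"^ filter input (?P<name>\S+)$")


def audit_input_filter(config_text, ifd, expected_filter):
    """Return sorted (unit, family, found) tuples for every family on
    the given physical interface whose input filter is missing
    (found is None) or is not expected_filter."""
    applied = {}  # (unit, family) -> input filter name, or None
    for line in config_text.splitlines():
        m = FAMILY_RE.match(line.strip())
        if not m or m["ifd"] != ifd:
            continue
        key = (int(m["unit"]), m["family"])
        applied.setdefault(key, None)  # family exists even without a filter
        f = FILTER_RE.match(m["rest"])
        if f:
            applied[key] = f["name"]
    # (unit, family) pairs are unique, so sorting never compares 'found'.
    return sorted(
        (unit, family, name)
        for (unit, family), name in applied.items()
        if name != expected_filter
    )


if __name__ == "__main__":
    for unit, family, found in audit_input_filter(SAMPLE, "xe-4/1/0", "L-ECN"):
        print(f"unit {unit} family {family}: input filter is {found!r}")
```
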