[j-nsp] JUNOS POLICER
Gordon Smith
gordon at gswsystems.com
Thu Sep 2 16:13:31 EDT 2010
The "accept" is what is allowing full bandwidth - you never hit the
policer.

firewall {
    family inet {
        filter policer {
            term 10 {
                from {
                    source-address {
                        192.168.10.35/32;
                    }
                }
                then {
                    policer teste;
                }
            }
        }
    }
}

On Thu, 02 Sep 2010 13:07:08 -0300, Giuliano Cardozo Medalha
<giulianocm at uol.com.br> wrote:
> People,
>
> We are trying to configure policers to logical interfaces created
> under IQ2E PIC.
>
> All policers are using firewall filters.
>
> One of them is a different situation ... we cannot rate the whole interface,
> but only 3 IPs that pass through the interface.
>
> But the policer is not working correctly:
>
>
> set firewall policer teste if-exceeding bandwidth-limit 10m burst-size-limit 1000
> set firewall policer teste then discard
>
> set firewall family inet filter policer term 10 from source-address
> 192.168.10.35/32
> set firewall family inet filter policer term 10 then accept
> set firewall family inet filter policer term 10 then policer teste
> set firewall family inet filter policer term 20 from source-address
> 192.168.10.36/32
> set firewall family inet filter policer term 20 then accept
> set firewall family inet filter policer term 20 then policer teste
> set firewall family inet filter policer term 30 from source-address
> 192.168.10.37/32
> set firewall family inet filter policer term 30 then accept
> set firewall family inet filter policer term 30 then policer teste
> set firewall family inet filter policer term 40 then accept
>
> set interfaces ge-0/0/0 unit 100 vlan-id 100 family inet filter input policer
>
>
> The problem is ... the 3 chosen IPs are exceeding 10m. Sometimes 12,
> sometimes 18 Mbps.
>
> Do we need to use some special command for it? Like - logical
> interface under policer?
>
> What is the correct manner to use it?
>
> Or do we need to put it all in the same term?
>
> Thanks a lot,
>
> Giuliano