[j-nsp] Rate limiting v4 and v6 together
Gordon Smith
gordon at gswsystems.com
Wed Jun 1 23:32:17 EDT 2011
Under your interface, apply a policer:

interfaces {
    fe-1/0/1 {
        unit 148 {
            description "Some Customer";
            bandwidth 10m;
            vlan-id 148;
            family inet {
                policer {
                    input 10meg;
                    output 10meg;
                }
                address x.x.x.x/x;
            }
        }
    }
}

and for the policer:

firewall {
    policer 10meg {
        logical-interface-policer;
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 1250000;
        }
        then discard;
    }
}

to police total bandwidth per interface

On Wed, 1 Jun 2011 20:07:48 -0500, Chris Adams wrote:
> I'm currently using interface, policer, and filter config like this to
> rate-limit ethernet interfaces to paid bandwidth on an M10i:
>
> interfaces {
>     fe-1/0/1 {
>         unit 148 {
>             description "Some Customer";
>             bandwidth 10m;
>             vlan-id 148;
>             family inet {
>                 filter {
>                     input 10meg;
>                     output 10meg;
>                 }
>                 address x.x.x.x/x;
>             }
>         }
>     }
> }
> firewall {
>     policer 10meg {
>         filter-specific;
>         if-exceeding {
>             bandwidth-limit 10m;
>             burst-size-limit 1250000;
>         }
>         then discard;
>     }
>     filter 10meg {
>         interface-specific;
>         term other {
>             then {
>                 policer 10meg;
>                 count rate;
>                 accept;
>             }
>         }
>     }
> }
>
> This gives me SNMP-graphable in/out counters for each interface that
> show after-rate-limiting bits.
>
> Now, I want to add IPv6, but I want to limit (and hopefully graph) the
> total bandwidth, not the bandwidth per address family. If I create a
> "10megv6" filter under firewall family inet6, the policer is filter
> specific, so I would expect the interface to allow 10meg of IPv4 plus
> 10meg of IPv6.
>
> I used to put a policer directly on the unit under "family inet" (no
> counters for SNMP though), but I would also assume doing that under
> "family inet" and "family inet6" would also result in separate
> bandwidth for IPv4 and IPv6, not shared.
>
> I looked at "family any" filters, but they don't have the same options
> (no "interface-specific").
>
> Any suggestions?
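
The difference the thread turns on, as an added example that is not part of either post and is not Junos code: a simplified token-bucket model comparing one policer instance per address family with a single instance shared by both. The class and function names are hypothetical, and the model assumes 1250-byte packets offered at 10 Mbit/s per family; only the 10m rate and 1250000-byte burst come from the configs above.

```python
from dataclasses import dataclass

RATE_BPS = 10_000_000      # bandwidth-limit 10m
BURST_BYTES = 1_250_000    # burst-size-limit 1250000

@dataclass
class Policer:
    """Simplified single-rate token bucket; out-of-profile packets are discarded."""
    rate_bps: int = RATE_BPS
    burst_bytes: int = BURST_BYTES
    tokens: float = BURST_BYTES   # bucket starts full
    last: float = 0.0

    def allow(self, now: float, size: int) -> bool:
        # Refill for the elapsed time, capped at the burst size.
        refill = (now - self.last) * self.rate_bps / 8
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False              # corresponds to "then discard"

def forwarded_bps(shared: bool, seconds: int = 20, size: int = 1250) -> float:
    """Offer 10 Mbit/s of IPv4 plus 10 Mbit/s of IPv6; return total forwarded bit/s."""
    if shared:
        one = Policer()
        policers = {"inet": one, "inet6": one}
    else:
        policers = {"inet": Policer(), "inet6": Policer()}
    interval = size * 8 / RATE_BPS            # one packet per family per millisecond
    passed = 0
    for i in range(round(seconds / interval)):
        now = i * interval
        # Alternate which family goes first so neither is favoured.
        order = ("inet", "inet6") if i % 2 == 0 else ("inet6", "inet")
        for family in order:
            if policers[family].allow(now, size):
                passed += size
    return passed * 8 / seconds

if __name__ == "__main__":
    print("one instance per family:", forwarded_bps(shared=False))
    print("one shared instance:    ", forwarded_bps(shared=True))
```

Over the 20-second window the shared instance forwards slightly more than 10 Mbit/s on average because the bucket starts full, and 1250000 bytes is one second of traffic at 10m.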