[j-nsp] Dual Stack Aggregate Policing via Firewall Filter

Devin Kennedy devinkennedy415 at hotmail.com
Thu Mar 1 09:08:08 EST 2012


Hello:

We are currently testing dual stack CoS on the Juniper platform and we're
not seeing any way to aggregate the policing applied to IPv4 and IPv6.  We
want to allocate a customer a specific amount of bandwidth, say 10m
(including both IPv4 and IPv6 traffic in any proportional amount), and have
the traffic policed to 10m regardless of the amount of IPv4 or IPv6 traffic.

I see there is an option to use a logical-interface-policer at the unit
level:

firewall {
    policer 10M-policing {
        logical-interface-policer;
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 100k;
        }
        then discard;
    }
}

interfaces {
    fe-2/0/3 {
        vlan-tagging;
        unit 200 {
            vlan-id 200;
            policer {
                input 10M-policing;
                output 10M-policing;
            }
        }
    }
}

However, we are policing differently for each CoS queue so we need to call
policers via MF and BA filters.  The problem is that there has to be a
different filter for each family (inet and inet6), so the two are not able
to use an aggregate amount.  So if we apply the same 10m policer to each
family it won't aggregate and instead applies an instance of the policer for
each family (so a total of 20m).

Does anyone know if it's possible to configure an aggregate policer across
two different firewall filters?  Below is an example of what we are
currently doing:

ge-0/0/1 {
    per-unit-scheduler;
    vlan-tagging;
    speed 100m;
    link-mode full-duplex;
    gigether-options {
        no-auto-negotiation;
    }
    unit 2001 {
        vlan-id 2001;
        family inet {
            filter {
                output cos_filter;
            }
            address x.x.x.x/30;
        }
        family inet6 {
            filter {
                output cos_filter-v6;
            }
            address x::x/64;
        }
    }
}

The cos_filter then calls BA and MF filters such as:

[edit]
juniper@SRX210-2-IPV6# show firewall family inet filter cos1_MF
term 1 {
    from {
        protocol [ udp tcp ];
        port 2081;
    }
    then {
        policer cos1_drop_8000K_out_medium;
        count COS1_MF_counter;
        forwarding-class cos1;
        accept;
    }
}

[edit]
juniper@SRX210-2-IPV6# show firewall family inet filter cos1_ba
term 1 {
    from {
        dscp [ 46 40 ];
    }
    then {
        policer cos1_drop_8000K_out_medium;
        count cos1_BA_PLP_Low_counter;
        forwarding-class cos1;
        accept;
    }
}

And here is the common policer called by both the inet and inet6 filters (MF
and BA for each family):

[edit]
juniper@SRX210-2-IPV6# show firewall policer cos1_drop_8000K_out_medium
filter-specific;
if-exceeding {
    bandwidth-limit 8m;
    burst-size-limit 1m;
}
then discard;

We need that 8m to apply to both families together.  Any pointers?

Thanks,

Devin
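
An added example, not part of the original post and not taken from the poster's configuration: the per-family filters above reference a policer declared filter-specific, and a filter-specific policer is instantiated once per filter that references it, which is exactly why two filters (inet and inet6) yield two 8m buckets. The fragment below rewrites the BA filters to reference a policer declared logical-interface-policer instead, the construct Junos uses for aggregate policing on a unit, so that both family filters on ge-0/0/1.2001 point at the same policer object. The names cos1_agg_8000K, cos1_BA, cos1_BA_v6 and the counters are assumed for illustration, and whether the SRX210 really shares a single token bucket across the inet and inet6 filters when the policer is declared this way is an assumption that has to be confirmed on the box rather than a documented result for that platform: offer roughly 6m of IPv4 plus 6m of IPv6 through the unit and check with show policer and show firewall that the combined rate is held to 8m rather than 16m. The MF filters (cos1_MF and an inet6 counterpart) would reference the same policer in the same way.

```junos
firewall {
    policer cos1_agg_8000K {
        /* Assumed example: declared as a logical-interface (aggregate) policer   */
        /* rather than filter-specific, so that every filter on one logical       */
        /* interface that references it is expected to share one instance.        */
        logical-interface-policer;
        if-exceeding {
            bandwidth-limit 8m;
            burst-size-limit 1m;
        }
        then discard;
    }
    family inet {
        filter cos1_BA {
            term 1 {
                from {
                    dscp [ 46 40 ];
                }
                then {
                    policer cos1_agg_8000K;
                    count cos1_BA_v4_counter;
                    forwarding-class cos1;
                    accept;
                }
            }
        }
    }
    family inet6 {
        filter cos1_BA_v6 {
            term 1 {
                from {
                    /* inet6 filters match the IPv6 traffic class rather than dscp */
                    traffic-class [ 46 40 ];
                }
                then {
                    /* same policer name as the inet filter, on the same unit */
                    policer cos1_agg_8000K;
                    count cos1_BA_v6_counter;
                    forwarding-class cos1;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 2001 {
            family inet {
                filter {
                    output cos1_BA;
                }
            }
            family inet6 {
                filter {
                    output cos1_BA_v6;
                }
            }
        }
    }
}
```

The check that matters is the operational one: after committing, show policer should list the cos1_agg_8000K instance(s) for ge-0/0/1.2001; if a separate instance still appears per filter, the platform is not aggregating across families via filters and the only remaining unit-level aggregate on this page is the interface-level policer { input; output; } shown at the top of the post, which cannot be split per forwarding class.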
