[j-nsp] Dual Stack Aggregate Policing via Firewall Filter
Krasimir Avramski
krasi at smartcom.bg
Thu Mar 1 11:15:50 EST 2012
Hi,
It is possible to reference logical-interface-policer in interface-specific
filters for inet and inet6 families.
Krasi
On 1 Mar 2012 16:11, "Devin Kennedy" <devinkennedy415 at hotmail.com> wrote:
> Hello:
>
> We are currently testing dual stack CoS on the Juniper platform and we're
> not seeing any way to aggregate the policing applied to IPv4 and IPv6. We
> want to allocate a customer a specific amount of bandwidth, say 10m
> (including both IPv4 and IPv6 traffic in any proportional amount), and have
> the traffic policed to 10m regardless of the amount of IPv4 or IPv6
> traffic.
>
> I see there is an option to use a logical-interface-policer at the unit
> level:
>
> firewall {
>     policer 10M-policing {
>         logical-interface-policer;
>         if-exceeding {
>             bandwidth-limit 10m;
>             burst-size-limit 100k;
>         }
>         then discard;
>     }
> }
>
> interfaces {
>     fe-2/0/3 {
>         vlan-tagging;
>         unit 200 {
>             vlan-id 200;
>             policer {
>                 input 10M-policing;
>                 output 10M-policing;
>             }
>         }
>     }
> }
>
> However, we are policing differently for each CoS queue so we need to call
> policers via MF and BA filters. The problem is that there has to be a
> different filter for each family (inet and inet6), so the two are not able
> to use an aggregate amount. So if we apply the same 10m policer to each
> family it won't aggregate and instead applies an instance of the policer
> for each family (so a total of 20m).
>
> Does anyone know if it's possible to configure an aggregate policer across
> two different firewall filters? Below is an example of what we are
> currently doing:
>
> ge-0/0/1 {
>     per-unit-scheduler;
>     vlan-tagging;
>     speed 100m;
>     link-mode full-duplex;
>     gigether-options {
>         no-auto-negotiation;
>     }
>     unit 2001 {
>         vlan-id 2001;
>         family inet {
>             filter {
>                 output cos_filter;
>             }
>             address x.x.x.x/30;
>         }
>         family inet6 {
>             filter {
>                 output cos_filter-v6;
>             }
>             address x::x/64;
>         }
>     }
> }
>
> The cos_filter then calls BA and MF filters such as:
>
> [edit]
> juniper@SRX210-2-IPV6# show firewall family inet filter cos1_MF
> term 1 {
>     from {
>         protocol [ udp tcp ];
>         port 2081;
>     }
>     then {
>         policer cos1_drop_8000K_out_medium;
>         count COS1_MF_counter;
>         forwarding-class cos1;
>         accept;
>     }
> }
>
> [edit]
> juniper@SRX210-2-IPV6# show firewall family inet filter cos1_ba
> term 1 {
>     from {
>         dscp [ 46 40 ];
>     }
>     then {
>         policer cos1_drop_8000K_out_medium;
>         count cos1_BA_PLP_Low_counter;
>         forwarding-class cos1;
>         accept;
>     }
> }
>
> And here is the common policer called by both the inet and inet6 filters
> (MF and BA for each family):
>
> [edit]
> juniper@SRX210-2-IPV6# show firewall policer cos1_drop_8000K_out_medium
> filter-specific;
> if-exceeding {
>     bandwidth-limit 8m;
>     burst-size-limit 1m;
> }
> then discard;
>
> We need that 8m to apply to both families together. Any pointers?
>
> Thanks,
>
> Devin
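An added example of the approach Krasi's reply describes, not configuration from either poster: the policer is declared `logical-interface-policer`, and the inet and inet6 filters are both marked `interface-specific` and reference the same policer, so each logical interface gets one policer instance that both families draw from instead of one per filter (which is what the `filter-specific` policer in Devin's config gives). Policer, filter and term names are constructed; the 8m/1m limits, DSCP values and interface are taken from Devin's mail; `traffic-class` is the inet6 equivalent of the inet `dscp` match. After committing, `show interfaces policers ge-0/0/1.2001` and `show policer` are the places to confirm that a single policer instance is counting for both families on the platform in use.

```junos
firewall {
    policer cos1_agg_8m {
        logical-interface-policer;   /* one instance per logical interface, shared by both families */
        if-exceeding {
            bandwidth-limit 8m;
            burst-size-limit 1m;
        }
        then discard;
    }
    family inet {
        filter cos1_v4 {
            interface-specific;      /* instantiate the filter (and its policer) per logical interface */
            term cos1 {
                from { dscp [ 46 40 ]; }
                then { policer cos1_agg_8m; forwarding-class cos1; accept; }
            }
            term other { then accept; }   /* a filter with no catch-all term discards everything else */
        }
    }
    family inet6 {
        filter cos1_v6 {
            interface-specific;
            term cos1 {
                from { traffic-class [ 46 40 ]; }   /* inet6 equivalent of the inet dscp match */
                then { policer cos1_agg_8m; forwarding-class cos1; accept; }   /* same policer as inet */
            }
            term other { then accept; }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 2001 {
            family inet { filter { output cos1_v4; } }
            family inet6 { filter { output cos1_v6; } }
        }
    }
}
```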