[j-nsp] Dual Stack Aggregate Policing via Firewall Filter

Devin Kennedy devinkennedy415 at hotmail.com
Fri Mar 2 11:17:51 EST 2012


Thanks for your response Krasi.  Unfortunately it appears it's not supported
on the SRX/J series in that way.  It won't commit stating that it's the
wrong platform for using the logical-interface-policer statement in that
manner.

From: Krasimir Avramski [mailto:krasi at smartcom.bg] 
Sent: Thursday, March 01, 2012 11:16 AM
To: Devin Kennedy
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Dual Stack Aggregate Policing via Firewall Filter

Hi,
It is possible to reference logical-interface-policer in interface-specific
filters for inet and inet6 families.

Krasi

On 1 Mar 2012 16:11, "Devin Kennedy" <devinkennedy415 at hotmail.com> wrote:

Hello:

We are currently testing dual stack CoS on the Juniper platform and we're
not seeing any way to aggregate the policing applied to IPv4 and IPv6.  We
want to allocate a customer a specific amount of bandwidth, say 10m
(including both IPv4 and IPv6 traffic in any proportional amount), and have
the traffic policed to 10m regardless of the amount of IPv4 or IPv6 traffic.

I see there is an option to use a logical-interface-policer at the unit
level:

firewall policer 10M-policing {
    logical-interface-policer;
    if-exceeding {
        bandwidth-limit 10m;
        burst-size-limit 100k;
    }
    then discard;
}

interfaces {
    fe-2/0/3 {
        vlan-tagging;
        unit 200 {
            vlan-id 200;
            policer {
                input 10M-policing;
                output 10M-policing;
            }
        }
    }
}

However, we are policing differently for each CoS queue so we need to call
policers via MF and BA filters.  The problem is that there has to be a
different filter for each family (inet and inet6), so the two are not able
to use an aggregate amount.  So if we apply the same 10m policer to each
family it won't aggregate and instead applies an instance of the policer for
each family (so a total of 20m).

Does anyone know if it's possible to configure an aggregate policer across
two different firewall filters?  Below is an example of what we are
currently doing:

ge-0/0/1 {
    per-unit-scheduler;
    vlan-tagging;
    speed 100m;
    link-mode full-duplex;
    gigether-options {
        no-auto-negotiation;
    }
    unit 2001 {
        vlan-id 2001;
        family inet {
            filter {
                output cos_filter;
            }
            address x.x.x.x/30;
        }
        family inet6 {
            filter {
                output cos_filter-v6;
            }
            address x::x/64;
        }
    }
}

The cos_filter then calls BA and MF filters such as:

[edit]
juniper at SRX210-2-IPV6# show firewall family inet filter cos1_MF
term 1 {
    from {
        protocol [ udp tcp ];
        port 2081;
    }
    then {
        policer cos1_drop_8000K_out_medium;
        count COS1_MF_counter;
        forwarding-class cos1;
        accept;
    }
}

[edit]
juniper at SRX210-2-IPV6# show firewall family inet filter cos1_ba
term 1 {
    from {
        dscp [ 46 40 ];
    }
    then {
        policer cos1_drop_8000K_out_medium;
        count cos1_BA_PLP_Low_counter;
        forwarding-class cos1;
        accept;
    }
}

And here is the common policer called by both the inet and inet6 filters (MF
and BA for each family):

[edit]
juniper at SRX210-2-IPV6# show firewall policer cos1_drop_8000K_out_medium
filter-specific;
if-exceeding {
    bandwidth-limit 8m;
    burst-size-limit 1m;
}
then discard;

We need that 8m to apply to both families together.  Any pointers?

Thanks,

Devin
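
Krasi's suggestion written out as a complete configuration, added here as an example and not taken from the thread: one logical-interface-policer is referenced from an interface-specific filter under each family on the unit, so the inet and inet6 traffic of that customer share a single 10m token bucket instead of getting one bucket per family. Policer, filter and term names are assumed; as Devin reports above, the SRX/J-series refuses to commit this, so it only applies to platforms that accept logical interface policers inside filters.

```junos
firewall {
    /* one aggregate (logical interface) policer shared by both families */
    policer 10M-aggregate {
        logical-interface-policer;
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 100k;
        }
        then discard;
    }
    family inet {
        filter cos_filter-agg {
            interface-specific;
            term all {
                then {
                    policer 10M-aggregate;
                    accept;
                }
            }
        }
    }
    family inet6 {
        filter cos_filter-agg-v6 {
            interface-specific;
            term all {
                then {
                    policer 10M-aggregate;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 2001 {
            family inet {
                filter {
                    output cos_filter-agg;
                }
            }
            family inet6 {
                filter {
                    output cos_filter-agg-v6;
                }
            }
        }
    }
}
```

After commit, `show firewall` lists a single policer instance suffixed with the unit name rather than one per filter, which is the quickest check that the two families are really sharing the bucket.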

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp