[j-nsp] Dual Stack Aggregate Policing via Firewall Filter

Stefan Fouant sfouant at shortestpathfirst.net
Fri Mar 2 12:54:58 EST 2012


Hi Devin,

Have you tried using a Physical Interface Policer? A Physical Interface
Policer will allow you to apply your policers across different terms across
different firewall filters, that are applied to different protocol families
on a single physical interface, and then it will merge all the filters which
call that policer on the same physical interface. The cool thing is you can
use this across different logical interfaces that might even be in different
routing instances!

Try something along the following lines:

[edit firewall]
policer cos1_drop_8000K_out_medium {
    physical-interface-policer;  <---- This is required
    if-exceeding {
        bandwidth-limit 8m;
        burst-size-limit 1m;
    }
    then discard;
}
family inet {
    filter filter-ipv4 {
        physical-interface-filter;  <---- This is required
        term 1 {
            from {
                protocol tcp;
                port 80;
            }
            then {
                policer cos1_drop_8000K_out_medium;
                accept;
            }
        }
    }
}
family inet6 {
    filter filter-ipv6 {
        physical-interface-filter;  <---- This is required
        term 1 {
            from {
                next-header tcp;
                port 80;
            }
            then {
                policer cos1_drop_8000K_out_medium;
                accept;
            }
        }
    }
}

HTHs.

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
Technical Trainer, Juniper Networks
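The check a practitioner would want before trusting either variant on a box is whether a policer that both the inet and the inet6 filter call is really one token bucket. The following Python is an added example, not code from this thread or from Juniper: it parses the curly-brace text that `show configuration firewall` prints and reports a policer that is shared across families but lacks `physical-interface-policer` (by default a policer is instantiated per term; `filter-specific` makes it per filter; neither aggregates across filters), and a `physical-interface-policer` called from a filter that is missing the `physical-interface-filter` statement. The filter names, the template configs and the sample flags are constructed for the example.

```python
# Added example (not code from the thread or from Juniper): audit the
# curly-brace text that "show configuration firewall" prints for the failure
# mode in the original post. A policer called from an inet filter and an
# inet6 filter without "physical-interface-policer" is one token bucket per
# term (per filter with "filter-specific"), never one bucket shared by both.

def parse_junos(text):
    """Nested dicts: 'key {' opens a child dict, 'stmt;' becomes key -> None."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "/*")):  # skip annotations
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            stack[-1][line.rstrip(";")] = None
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root

def policers_in_filter(filter_body):
    """Policer names called from any term's 'then { policer X; ... }' block."""
    names = set()
    for tkey, term in filter_body.items():
        if tkey.startswith("term ") and term and isinstance(term.get("then"), dict):
            names.update(s.split(None, 1)[1] for s in term["then"]
                         if s.startswith("policer "))
    return names

def audit_aggregate_policing(config_text):
    """Return findings; an empty list means shared policers aggregate across families."""
    cfg = parse_junos(config_text)
    fw = cfg.get("firewall", cfg)  # whole config or just the [edit firewall] body
    policers = {k.split(None, 1)[1]: v for k, v in fw.items() if k.startswith("policer ")}
    users, phys_filter = {}, {}  # policer -> {(family, filter)}; (family, filter) -> bool
    for fkey, fam in fw.items():
        if fkey.startswith("family ") and fam:
            for key, body in fam.items():
                if key.startswith("filter ") and body:
                    loc = (fkey.split()[1], key.split()[1])
                    phys_filter[loc] = "physical-interface-filter" in body
                    for pol in policers_in_filter(body):
                        users.setdefault(pol, set()).add(loc)
    findings = []
    for pol, where in sorted(users.items()):
        body = policers.get(pol) or {}
        if "physical-interface-policer" in body:
            # the aggregate only forms when every calling filter is marked as well
            for fam, fname in sorted(where):
                if not phys_filter[(fam, fname)]:
                    findings.append(f"filter {fname} (family {fam}) calls {pol} "
                                    "without physical-interface-filter")
        elif len(where) > 1:
            scope = "filter" if "filter-specific" in body else "term"
            findings.append(f"policer {pol} is called from {len(where)} filters "
                            f"({', '.join(sorted(f for f, _ in where))}) but is one bucket "
                            f"per {scope}: not aggregated across families")
    return findings

# Constructed sample configs in the shape of the thread (hypothetical names).
POLICER_TMPL = """\
policer cos1_drop_8000K_out_medium {{
    {policer_flag}
    if-exceeding {{
        bandwidth-limit 8m;
        burst-size-limit 1m;
    }}
    then discard;
}}
"""
FILTER_TMPL = """\
family {family} {{
    filter cos1_MF{suffix} {{
        {filter_flag}
        term 1 {{
            then {{
                policer cos1_drop_8000K_out_medium;
                accept;
            }}
        }}
    }}
}}
"""

def sample_config(policer_flag, filter_flag=""):
    """One shared policer called from an inet filter and an inet6 filter."""
    return POLICER_TMPL.format(policer_flag=policer_flag) + "".join(
        FILTER_TMPL.format(family=fam, suffix=sfx, filter_flag=filter_flag)
        for fam, sfx in (("inet", ""), ("inet6", "-v6")))

PER_FAMILY_CFG = sample_config("filter-specific;")  # original post: two 8m buckets
AGGREGATE_CFG = sample_config("physical-interface-policer;", "physical-interface-filter;")
```

Run `audit_aggregate_policing()` over the text of `show configuration firewall` captured from the device; `PER_FAMILY_CFG` reproduces the original post's shape and yields one finding, `AGGREGATE_CFG` reproduces the reply's shape and yields none, and a half-applied fix (policer flagged, filters not) is reported per filter.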

> -----Original Message-----
> From: Devin Kennedy [mailto:devinkennedy415 at hotmail.com]
> Sent: Thursday, March 01, 2012 9:08 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Dual Stack Aggregate Policing via Firewall Filter
> 
> Hello:
> 
> We are currently testing dual stack CoS on the Juniper platform and
> we're not seeing any way to aggregate the policing applied to IPv4 and
> IPv6.  We want to allocate a customer a specific amount of bandwidth,
> say 10m (including both IPv4 and IPv6 traffic in any proportional
> amount), and have the traffic policed to 10m regardless of the amount
> of IPv4 or IPv6 traffic.
> 
> I see there is an option to use a logical-interface-policer at the unit
> level:
> 
> firewall {
>     policer 10M-policing {
>         logical-interface-policer;
>         if-exceeding {
>             bandwidth-limit 10m;
>             burst-size-limit 100k;
>         }
>         then discard;
>     }
> }
> 
> interfaces {
>     fe-2/0/3 {
>         vlan-tagging;
>         unit 200 {
>             vlan-id 200;
>             policer {
>                 input 10M-policing;
>                 output 10M-policing;
>             }
>         }
>     }
> }
> 
> However, we are policing differently for each CoS queue so we need to
> call policers via MF and BA filters.  The problem is that there has to
> be a different filter for each family (inet and inet6), so the two are
> not able to use an aggregate amount.  So if we apply the same 10m
> policer to each family it won't aggregate and instead applies an
> instance of the policer for each family (so a total of 20m).
> 
> Does anyone know if it's possible to configure an aggregate policer
> across two different firewall filters?  Below is an example of what we
> are currently doing:
> 
> ge-0/0/1 {
>     per-unit-scheduler;
>     vlan-tagging;
>     speed 100m;
>     link-mode full-duplex;
>     gigether-options {
>         no-auto-negotiation;
>     }
>     unit 2001 {
>         vlan-id 2001;
>         family inet {
>             filter {
>                 output cos_filter;
>             }
>             address x.x.x.x/30;
>         }
>         family inet6 {
>             filter {
>                 output cos_filter-v6;
>             }
>             address x::x/64;
>         }
>     }
> }
> 
> The cos_filter then calls BA and MF filters such as:
> 
> [edit]
> juniper@SRX210-2-IPV6# show firewall family inet filter cos1_MF
> term 1 {
>     from {
>         protocol [ udp tcp ];
>         port 2081;
>     }
>     then {
>         policer cos1_drop_8000K_out_medium;
>         count COS1_MF_counter;
>         forwarding-class cos1;
>         accept;
>     }
> }
> 
> [edit]
> juniper@SRX210-2-IPV6# show firewall family inet filter cos1_ba
> term 1 {
>     from {
>         dscp [ 46 40 ];
>     }
>     then {
>         policer cos1_drop_8000K_out_medium;
>         count cos1_BA_PLP_Low_counter;
>         forwarding-class cos1;
>         accept;
>     }
> }
> 
> And here is the common policer called by both the inet and inet6
> filters (MF and BA for each family):
> 
> [edit]
> juniper@SRX210-2-IPV6# show firewall policer cos1_drop_8000K_out_medium
> filter-specific;
> if-exceeding {
>     bandwidth-limit 8m;
>     burst-size-limit 1m;
> }
> then discard;
> 
> We need that 8m to apply to both families together.  Any pointers?
> 
> Thanks,
> 
> Devin
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp


