[j-nsp] Dual Stack Aggregate Policing via Firewall Filter

Krasimir Avramski krasi at smartcom.bg
Fri Mar 2 13:20:34 EST 2012


Hi,
For sure it is working on MXs and I suppose all M; I have not enough
experience regarding SRX/J.

Krasi
On 2 Mar 2012 18:17, "Devin Kennedy" <devinkennedy415 at hotmail.com> wrote:

> Thanks for your response Krasi.  Unfortunately it appears it’s not
> supported on the SRX/J series in that way.  It won’t commit stating that
> it’s the wrong platform for using the logical-interface-policer statement
> in that manner.
>
>
> From: Krasimir Avramski [mailto:krasi at smartcom.bg]
> Sent: Thursday, March 01, 2012 11:16 AM
> To: Devin Kennedy
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Dual Stack Aggregate Policing via Firewall Filter
>
> Hi,
> It is possible to reference logical-interface-policer in
> interface-specific filters for inet and inet6 families.
>
> Krasi
>
> On 1 Mar 2012 16:11, "Devin Kennedy" <devinkennedy415 at hotmail.com> wrote:
>
> Hello:
>
> We are currently testing dual stack CoS on the Juniper platform and we're
> not seeing any way to aggregate the policing applied to IPv4 and IPv6.  We
> want to allocate a customer a specific amount of bandwidth, say 10m
> (including both IPv4 and IPv6 traffic in any proportional amount), and have
> the traffic policed to 10m regardless of the amount of IPv4 or IPv6
> traffic.
>
> I see there is an option to use a logical-interface-policer at the unit
> level:
>
> firewall policer 10M-policing {
>     logical-interface-policer;
>     if-exceeding {
>         bandwidth-limit 10m;
>         burst-size-limit 100k;
>     }
>     then discard;
> }
>
> interfaces {
>     fe-2/0/3 {
>         vlan-tagging;
>         unit 200 {
>             vlan-id 200;
>             policer {
>                 input 10M-policing;
>                 output 10M-policing;
>             }
>         }
>     }
> }
>
> However, we are policing differently for each CoS queue so we need to call
> policers via MF and BA filters.  The problem is that there has to be a
> different filter for each family (inet and inet6), so the two are not able
> to use an aggregate amount.  So if we apply the same 10m policer to each
> family it won't aggregate and instead applies an instance of the policer
> for each family (so a total of 20m).
>
> Does anyone know if it's possible to configure an aggregate policer across
> two different firewall filters?  Below is an example of what we are
> currently doing:
>
> ge-0/0/1 {
>     per-unit-scheduler;
>     vlan-tagging;
>     speed 100m;
>     link-mode full-duplex;
>     gigether-options {
>         no-auto-negotiation;
>     }
>     unit 2001 {
>         vlan-id 2001;
>         family inet {
>             filter {
>                 output cos_filter;
>             }
>             address x.x.x.x/30;
>         }
>         family inet6 {
>             filter {
>                 output cos_filter-v6;
>             }
>             address x::x/64;
>         }
>     }
> }
>
> The cos_filter then calls BA and MF filters such as:
>
> [edit]
> juniper@SRX210-2-IPV6# show firewall family inet filter cos1_MF
> term 1 {
>     from {
>         protocol [ udp tcp ];
>         port 2081;
>     }
>     then {
>         policer cos1_drop_8000K_out_medium;
>         count COS1_MF_counter;
>         forwarding-class cos1;
>         accept;
>     }
> }
>
> [edit]
> juniper@SRX210-2-IPV6# show firewall family inet filter cos1_ba
> term 1 {
>     from {
>         dscp [ 46 40 ];
>     }
>     then {
>         policer cos1_drop_8000K_out_medium;
>         count cos1_BA_PLP_Low_counter;
>         forwarding-class cos1;
>         accept;
>     }
> }
>
> And here is the common policer called by both the inet and inet6 filters
> (MF and BA for each family):
>
> [edit]
> juniper@SRX210-2-IPV6# show firewall policer cos1_drop_8000K_out_medium
> filter-specific;
> if-exceeding {
>     bandwidth-limit 8m;
>     burst-size-limit 1m;
> }
> then discard;
>
> We need that 8m to apply to both families together.  Any pointers?
>
> Thanks,
>
> Devin
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

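As an added illustration of Krasi's suggestion (not configuration from any post in the thread), the set-style snippet below references one logical-interface-policer from interface-specific filters under both families on the same unit, so IPv4 and IPv6 cos1 traffic draw on a single 8m bucket instead of one per family. Policer, filter and counter names are hypothetical; forwarding-class cos1 is assumed to exist under class-of-service as in Devin's setup, and per Devin's follow-up the SRX/J series rejects this at commit, so it is for MX (and, per Krasi, likely M) only.

```junos
# Hypothetical names: cos1_agg_8m, cos1_v4, cos1_v6 and the counters.
# One policer instance is created per logical interface, not per family.
set firewall policer cos1_agg_8m logical-interface-policer
set firewall policer cos1_agg_8m if-exceeding bandwidth-limit 8m
set firewall policer cos1_agg_8m if-exceeding burst-size-limit 1m
set firewall policer cos1_agg_8m then discard

# IPv4: BA match on DSCP, same policer, same forwarding class.
set firewall family inet filter cos1_v4 interface-specific
set firewall family inet filter cos1_v4 term cos1 from dscp [ 46 40 ]
set firewall family inet filter cos1_v4 term cos1 then policer cos1_agg_8m
set firewall family inet filter cos1_v4 term cos1 then count cos1_v4_counter
set firewall family inet filter cos1_v4 term cos1 then forwarding-class cos1
set firewall family inet filter cos1_v4 term cos1 then accept
set firewall family inet filter cos1_v4 term rest then accept

# IPv6: traffic-class is the inet6 equivalent of the dscp match.
set firewall family inet6 filter cos1_v6 interface-specific
set firewall family inet6 filter cos1_v6 term cos1 from traffic-class [ 46 40 ]
set firewall family inet6 filter cos1_v6 term cos1 then policer cos1_agg_8m
set firewall family inet6 filter cos1_v6 term cos1 then count cos1_v6_counter
set firewall family inet6 filter cos1_v6 term cos1 then forwarding-class cos1
set firewall family inet6 filter cos1_v6 term cos1 then accept
set firewall family inet6 filter cos1_v6 term rest then accept

# Both families on the same unit, so the policer is shared between them.
set interfaces ge-0/0/1 unit 2001 family inet filter output cos1_v4
set interfaces ge-0/0/1 unit 2001 family inet6 filter output cos1_v6
```

After commit, "show policer" should list a single per-unit instance of cos1_agg_8m rather than one per family, and "show firewall filter cos1_v4-ge-0/0/1.2001-o" (the interface-specific instance name) shows the per-family counters.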