[j-nsp] Dual Stack Aggregate Policing via Firewall Filter
Devin Kennedy
devinkennedy415 at hotmail.com
Mon Mar 5 16:49:11 EST 2012
Hi Stefan:
Thanks again for your input. It looks like it won't take this command
either on the SRX... See below when configuring the
physical-interface-policer:
juniper at SRX210-1-ipv6# edit firewall policer cos1_drop_800000_out_small
[edit firewall policer cos1_drop_800000_out_small]
juniper at SRX210-1-ipv6# show
filter-specific;
##
## Warning: statement ignored: unsupported platform (srx210he)
##
physical-interface-policer; <<<<<<<<<<<<<<<<<<<<
if-exceeding {
bandwidth-limit 800k;
burst-size-limit 100k;
}
then discard;
We are running Junos 10.4R9.5 as well.
Thanks,
Devin
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Devin Kennedy
Sent: Friday, March 02, 2012 1:17 PM
To: 'Stefan Fouant'; juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Dual Stack Aggregate Policing via Firewall Filter
Thanks Stefan! I'll try that out and see if that will work for us.
-----Original Message-----
From: Stefan Fouant [mailto:sfouant at shortestpathfirst.net]
Sent: Friday, March 02, 2012 12:55 PM
To: 'Devin Kennedy'; juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] Dual Stack Aggregate Policing via Firewall Filter
Hi Devin,
Have you tried using a Physical Interface Policer? A Physical Interface
Policer will allow you to apply your policers across different terms across
different firewall filters, that are applied to different protocol families
on a single physical interface, and then it will merge all the filters which
call that policer on the same physical interface. The cool thing is you can
use this across different logical interfaces that might even be in different
routing instances!
Try something along the following:
[edit firewall]
policer cos1_drop_8000K_out_medium {
physical-interface-policer; <---- This is required
if-exceeding {
bandwidth-limit 8m;
burst-size-limit 1m;
}
then discard;
}
family inet {
filter filter-ipv4 {
physical-interface-filter; <---- This is required
term 1 {
from {
protocol tcp;
port 80;
}
then {
policer cos1_drop_8000K_out_medium;
accept;
}
}
}
}
family inet6 {
filter filter-ipv6 {
physical-interface-filter; <---- This is required
term 1 {
from {
protocol tcp;
port 80;
}
then {
policer cos1_drop_8000K_out_medium;
accept;
}
}
}
}
HTHs.
Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
Technical Trainer, Juniper Networks
> -----Original Message-----
> From: Devin Kennedy [mailto:devinkennedy415 at hotmail.com]
> Sent: Thursday, March 01, 2012 9:08 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Dual Stack Aggregate Policing via Firewall Filter
>
> Hello:
>
>
>
> We are currently testing dual stack CoS on the Juniper platform and
> we're not seeing any way to aggregate the policing applied to IPv4 and
> IPv6. We want to allocate a customer a specific amount of bandwidth,
> say 10m (including both IPv4 and IPv6 traffic in any proportional
> amount), and have the traffic policed to 10m regardless of the amount
> of IPv4 or IPv6 traffic.
>
>
>
>
> I see there is an option to use a logical-interface-policer at the
> unit
> level:
>
>
>
> firewall policer 10M-policing
>
> {
>
> logical-interface-policer;
>
> if-exceeding {
>
> bandwidth-limit 10m;
>
> burst-size-limit 100k;
>
> }
>
> then discard;
>
> }
>
>
>
>
>
> interfaces {
>
> fe-2/0/3 {
>
> vlan-tagging;
>
> unit 200 {
>
> vlan-id 200;
>
> policer {
>
> input 10M-policing;
>
> output 10M-policing;
>
> }
>
>
>
> However, we are policing differently for each CoS queue so we need to
> call policers via MF and BA filters. The problem is that there has to
> be a different filter for each family (inet and inet6), so the two are
> not able to use an aggregate amount. So if we apply the same 10m
> policer to each family it won't aggregate and instead applies an
> instance of the policer for each family (so a total of 20m).
>
>
>
> Does anyone know if it's possible to configure an aggregate policer
> across two different firewall filters? Below is an example of what we
> are currently doing:
>
>
>
> ge-0/0/1 {
>
> per-unit-scheduler;
>
> vlan-tagging;
>
> speed 100m;
>
> link-mode full-duplex;
>
> gigether-options {
>
> no-auto-negotiation;
>
> }
>
> unit 2001 {
>
> vlan-id 2001;
>
> family inet {
>
> filter {
>
> output cos_filter;
>
> }
>
> address x.x.x.x/30;
>
> }
>
> family inet6 {
>
> filter {
>
> output cos_filter-v6;
>
> }
>
> address x::x/64;
>
> }
>
> }
>
> }
>
>
>
> The cos_filter then calls BA and MF filters such as:
>
>
>
> [edit]
>
> juniper at SRX210-2-IPV6# show firewall family inet filter cos1_MF
>
> term 1 {
>
> from {
>
> protocol [ udp tcp ];
>
> port 2081;
>
> }
>
> then {
>
> policer cos1_drop_8000K_out_medium;
>
> count COS1_MF_counter;
>
> forwarding-class cos1;
>
> accept;
>
> }
>
> }
>
>
>
> [edit]
>
> juniper at SRX210-2-IPV6# show firewall family inet filter cos1_ba
>
> term 1 {
>
> from {
>
> dscp [ 46 40 ];
>
> }
>
> then {
>
> policer cos1_drop_8000K_out_medium;
>
> count cos1_BA_PLP_Low_counter;
>
> forwarding-class cos1;
>
> accept;
>
> }
>
> }
>
>
>
> And here is the common policer called by both the inet and inet6
> filters (MF and BA for each family):
>
>
>
> [edit]
>
> juniper at SRX210-2-IPV6# show firewall policer
> cos1_drop_8000K_out_medium
>
> filter-specific;
>
> if-exceeding {
>
> bandwidth-limit 8m;
>
> burst-size-limit 1m;
>
> }
>
> then discard;
>
>
>
>
>
> We need that 8m to apply to both families together. Any pointers?
>
>
>
>
>
>
>
> Thanks,
>
>
>
> Devin
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list