[j-nsp] Using IPv4/IPv6 combined filter/policy with layer4 filtering

"Rolf Hanßen" nsp at rhanssen.de
Wed May 3 09:13:05 EDT 2017


Hello,

I am wondering how to combine IPv4 and IPv6 traffic in a single policer
together with protocol-specific filtering.

Let's say I want to limit ntp traffic to 200MBit and the total logical
interface bandwidth to 1GBit.

As far as I see I cannot use a single filter for IPv4 and IPv6 because I
filter for the protocol/next-header, so I need to create it twice:
set firewall family inet filter filter-customer-ddos-ipv4 interface-specific
set firewall family inet filter filter-customer-ddos-ipv4 term ntp from protocol udp
set firewall family inet filter filter-customer-ddos-ipv4 term ntp from port ntp
set firewall family inet filter filter-customer-ddos-ipv4 term ntp then policer limit-200mbit
set firewall family inet filter filter-customer-ddos-ipv4 term ntp then accept

set firewall family inet6 filter filter-customer-ddos-ipv6 interface-specific
set firewall family inet6 filter filter-customer-ddos-ipv6 term ntp from next-header udp
set firewall family inet6 filter filter-customer-ddos-ipv6 term ntp from port ntp
set firewall family inet6 filter filter-customer-ddos-ipv6 term ntp then policer limit-200mbit
set firewall family inet6 filter filter-customer-ddos-ipv6 term ntp then accept

I wanted to limit at least the total bandwidth with a single filter:
set firewall family any filter filter-customer-1g interface-specific
set firewall family any filter filter-customer-1g term rest then policer limit-1gbit
set firewall family any filter filter-customer-1g term rest then accept

I can apply+commit that:
set interface ae0.123 family inet filter output filter-customer-ddos-ipv4
set interface ae0.123 family inet6 filter output filter-customer-ddos-ipv6
set interface ae0.123 filter output filter-customer-1g

But as long as the filter for family inet/inet6 is set, the logical
interface filter is ignored for that family.
If I remove the family filter, the logical interface filter is used.

How do I combine that on a Juniper MX?

Is there maybe even a possibility to only use one single filter for both
families?
Sounds stupid to me that I need to create everything twice.

kind regards
Rolf
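Added example (not part of Rolf's post and not Juniper's code): a small Python lint that reads Junos "set" lines like the ones above and reports exactly the situation the post describes, a unit-level filter that is ignored for a family because that family has its own filter bound in the same direction. It also flags a filter bound under a family it was not defined for. The sample config is the post's own commands, embedded as a constructed string; the script assumes the abbreviated "set interface ae0.123 ..." form from the post as well as the long "set interfaces ae0 unit 123 ..." form, and nothing else about the device.

```python
import re

# Constructed sample input: the set commands from the post, one per line.
SAMPLE_CONFIG = """\
set firewall family inet filter filter-customer-ddos-ipv4 interface-specific
set firewall family inet filter filter-customer-ddos-ipv4 term ntp from protocol udp
set firewall family inet filter filter-customer-ddos-ipv4 term ntp from port ntp
set firewall family inet filter filter-customer-ddos-ipv4 term ntp then policer limit-200mbit
set firewall family inet filter filter-customer-ddos-ipv4 term ntp then accept
set firewall family inet6 filter filter-customer-ddos-ipv6 interface-specific
set firewall family inet6 filter filter-customer-ddos-ipv6 term ntp from next-header udp
set firewall family inet6 filter filter-customer-ddos-ipv6 term ntp from port ntp
set firewall family inet6 filter filter-customer-ddos-ipv6 term ntp then policer limit-200mbit
set firewall family inet6 filter filter-customer-ddos-ipv6 term ntp then accept
set firewall family any filter filter-customer-1g interface-specific
set firewall family any filter filter-customer-1g term rest then policer limit-1gbit
set firewall family any filter filter-customer-1g term rest then accept
set interface ae0.123 family inet filter output filter-customer-ddos-ipv4
set interface ae0.123 family inet6 filter output filter-customer-ddos-ipv6
set interface ae0.123 filter output filter-customer-1g
"""

# Both "interface" (as written in the post) and "interfaces" are accepted.
UNIT_RE = re.compile(r"^set interfaces? (\S+) unit (\d+) (.*)$")
FAMILY_BIND_RE = re.compile(r"^set interfaces? (\S+) family (\S+) filter (input|output) (\S+)$")
UNIT_BIND_RE = re.compile(r"^set interfaces? (\S+) filter (input|output) (\S+)$")
FILTER_DEF_RE = re.compile(r"^set firewall family (\S+) filter (\S+)")


def _normalise(line):
    """Rewrite 'set interfaces ae0 unit 123 ...' as 'set interfaces ae0.123 ...'."""
    m = UNIT_RE.match(line)
    return f"set interfaces {m.group(1)}.{m.group(2)} {m.group(3)}" if m else line


def parse_bindings(config):
    """Return (family_bindings, unit_bindings, filter_family).

    family_bindings: {(ifl, direction): {family: filter}}  filters under 'family inet/inet6'
    unit_bindings:   {(ifl, direction): filter}            filters directly under the unit
    filter_family:   {filter: family}                      family each filter is defined for
    """
    family_bindings, unit_bindings, filter_family = {}, {}, {}
    for raw in config.splitlines():
        line = _normalise(raw.strip())
        if not line:
            continue
        if m := FILTER_DEF_RE.match(line):
            filter_family[m.group(2)] = m.group(1)
        elif m := FAMILY_BIND_RE.match(line):
            ifl, family, direction, name = m.groups()
            family_bindings.setdefault((ifl, direction), {})[family] = name
        elif m := UNIT_BIND_RE.match(line):
            ifl, direction, name = m.groups()
            unit_bindings[(ifl, direction)] = name
    return family_bindings, unit_bindings, filter_family


def shadowed_unit_filters(config):
    """List (ifl, direction, family, unit_filter, family_filter) for each family whose
    own filter masks the unit-level filter in the same direction: the behaviour the
    post describes, where the unit filter is ignored for that family."""
    family_bindings, unit_bindings, _ = parse_bindings(config)
    findings = []
    for key, unit_filter in unit_bindings.items():
        for family, family_filter in family_bindings.get(key, {}).items():
            findings.append((key[0], key[1], family, unit_filter, family_filter))
    return sorted(findings)


def family_mismatches(config):
    """List (ifl, family, filter, defined_family) where a filter is bound under a
    family other than the one it is defined for, which is a configuration error."""
    family_bindings, _, filter_family = parse_bindings(config)
    return sorted(
        (ifl, family, name, filter_family[name])
        for (ifl, _direction), fams in family_bindings.items()
        for family, name in fams.items()
        if name in filter_family and filter_family[name] != family
    )


if __name__ == "__main__":
    for ifl, direction, family, unit_filter, family_filter in shadowed_unit_filters(SAMPLE_CONFIG):
        print(f"{ifl} {direction}: unit filter {unit_filter} is not applied to {family} "
              f"because {family_filter} is bound under family {family}")
    for ifl, family, name, defined in family_mismatches(SAMPLE_CONFIG):
        print(f"{ifl}: {name} is defined for family {defined} but bound under family {family}")
```

Run against the post's commands it reports the 1g filter as shadowed for both inet and inet6 on ae0.123 output; feeding it a candidate fix before committing tells you whether the unit-level policer would actually see any traffic.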



