[j-nsp] Using IPv4/IPv6 combined filter/policy with layer4 filtering

Dragan Jovicic draganj84 at gmail.com
Wed May 3 09:46:06 EDT 2017


> I am wondering how to combine IPv4 and IPv6 traffic in a single policer
> together with protocol-specific filtering.
>

I don't think this is possible. You might match on packet-length in family
'any', but you can't match on specific family header fields.

> Is there maybe even a possibility to only use one single filter for both
> families?
>

If you want to simply limit the total amount of traffic, you might use a single
logical-interface policer referenced under the layer2-policer IFL command.
Otherwise reference the logical-interface policer under a family-specific filter
and apply it under each IFF.

> Sounds stupid to me that I need to create everything twice.
>

It's not that bad.

BR,

+Dragan

On Wed, May 3, 2017 at 3:13 PM, "Rolf Hanßen" <nsp at rhanssen.de> wrote:

> Hello,
>
> I am wondering how to combine IPv4 and IPv6 traffic in a single policer
> together with protocol-specific filtering.
>
> Let's say I want to limit ntp traffic to 200MBit and the total logical
> interface bandwidth to 1GBit.
>
> As far as I see I cannot use a single filter for IPv4 and IPv6 because I
> filter for the protocol/next-header, so I need to create it twice:
> set firewall family inet filter filter-customer-ddos-ipv4 interface-specific
> set firewall family inet filter filter-customer-ddos-ipv4 term ntp from protocol udp
> set firewall family inet filter filter-customer-ddos-ipv4 term ntp from port ntp
> set firewall family inet filter filter-customer-ddos-ipv4 term ntp then policer limit-200mbit
> set firewall family inet filter filter-customer-ddos-ipv4 term ntp then accept
>
> set firewall family inet6 filter filter-customer-ddos-ipv6 interface-specific
> set firewall family inet6 filter filter-customer-ddos-ipv6 term ntp from next-header udp
> set firewall family inet6 filter filter-customer-ddos-ipv6 term ntp from port ntp
> set firewall family inet6 filter filter-customer-ddos-ipv6 term ntp then policer limit-200mbit
> set firewall family inet6 filter filter-customer-ddos-ipv6 term ntp then accept
>
> I wanted to limit at least the total bandwidth with a single filter:
> set firewall family any filter filter-customer-1g interface-specific
> set firewall family any filter filter-customer-1g term rest then policer limit-1gbit
> set firewall family any filter filter-customer-1g term rest then accept
>
> I can apply+commit that:
> set interface ae0.123 family inet filter output filter-customer-ddos-ipv4
> set interface ae0.123 family inet6 filter output filter-customer-ddos-ipv6
> set interface ae0.123 filter output filter-customer-1g
>
> But as long as the filter for family inet/inet6 is set, the logical
> interface filter is ignored for that family.
> If I remove the family filter, the logical interface filter is used.
>
> How do I combine that on a Juniper MX?
>
> Is there maybe even a possibility to only use one single filter for both
> families?
> Sounds stupid to me that I need to create everything twice.
>
> kind regards
> Rolf
>
>
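As an added example (not part of either message above), here is the "otherwise" path Dragan describes, in set syntax: one policer declared as a logical-interface policer and referenced from both the inet and the inet6 filter, so the two families on ae0.123 share a single instance instead of each filter getting its own copy. Policer, filter and interface names come from Rolf's post; the burst sizes, the discard action, the term name rest and the verification commands are assumptions.

```junos
# Added example, not from the thread. The logical-interface-policer statement is
# what makes the instance shared across every family filter on the same IFL;
# without it, interface-specific inet and inet6 filters each get a separate copy.
set firewall policer limit-1gbit logical-interface-policer
set firewall policer limit-1gbit if-exceeding bandwidth-limit 1g
set firewall policer limit-1gbit if-exceeding burst-size-limit 1m      # assumed burst
set firewall policer limit-1gbit then discard                          # assumed action

set firewall policer limit-200mbit logical-interface-policer
set firewall policer limit-200mbit if-exceeding bandwidth-limit 200m
set firewall policer limit-200mbit if-exceeding burst-size-limit 200k  # assumed burst
set firewall policer limit-200mbit then discard                        # assumed action

# IPv4: the protocol-specific term stays; a final term feeds the shared policer.
set firewall family inet filter filter-customer-ddos-ipv4 interface-specific
set firewall family inet filter filter-customer-ddos-ipv4 term ntp from protocol udp
set firewall family inet filter filter-customer-ddos-ipv4 term ntp from port ntp
set firewall family inet filter filter-customer-ddos-ipv4 term ntp then policer limit-200mbit
set firewall family inet filter filter-customer-ddos-ipv4 term ntp then accept
set firewall family inet filter filter-customer-ddos-ipv4 term rest then policer limit-1gbit
set firewall family inet filter filter-customer-ddos-ipv4 term rest then accept

# IPv6: same structure, matching next-header instead of protocol.
set firewall family inet6 filter filter-customer-ddos-ipv6 interface-specific
set firewall family inet6 filter filter-customer-ddos-ipv6 term ntp from next-header udp
set firewall family inet6 filter filter-customer-ddos-ipv6 term ntp from port ntp
set firewall family inet6 filter filter-customer-ddos-ipv6 term ntp then policer limit-200mbit
set firewall family inet6 filter filter-customer-ddos-ipv6 term ntp then accept
set firewall family inet6 filter filter-customer-ddos-ipv6 term rest then policer limit-1gbit
set firewall family inet6 filter filter-customer-ddos-ipv6 term rest then accept

# Apply under each IFF of the logical interface.
set interfaces ae0 unit 123 family inet filter output filter-customer-ddos-ipv4
set interfaces ae0 unit 123 family inet6 filter output filter-customer-ddos-ipv6

# Alternative when only the total matters (no per-protocol terms): the
# layer2-policer on the IFL sees every family without any family filter.
# set interfaces ae0 unit 123 layer2-policer output-policer limit-1gbit

# Check that the policer is instantiated once for the IFL rather than once per
# filter (interface-specific filters are instantiated as <name>-<ifl>-<i|o>):
# show policer
# show firewall filter filter-customer-ddos-ipv4-ae0.123-o
```

Because each term references a single policer, NTP traffic accepted by the ntp term is not counted against limit-1gbit; a true aggregate over both classes needs a hierarchical policer, which this example does not cover.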

