[j-nsp] Using IPv4/IPv6 combined filter/policy with layer4 filtering

Sebastian Wiesinger sebastian at karotte.org
Thu May 4 05:23:46 EDT 2017


* "Rolf Hanßen" <nsp at rhanssen.de> [2017-05-03 15:13]:
> But as long as the filter for family inet/inet6 is set, the logical
> interface filter is ignored for that family.
> If I remove the family filter, the logical interface filter is used.
> 
> How do I combine that on a Juniper MX?

You need two firewall filters for IPv4 and IPv6. Make two terms, one
for your 200MBit traffic and one for your 1GBit traffic (catch-all).

The policers need to be logical-interface-policer and will be used for
both traffic types at the same time. Like this:

set firewall family inet6 filter filter-customer-ipv6 interface-specific
set firewall family inet6 filter filter-customer-ipv6 term ntp from next-header udp
set firewall family inet6 filter filter-customer-ipv6 term ntp from port ntp
set firewall family inet6 filter filter-customer-ipv6 term ntp then policer limit-200mbit
set firewall family inet6 filter filter-customer-ipv6 term ntp then accept
set firewall family inet6 filter filter-customer-ipv6 term default then policer limit-1gbit
set firewall family inet6 filter filter-customer-ipv6 term default then accept

set firewall family inet filter filter-customer-ipv4 interface-specific
set firewall family inet filter filter-customer-ipv4 term ntp from protocol udp
set firewall family inet filter filter-customer-ipv4 term ntp from port ntp
set firewall family inet filter filter-customer-ipv4 term ntp then policer limit-200mbit
set firewall family inet filter filter-customer-ipv4 term ntp then accept
set firewall family inet filter filter-customer-ipv4 term default then policer limit-1gbit
set firewall family inet filter filter-customer-ipv4 term default then accept

set firewall policer limit-200mbit filter-specific
set firewall policer limit-200mbit logical-interface-policer
set firewall policer limit-200mbit shared-bandwidth-policer
set firewall policer limit-200mbit if-exceeding bandwidth-limit 200m
set firewall policer limit-200mbit if-exceeding burst-size-limit 625k
set firewall policer limit-200mbit then discard

set firewall policer limit-1gbit filter-specific
set firewall policer limit-1gbit logical-interface-policer
set firewall policer limit-1gbit shared-bandwidth-policer
set firewall policer limit-1gbit if-exceeding bandwidth-limit 1g
set firewall policer limit-1gbit if-exceeding burst-size-limit 625k
set firewall policer limit-1gbit then discard

I also included the shared-bandwidth-policer option as you have an AE
interface. This will make the router carve out lower values per
PFE/member link depending on the number of members in the AE. Please
be aware that this *can* lead to unwanted behaviour (limiting to lower
speeds) if load balancing over the AE is not perfect (it never is).

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant
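One way to sanity-check a config against the advice in this reply, as an added Python example (not from the thread and not a Juniper tool): it parses set-format lines and flags the two mistakes that would silently give IPv4 and IPv6 separate token buckets, a policer referenced by only one family's filter, or a policer without logical-interface-policer. The sample config is the posted one, trimmed to the lines the check looks at.

```python
import re
from collections import defaultdict

# Constructed sample: the posted config, trimmed to the lines that matter here.
SAMPLE = """
set firewall family inet6 filter filter-customer-ipv6 interface-specific
set firewall family inet6 filter filter-customer-ipv6 term ntp from next-header udp
set firewall family inet6 filter filter-customer-ipv6 term ntp then policer limit-200mbit
set firewall family inet6 filter filter-customer-ipv6 term default then policer limit-1gbit
set firewall family inet filter filter-customer-ipv4 term ntp from protocol udp
set firewall family inet filter filter-customer-ipv4 term ntp then policer limit-200mbit
set firewall family inet filter filter-customer-ipv4 term default then policer limit-1gbit
set firewall policer limit-200mbit logical-interface-policer
set firewall policer limit-200mbit if-exceeding bandwidth-limit 200m
set firewall policer limit-1gbit logical-interface-policer
set firewall policer limit-1gbit if-exceeding bandwidth-limit 1g
"""

FILTER_RE = re.compile(r"^set firewall family (inet6?) filter \S+ term \S+ then policer (\S+)$")
POLICER_RE = re.compile(r"^set firewall policer (\S+) (\S+)")

def parse(config):
    """Map family -> policers its filter references, policer -> the knobs set on it."""
    used, knobs = defaultdict(set), defaultdict(set)
    for line in config.strip().splitlines():
        if m := FILTER_RE.match(line.strip()):
            used[m.group(1)].add(m.group(2))
        elif m := POLICER_RE.match(line.strip()):
            knobs[m.group(1)].add(m.group(2))
    return used, knobs

def check(config):
    """Return the mistakes that would silently give v4 and v6 separate buckets."""
    used, knobs = parse(config)
    v4, v6 = used["inet"], used["inet6"]
    problems = [f"no family {fam} filter references a policer"
                for fam, refs in (("inet", v4), ("inet6", v6)) if not refs]
    for name in sorted(v4 ^ v6):  # referenced by one family only
        problems.append(f"policer {name} is used by only one family; both must reference it")
    for name in sorted(v4 | v6):
        if name not in knobs:
            problems.append(f"policer {name} is referenced but never defined")
        elif "logical-interface-policer" not in knobs[name]:
            problems.append(f"policer {name} lacks logical-interface-policer: "
                            "inet and inet6 would each get their own token bucket")
    return problems
```

`check(SAMPLE)` returns an empty list for the posted config; drop the logical-interface-policer line for one policer, or point the inet6 filter at a differently named policer, and it reports why the shared bucket is lost.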

