[j-nsp] Using IPv4/IPv6 combined filter/policy with layer4 filtering

Sebastian Wiesinger sebastian at karotte.org
Thu May 4 06:02:30 EDT 2017


* Sebastian Wiesinger <sebastian at karotte.org> [2017-05-04 11:23]:
> * "Rolf Hanßen" <nsp at rhanssen.de> [2017-05-03 15:13]:
> > But as long as the filter for family inet/inet6 is set, the logical
> > interface filter is ignored for that family.
> > If I remove the family filter, the logical interface filter is used.
> > 
> > How do I combine that on a Juniper MX?
> 
> You need two firewall filters, one for IPv4 and one for IPv6. Make two terms, one
> for your 200MBit traffic and one for your 1GBit traffic (catch-all).
> 
> The policers need to be logical-interface-policer and will be used for
> both types of traffic at the same time. Like this:
> 
> set firewall family inet6 filter filter-customer-ipv6 interface-specific
> set firewall family inet6 filter filter-customer-ipv6 term ntp from next-header udp
> set firewall family inet6 filter filter-customer-ipv6 term ntp from port ntp
> set firewall family inet6 filter filter-customer-ipv6 term ntp then policer limit-200mbit
> set firewall family inet6 filter filter-customer-ipv6 term ntp then accept
> set firewall family inet6 filter filter-customer-ipv6 term default then policer limit-1gbit
> set firewall family inet6 filter filter-customer-ipv6 term default then accept


Hi, I just noticed that I might have misunderstood you. You want to
shape the customer to 1g and the ntp traffic to 200m as part of that 1g.

In that case it should be enough to just remove the "then accept" from
the ntp term. As the policer action is non-terminating, ntp traffic
should first be policed by the 200mbit policer and after that by the
1g policer. Like this:

set firewall family inet filter filter-customer-ipv4 interface-specific
set firewall family inet filter filter-customer-ipv4 term ntp from protocol udp
set firewall family inet filter filter-customer-ipv4 term ntp from port ntp
set firewall family inet filter filter-customer-ipv4 term ntp then policer limit-200mbit
set firewall family inet filter filter-customer-ipv4 term default then policer limit-1gbit
set firewall family inet filter filter-customer-ipv4 term default then accept

Regards
Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant


More information about the juniper-nsp mailing list