[j-nsp] Using IPv4/IPv6 combined filter/policy with layer4 filtering

Dragan Jovicic draganj84 at gmail.com
Thu May 4 08:29:55 EDT 2017


To nitpick, policing is terminating (implicit accept for conforming
traffic), so you'd need "the next-term" to pass conforming traffic to next
term. Otherwise you'd pass 200m of ntp plus 1g of other traffic.
Cascaded policing:

term agg
   then policer 1g
   then next-term
term ntp
   from ntp
   then policer 200m
term non-ntp
   then accept

BR,

+Dragan
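The cascaded-policer layout sketched above, written out as a complete Junos set-style configuration for both address families. This is an added example, not configuration posted by anyone in the thread: the interface name (xe-0/0/0 unit 100), the burst sizes and the policer names are assumptions, and the `#` lines are explanatory comments rather than Junos input. The Junos action that Dragan calls "next-term" is spelled `then next term` in the CLI; it replaces the implicit accept that a term with only a policer action would otherwise get, which is what lets the aggregate policer hand conforming packets on to the NTP term.

```junos
# Added example (not from the thread). Assumed: xe-0/0/0.100 faces the
# customer; rates and burst sizes are illustrative placeholders.

# Policers shared by inet and inet6 on the same logical interface.
# logical-interface-policer gives one token bucket per logical interface,
# so IPv4 + IPv6 NTP together are held to 200m and all customer traffic
# together to 1g, instead of each family getting its own allowance.
set firewall policer limit-1gbit logical-interface-policer
set firewall policer limit-1gbit if-exceeding bandwidth-limit 1g
set firewall policer limit-1gbit if-exceeding burst-size-limit 1m
set firewall policer limit-1gbit then discard
set firewall policer limit-200mbit logical-interface-policer
set firewall policer limit-200mbit if-exceeding bandwidth-limit 200m
set firewall policer limit-200mbit if-exceeding burst-size-limit 256k
set firewall policer limit-200mbit then discard

# IPv4: term agg polices everything to 1g and, via "next term", passes
# conforming packets on; term ntp polices the NTP share to 200m;
# term non-ntp accepts the remainder. No "then accept" on term agg,
# otherwise NTP would never reach its own policer.
set firewall family inet filter filter-customer-ipv4 interface-specific
set firewall family inet filter filter-customer-ipv4 term agg then policer limit-1gbit
set firewall family inet filter filter-customer-ipv4 term agg then next term
set firewall family inet filter filter-customer-ipv4 term ntp from protocol udp
set firewall family inet filter filter-customer-ipv4 term ntp from port ntp
set firewall family inet filter filter-customer-ipv4 term ntp then policer limit-200mbit
set firewall family inet filter filter-customer-ipv4 term ntp then accept
set firewall family inet filter filter-customer-ipv4 term non-ntp then accept

# IPv6: same structure; the transport protocol is matched with next-header.
set firewall family inet6 filter filter-customer-ipv6 interface-specific
set firewall family inet6 filter filter-customer-ipv6 term agg then policer limit-1gbit
set firewall family inet6 filter filter-customer-ipv6 term agg then next term
set firewall family inet6 filter filter-customer-ipv6 term ntp from next-header udp
set firewall family inet6 filter filter-customer-ipv6 term ntp from port ntp
set firewall family inet6 filter filter-customer-ipv6 term ntp then policer limit-200mbit
set firewall family inet6 filter filter-customer-ipv6 term ntp then accept
set firewall family inet6 filter filter-customer-ipv6 term non-ntp then accept

# Apply both family filters on the customer-facing logical interface.
set interfaces xe-0/0/0 unit 100 family inet filter input filter-customer-ipv4
set interfaces xe-0/0/0 unit 100 family inet6 filter input filter-customer-ipv6
```

Because the filters are interface-specific, Junos instantiates them per interface, so the counters to check are under the suffixed names, e.g. `show firewall filter filter-customer-ipv4-xe-0/0/0.100-i`; the policer drop counters there show whether the 200m or the 1g bucket is the one discarding, which is the quickest way to confirm the cascade is doing what the terms intend.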

On Thu, May 4, 2017 at 12:02 PM, Sebastian Wiesinger <sebastian at karotte.org>
wrote:

> * Sebastian Wiesinger <sebastian at karotte.org> [2017-05-04 11:23]:
> > * "Rolf Hanßen" <nsp at rhanssen.de> [2017-05-03 15:13]:
> > > But as long as the filter for family inet/inet6 is set, the logical
> > > interface filter is ignored for that family.
> > > If I remove the family filter, the logical interface filter is used.
> > >
> > > How do I combine that on a Juniper MX?
> >
> > You need two firewall filters for IPv4 and IPv6. Make two terms, one
> > for your 200MBit traffic and one for your 1GBit Traffic (Catch-All).
> >
> > The Policers need to be logical-interface-policer and will be used for
> > both traffic at the same time. Like this:
> >
> > set firewall family inet6 filter filter-customer-ipv6 interface-specific
> > set firewall family inet6 filter filter-customer-ipv6 term ntp from next-header udp
> > set firewall family inet6 filter filter-customer-ipv6 term ntp from port ntp
> > set firewall family inet6 filter filter-customer-ipv6 term ntp then policer limit-200mbit
> > set firewall family inet6 filter filter-customer-ipv6 term ntp then accept
> > set firewall family inet6 filter filter-customer-ipv6 term default then policer limit-1gbit
> > set firewall family inet6 filter filter-customer-ipv6 term default then accept
>
>
> Hi, I just noticed that I might have misunderstood you. You want to
> shape the customer to 1g and the ntp traffic to 200m part of that 1g.
>
> In that case it should be enough to just remove the "then accept" from
> the ntp term. As the police action is non-terminating ntp traffic
> should first be policed by the 200mbit policer and after that by the
> 1g policer. Like this:
>
> set firewall family inet filter filter-customer-ipv4 interface-specific
> set firewall family inet filter filter-customer-ipv4 term ntp from protocol udp
> set firewall family inet filter filter-customer-ipv4 term ntp from port ntp
> set firewall family inet filter filter-customer-ipv4 term ntp then policer limit-200mbit
> set firewall family inet filter filter-customer-ipv4 term default then policer limit-1gbit
> set firewall family inet filter filter-customer-ipv4 term default then accept
>
> Regards
> Sebastian
>
> --
> GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE
> SCYTHE.
>             -- Terry Pratchett, The Fifth Elephant