[j-nsp] Using IPv4/IPv6 combined filter/policy with layer4 filtering

"Rolf Hanßen" nsp at rhanssen.de
Thu May 4 09:15:10 EDT 2017


Hello,

thank you both for your feedback.
Both versions work for me as far as I see.

Whether the 200MBit are included in the total bandwidth does not matter in my
case, I just want to make sure a 15GBit ddos to a 1 GBit customer does not
impact the 10GBit uplink of the access switch, so I will set it to
something between 1GBit and 10Gbit.

kind regards
Rolf

> To nitpick, policing is terminating (implicit accept for conforming
> traffic), so you'd need "the next-term" to pass conforming traffic to next
> term. Otherwise you'd pass 200m of ntp plus 1g of other traffic.
> Cascaded policing:
>
> term agg
>    then policer 1g
>    then next-term
> term ntp
>    from ntp
>    then policer 200m
> term non-ntp
>    then accept
>
> BR,
>
> +Dragan
>
> On Thu, May 4, 2017 at 12:02 PM, Sebastian Wiesinger <sebastian at karotte.org> wrote:
>
>> * Sebastian Wiesinger <sebastian at karotte.org> [2017-05-04 11:23]:
>> > * "Rolf Hanßen" <nsp at rhanssen.de> [2017-05-03 15:13]:
>> > > But as long as the filter for family inet/inet6 is set, the logical
>> > > interface filter is ignored for that family.
>> > > If I remove the family filter, the logical interface filter is used.
>> > >
>> > > How do I combine that on a Juniper MX?
>> >
>> > You need two firewall filters for IPv4 and IPv6. Make two terms, one
>> > for your 200MBit traffic and one for your 1GBit Traffic (Catch-All).
>> >
>> > The Policers need to be logical-interface-policer and will be used for
>> > both traffic at the same time. Like this:
>> >
>> > set firewall family inet6 filter filter-customer-ipv6 interface-specific
>> > set firewall family inet6 filter filter-customer-ipv6 term ntp from next-header udp
>> > set firewall family inet6 filter filter-customer-ipv6 term ntp from port ntp
>> > set firewall family inet6 filter filter-customer-ipv6 term ntp then policer limit-200mbit
>> > set firewall family inet6 filter filter-customer-ipv6 term ntp then accept
>> > set firewall family inet6 filter filter-customer-ipv6 term default then policer limit-1gbit
>> > set firewall family inet6 filter filter-customer-ipv6 term default then accept
>>
>>
>> Hi, I just noticed that I might have misunderstood you. You want to
>> shape the customer to 1g and the ntp traffic to 200m part of that 1g.
>>
>> In that case it should be enough to just remove the "then accept" from
>> the ntp term. As the police action is non-terminating ntp traffic
>> should first be policed by the 200mbit policer and after that by the
>> 1g policer. Like this:
>>
>> set firewall family inet filter filter-customer-ipv4 interface-specific
>> set firewall family inet filter filter-customer-ipv4 term ntp from protocol udp
>> set firewall family inet filter filter-customer-ipv4 term ntp from port ntp
>> set firewall family inet filter filter-customer-ipv4 term ntp then policer limit-200mbit
>> set firewall family inet filter filter-customer-ipv4 term default then policer limit-1gbit
>> set firewall family inet filter filter-customer-ipv4 term default then accept
>>
>> Regards
>> Sebastian
>>
>> --
>> GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
>> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE
>> SCYTHE.
>>             -- Terry Pratchett, The Fifth Elephant
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>