Hi Mac,
what you mention will do the job, which is to police ALL traffic ingress
into a physical interface, which is:
- ALL address-families of ALL logical units.

This means that I have to create a firewall filter per address-family,
because the documentation says:
'You cannot specify family any. You must configure a specific protocol
family for a firewall filter that references a physical interface policer.'
And then apply it to all address-families of all logical-units.

This is incredibly cumbersome and error-prone. Is there no simple way to
apply a soft policer, that is marking not dropping, just to the physical
interface?

Thanks,
Bit.

On Wed, 2010-10-13 at 09:23 -0400, Mac GroupStudy wrote:
> Let me position my thoughts as well, I have been out of JUNOS for some
> time but I did get pretty far in my knowledge there along the way.
> Also, this is from the Juniper site for configuring policers on a
> physical interface:
>
> Applying Firewall Filters That Reference Physical Interface Policers
>
> After you configure a firewall filter that references a physical
> interface policer, you apply it as an input or an output filter to a
> logical interface.
>
> To apply a firewall filter that references a physical interface
> policer as an input filter:
>
>   * Include the input filter-name statement at the [edit
>     interfaces interface-name unit logical-unit-number family
>     family-name filter] hierarchy level.
>
> To apply a firewall filter that references a physical interface
> policer as an output filter:
>
>   * Include the output filter-name statement at the [edit
>     interfaces interface-name unit logical-unit-number family
>     family-name] hierarchy level.
>
> In the following example, firewall filter inet-filter is applied to
> family inet on interface ge-1/2/0.0. The filter is applied to incoming
> IPv4 traffic on the interface.
>
> [edit]
> interfaces {
>     ge-1/2/0 {
>         unit 0 {
>             family inet {
>                 filter {
>                     input inet-filter;
>                 }
>                 address 10.100.16.2/24;
>             }
>         }
>     }
> }
>
> On Wed, Oct 13, 2010 at 9:20 AM, Mac GroupStudy
> <mac.groupst...@gmail.com> wrote:
>> Help me with my JUNOS commands structure and interfaces, but
>> unit 0 is the physical interface, correct? I mean, you always
>> have to configure unit 0, so to me that is just part of the
>> interface configuration.
>>
>> On Wed, Oct 13, 2010 at 8:36 AM, Bit Gossip
>> <bit.gos...@chello.nl> wrote:
>>> This is Mx480 Junos10.2R2.11 and DPC.
>>> Any idea why I cannot apply a physical-interface-policer to a
>>> physical-interface?
>>> While it can be applied to 'unit 0' of the same interface.
>>>
>>> Thanks,
>>> bit.
>>>
>>> [edit interfaces xe-4/1/0]
>>> l...@rc2# run show configuration firewall policer L-ECN
>>> physical-interface-policer;
>>> if-exceeding {
>>>     bandwidth-percent 90;
>>>     burst-size-limit 64k;
>>> }
>>> then loss-priority high;
>>>
>>> [edit interfaces xe-4/1/0]
>>> l...@rc2# set layer2-policer ?
>>> Possible completions:
>>> + apply-groups         Groups from which to inherit configuration data
>>> + apply-groups-except  Don't inherit configuration data from these groups
>>>
>>> [edit interfaces xe-4/1/0]
>>> l...@rc2# set unit 0 layer2-policer ?
>>> Possible completions:
>>> + apply-groups         Groups from which to inherit configuration data
>>> + apply-groups-except  Don't inherit configuration data from these groups
>>>   input-policer        Two-color policer for received packets
>>>   input-three-color    Color-blind three-color policer for received packets
>>>   output-policer       Two-color policer for transmitted packets
>>>   output-three-color   Three-color policer for transmitted packets
>>>
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp