Under your interface, apply a policer:

interfaces {
    fe-1/0/1 {
        unit 148 {
            description "Some Customer";
            bandwidth 10m;
            vlan-id 148;
            family inet {
                policer {
                    input 10meg;
                    output 10meg;
                }
                address x.x.x.x/x;
            }
        }
    }
}

and for the policer:

firewall {
    policer 10meg {
        logical-interface-policer;
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 1250000;
        }
        then discard;
    }
}

to police total bandwidth per interface.

On Wed, 1 Jun 2011 20:07:48 -0500, Chris Adams wrote:

I'm currently using interface, policer, and filter config like this to
rate-limit ethernet interfaces to paid bandwidth on an M10i:

interfaces {
    fe-1/0/1 {
        unit 148 {
            description "Some Customer";
            bandwidth 10m;
            vlan-id 148;
            family inet {
                filter {
                    input 10meg;
                    output 10meg;
                }
                address x.x.x.x/x;
            }
        }
    }
}
firewall {
    policer 10meg {
        filter-specific;
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 1250000;
        }
        then discard;
    }
    filter 10meg {
        interface-specific;
        term other {
            then {
                policer 10meg;
                count rate;
                accept;
            }
        }
    }
}

This gives me SNMP-graphable in/out counters for each interface that
show after-rate-limiting bits.

Now, I want to add IPv6, but I want to limit (and hopefully graph) the
total bandwidth, not the bandwidth per address family. If I create a
"10megv6" filter under firewall family inet6, the policer is filter
specific, so I would expect the interface to allow 10meg of IPv4 plus
10meg of IPv6.

I used to put a policer directly on the unit under "family inet" (no
counters for SNMP though), but I would also assume doing that under
"family inet" and "family inet6" would also result in separate bandwidth
for IPv4 and IPv6, not shared.

I looked at "family any" filters, but they don't have the same options
(no "interface-specific").

Any suggestions?

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
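
The difference this thread turns on, as an added example (not written by either poster, and not Junos code): a simplified token-bucket model using the 10m / 1250000 values from the configs above, comparing one policer instance per address family with one instance shared by both families on the unit, which is what the logical-interface-policer suggestion aims for. The Policer class, the traffic generator and the 20 Mbit/s offered load per family are constructed for illustration.

```python
# Simplified single-rate token bucket (an assumed model, not Junos internals).
RATE_BPS = 10_000_000      # bandwidth-limit 10m, in bits per second
BURST_BYTES = 1_250_000    # burst-size-limit 1250000, in bytes

class Policer:
    def __init__(self, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
        self.rate = rate_bps / 8.0          # refill rate in bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)    # bucket starts full
        self.last = 0.0

    def allow(self, now, size):
        # Refill for the elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                        # models "then discard"

def offered_load(seconds, mbps_per_family, pkt=1250):
    """Constructed traffic: IPv4 and IPv6 each send at a constant rate."""
    pps = int(mbps_per_family * 1_000_000 / 8 / pkt)
    for i in range(seconds * pps):
        t = i / pps
        yield t, "inet", pkt
        yield t, "inet6", pkt

def accepted_mbps(policer_for, seconds=60, mbps_per_family=20):
    """Average accepted rate in Mbit/s across both families."""
    passed = 0
    for t, family, size in offered_load(seconds, mbps_per_family):
        if policer_for[family].allow(t, size):
            passed += size
    return passed * 8 / seconds / 1_000_000

def per_family():
    # One policer instance per family: the outcome the question expects
    # from separate inet and inet6 filters or policers.
    return accepted_mbps({"inet": Policer(), "inet6": Policer()})

def shared():
    # One instance for the whole unit, referenced by both families.
    p = Policer()
    return accepted_mbps({"inet": p, "inet6": p})

if __name__ == "__main__":
    print(f"per-family instances: {per_family():.2f} Mbit/s accepted")
    print(f"shared instance:      {shared():.2f} Mbit/s accepted")
```

The accepted rate sits slightly above 10 Mbit/s per bucket because the initial 1250000-byte burst is averaged into the 60-second window.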