* Sebastian Wiesinger <sebast...@karotte.org> [2017-05-04 11:23]:
> * "Rolf Hanßen" <n...@rhanssen.de> [2017-05-03 15:13]:
> > But as long as the filter for family inet/inet6 is set, the logical
> > interface filter is ignored for that family.
> > If I remove the family filter, the logical interface filter is used.
> >
> > How do I combine that on a Juniper MX?
>
> You need two firewall filters for IPv4 and IPv6. Make two terms, one
> for your 200MBit traffic and one for your 1GBit Traffic (Catch-All).
>
> The Policers need to be logical-interface-policer and will be used for
> both traffic at the same time. Like this:
>
> set firewall family inet6 filter filter-customer-ipv6 interface-specific
> set firewall family inet6 filter filter-customer-ipv6 term ntp from next-header udp
> set firewall family inet6 filter filter-customer-ipv6 term ntp from port ntp
> set firewall family inet6 filter filter-customer-ipv6 term ntp then policer limit-200mbit
> set firewall family inet6 filter filter-customer-ipv6 term ntp then accept
> set firewall family inet6 filter filter-customer-ipv6 term default then policer limit-1gbit
> set firewall family inet6 filter filter-customer-ipv6 term default then accept

Hi,

I just noticed that I might have misunderstood you. You want to shape
the customer to 1g and the ntp traffic to 200m part of that 1g.

In that case it should be enough to just remove the "then accept" from
the ntp term. As the police action is non-terminating ntp traffic should
first be policed by the 200mbit policer and after that by the 1g
policer. Like this:

set firewall family inet filter filter-customer-ipv4 interface-specific
set firewall family inet filter filter-customer-ipv4 term ntp from protocol udp
set firewall family inet filter filter-customer-ipv4 term ntp from port ntp
set firewall family inet filter filter-customer-ipv4 term ntp then policer limit-200mbit
set firewall family inet filter filter-customer-ipv4 term default then policer limit-1gbit
set firewall family inet filter filter-customer-ipv4 term default then accept

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
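
Added example, not part of the original thread: the IPv4 filter from the reply written out together with the two policers it references, with an explicit "next term" in the ntp term. Junos gives a term that contains only nonterminating actions an implicit accept, so the explicit "next term" is what hands NTP packets on to the default term and its 1g policer. The burst sizes, the interface xe-0/0/0 unit 100 and the input direction are assumptions.

```junos
# Policers referenced by the filter (burst sizes are assumed values)
set firewall policer limit-200mbit logical-interface-policer
set firewall policer limit-200mbit if-exceeding bandwidth-limit 200m
set firewall policer limit-200mbit if-exceeding burst-size-limit 2m
set firewall policer limit-200mbit then discard
set firewall policer limit-1gbit logical-interface-policer
set firewall policer limit-1gbit if-exceeding bandwidth-limit 1g
set firewall policer limit-1gbit if-exceeding burst-size-limit 10m
set firewall policer limit-1gbit then discard

# NTP is policed to 200m, then explicitly passed on to the catch-all term
set firewall family inet filter filter-customer-ipv4 interface-specific
set firewall family inet filter filter-customer-ipv4 term ntp from protocol udp
set firewall family inet filter filter-customer-ipv4 term ntp from port ntp
set firewall family inet filter filter-customer-ipv4 term ntp then policer limit-200mbit
set firewall family inet filter filter-customer-ipv4 term ntp then next term

# Everything, including NTP that survived the first policer, shares the 1g policer
set firewall family inet filter filter-customer-ipv4 term default then policer limit-1gbit
set firewall family inet filter filter-customer-ipv4 term default then accept

# Attach to the customer's logical interface (assumed name and direction)
set interfaces xe-0/0/0 unit 100 family inet filter input filter-customer-ipv4
```

The IPv6 filter follows the same pattern with "family inet6" and "next-header udp" in place of "protocol udp".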