Hello, thank you both for your feedback. Both versions work for me as far as I see.
Whether the 200MBit is included in the total bandwidth does not matter in my case, I just want to make sure a 15GBit DDoS to a 1GBit customer does not impact the 10GBit uplink of the access switch, so I will set it to something between 1GBit and 10GBit.

Kind regards,
Rolf

> To nitpick, policing is terminating (implicit accept for conforming
> traffic), so you'd need "the next-term" to pass conforming traffic to next
> term. Otherwise you'd pass 200m of ntp plus 1g of other traffic.
>
> Cascaded policing:
>
> term agg
>   then policer 1g
>   then next-term
> term ntp
>   from ntp
>   then policer 200m
> term non-ntp
>   then accept
>
> BR,
>
> +Dragan
>
> On Thu, May 4, 2017 at 12:02 PM, Sebastian Wiesinger
> <sebast...@karotte.org> wrote:
>
>> * Sebastian Wiesinger <sebast...@karotte.org> [2017-05-04 11:23]:
>> > * "Rolf Hanßen" <n...@rhanssen.de> [2017-05-03 15:13]:
>> > > But as long as the filter for family inet/inet6 is set, the logical
>> > > interface filter is ignored for that family.
>> > > If I remove the family filter, the logical interface filter is used.
>> > >
>> > > How do I combine that on a Juniper MX?
>> >
>> > You need two firewall filters for IPv4 and IPv6. Make two terms, one
>> > for your 200MBit traffic and one for your 1GBit traffic (catch-all).
>> >
>> > The policers need to be logical-interface-policer and will be used for
>> > both traffic at the same time.
>> > Like this:
>> >
>> > set firewall family inet6 filter filter-customer-ipv6 interface-specific
>> > set firewall family inet6 filter filter-customer-ipv6 term ntp from next-header udp
>> > set firewall family inet6 filter filter-customer-ipv6 term ntp from port ntp
>> > set firewall family inet6 filter filter-customer-ipv6 term ntp then policer limit-200mbit
>> > set firewall family inet6 filter filter-customer-ipv6 term ntp then accept
>> > set firewall family inet6 filter filter-customer-ipv6 term default then policer limit-1gbit
>> > set firewall family inet6 filter filter-customer-ipv6 term default then accept
>>
>> Hi, I just noticed that I might have misunderstood you. You want to
>> shape the customer to 1g and the ntp traffic to 200m as part of that 1g.
>>
>> In that case it should be enough to just remove the "then accept" from
>> the ntp term. As the police action is non-terminating, ntp traffic
>> should first be policed by the 200mbit policer and after that by the
>> 1g policer. Like this:
>>
>> set firewall family inet filter filter-customer-ipv4 interface-specific
>> set firewall family inet filter filter-customer-ipv4 term ntp from protocol udp
>> set firewall family inet filter filter-customer-ipv4 term ntp from port ntp
>> set firewall family inet filter filter-customer-ipv4 term ntp then policer limit-200mbit
>> set firewall family inet filter filter-customer-ipv4 term default then policer limit-1gbit
>> set firewall family inet filter filter-customer-ipv4 term default then accept
>>
>> Regards
>> Sebastian
>>
>> --
>> GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
>> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
>> -- Terry Pratchett, The Fifth Elephant
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
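The following is an added, complete Junos configuration that puts the cascaded-policer approach from Dragan's reply together with the logical-interface-policer and interface-specific settings from Sebastian's; it is not a config posted by anyone in the thread. It matters because on Junos a term whose only action is a policer still accepts the packet (accept is the implicit terminating action), so without "next term" NTP traffic would be policed to 200m and then leave the filter without ever hitting the 1g policer. The interface name (xe-0/0/0 unit 100), the burst sizes, and the choice to apply the filters in the output direction (traffic flowing towards the customer, which is the DDoS case Rolf describes) are assumptions; adjust them to the real customer unit.

```junos
firewall {
    /* logical-interface-policer: one token bucket per unit, shared by the
       inet and inet6 filters, so v4 + v6 together stay under the limit. */
    policer limit-1gbit {
        logical-interface-policer;
        if-exceeding {
            bandwidth-limit 1g;
            burst-size-limit 1m;    /* assumed burst size */
        }
        then discard;
    }
    policer limit-200mbit {
        logical-interface-policer;
        if-exceeding {
            bandwidth-limit 200m;
            burst-size-limit 250k;  /* assumed burst size */
        }
        then discard;
    }
    family inet {
        filter filter-customer-ipv4 {
            interface-specific;
            /* Aggregate first. "next term" keeps conforming packets in the
               filter instead of the implicit accept a policer-only term has. */
            term agg {
                then {
                    policer limit-1gbit;
                    next term;
                }
            }
            /* "port ntp" matches source OR destination port 123, which also
               catches reflected NTP responses with source port 123. */
            term ntp {
                from {
                    protocol udp;
                    port ntp;
                }
                then {
                    policer limit-200mbit;
                    accept;
                }
            }
            term non-ntp {
                then accept;
            }
        }
    }
    family inet6 {
        filter filter-customer-ipv6 {
            interface-specific;
            term agg {
                then {
                    policer limit-1gbit;
                    next term;
                }
            }
            term ntp {
                from {
                    next-header udp;
                    port ntp;
                }
                then {
                    policer limit-200mbit;
                    accept;
                }
            }
            term non-ntp {
                then accept;
            }
        }
    }
}
interfaces {
    xe-0/0/0 {
        unit 100 {
            family inet {
                filter {
                    output filter-customer-ipv4;
                }
            }
            family inet6 {
                filter {
                    output filter-customer-ipv6;
                }
            }
        }
    }
}
```

Two points worth checking after commit. First, the term order: with "agg" first, NTP that the 200m policer later discards has already consumed tokens from the 1g bucket; if you want the 1g limit to count only what is actually delivered, put the "ntp" term (with "next term" instead of "accept") before "agg". Second, because the filters are interface-specific, the counters and policer instances are named per unit and direction, so "show firewall" will list them as filter-customer-ipv4-xe-0/0/0.100-o (assuming the unit and direction above); the per-policer "discard" counters there are the quickest way to confirm that both the 200m and the 1g policer actually see the NTP traffic during a test.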