[j-nsp] JUNOS POLICER

2010-09-02 Thread Giuliano Cardozo Medalha

 People,

We are trying to configure policers to logical interfaces created under 
IQ2E PIC.


All policers are using firewall filters.

One of them is a different situation ... we cannot rate all interface 
but only 3 IPs that pass through the interface.


But the policer is not working correctly:


set firewall policer teste if-exceeding bandwidth-limit 10m burst-size-limit 1000
set firewall policer teste then discard

set firewall family inet filter policer term 10 from source-address 192.168.10.35/32
set firewall family inet filter policer term 10 then accept
set firewall family inet filter policer term 10 then policer teste
set firewall family inet filter policer term 20 from source-address 192.168.10.36/32
set firewall family inet filter policer term 20 then accept
set firewall family inet filter policer term 20 then policer teste
set firewall family inet filter policer term 30 from source-address 192.168.10.37/32
set firewall family inet filter policer term 30 then accept
set firewall family inet filter policer term 30 then policer teste
set firewall family inet filter policer term 40 then accept

set interfaces ge-0/0/0 unit 100 vlan-id 100 family inet filter input policer


The problem is ... the 3 chosen IPs are exceeding 10m.  Sometimes 12, 
sometimes 18 Mbps.


Do we need to use some special command for it?  Like - logical interface 
under policer?


What is the correct manner to use it?

Or do we need to put it all in the same term?

Thanks a lot,

Giuliano
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] JUNOS POLICER

2010-09-02 Thread Derick Winkworth
You need to put it all in the same term.







Re: [j-nsp] JUNOS POLICER

2010-09-02 Thread Gordon Smith
The accept is what is allowing full bandwidth - you never hit the
policer.


firewall {
    family inet {
        filter policer {
            term 10 {
                from {
                    source-address {
                        192.168.10.35/32;
                    }
                }
                then {
                    policer teste;
                }
            }
        }
    }
}

 



Re: [j-nsp] JUNOS POLICER

2010-09-02 Thread Giuliano Cardozo Medalha

 Derick,

And about the following options:

filter-specific
logical-bandwidth-policer
logical-interface-policer

Can we use them?

When you configure the filter-specific statement, a single policer set 
is created for the entire filter. All traffic matching the terms of the 
firewall filter with the action policer goes through that single 
policer. The default is a term-specific policer in which a single 
policer set is created for each term within the filter. All traffic 
matching the terms of the firewall filter with the action policer goes 
through the part of the policer that is specific to that term.


Is the logical-interface-policer option for use inside logical units (like 
VLAN units)?


Thanks a lot,

Giuliano
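
An added example, not part of the original thread: a small token-bucket simulation of the documented difference between the default term-specific policer (one bucket per term) and a single shared policer (one term matching all three addresses, or filter-specific). The packet size, duration and the 6 Mbps offered load per host are constructed assumptions; the 10m limit, the burst of 1000 and the three addresses come from the thread.

```python
from dataclasses import dataclass

@dataclass
class TokenBucket:
    rate_bps: float       # bandwidth limit, bits per second
    burst_bytes: float    # burst size, bytes (bucket depth)
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst_bytes   # bucket starts full

    def conforms(self, now, size):
        # Refill for the elapsed time, capped at the bucket depth.
        refill = (now - self.last) * self.rate_bps / 8
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False                     # out of profile -> "then discard"

def simulate(offered_mbps, shared, limit_bps=10_000_000, burst=1000,
             pkt=500, duration=2.0):
    """Return the aggregate Mbps that gets past the policer(s)."""
    if shared:
        one = TokenBucket(limit_bps, burst)          # single policer instance
        buckets = {src: one for src in offered_mbps}
    else:
        # Term-specific default: every term gets its own policer instance.
        buckets = {src: TokenBucket(limit_bps, burst) for src in offered_mbps}
    events = []
    for i, (src, mbps) in enumerate(offered_mbps.items()):
        gap = pkt * 8 / (mbps * 1e6)                 # seconds between packets
        t = i * gap / len(offered_mbps)              # stagger the sources
        while t < duration:
            events.append((t, src))
            t += gap
    passed = sum(pkt for t, src in sorted(events) if buckets[src].conforms(t, pkt))
    return passed * 8 / duration / 1e6

# Constructed load: each of the three hosts offers 6 Mbps (18 Mbps total).
LOAD = {"192.168.10.35": 6, "192.168.10.36": 6, "192.168.10.37": 6}

if __name__ == "__main__":
    print("per-term policers:", round(simulate(LOAD, shared=False), 2), "Mbps")
    print("one shared policer:", round(simulate(LOAD, shared=True), 2), "Mbps")
```

With one bucket per term the full 18 Mbps passes, because no single host exceeds 10 Mbps; with one shared bucket the aggregate is held to about 10 Mbps.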



