Junos OS

  • 1.  Firewall Filter match conditions problem

    Posted 11-10-2009 21:56

    Hi

    I have a policer to police all traffic except any one of the following:

    1. source address (111.111.111.111/32) to any destination

    2. any source address to destination (222.222.222.222/32)

    3. icmp

    4. tcp source port 4444

    I can do most of the above with the following configuration, but I cannot fulfil point 4 above: the configuration below now does not police traffic on tcp AND udp port 4444, and I want to police traffic with udp source port 4444.

    If I include tcp in the protocol-except too, then all traffic using tcp will not be policed, which is not what we want.

    Would anyone help to provide the method to do such requirements as stated above? Thanks!!

    term T10 {
        from {
            source-address {
                111.111.111.111/32 except;
                0.0.0.0/0;
            }
            destination-address {
                222.222.222.222/32 except;
                0.0.0.0/0;
            }
            protocol-except icmp;
            source-port-except [ 4444 ];
        }
        then {
            policer POLICER-1;
            next term;
        }
    }



  • 2.  RE: Firewall Filter match conditions problem

    Posted 11-11-2009 00:25

    Hi,

    I would do something like this:

    term T10 {
        from {
            source-address {
                111.111.111.111/32 except;
                0.0.0.0/0;
            }
            destination-address {
                222.222.222.222/32 except;
                0.0.0.0/0;
            }
            protocol-except [icmp tcp];
            source-port-except [ 4444 ];
        }
        then {
            policer POLICER-1;
            next term;
        }
    }

    term T11 {
        from {
            source-address {
                111.111.111.111/32 except;
                0.0.0.0/0;
            }
            destination-address {
                222.222.222.222/32 except;
                0.0.0.0/0;
            }
            protocol tcp;
            source-port 4444;
        }
        then {
            policer POLICER-1;
            next term;
        }
    }

    Kind Regards

    Michael Pergament


  • 3.  RE: Firewall Filter match conditions problem

    Posted 11-11-2009 00:27

    Pasted too fast.

    term T10 {
        from {
            source-address {
                111.111.111.111/32 except;
                0.0.0.0/0;
            }
            destination-address {
                222.222.222.222/32 except;
                0.0.0.0/0;
            }
            protocol-except [icmp tcp];
        }
        then {
            policer POLICER-1;
            next term;
        }
    }

    term T11 {
        from {
            source-address {
                111.111.111.111/32 except;
                0.0.0.0/0;
            }
            destination-address {
                222.222.222.222/32 except;
                0.0.0.0/0;
            }
            protocol tcp;
            source-port-except 4444;
        }
        then {
            policer POLICER-1;
            next term;
        }
    }



  • 4.  RE: Firewall Filter match conditions problem

    Posted 11-11-2009 06:43

    Hi Mikep

    Thanks a lot!!

    It is working, but it seems it is hard to maintain the filter if I have several hundred src/dst addresses and several more tcp/udp ports.

    Chris



  • 5.  RE: Firewall Filter match conditions problem
    Best Answer

    Posted 11-11-2009 06:48

    Hi,

    Then you could use destination-prefix-list LIST1 and source-prefix-list LIST2.

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

    Kind Regards

    Michael Pergament



  • 6.  RE: Firewall Filter match conditions problem

    Posted 11-12-2009 00:15

    Thanks!!

    Let me tidy up my configuration and add one more condition.

    A policer to police all traffic EXCEPT any one of the following:

    1. source address (111.111.111.111/32) to any destination

    2. any source address to destination (222.222.222.222/32)

    3. icmp

    4. tcp source and destination port 4444

    5. udp source and destination port 3333

    6. tcp and udp source and destination port 2222

    Then my configuration should be as below, right?

    term T10 {
        from {
            source-prefix-list {
                PREFIX-LIST-SRC_1 except;
                PREFIX-LIST-ALL_IP;
            }
            destination-prefix-list {
                PREFIX-LIST-DST_1 except;
                PREFIX-LIST-ALL_IP;
            }
            protocol-except [ icmp udp tcp ];
        }
        then {
            policer WAN-POLICER_1;
            next term;
        }
    }
    term T20_UDP {
        from {
            source-prefix-list {
                PREFIX-LIST-SRC_1 except;
                PREFIX-LIST-ALL_IP;
            }
            destination-prefix-list {
                PREFIX-LIST-DST_1 except;
                PREFIX-LIST-ALL_IP;
            }
            protocol udp;
            source-port-except [ 3333 2222 ];
            destination-port-except [ 3333 2222 ];
        }
        then {
            policer WAN-POLICER_1;
            next term;
        }
    }
    term T30_TCP {
        from {
            source-prefix-list {
                PREFIX-LIST-SRC_1 except;
                PREFIX-LIST-ALL_IP;
            }
            destination-prefix-list {
                PREFIX-LIST-DST_1 except;
                PREFIX-LIST-ALL_IP;
            }
            protocol tcp;
            source-port-except [ 4444 2222 ];
            destination-port-except [ 4444 2222 ];
        }
        then {
            policer WAN-POLICER_1;
            next term;
        }
    }
    prefix-list PREFIX-LIST-ALL_IP {
        0.0.0.0/0;
    }
    prefix-list PREFIX-LIST-DST_1 {
        222.222.222.222/32;
    }
    prefix-list PREFIX-LIST-SRC_1 {
        111.111.111.111/32;
    }
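The reason the single term in post 1 exempts UDP port 4444 as well, and why splitting into one term per protocol (post 6) fixes it, comes down to how a Junos term combines its match conditions: every condition in a `from` block is ANDed, and a `-except` condition simply negates membership in its list, independent of the `protocol` condition. The following Python model is an added example, not configuration or code from the thread; the packets and the host-only prefix lists are constructed stand-ins for PREFIX-LIST-SRC_1 and PREFIX-LIST-DST_1.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Constructed packet summary: only the fields the filter terms examine."""
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


# Stand-ins for PREFIX-LIST-SRC_1 / PREFIX-LIST-DST_1 (the /32 hosts from the thread).
EXEMPT_SRC = {"111.111.111.111"}
EXEMPT_DST = {"222.222.222.222"}


def term_matches(pkt, proto=None, proto_except=(), sport_except=(), dport_except=()):
    """One term's 'from' block: every condition must hold (AND). A list inside a
    condition is a set the field must be in, or must NOT be in for the -except
    form. The address blocks 'X except; 0.0.0.0/0;' mean everything except X."""
    if pkt.src in EXEMPT_SRC or pkt.dst in EXEMPT_DST:
        return False
    if proto is not None and pkt.proto != proto:
        return False
    if pkt.proto in proto_except:
        return False
    if pkt.sport in sport_except or pkt.dport in dport_except:
        return False
    return True


def policed_by_post1(pkt):
    """Term T10 from post 1: source-port-except is not tied to a protocol, so a
    UDP packet from port 4444 is exempted together with the TCP one."""
    return term_matches(pkt, proto_except=("icmp",), sport_except=(4444,))


def policed_by_post6(pkt):
    """T10 / T20_UDP / T30_TCP from post 6. Their protocol conditions are
    disjoint, so a packet is policed exactly when one of the three terms matches."""
    return (term_matches(pkt, proto_except=("icmp", "udp", "tcp"))
            or term_matches(pkt, proto="udp", sport_except=(3333, 2222), dport_except=(3333, 2222))
            or term_matches(pkt, proto="tcp", sport_except=(4444, 2222), dport_except=(4444, 2222)))


if __name__ == "__main__":
    udp_4444 = Pkt("udp", "10.0.0.1", "10.0.0.2", sport=4444, dport=53)
    print("post 1 polices UDP sport 4444:", policed_by_post1(udp_4444))  # False: the original problem
    print("post 6 polices UDP sport 4444:", policed_by_post6(udp_4444))  # True
```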