Junos
Reply
Regular Visitor
Chintan
Posts: 4
Registered: ‎10-10-2009
0

policer on Dual stack interface

Hi,

 

I have customer having IPv4 access and policer of 10M configured through firewall filter on unit 10 ( i.e. vlan 10) on family inet.

 

Now Customer will have IPv6 also on same interface i.e. Dual stack and want to ensure that total traffic on his link not more than 10M ( i.e. includes IPv4 and IPv6). Can I apply same policer on family inet6 ? if so, will it be 10 for IPv4 and IPv6 individual i.e. 20M total or can be 10M combined. if not, How do i achive 20M total ?

 

Thanks in advance,

 

firewall filter Filter-2M-policing-and-DSCP-MARK-ZERO
{
interface-specific;
term interface-police {
    then {
        policer 2M-policing;
        next term;
    }
}
term DSCP-MARK-ZERO {
    then {
        loss-priority high;
        forwarding-class Internet-Default;
        accept;
    }
}

}

firewall policer 10M-policing
{
filter-specific;
if-exceeding {
    bandwidth-limit 10m;
    burst-size-limit 100k;
}
then discard;
}

 

Regards,

Chintan

Trusted Expert
dpapana
Posts: 282
Registered: ‎04-01-2011
0

Re: policer on Dual stack interface

Hello, 

 

In my understanding if you apply policer to 2 different family then the traffic will be counted separately.

In your case you can apply policy on logical interface and this way you'll get the policing of IPv4 and IPv6 together, those obtain only 10M for both address families.

 

firewall policer 10M-policing

{

logical-interface-policer;

if-exceeding {

    bandwidth-limit 10m;

    burst-size-limit 100k;

}

then discard;

}

 

 

interfaces {

 fe-2/0/3 {

  vlan-tagging;

   unit 200 {

   vlan-id 200;

    policer {

    input 10M-policing;

    output 10M-policing;

}

...................................................

Regards,
Dumitru Papana
Regular Visitor
Chintan
Posts: 4
Registered: ‎10-10-2009
0

Re: policer on Dual stack interface

Hi Dumitru,

 

Thanks for your response. Here I use firewall filter ( which inturn includes policer) than direct policer on interface.

How do take care to apply firewall fiter at unit level for both IPv4+IPV6 together which does also set dscp for ipv4 to zero.

 

Is there any way for filter filter like you mentioned for policer ?

 

Thanks in adavnce,

Regards,

Chintan

Regular Visitor
Chintan
Posts: 4
Registered: ‎10-10-2009
0

Re: policer on Dual stack interface

Hi, 

 

Let me elaborate problem with configuation etc about my requirments.

 

1. I have IPv4 access interface configured for customer and applied Input filter with 5M policing and classify traffic to default Class.

 

 

show configuration interfaces ge-11/1/5
hierarchical-scheduler;
vlan-tagging;
speed 1g;
link-mode full-duplex;
gigether-options {
    auto-negotiation;
}
unit 602 {
    description 5Mlink;
    vlan-id 602;
    family inet {

          filter {
            input Filter-5M-policing-and-DSCP-MARK-ZERO;
        }
        address 80.169.16.225/30;
    }
}

 

firewall filter Filter-5M-policing-and-DSCP-MARK-ZERO

{

interface-specific;
term interface-police {
    then {
        policer 5M-policing;
        next term;
    }
}
term DSCP-MARK-ZERO {
    then {
        loss-priority high;
        forwarding-class Internet-Default;
        accept;
    }
}

 

firewall policer 5M-policing

{
filter-specific;
if-exceeding {
    bandwidth-limit 5m;
    burst-size-limit 50k;
}
then discard;
}

 

This works fine withotu any issue.

 

2. Now customer going to have dual stack access i.e. IPv6 addtional access.

 

 

unit 602 {
    description 10Mlink;
    vlan-id 602;
    family inet {
        filter {
            input Filter-5M-policing-and-DSCP-MARK-ZERO;
        }
        address 80.169.16.225/30;
    }
    family inet6 {
        address 2001:920:0:d::2/127;
    }
}

Question : How do i add filter of 5M on unit 602 such way that both IPv4 + IPv6 traffic taken care through 5M policing and all traffic gets classifed in forwarding-class internet-Default.  Is there a way to use existing Filter itself for both family ?

 

Thanks again,

Chintan

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.