Ethernet Switching

Layer 2 filters do not work using 'family bridge'

09-11-2014 09:27 AM

I am trying to implement per-port rate limiting on an SRX210H used as a layer 2 switch. I am aware that it is a requirement to use ‘family bridge’ to implement filters, as filters are not permitted with ‘family ethernet-switching’ on an SRX. When I implement them they do not appear to have any effect. Can anyone see what I am doing wrong? I am running Junos 11.4R7.5.

interfaces {
    fe-0/0/2 {
        description "Customer 1";
        unit 0 {
            family bridge {
                filter {
                    input filter-25M;
                }
                interface-mode access;
                vlan-id 1005;
            }
        }
    }
}

firewall {
    family bridge {
        filter filter-25M {
            term all {
                then policer police-25M;
            }
        }
    }
    policer police-25M {
        if-exceeding {
            bandwidth-limit 25m;
            burst-size-limit 62k;
        }
        then discard;
    }
}

bridge-domains {
    PET-DATA-CUST1 {
        domain-type bridge;
        vlan-id 1005;
    }
}

JNCIE-ENT #552, JNCSP-ENT, JNCIP-SEC, JNCIP-SP, JNCIP-DC, JNCDS-DC, JNCDS-SEC, JNCDS-SP, CCNP, CCDA
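As an added illustration (not from the thread or from Juniper), the snippet below models the single-rate two-color policer the post configures: bandwidth-limit 25m is the refill rate, burst-size-limit 62k is the bucket depth, and then discard drops every out-of-profile frame. The class and function names are my own, the traffic is constructed, and the model is a textbook token bucket, so the exact per-packet accounting on the box may differ slightly.

```python
# Added example: token-bucket model of the Junos two-color policer in the post
# (bandwidth-limit 25m, burst-size-limit 62k, then discard). Names are mine;
# the model is a generic token bucket, not Juniper's implementation.

_UNITS = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}  # Junos decimal multipliers

def parse_junos_quantity(text):
    """Parse a Junos value such as '25m' (bits/s) or '62k' (bytes) to an int."""
    text = text.strip().lower()
    if text[-1] in _UNITS:
        return int(text[:-1]) * _UNITS[text[-1]]
    return int(text)

class TwoColorPolicer:
    """Bucket refills at bandwidth-limit and holds at most burst-size-limit
    bytes; a frame that does not fit is out of profile (discarded)."""
    def __init__(self, bandwidth_limit, burst_size_limit):
        self.rate = parse_junos_quantity(bandwidth_limit) / 8.0  # bytes per second
        self.depth = parse_junos_quantity(burst_size_limit)      # bytes
        self.tokens = float(self.depth)
        self.last_t = 0.0

    def offer(self, t, length):
        """Offer a frame of `length` bytes at time t (seconds, non-decreasing).
        Returns True if it is in profile, False if 'then discard' applies."""
        self.tokens = min(self.depth, self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if length <= self.tokens:
            self.tokens -= length
            return True
        return False

def constant_rate_stream(link_bps, pkt_len, duration_s):
    """Constructed traffic: back-to-back pkt_len-byte frames at link_bps."""
    interval = pkt_len * 8 / link_bps
    return [(i * interval, pkt_len) for i in range(int(duration_s / interval))]

def police(policer, packets):
    """Run frames through the policer; return (accepted_bytes, discarded_bytes)."""
    accepted = discarded = 0
    for t, length in packets:
        if policer.offer(t, length):
            accepted += length
        else:
            discarded += length
    return accepted, discarded

if __name__ == "__main__":
    # Customer port flooding at fe-0/0/2 line rate (100 Mb/s) for one second
    pol = TwoColorPolicer("25m", "62k")
    ok, dropped = police(pol, constant_rate_stream(100_000_000, 1500, 1.0))
    print(f"accepted {ok * 8 / 1e6:.2f} Mb, discarded {dropped * 8 / 1e6:.2f} Mb in 1 s")
```

Running it shows roughly 25 Mb plus the 62 kB burst getting through in the first second and the rest discarded, which is the behaviour the filter should produce once it is actually bound to the port.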

Re: Layer 2 filters do not work using 'family bridge'

09-11-2014 09:51 AM

Hi Regalis,

You can use Layer 2 policers. Follow the guidelines in the link below:

http://www.juniper.net/techpubs/en_US/junos11.4/topics/topic-map/policer-layer2.html

--
Click the star for kudos if you think I earned it.
If this post solves your problem, please mark this post as "Accepted Solution".


Re: Layer 2 filters do not work using 'family bridge'

09-11-2014 01:08 PM

Pantunes,

Thanks for the link. Unfortunately, it does not appear to be a solution in this case. I get the following response when trying to add 'logical-interface-policer' to the policer.

[edit firewall]
admin@acc-sw1.bre1# commit check
[edit firewall family bridge filter filter-25M term all then policer]
  'policer police-25M'
    Filter policer 'police-25M' cannot be configured as logical-interface-policers on this platform
error: configuration check-out failed

Also, the 'layer2-policer' option is not available:

[edit interfaces fe-0/0/2 unit 0]
admin@acc-sw1.bre1# set l?
No valid completions

It claims to be available since Junos 8.2, so I guess it is not on the SRX. Please let me know if you have any other ideas.

Thanks

JNCIE-ENT #552, JNCSP-ENT, JNCIP-SEC, JNCIP-SP, JNCIP-DC, JNCDS-DC, JNCDS-SEC, JNCDS-SP, CCNP, CCDA

Re: Layer 2 filters do not work using 'family bridge'

09-11-2014 01:45 PM

Hi,

Sorry for the previous erroneous post.

I was able to commit the following configuration on an SRX240H:

# show | compare
[edit interfaces]
+   ge-0/0/10 {
+       unit 0 {
+           family ethernet-switching;
+       }
+   }
+   ge-0/0/11 {
+       unit 0 {
+           family ethernet-switching;
+       }
+   }
[edit firewall]
+    family any {
+        filter POLICE {
+            term 1 {
+                from {
+                    interface ge-0/0/10.0;
+                }
+                then {
+                    policer POLICER;
+                    accept;
+                }
+            }
+            term 2 {
+                then accept;
+            }
+        }
+    }
[edit firewall]
+   policer POLICER {
+       if-exceeding {
+           bandwidth-limit 10m;
+           burst-size-limit 1500;
+       }
+       then discard;
+   }
[edit]
+  vlans {
+      vlan100 {
+          vlan-id 100;
+          interface {
+              ge-0/0/10.0;
+              ge-0/0/11.0;
+          }
+          filter {
+              input POLICE;
+          }
+      }
+  }

But I didn't test it. Maybe you could?

--
Click the star for kudos if you think I earned it.
If this post solves your problem, please mark this post as "Accepted Solution".


Re: Layer 2 filters do not work using 'family bridge'

09-11-2014 02:17 PM

I will test this first thing in the morning and let you know how it goes.

Thanks

JNCIE-ENT #552, JNCSP-ENT, JNCIP-SEC, JNCIP-SP, JNCIP-DC, JNCDS-DC, JNCDS-SEC, JNCDS-SP, CCNP, CCDA

Re: Layer 2 filters do not work using 'family bridge'

09-12-2014 01:11 AM

Pantunes,

Unfortunately, the filter appears not to be referenced, presumably as the family is not recognised by the VLAN.

admin@acc-sw1.bre1# show firewall
family any {
    filter Test1 {
        term 1 {
            from {
                interface fe-0/0/2.0;
            }
            then {
                policer police-25M;
                accept;
            }
        }
    }
}
policer police-25M {
    if-exceeding {
        bandwidth-limit 25m;
        burst-size-limit 62k;
    }
    then discard;
}
[edit]
admin@acc-sw1.bre1# show vlans
PET-DATA {
    vlan-id 1005;
    filter {
        input Test1; ## 'Test1' is not defined
    }
}

Thanks

JNCIE-ENT #552, JNCSP-ENT, JNCIP-SEC, JNCIP-SP, JNCIP-DC, JNCDS-DC, JNCDS-SEC, JNCDS-SP, CCNP, CCDA