That makes sense, Bit, and thanks for the clarification. Hey, so at least I was partially correct! Let me run this by my Juniper peers that do not participate here.

On Wed, Oct 13, 2010 at 9:34 AM, Bit Gossip <[email protected]> wrote:
> Hi Mac,
> what you mention will do the job which is to police ALL traffic ingress
> into a physical interface which is:
> - ALL address-families of ALL logical units.
> This means that I have to create a firewall filter per address-family
> because the documentation says: 'You cannot specify family any. You must
> configure a specific protocol family for a firewall filter that
> references a physical interface policer.'
> And then apply it to all address-families of all logical-units.
>
> This is incredibly cumbersome and error-prone.
>
> Is there no simple way to apply a soft policer, that is marking not
> dropping, just to the physical interface?
> Thanks,
> Bit.
>
>
> On Wed, 2010-10-13 at 09:23 -0400, Mac GroupStudy wrote:
> > Let me position my thoughts as well, I have been out of JUNOS for some
> > time but I did get pretty far in my knowledge there along the way.
> > Also, this is from the Juniper site for configuring policers on a
> > physical interface:
> >
> >
> > Applying Firewall Filters That Reference Physical Interface Policers
> > After you configure a firewall filter that references a physical
> > interface policer, you apply it as an input or an output filter to a
> > logical interface.
> >
> > To apply a firewall filter that references a physical interface
> > policer as an input filter:
> >
> >       * Include the input filter-name statement at the [edit
> >         interfaces interface-name unit logical-unit-number family
> >         family-name filter] hierarchy level.
> >
> > To apply a firewall filter that references a physical interface
> > policer as an output filter:
> >
> >       * Include the output filter-name statement at the [edit
> >         interfaces interface-name unit logical-unit-number family
> >         family-name] hierarchy level.
> >
> > In the following example, firewall filter inet-filter is applied to
> > family inet on interface ge-1/2/0.0. The filter is applied to incoming
> > IPv4 traffic on the interface.
> >
> > [edit]
> > interfaces {
> >     ge-1/2/0 {
> >         unit 0 {
> >             family inet {
> >                 filter {
> >                     input inet-filter;
> >                 }
> >                 address 10.100.16.2/24;
> >             }
> >         }
> >     }
> > }
> >
> > On Wed, Oct 13, 2010 at 9:20 AM, Mac GroupStudy
> > <[email protected]> wrote:
> >         Help me with my JUNOS commands structure and interfaces but
> >         unit 0 is the physical interface correct?  I mean, you always
> >         have to configure unit 0 so to me that is just part of the
> >         interface configuration.
> >
> >
> >
> >         On Wed, Oct 13, 2010 at 8:36 AM, Bit Gossip
> >         <[email protected]> wrote:
> >                 This is Mx480 Junos10.2R2.11 and DPC.
> >                 Any idea why I can not apply a
> >                 physical-interface-policer to a
> >                 physical-interface?
> >                 While it can be applied to 'unit 0' of the same
> >                 interface.
> >
> >                 Thanks,
> >                 bit.
> >
> >                 [edit interfaces xe-4/1/0]
> >                 l...@rc2# run show configuration firewall policer L-ECN
> >                 physical-interface-policer;
> >                 if-exceeding {
> >                     bandwidth-percent 90;
> >                     burst-size-limit 64k;
> >                 }
> >                 then loss-priority high;
> >
> >                 [edit interfaces xe-4/1/0]
> >
> >                 l...@rc2# set layer2-policer ?
> >                 Possible completions:
> >                 + apply-groups         Groups from which to inherit configuration data
> >                 + apply-groups-except  Don't inherit configuration data from these groups
> >
> >                 [edit interfaces xe-4/1/0]
> >                 l...@rc2# set unit 0 layer2-policer ?
> >                 Possible completions:
> >                 + apply-groups         Groups from which to inherit configuration data
> >                 + apply-groups-except  Don't inherit configuration data from these groups
> >                   input-policer        Two-color policer for received packets
> >                   input-three-color    Color-blind three-color policer for received packets
> >                   output-policer       Two-color policer for transmitted packets
> >                   output-three-color   Three-color policer for transmitted packets
> >
> >
> >                 _______________________________________________
> >                 juniper-nsp mailing list [email protected]
> >                 https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
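
Added example, not part of the original thread: because the filter that references the physical interface policer has to be attached per address family on every logical unit, a unit or family that is missed stays unpoliced. The sketch below audits `show configuration | display set` style output for such gaps; the sample lines, the function name `audit`, and the filter names `inet6-filter` and `mpls-filter` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in "display set" form (not taken from the thread).
SAMPLE = """\
set interfaces xe-4/1/0 unit 0 family inet filter input inet-filter
set interfaces xe-4/1/0 unit 0 family inet address 10.100.16.2/24
set interfaces xe-4/1/0 unit 0 family inet6 address 2001:db8::1/64
set interfaces xe-4/1/0 unit 10 family inet filter input inet-filter
set interfaces xe-4/1/0 unit 10 family mpls
set interfaces xe-4/1/1 unit 0 family inet address 192.0.2.1/30
"""

FAMILY_RE = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+) family (?P<fam>\S+)(?P<rest>.*)$"
)
FILTER_RE = re.compile(r"^ filter input (?P<name>\S+)$")


def audit(display_set, ifd, expected):
    """Return sorted (unit, family) pairs on `ifd` that lack the expected input filter.

    `expected` maps family name -> filter name (hypothetical names are fine).
    A family with no entry in `expected` is always reported, since no
    policer-referencing filter has been defined for it at all.
    """
    seen = defaultdict(set)  # (unit, family) -> input filter names found
    for line in display_set.splitlines():
        m = FAMILY_RE.match(line.strip())
        if not m or m["ifd"] != ifd:
            continue
        key = (int(m["unit"]), m["fam"])
        seen[key]  # register the family even if it carries no filter
        f = FILTER_RE.match(m["rest"])
        if f:
            seen[key].add(f["name"])
    return sorted(k for k, names in seen.items() if expected.get(k[1]) not in names)


if __name__ == "__main__":
    want = {"inet": "inet-filter", "inet6": "inet6-filter", "mpls": "mpls-filter"}
    for unit, fam in audit(SAMPLE, "xe-4/1/0", want):
        print(f"xe-4/1/0 unit {unit} family {fam}: expected input filter missing")
```
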

