I agree with you that this seems like a simple task but in true Juniper fashion, there's a hundred ways to do it depending on your needs! :D

NOTE: I've never actually worked with these kinds of policers before so obviously test any suggestions first.

I think the physical interface policer must be referenced in a firewall filter. Then the filter is applied to an address family on a unit.
http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-policy/policers-physical-interface-aggregate-configuring.html

I don't know everything you'd like to achieve, but an Aggregate Policer / logical-interface-policer **might** be a better fit since it's designed to be applied to multiple address families.
http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-policy/policy-configuring-aggregate-policers.html#id-11078456

I know this isn't the most graceful solution, but to avoid the potential typos / human input problems, you could apply the policer via a group. Kind of like this:

u...@blah> show configuration groups
apply-policer-random-name {
        interfaces {
                xe-4/1/0 {
                        unit <*> {
                                family <*> {
                                        filter L-ECN
                                }
                        }
                }
        }
}

u...@blah> show configuration
<<<snip>>>>
apply-groups apply-policer-random-name

On Oct 13, 2010, at 8:34 AM, Bit Gossip wrote:

Hi Mac,
what you mention will do the job which is to police ALL traffic ingress
into a physical interface which is:
- ALL address-families of ALL logical units.
This means that I have to create a firewall filter per address-family
because the documentation says: 'You cannot specify family any. You must
configure a specific protocol family for a firewall filter that
references a physical interface policer.'
And then apply it to all address-families of all logical-units.

This is incredibly cumbersome and error-prone.

Is there no simple way to apply a soft policer, that is marking not
dropping, just to the physical interface?
Thanks,
Bit.


On Wed, 2010-10-13 at 09:23 -0400, Mac GroupStudy wrote:
Let me position my thoughts as well, I have been out of JUNOS for some
time but I did get pretty far in my knowledge there along the way.
Also, this is from the Juniper site for configuring policers on a
physical interface:


Applying Firewall Filters That Reference Physical Interface Policers
After you configure a firewall filter that references a physical
interface policer, you apply it as an input or an output filter to a
logical interface.

To apply a firewall filter that references a physical interface
policer as an input filter:

     * Include the input filter-name statement at the [edit
       interfaces interface-name unit logical-unit-number family
       family-name filter] hierarchy level.

To apply a firewall filter that references a physical interface
policer as an output filter:

     * Include the output filter-name statement at the [edit
       interfaces interface-name unit logical-unit-number family
       family-name] hierarchy level.

In the following example, firewall filter inet-filter is applied to
family inet on interface ge-1/2/0.0. The filter is applied to incoming
IPv4 traffic on the interface.

[edit]
interfaces {
    ge-1/2/0 {
        unit 0 {
            family inet {
                filter {
                    input inet-filter;
                }
                address 10.100.16.2/24;
            }
        }
    }
}

On Wed, Oct 13, 2010 at 9:20 AM, Mac GroupStudy
<[email protected]> wrote:
       Help me with my JUNOS commands structure and interfaces but
       unit 0 is the physical interface correct? I mean, you always
       have to configure unit 0 so to me that is just part of the
       interface configuration.



       On Wed, Oct 13, 2010 at 8:36 AM, Bit Gossip
       <[email protected]> wrote:
               This is Mx480 Junos10.2R2.11 and DPC.
               Any idea why I can not apply a
               physical-interface-policer to a
               physical-interface?
               While it can be applied to 'unit 0' of the same
               interface.

               Thanks,
               bit.

               [edit interfaces xe-4/1/0]
               l...@rc2# run show configuration firewall policer L-ECN
               physical-interface-policer;
               if-exceeding {
                  bandwidth-percent 90;
                  burst-size-limit 64k;
               }
               then loss-priority high;

               [edit interfaces xe-4/1/0]
               l...@rc2# set layer2-policer ?
               Possible completions:
               + apply-groups         Groups from which to inherit configuration data
               + apply-groups-except  Don't inherit configuration data from these groups

               [edit interfaces xe-4/1/0]
               l...@rc2# set unit 0 layer2-policer ?
               Possible completions:
               + apply-groups         Groups from which to inherit configuration data
               + apply-groups-except  Don't inherit configuration data from these groups
                 input-policer        Two-color policer for received packets
                 input-three-color    Color-blind three-color policer for received packets
                 output-policer       Two-color policer for transmitted packets
                 output-three-color   Three-color policer for transmitted packets


               _______________________________________________
               juniper-nsp mailing list [email protected]
               https://puck.nether.net/mailman/listinfo/juniper-nsp
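
Added example (not part of the original thread and not Juniper's code): since the filter has to be applied per address family on every logical unit, a small audit over set-format configuration can list the unit/family pairs that were missed. The filter names PIP-inet and PIP-inet6, the EXPECTED mapping and the sample lines are constructed assumptions.

```python
import re

# Constructed sample in Junos set format; filter names PIP-inet / PIP-inet6
# are hypothetical, xe-4/1/0 is the interface discussed in the thread.
SAMPLE = """\
set interfaces xe-4/1/0 unit 0 family inet filter input PIP-inet
set interfaces xe-4/1/0 unit 0 family inet address 192.0.2.1/30
set interfaces xe-4/1/0 unit 0 family inet6 address 2001:db8::1/64
set interfaces xe-4/1/0 unit 0 family mpls
set interfaces xe-4/1/0 unit 100 vlan-id 100
set interfaces xe-4/1/0 unit 100 family inet filter input PIP-inet
set interfaces xe-4/1/0 unit 100 family inet6 filter input PIP-inet6
set interfaces xe-4/1/0 unit 100 family inet6 filter output OTHER
set interfaces xe-4/2/0 unit 0 family inet address 198.51.100.1/30
"""

# Hypothetical policy: the input filter each family is expected to carry.
EXPECTED = {"inet": "PIP-inet", "inet6": "PIP-inet6"}

LINE = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+) family (?P<fam>\S+)"
    r"(?: filter input (?P<filt>\S+))?"
)

def input_filters(display_set, ifd):
    """Map (unit, family) -> input filter name (or None) for one interface."""
    seen = {}
    for line in display_set.splitlines():
        m = LINE.match(line.strip())
        if not m or m["ifd"] != ifd:
            continue
        key = (int(m["unit"]), m["fam"])
        # Keep a filter found on an earlier line when this line has none.
        seen[key] = m["filt"] or seen.get(key)
    return seen

def audit(display_set, ifd, expected):
    """Return (unit, family, reason) for every family not covered as expected."""
    findings = []
    for (unit, fam), filt in sorted(input_filters(display_set, ifd).items()):
        want = expected.get(fam)
        if want is None:
            findings.append((unit, fam, "no filter defined for this family"))
        elif filt != want:
            findings.append((unit, fam, f"input filter is {filt!r}, expected {want!r}"))
    return findings

if __name__ == "__main__":
    for unit, fam, reason in audit(SAMPLE, "xe-4/1/0", EXPECTED):
        print(f"xe-4/1/0.{unit} family {fam}: {reason}")
```

Statements inherited through apply-groups only appear in the `| display inheritance` view of the configuration, so audit that view when the filter is applied via a group.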





