MX Series - Common policer for few VLANs

  • 1.  MX Series - Common policer for few VLANs

    Posted 07-30-2020 02:42

    Hi All, 

     

    I have an MX480 router with an aggregated Ethernet interface (ae0). It is a shared interface for multiple customers, split by VLANs and routing-instances. Next we assign a "logical-interface-policer" to each VLAN.

     

    Now I have a situation where, for a specific customer (a single routing-instance), I would like to set up a single/common policer which will be shared between all of his VLANs on my ae0. The question is how to do it?

     

    My typical configuration:

     

    set firewall policer CUST_A_VLAN_POLICER logical-interface-policer
    set firewall policer CUST_A_VLAN_POLICER shared-bandwidth-policer
    set firewall policer CUST_A_VLAN_POLICER if-exceeding bandwidth-limit 10m
    set firewall policer CUST_A_VLAN_POLICER if-exceeding burst-size-limit 6250000
    set firewall policer CUST_A_VLAN_POLICER then discard

    set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 interface-specific
    set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 term ALL then policer CUST_A_VLAN_POLICER
    set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 term ALL then dscp be
    set firewall family inet filter CUST_A_FF_COS_EGRESS_V4 interface-specific
    set firewall family inet filter CUST_A_FF_COS_EGRESS_V4 term ALL then policer CUST_A_VLAN_POLICER

    set interfaces ae0 unit 999 vlan-id 999
    set interfaces ae0 unit 999 family inet filter input-list CUST_A_FF_COS_INGRESS_V4
    set interfaces ae0 unit 999 family inet filter output-list CUST_A_FF_COS_EGRESS_V4


    set routing-instances CUSTOMER_A interface ae0.999

     

     

    With this example, if I apply "firewall family inet filter CUST_A_999_FF_COS_INGRESS_V4" to VLAN 999 and some other one, each VLAN will have its own 10 Mbps policer.

     

    What I need is a shared 10 Mbps policer for multiple VLANs.

     

    I found this parameter: 

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/filter-specific-edit-firewall.html

     

     

    So I suppose I should configure it this way:

     

    set firewall policer CUST_A_VLAN_POLICER logical-interface-policer
    set firewall policer CUST_A_VLAN_POLICER shared-bandwidth-policer
    set firewall policer CUST_A_VLAN_POLICER filter-specific
    set firewall policer CUST_A_VLAN_POLICER if-exceeding bandwidth-limit 10m
    set firewall policer CUST_A_VLAN_POLICER if-exceeding burst-size-limit 6250000
    set firewall policer CUST_A_VLAN_POLICER then discard

     

    set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 interface-specific
    set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 term ALL then policer CUST_A_VLAN_POLICER
    set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 term ALL then dscp be
    set firewall family inet filter CUST_A_FF_COS_EGRESS_V4 interface-specific
    set firewall family inet filter CUST_A_FF_COS_EGRESS_V4 term ALL then policer CUST_A_VLAN_POLICER

     

    set interfaces ae0 unit 999 vlan-id 999
    set interfaces ae0 unit 999 family inet filter input-list CUST_A_FF_COS_INGRESS_V4
    set interfaces ae0 unit 999 family inet filter output-list CUST_A_FF_COS_EGRESS_V4

    set interfaces ae0 unit 1000 vlan-id 1000
    set interfaces ae0 unit 1000 family inet filter input-list CUST_A_FF_COS_INGRESS_V4
    set interfaces ae0 unit 1000 family inet filter output-list CUST_A_FF_COS_EGRESS_V4

     

    set routing-instances CUSTOMER_A interface ae0.999
    set routing-instances CUSTOMER_A interface ae0.1000

     



  • 2.  RE: MX Series - Common policer for few VLANs

    Posted 07-30-2020 04:29

    Hello,

    You need the "physical-interface-policer" + "physical-interface-filter" JUNOS features to police a dual-stack VLAN set as a whole.

    https://www.juniper.net/documentation/en_US/junos/topics/example/policer-single-rate-two-color-physical-interface-example.html

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/physical-interface-filter-edit-firewall.html

    "physical-interface-policer" also includes "logical-interface-policer" functionality, so you do NOT need the "logical-interface-policer" knob anymore if you want to police multiple dual-stack VLANs as a whole.

    HTH

    Thx

    Alex

     

     



  • 3.  RE: MX Series - Common policer for few VLANs

    Posted 07-30-2020 06:18

    Yes, I tried that before and I saw this message:

    [edit firewall family inet filter CUST_A_AGGREGATE_FF_COS_INGRESS_BRIDGE term ALL_TRAFFIC then policer]
    'policer CUST_A_AGGREGATE_POLICER'
    Physical interface policer 'CUST_A_AGGREGATE_POLICER' can be refered only by physical interface filters
    commit-check failed
    commit-check failed
    error: configuration check-out failed

     

    However I have just noticed one small difference: 

    1) in the configuration for "logical-interface-policer" I must apply it to the interface with these commands:
    set interfaces ae0 unit 999 family inet filter input-list CUST_A_FF_COS_INGRESS_V4
    set interfaces ae0 unit 999 family inet filter output-list CUST_A_FF_COS_EGRESS_V4

    2) however, in the configuration for "physical-interface-policer" the syntax is different:
    set interfaces ae0 unit 999 family inet filter input CUST_A_FF_COS_INGRESS_V4
    set interfaces ae0 unit 999 family inet filter output CUST_A_FF_COS_EGRESS_V4

    Now the config is committing. THANK YOU!

     

     



  • 4.  RE: MX Series - Common policer for few VLANs
    Best Answer

    Posted 07-30-2020 06:27

    Hello,

    Glad to help. Please accept the solution so others can benefit.

    Thx

    Alex
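
An added example, not part of the thread and not Juniper code: a small Python check that models the commit-check rule quoted in reply 3 (a policer marked physical-interface-policer may only be referenced by filters marked physical-interface-filter) and lists which logical units end up sharing each such policer. The sample configuration is constructed from the names used in the thread, the function name audit is hypothetical, and only the `set` statement forms shown on this page are parsed.

```python
import re
from collections import defaultdict

# Constructed sample using the thread's names. The ingress filter is
# deliberately left without "physical-interface-filter" to trigger the check.
SAMPLE = """\
set firewall policer CUST_A_AGGREGATE_POLICER physical-interface-policer
set firewall policer CUST_A_AGGREGATE_POLICER if-exceeding bandwidth-limit 10m
set firewall policer CUST_A_AGGREGATE_POLICER if-exceeding burst-size-limit 6250000
set firewall policer CUST_A_AGGREGATE_POLICER then discard
set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 term ALL then policer CUST_A_AGGREGATE_POLICER
set firewall family inet filter CUST_A_FF_COS_EGRESS_V4 physical-interface-filter
set firewall family inet filter CUST_A_FF_COS_EGRESS_V4 term ALL then policer CUST_A_AGGREGATE_POLICER
set interfaces ae0 unit 999 family inet filter input CUST_A_FF_COS_INGRESS_V4
set interfaces ae0 unit 999 family inet filter output CUST_A_FF_COS_EGRESS_V4
set interfaces ae0 unit 1000 family inet filter input CUST_A_FF_COS_INGRESS_V4
set interfaces ae0 unit 1000 family inet filter output CUST_A_FF_COS_EGRESS_V4
"""

POLICER = re.compile(r"set firewall policer (\S+) physical-interface-policer$")
PHYS_FILTER = re.compile(r"set firewall family (\S+) filter (\S+) physical-interface-filter$")
REF = re.compile(r"set firewall family (\S+) filter (\S+) term \S+ then policer (\S+)$")
ATTACH = re.compile(r"set interfaces (\S+) unit (\d+) family (\S+) filter (input|output)(?:-list)? (\S+)$")

def audit(config):
    """Return (errors, {policer: [units sharing it]}) for a set-style config."""
    phys_policers, phys_filters, refs = set(), set(), []
    units = defaultdict(set)  # (family, filter) -> {"ae0.999", ...}
    for line in map(str.strip, config.splitlines()):
        if m := POLICER.match(line):
            phys_policers.add(m[1])
        elif m := PHYS_FILTER.match(line):
            phys_filters.add((m[1], m[2]))
        elif m := REF.match(line):
            refs.append((m[1], m[2], m[3]))
        elif m := ATTACH.match(line):
            units[(m[3], m[5])].add(f"{m[1]}.{m[2]}")
    errors, shared = [], defaultdict(set)
    for family, flt, policer in refs:
        if policer not in phys_policers:
            continue  # ordinary or logical-interface policer: rule does not apply
        if (family, flt) not in phys_filters:
            errors.append(f"filter {flt} ({family}) references physical interface "
                          f"policer {policer} but is not a physical-interface-filter")
        else:
            shared[policer] |= units[(family, flt)]
    return errors, {p: sorted(u) for p, u in shared.items()}

if __name__ == "__main__":
    errs, shared = audit(SAMPLE)
    print("\n".join(errs) or "no policer/filter mismatches")
    print(shared)
```

Running it against a candidate configuration before commit surfaces the same mismatch the router reported in reply 3, and the second return value shows which units are policed as one aggregate.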