Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  MX960 policer

    Posted 11-10-2023 19:09

    Hello mates,

    I have a situation where the customer has two VLANs running on two sub-interfaces (aggregate-ethernet interface) and we need to implement a shared rate limit, let's say 1 Gbps, for both sub-interfaces at the same time. We want to ensure that the combined traffic from both sub-interfaces/VLANs does not exceed 1 Gbps, while still allowing each individual VLAN to reach a maximum of 1 Gbps.

    Noting that the physical interface is being used by many other customers' VLANs, therefore the physical policer cannot be applied.

    I would appreciate it if you could share the syntax for ALL options you have, as well as how to verify if the policer is effective.



  • 2.  RE: MX960 policer

    Posted 11-30-2023 08:36

    Hello mate,

    A little bit late, but I hope this helps.

    In Junos, if you specify a firewall filter and use it on multiple interfaces, this filter is by nature shared. So, if you apply a policer through this filter, the policer will be shared by every interface that uses the filter. Normally, this behavior is unwanted, so you specify the interface-specific option inside of your firewall filter, which creates a new instance of that filter (as well as all applied resources) for every interface it gets applied to.

    What you could do in order to resolve your situation: define a new firewall filter, which is designated to the customer and not interface-specific. Inside of this filter, you simply apply a new policer, specifically made for the customer, which features your desired bandwidth characteristics. You then set this filter as an input filter for all units the customer uses, so two in your specific case. As a result, the maximum bandwidth consumable by both interfaces is what you defined. But this bandwidth could be used by only one interface or shared by both. 

    I tested the following configuration inside my lab using virtual MX routers, but it should apply to your MX960 as well. In my tests, I used bngblaster to generate two traffic streams, one for each unit. Both units were policed by the specified amount, so a combined throughput of 1 Gbps was possible. Please note that the values for the bandwidth are an example and might need to be adjusted to your specific needs:

    interfaces {
        xe-0/0/1 {
            flexible-vlan-tagging;
            unit 10 {
                vlan-id 10;
                family inet {
                    filter {
                        input FILTER_CUSTOMER;
                    }
                    address 2.0.0.1/30;
                }
            }
            unit 20 {
                vlan-id 20;
                family inet {
                    filter {
                        input FILTER_CUSTOMER;
                    }
                    address 2.0.0.5/30;
                }
            }
        }
    }
    firewall {
        family inet {
            filter FILTER_CUSTOMER {
                term one {
                    then policer POLICER_CUSTOMER;
                }
            }
        }
        policer POLICER_CUSTOMER {
            if-exceeding {
                bandwidth-limit 1g;
                burst-size-limit 10m;
            }
            then discard;
        }
    }

    I hope this answers your question well enough. If anything is unclear, just ask me and I will be happy to help!

    BR, Johannes



    ------------------------------
    Johannes | Systems Engineer
    A computer's attention span is only as long as its power cord.
    ------------------------------
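
The difference between one shared policer and per-interface policer instances, as described in the reply above, shown as an added example that is not part of the original posts and not Juniper code. It is a simplified token-bucket model that uses the posted bandwidth-limit and burst-size-limit; the packet size, offered loads and the names `Policer` and `simulate` are constructed for illustration.

```python
# Simplified single-rate two-color token bucket (a model for illustration,
# not Juniper's implementation). Rate and burst are the values from the post.
BANDWIDTH_BPS = 1_000_000_000  # bandwidth-limit 1g, bits per second
BURST_BYTES = 10_000_000       # burst-size-limit 10m, bytes
PKT_BYTES = 1250               # constructed packet size (10,000 bits)


class Policer:
    def __init__(self):
        self.rate = BANDWIDTH_BPS / 8      # refill rate in bytes per second
        self.tokens = float(BURST_BYTES)   # bucket starts full
        self.last = 0.0

    def admit(self, now, size):
        # Refill for the elapsed time, never beyond the burst size.
        self.tokens = min(BURST_BYTES, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False                       # out of profile: "then discard"


def simulate(offered_bps, shared, duration=2.0):
    """Return forwarded bit/s per unit for constant-rate offered loads."""
    common = Policer()
    policers = {u: common if shared else Policer() for u in offered_bps}
    events = []
    for unit, bps in offered_bps.items():
        if bps:
            gap = PKT_BYTES * 8 / bps      # seconds between packets
            events += [(i * gap, unit) for i in range(round(duration / gap))]
    passed = dict.fromkeys(offered_bps, 0)
    for now, unit in sorted(events):
        if policers[unit].admit(now, PKT_BYTES):
            passed[unit] += PKT_BYTES * 8
    return {u: bits / duration for u, bits in passed.items()}


if __name__ == "__main__":
    load = {"unit 10": 800e6, "unit 20": 600e6}   # constructed offered loads
    print("shared filter:     ", simulate(load, shared=True))
    print("interface-specific:", simulate(load, shared=False))
    print("one VLAN active:   ", simulate({"unit 10": 1e9, "unit 20": 0}, shared=True))
```

Because the bucket starts full, the 2-second average in the shared case lands near 1.04 Gbps rather than exactly 1 Gbps; the extra 80 Mbit is the 10 MB burst allowance being spent once.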