Hi All,
I have an MX480 router with an aggregated Ethernet interface (ae0). It is a shared interface for multiple customers, split by VLANs and routing-instances. We then assign a "logical-interface-policer" to each VLAN.
Now I have a situation where, for a specific customer (a single routing-instance), I would like to set up a single, common policer that is shared between all of his VLANs on my ae0. The question is how to do it.
My typical configuration:
set firewall policer CUST_A_VLAN_POLICER logical-interface-policer
set firewall policer CUST_A_VLAN_POLICER shared-bandwidth-policer
set firewall policer CUST_A_VLAN_POLICER if-exceeding bandwidth-limit 10m
set firewall policer CUST_A_VLAN_POLICER if-exceeding burst-size-limit 6250000
set firewall policer CUST_A_VLAN_POLICER then discard
set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 interface-specific
set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 term ALL then policer CUST_A_VLAN_POLICER
set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 term ALL then dscp be
set firewall family inet filter CUST_A_FF_COS_EGRESS_V4 interface-specific
set firewall family inet filter CUST_A_FF_COS_EGRESS_V4 term ALL then policer CUST_A_VLAN_POLICER
set interfaces ae0 unit 999 vlan-id 999
set interfaces ae0 unit 999 family inet filter input-list CUST_A_FF_COS_INGRESS_V4
set interfaces ae0 unit 999 family inet filter output-list CUST_A_FF_COS_EGRESS_V4
set routing-instances CUSTOMER_A interface ae0.999
With this example, if I apply "firewall family inet filter CUST_A_999_FF_COS_INGRESS_V4" to VLAN 999 and some other one, each VLAN will have its own 10 Mbps policer.
What I need is a shared 10 Mbps policer for multiple VLANs.
I found this parameter:
https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/filter-specific-edit-firewall.html
So I suppose I should configure it this way:
set firewall policer CUST_A_VLAN_POLICER logical-interface-policer
set firewall policer CUST_A_VLAN_POLICER shared-bandwidth-policer
set firewall policer CUST_A_VLAN_POLICER filter-specific
set firewall policer CUST_A_VLAN_POLICER if-exceeding bandwidth-limit 10m
set firewall policer CUST_A_VLAN_POLICER if-exceeding burst-size-limit 6250000
set firewall policer CUST_A_VLAN_POLICER then discard
set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 interface-specific
set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 term ALL then policer CUST_A_VLAN_POLICER
set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 term ALL then dscp be
set firewall family inet filter CUST_A_FF_COS_EGRESS_V4 interface-specific
set firewall family inet filter CUST_A_FF_COS_EGRESS_V4 term ALL then policer CUST_A_VLAN_POLICER
set interfaces ae0 unit 999 vlan-id 999
set interfaces ae0 unit 999 family inet filter input-list CUST_A_FF_COS_INGRESS_V4
set interfaces ae0 unit 999 family inet filter output-list CUST_A_FF_COS_EGRESS_V4
set interfaces ae0 unit 1000 vlan-id 1000
set interfaces ae0 unit 1000 family inet filter input-list CUST_A_FF_COS_INGRESS_V4
set interfaces ae0 unit 1000 family inet filter output-list CUST_A_FF_COS_EGRESS_V4
set routing-instances CUSTOMER_A interface ae0.999
set routing-instances CUSTOMER_A interface ae0.1000