MX Series - Common policer for few VLANs

2 weeks ago

Hi All,

I have an MX480 router with an aggregated Ethernet interface (ae0). It is a shared interface for multiple customers, split by VLANs and routing-instances. We then assign a "logical-interface-policer" to each VLAN.

Now I have a situation where, for a specific customer (a single routing-instance), I would like to set up a single, common policer which will be shared between all his VLANs on my ae0. The question is how to do it.

My typical configuration:

set firewall policer CUST_A_VLAN_POLICER logical-interface-policer
set firewall policer CUST_A_VLAN_POLICER shared-bandwidth-policer
set firewall policer CUST_A_VLAN_POLICER if-exceeding bandwidth-limit 10m
set firewall policer CUST_A_VLAN_POLICER if-exceeding burst-size-limit 6250000
set firewall policer CUST_A_VLAN_POLICER then discard

set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 interface-specific
set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 term ALL then policer CUST_A_VLAN_POLICER
set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 term ALL then dscp be
set firewall family inet filter CUST_A_FF_COS_EGRESS_V4 interface-specific
set firewall family inet filter CUST_A_FF_COS_EGRESS_V4 term ALL then policer CUST_A_VLAN_POLICER

set interfaces ae0 unit 999 vlan-id 999
set interfaces ae0 unit 999 family inet filter input-list CUST_A_FF_COS_INGRESS_V4
set interfaces ae0 unit 999 family inet filter output-list CUST_A_FF_COS_EGRESS_V4


set routing-instances CUSTOMER_A interface ae0.999

With this example, if I apply "firewall family inet filter CUST_A_999_FF_COS_INGRESS_V4" to VLAN 999 and some other one, each VLAN will have its own 10 Mbps policer.

What I need is a shared 10 Mbps policer for multiple VLANs.

I found this parameter:

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/filter-sp...

Then I suppose I should configure it this way:

set firewall policer CUST_A_VLAN_POLICER logical-interface-policer
set firewall policer CUST_A_VLAN_POLICER shared-bandwidth-policer
set firewall policer CUST_A_VLAN_POLICER filter-specific
set firewall policer CUST_A_VLAN_POLICER if-exceeding bandwidth-limit 10m
set firewall policer CUST_A_VLAN_POLICER if-exceeding burst-size-limit 6250000
set firewall policer CUST_A_VLAN_POLICER then discard

 

set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 interface-specific
set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 term ALL then policer CUST_A_VLAN_POLICER
set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 term ALL then dscp be
set firewall family inet filter CUST_A_FF_COS_EGRESS_V4 interface-specific
set firewall family inet filter CUST_A_FF_COS_EGRESS_V4 term ALL then policer CUST_A_VLAN_POLICER

 

set interfaces ae0 unit 999 vlan-id 999
set interfaces ae0 unit 999 family inet filter input-list CUST_A_FF_COS_INGRESS_V4
set interfaces ae0 unit 999 family inet filter output-list CUST_A_FF_COS_EGRESS_V4

set interfaces ae0 unit 1000 vlan-id 1000
set interfaces ae0 unit 1000 family inet filter input-list CUST_A_FF_COS_INGRESS_V4
set interfaces ae0 unit 1000 family inet filter output-list CUST_A_FF_COS_EGRESS_V4

 

set routing-instances CUSTOMER_A interface ae0.999
set routing-instances CUSTOMER_A interface ae0.1000

 

Re: MX Series - Common policer for few VLANs

2 weeks ago

Hello,

You need the "physical-interface-policer" + "physical-interface-filter" JUNOS features to police a dual-stack VLAN set as a whole.

https://www.juniper.net/documentation/en_US/junos/topics/example/policer-single-rate-two-color-physi...

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/physical-...

"physical-interface-policer" also includes "logical-interface-policer" functionality, so you do NOT need the "logical-interface-policer" knob anymore if you want to police multiple dual-stack VLANs as a whole.

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: MX Series - Common policer for few VLANs

2 weeks ago

Yes, I was trying that before and I saw a message:

[edit firewall family inet filter CUST_A_AGGREGATE_FF_COS_INGRESS_BRIDGE term ALL_TRAFFIC then policer]
'policer CUST_A_AGGREGATE_POLICER'
Physical interface policer 'CUST_A_AGGREGATE_POLICER' can be refered only by physical interface filters
commit-check failed
commit-check failed
error: configuration check-out failed

 

However I have just noticed one small difference: 

1) In the configuration for "logical-interface-policer" I must apply it to the interface with the commands:
set interfaces ae0 unit 999 family inet filter input-list CUST_A_FF_COS_INGRESS_V4
set interfaces ae0 unit 999 family inet filter output-list CUST_A_FF_COS_EGRESS_V4

2) However, in the configuration for "physical-interface-policer" the syntax is different:
set interfaces ae0 unit 999 family inet filter input CUST_A_FF_COS_INGRESS_V4
set interfaces ae0 unit 999 family inet filter output CUST_A_FF_COS_EGRESS_V4

Now the config is committing. THANK YOU!
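
Added example, not part of the original thread: a small pre-commit check in Python for the two mistakes this thread runs into, a filter that references a physical-interface-policer without being marked physical-interface-filter (the commit error quoted above) and such a filter attached with input-list/output-list instead of input/output (the poster's observation). The sample configuration is constructed from the thread's names, and the regular expressions cover only the set-command shapes shown here.

```python
import re

# Constructed sample: the thread's names, with the policer made a physical-interface-policer.
BROKEN = """\
set firewall policer CUST_A_AGGREGATE_POLICER physical-interface-policer
set firewall policer CUST_A_AGGREGATE_POLICER if-exceeding bandwidth-limit 10m
set firewall policer CUST_A_AGGREGATE_POLICER if-exceeding burst-size-limit 6250000
set firewall policer CUST_A_AGGREGATE_POLICER then discard
set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 term ALL then policer CUST_A_AGGREGATE_POLICER
set interfaces ae0 unit 999 family inet filter input-list CUST_A_FF_COS_INGRESS_V4
set interfaces ae0 unit 1000 family inet filter input-list CUST_A_FF_COS_INGRESS_V4
"""
# Corrected form: filter marked physical-interface-filter, attached with "input".
FIXED = BROKEN.replace("input-list", "input") + (
    "set firewall family inet filter CUST_A_FF_COS_INGRESS_V4 physical-interface-filter\n")

POLICER = re.compile(r"set firewall policer (\S+) physical-interface-policer$")
FILTER_FLAG = re.compile(r"set firewall family \S+ filter (\S+) physical-interface-filter$")
FILTER_REF = re.compile(r"set firewall family \S+ filter (\S+) term \S+ then policer (\S+)$")
ATTACH = re.compile(r"set interfaces (\S+) unit (\d+) family \S+ filter (input|output)(-list)? (\S+)$")

def lint(config):
    """Return findings for filters that misuse a physical-interface-policer."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    phys_policers = {m[1] for l in lines if (m := POLICER.match(l))}
    phys_filters = {m[1] for l in lines if (m := FILTER_FLAG.match(l))}
    # Filters whose terms reference one of the physical-interface policers.
    uses = {m[1] for l in lines if (m := FILTER_REF.match(l)) and m[2] in phys_policers}
    findings = []
    for f in sorted(uses - phys_filters):
        findings.append(f"{f}: references a physical-interface-policer "
                        "but is not a physical-interface-filter")
    for l in lines:
        m = ATTACH.match(l)
        if m and m[5] in uses and m[4]:
            findings.append(f"{m[1]}.{m[2]}: {m[5]} attached with {m[3]}-list; "
                            f"the thread's working config uses '{m[3]}'")
    return findings

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint(cfg) or "ok")
```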

 

 

Solution
Accepted by topic author przema86

Re: MX Series - Common policer for few VLANs

2 weeks ago

Hello,

Glad to help. Please accept the solution so others can benefit.

Thx

Alex
