Scenario 1: Firewall Filter Term Matches on Multiple Addresses
The complete example, “Example: Configuring Prefix-Specific Counting and Policing”, shows
the simplest case of prefix-specific actions, in which a single-term firewall
filter matches on one address with a prefix length that is the same as the subnet prefix
length specified in the prefix-specific action. Unlike the example, this scenario describes
a configuration in which a single-term firewall filter matches on two IPv4 source addresses.
In addition, the additional condition matches on a source address with a prefix length
that is different from the subnet prefix length defined in the prefix-specific action. In this
case, the additional condition matches on the /16 subnet of the source address 10.11.0.0.
NOTE: Unlike packets that match the source address 10.10.10.0/24, packets that match the
source address 10.11.0.0/16 are in a many-to-one correspondence with the instances in the
counter and policer set.
The filter-matched packets that are passed to the prefix-specific action index into the
counter and policer set in such a way that the counting and policing instances are shared
by packets that contain source addresses across the 10.10.10.0/24 and 10.11.0.0/16 subnets
as follows:
• The first counter and policer in the set are indexed by packets with source addresses
  10.10.10.0 and 10.11.x.0, where x ranges from 0 through 255.
• The second counter and policer in the set are indexed by packets with source addresses
  10.10.10.1 and 10.11.x.1, where x ranges from 0 through 255.
• The 256th (last) counter and policer in the set are indexed by packets with source
  addresses 10.10.10.255 and 10.11.x.255, where x ranges from 0 through 255.
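The sharing described in the list above can be checked offline. The following Python sketch is an added example, not Juniper code: it assumes the instance index is the address bits between the subnet-prefix-length (24) and source-prefix-length (32) values used in this scenario's prefix-specific action, which reproduces the mapping in the bullets. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Values from this scenario's prefix-action statement.
SUBNET_PREFIX_LENGTH = 24
SOURCE_PREFIX_LENGTH = 32
# Source prefixes matched by the filter term in this scenario.
FILTER_MATCH = [ipaddress.ip_network("10.10.10.0/24"),
                ipaddress.ip_network("10.11.0.0/16")]

def set_size(subnet_len=SUBNET_PREFIX_LENGTH, source_len=SOURCE_PREFIX_LENGTH):
    """Number of counter/policer instances in the set (assumed 2^(source - subnet))."""
    return 1 << (source_len - subnet_len)

def instance_index(addr, subnet_len=SUBNET_PREFIX_LENGTH,
                   source_len=SOURCE_PREFIX_LENGTH):
    """0-based instance index (the page's "first" instance is index 0)."""
    value = int(ipaddress.IPv4Address(addr))
    return (value >> (32 - source_len)) & (set_size(subnet_len, source_len) - 1)

def sharing_map(sources):
    """Group filter-matched sources by the instance they share; others are skipped."""
    shared = defaultdict(list)
    for src in sources:
        ip = ipaddress.IPv4Address(src)
        if any(ip in net for net in FILTER_MATCH):
            shared[instance_index(src)].append(src)
    return dict(shared)

def sharers_per_instance():
    """Count every matched source address that lands on each instance."""
    counts = defaultdict(int)
    for net in FILTER_MATCH:
        for ip in net:
            counts[instance_index(str(ip))] += 1
    return dict(counts)

if __name__ == "__main__":
    # Constructed sample sources; 192.0.2.1 does not match the filter term.
    sample = ["10.10.10.1", "10.11.0.1", "10.11.200.1",
              "10.10.10.255", "10.11.7.255", "192.0.2.1"]
    for index, members in sorted(sharing_map(sample).items()):
        print(f"instance {index}: shared by {', '.join(members)}")
    print("addresses per instance:", set(sharers_per_instance().values()))
```

Each instance ends up shared by one address from 10.10.10.0/24 and 256 addresses from 10.11.0.0/16, so the per-instance counter and policer in this scenario do not isolate individual 10.11.x.y hosts.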
The following configuration shows the statements for configuring the single-rate two-color
policer, the prefix-specific action that references the policer, and the IPv4 standard
stateless firewall filter that references the prefix-specific action:
[edit]
firewall {
    policer 1Mbps-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 63k;
        }
        then discard;
    }
    family inet {
        prefix-action psa-1Mbps-per-source-24-32-256 {
            policer 1Mbps-policer;
            subnet-prefix-length 24;
            source-prefix-length 32;
        }
        filter limit-source-two-24-16 {
            term one {
                from {
Copyright © 2016, Juniper Networks, Inc.
Chapter 10: Prefix-Specific Counting and Policing Actions
Traffic Policers Feature Guide for EX9200 Switches