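Ingress Queuing Filter with Policing Functionality
Starting in Junos OS Release 18.1R1, on MPCs that support ingress queuing, you can apply policer actions and other filter actions to traffic before it is assigned to an ingress queue. The ingress queuing policing filter lets you rate-limit and count traffic, and set the forwarding class and packet loss priority of packets, before an ingress queue is selected. You can then use class-of-service (CoS) commands to select the ingress queue parameters.
Understanding Ingress Queuing Policing Filters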
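The ingress queuing policing filter (iq-policing-filter) functions in much the same way as the ingress queuing filter (ingress-queuing-filter), which was introduced in Junos OS Release 16.1, but has the added advantage of accepting nearly all filter actions, including policing and counting actions. The ingress queuing policing filter is also more efficient and requires fewer system resources.
The ingress queuing filter is available only when the traffic-manager mode is set to ingress-and-egress at the [edit chassis fpc fpc-id pic pic-id traffic-manager mode] hierarchy level.
The iq-policing-filter configuration statement is used at the [edit interfaces interface-name unit unit-number family family-name] hierarchy level to designate a previously configured firewall filter as the ingress queuing policing filter. The following list shows which protocol families are compatible with the iq-policing-filter statement:
bridge
inet
vpls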
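Example: Configuring a Filter for Use as an Ingress Queuing Policing Filter
This example shows how to configure a firewall filter for use as an ingress queuing policing filter. The ingress queuing filter assists ingress traffic policing operations by letting you rate-limit traffic before an ingress queue is selected. The firewall filter must be configured in one of the following protocol families: bridge, inet, or vpls.
The ingress queuing policing filter can be used only on MX Series routers with MPCs that support ingress queuing. If an ingress queuing filter is applied to an interface on any other type of port concentrator, an error is generated at commit.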
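Requirements
This example uses the following hardware and software components:
An MX Series router with MPCs that support ingress queuing
For the ingress queuing filter to function, ingress-and-egress must be configured as the traffic-manager mode at the [edit chassis fpc slot pic slot traffic-manager mode] hierarchy level.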
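Overview
In this example, you create a firewall filter named vpls_iqp_filter in the vpls protocol family that counts and polices voice and best-effort traffic. You then apply the filter vpls_iqp_filter to the xe-0/0/0.0 logical interface as an ingress queuing policing filter.
To configure the firewall filter and apply it as an ingress queuing filter:
Create a firewall filter named vpls_iqp_filter in the vpls protocol family with the following actions: count, forwarding-class, and policer.
Apply the firewall filter to the xe-0/0/0.0 interface as an ingress queuing policing filter.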
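Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.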
set firewall family vpls filter vpls_iqp_filter interface-specific
set firewall family vpls filter vpls_iqp_filter term VoiceSum from learn-vlan-1p-priority 5
set firewall family vpls filter vpls_iqp_filter term VoiceSum then count VoiceSum
set firewall family vpls filter vpls_iqp_filter term VoiceSum then forwarding-class Voice
set firewall family vpls filter vpls_iqp_filter term VoiceSum then next term
set firewall family vpls filter vpls_iqp_filter term Voice from learn-vlan-1p-priority 5
set firewall family vpls filter vpls_iqp_filter term Voice then policer Voice-IN
set firewall family vpls filter vpls_iqp_filter term Voice then count Voice
set firewall family vpls filter vpls_iqp_filter term Voice then accept
set firewall family vpls filter vpls_iqp_filter term BestEffortSum then count BestEffortSum
set firewall family vpls filter vpls_iqp_filter term BestEffortSum then next term
set firewall family vpls filter vpls_iqp_filter term BestEffort then policer BestEffort-IN
set firewall family vpls filter vpls_iqp_filter term BestEffort then count BestEffort
set firewall family vpls filter vpls_iqp_filter term BestEffort then accept
set firewall family vpls filter vpls_iqp_filter policer pol-vpls if-exceeding bandwidth-limit 400m
set firewall family vpls filter vpls_iqp_filter policer pol-vpls if-exceeding burst-size-limit 40m
set firewall family vpls filter vpls_iqp_filter policer pol-vpls then discard
set firewall family vpls filter vpls_iqp_filter policer Voice-IN if-exceeding bandwidth-limit 100m
set firewall family vpls filter vpls_iqp_filter policer Voice-IN if-exceeding burst-size-limit 10m
set firewall family vpls filter vpls_iqp_filter policer Voice-IN then loss-priority high
set firewall family vpls filter vpls_iqp_filter policer BestEffort-IN if-exceeding bandwidth-limit 350m
set firewall family vpls filter vpls_iqp_filter policer BestEffort-IN if-exceeding burst-size-limit 30m
set firewall family vpls filter vpls_iqp_filter policer BestEffort-IN then loss-priority high
set interfaces xe-0/0/0 unit 0 family vpls iq-policing-filter vpls_iqp_filter
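Configuring the Firewall Filter and Applying It to an Interface as an Ingress Queuing Policing Filter
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure the firewall filter vpls_iqp_filter and apply it to logical interface xe-0/0/0 unit 0: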
Create a firewall filter named vpls_iqp_filter.
[edit firewall family vpls filter vpls_iqp_filter]
user@router# set interface-specific
user@router# set term VoiceSum from learn-vlan-1p-priority 5
user@router# set term VoiceSum then count VoiceSum
user@router# set term VoiceSum then forwarding-class Voice
user@router# set term VoiceSum then next term
user@router# set term Voice from learn-vlan-1p-priority 5
user@router# set term Voice then policer Voice-IN
user@router# set term Voice then count Voice
user@router# set term Voice then accept
user@router# set term BestEffortSum then count BestEffortSum
user@router# set term BestEffortSum then next term
user@router# set term BestEffort then policer BestEffort-IN
user@router# set term BestEffort then count BestEffort
user@router# set term BestEffort then accept
user@router# set policer pol-vpls if-exceeding bandwidth-limit 400m
user@router# set policer pol-vpls if-exceeding burst-size-limit 40m
user@router# set policer pol-vpls then discard
user@router# set policer Voice-IN if-exceeding bandwidth-limit 100m
user@router# set policer Voice-IN if-exceeding burst-size-limit 10m
user@router# set policer Voice-IN then loss-priority high
user@router# set policer BestEffort-IN if-exceeding bandwidth-limit 350m
user@router# set policer BestEffort-IN if-exceeding burst-size-limit 30m
user@router# set policer BestEffort-IN then loss-priority high
Apply the firewall filter to the logical interface.
[edit interfaces xe-0/0/0]
user@router# set unit 0 family vpls iq-policing-filter vpls_iqp_filter
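Results
From configuration mode, confirm your configuration by entering the show firewall and show interfaces xe-0/0/0.0 commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.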
user@router# show firewall family vpls filter vpls_iqp_filter
interface-specific;
term VoiceSum {
    from {
        learn-vlan-1p-priority 5;
    }
    then {
        count VoiceSum;
        forwarding-class Voice;
        next term;
    }
}
term Voice {
    from {
        learn-vlan-1p-priority 5;
    }
    then {
        policer Voice-IN;
        count Voice;
        accept;
    }
}
term BestEffortSum {
    then {
        count BestEffortSum;
        next term;
    }
}
term BestEffort {
    then {
        policer BestEffort-IN;
        count BestEffort;
        accept;
    }
}
policer pol-vpls {
    if-exceeding {
        bandwidth-limit 400m;
        burst-size-limit 40m;
    }
    then discard;
}
policer Voice-IN {
    if-exceeding {
        bandwidth-limit 100m;
        burst-size-limit 10m;
    }
    then loss-priority high;
}
policer BestEffort-IN {
    if-exceeding {
        bandwidth-limit 350m;
        burst-size-limit 30m;
    }
    then loss-priority high;
}
user@router# show interfaces xe-0/0/0 unit 0
family vpls {
    iq-policing-filter vpls_iqp_filter;
}
When you are done configuring the device, enter commit from configuration mode.
user@router# commit
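A pre-commit check of the constraints this page states (compatible families, the traffic-manager mode prerequisite, and policers referenced by the filter), run over a candidate list of set commands. This is an added example, not Juniper code: the function name lint_iq_policing is hypothetical, the patterns assume the command layout used in the quick configuration above, and the sample input is constructed.

```python
import re

IQP_FAMILIES = {"bridge", "inet", "vpls"}  # families the page lists as compatible
# Patterns follow the command layout used in this page's quick configuration.
ATTACH = re.compile(r"set interfaces ([a-z]+-(\d+)/(\d+)/\d+) unit (\d+) family (\S+) iq-policing-filter (\S+)$")
TM_MODE = re.compile(r"set chassis fpc (\d+) pic (\d+) traffic-manager mode (\S+)$")
POL_USE = re.compile(r"set firewall family \S+ filter (\S+) term \S+ then policer (\S+)$")
POL_DEF = re.compile(r"set firewall family \S+ filter (\S+) policer (\S+) ")

def lint_iq_policing(config_text):
    """Return a list of findings for a block of Junos 'set' commands."""
    attach, tm_mode, used, defined = [], {}, set(), set()
    for line in (l.strip() for l in config_text.splitlines()):
        if m := ATTACH.match(line):
            attach.append(m.groups())
        elif m := TM_MODE.match(line):
            tm_mode[m.group(1), m.group(2)] = m.group(3)
        elif m := POL_USE.match(line):
            used.add(m.groups())
        elif m := POL_DEF.match(line):
            defined.add(m.groups())
    findings = []
    for ifd, fpc, pic, unit, family, _flt in attach:
        if family not in IQP_FAMILIES:
            findings.append(f"{ifd}.{unit}: family {family} not supported by iq-policing-filter")
        # Interface xe-F/P/n sits on FPC F, PIC P; that PIC needs ingress-and-egress mode.
        if tm_mode.get((fpc, pic)) != "ingress-and-egress":
            findings.append(f"{ifd}.{unit}: fpc {fpc} pic {pic} traffic-manager mode is not ingress-and-egress")
    attached = {a[5] for a in attach}
    for flt, pol in sorted(used - defined):
        if flt in attached:
            findings.append(f"{flt}: policer {pol} referenced but not defined")
    for flt, pol in sorted(defined - used):
        if flt in attached:
            findings.append(f"{flt}: policer {pol} defined but never referenced")
    return findings

# Constructed sample: lines taken from the quick configuration above, plus one
# constructed attachment (xe-0/0/1, family inet6) that the page does not contain.
SAMPLE = """
set firewall family vpls filter vpls_iqp_filter term BestEffort then policer BestEffort-IN
set firewall family vpls filter vpls_iqp_filter policer pol-vpls then discard
set firewall family vpls filter vpls_iqp_filter policer BestEffort-IN then loss-priority high
set interfaces xe-0/0/0 unit 0 family vpls iq-policing-filter vpls_iqp_filter
set interfaces xe-0/0/1 unit 0 family inet6 iq-policing-filter vpls_iqp_filter
"""

if __name__ == "__main__":
    print("\n".join(lint_iq_policing(SAMPLE)))
```

On the sample, the check reports the missing traffic-manager mode statement, which the quick configuration does not include, and the policer pol-vpls, which the filter defines but no term references.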