Example: Using Two-Color Policers and Prefix Lists
If you provide internal or external customers with a specific amount of bandwidth, you can use policing to ensure that a customer does not consume more bandwidth than it is entitled to. For example, you might have many customers connected to a single 10-Gbps interface and want to ensure that none of them congests the interface by using more bandwidth than it has been allocated.
You can do this by creating a two-color policer for each customer, similar to the following:
firewall {
    policer Limit-Customer-1 {
        if-exceeding {
            bandwidth-limit 100m;
            burst-size-limit 150m;
        }
        then discard;
    }
}
However, creating one policer per customer is clearly not a scalable solution. Alternatively, you can create prefix lists that group customers into classes, and then create one policer per prefix list. For example, you could create prefix lists such as Class-A-Customer-Prefixes, Class-B-Customer-Prefixes, and Class-C-Customer-Prefixes at the [edit policy-options] hierarchy level and create the following corresponding policers:
firewall {
    policer Class-A {
        if-exceeding {
            bandwidth-limit 100m;
            burst-size-limit 150m;
        }
        then discard;
    }
    policer Class-B {
        if-exceeding {
            bandwidth-limit 75m;
            burst-size-limit 100m;
        }
        then discard;
    }
    policer Class-C {
        if-exceeding {
            bandwidth-limit 50m;
            burst-size-limit 75m;
        }
        then discard;
    }
}
You must then create firewall filters that reference the prefix list in their from statement and the corresponding policer in their then statement, as follows:
firewall {
    family inet {
        filter Class-A-Customers {
            term term-1 {
                from {
                    destination-prefix-list {
                        Class-A-Customer-Prefixes;
                    }
                }
                then policer Class-A;
            }
        }
        filter Class-B-Customers {
            term term-1 {
                from {
                    destination-prefix-list {
                        Class-B-Customer-Prefixes;
                    }
                }
                then policer Class-B;
            }
        }
        filter Class-C-Customers {
            term term-1 {
                from {
                    destination-prefix-list {
                        Class-C-Customer-Prefixes;
                    }
                }
                then policer Class-C;
            }
        }
    }
}
To create this firewall configuration:
Create the first policer:
[edit firewall]
user@switch# set policer Class-A if-exceeding bandwidth-limit 100m burst-size-limit 150m
user@switch# set policer Class-A then discard
Create the second policer:
[edit firewall]
user@switch# set policer Class-B if-exceeding bandwidth-limit 75m burst-size-limit 100m
user@switch# set policer Class-B then discard
Create the third policer:
[edit firewall]
user@switch# set policer Class-C if-exceeding bandwidth-limit 50m burst-size-limit 75m
user@switch# set policer Class-C then discard
Create the filter for Class A customers:
[edit firewall]
user@switch# edit family inet filter Class-A-Customers
Configure the filter to send packets that match the prefix list Class-A-Customer-Prefixes to the Class-A policer:
[edit firewall family inet filter Class-A-Customers]
user@switch# set term term-1 from destination-prefix-list Class-A-Customer-Prefixes
user@switch# set term term-1 then policer Class-A
Create the filter for Class B customers:
[edit firewall]
user@switch# edit family inet filter Class-B-Customers
Configure the filter to send packets that match the prefix list Class-B-Customer-Prefixes to the Class-B policer:
[edit firewall family inet filter Class-B-Customers]
user@switch# set term term-1 from destination-prefix-list Class-B-Customer-Prefixes
user@switch# set term term-1 then policer Class-B
Create the filter for Class C customers:
[edit firewall]
user@switch# edit family inet filter Class-C-Customers
Configure the filter to send packets that match the prefix list Class-C-Customer-Prefixes to the Class-C policer:
[edit firewall family inet filter Class-C-Customers]
user@switch# set term term-1 from destination-prefix-list Class-C-Customer-Prefixes
user@switch# set term term-1 then policer Class-C
Apply the filters you created to the appropriate interfaces in the output direction.
Note that the implicit discard at the end of each filter blocks traffic from any source that does not match one of the prefix lists. If you want a filter to permit that traffic, you must include an explicit term for that purpose.
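The following Python model, added here as an illustration and not part of the Junos documentation or any Juniper software, shows what the configuration above actually does on the wire: a single-rate two-color policer is a token bucket that refills at bandwidth-limit (bits per second, so 100m is 12.5 MB per second) and holds at most burst-size-limit bytes (150m is 150 MB); a filter evaluates its terms in order, sends a matching packet through the term's policer, and drops any packet that reaches the end of the filter without a match. The prefix 203.0.113.0/24 standing in for Class-A-Customer-Prefixes, the destination addresses, packet sizes and timestamps are all constructed sample data, and the optional catch-all term shows the explicit accept term the note at the end of this page refers to.

```python
"""Model of a Junos-style two-color policer and prefix-list filter (added example)."""
import ipaddress


class TwoColorPolicer:
    """Single-rate two-color policer modelled as a token bucket.

    bandwidth_limit_bps mirrors 'bandwidth-limit' (bits per second) and
    burst_size_bytes mirrors 'burst-size-limit' (bytes). A packet that
    finds enough tokens is green and passes; otherwise it is red and,
    because the policer action is 'then discard', it is dropped.
    """

    def __init__(self, name, bandwidth_limit_bps, burst_size_bytes):
        self.name = name
        self.rate_bytes_per_s = bandwidth_limit_bps / 8
        self.burst_size_bytes = burst_size_bytes
        self.tokens = float(burst_size_bytes)  # bucket starts full
        self.last_time = 0.0

    def conforms(self, size_bytes, now):
        # Refill for the time elapsed since the last packet, capped at the burst size.
        elapsed = max(0.0, now - self.last_time)
        self.last_time = now
        self.tokens = min(self.burst_size_bytes,
                          self.tokens + elapsed * self.rate_bytes_per_s)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True   # green
        return False      # red


class Term:
    """One filter term: optional destination-prefix-list match, then an action."""

    def __init__(self, name, prefix_list=None, policer=None):
        self.name = name
        self.prefix_list = [ipaddress.ip_network(p) for p in (prefix_list or [])]
        self.policer = policer  # None means the action is 'then accept'

    def matches(self, dst):
        # A term without a 'from' clause matches every packet.
        return not self.prefix_list or any(dst in net for net in self.prefix_list)


class Filter:
    """Terms are evaluated in order; an unmatched packet hits the implicit discard."""

    def __init__(self, name, terms):
        self.name = name
        self.terms = terms

    def process(self, dst_ip, size_bytes, now):
        dst = ipaddress.ip_address(dst_ip)
        for term in self.terms:
            if not term.matches(dst):
                continue
            if term.policer is None or term.policer.conforms(size_bytes, now):
                return "accept"
            return "discard:" + term.policer.name
        return "discard:implicit"


def run_scenario(allow_unmatched=False):
    """Replay constructed traffic through a Class-A filter and return the verdicts."""
    class_a = TwoColorPolicer("Class-A", bandwidth_limit_bps=100_000_000,
                              burst_size_bytes=150_000_000)
    # Constructed stand-in for the Class-A-Customer-Prefixes prefix list.
    terms = [Term("term-1", ["203.0.113.0/24"], class_a)]
    if allow_unmatched:
        terms.append(Term("allow-rest"))  # explicit catch-all accept term
    flt = Filter("Class-A-Customers", terms)

    verdicts = []
    # t=0: 100 packets of 1.5 MB = 150 MB, exactly one burst, all green.
    for _ in range(100):
        verdicts.append(flt.process("203.0.113.10", 1_500_000, 0.0))
    # t=0: the bucket is now empty, so the next packet is red and discarded.
    verdicts.append(flt.process("203.0.113.10", 1_500_000, 0.0))
    # t=1 s: 100 Mbps refills 12.5 MB, enough for 8 more 1.5 MB packets but not 9.
    for _ in range(9):
        verdicts.append(flt.process("203.0.113.10", 1_500_000, 1.0))
    # A destination outside every prefix list: implicit discard unless a catch-all term exists.
    verdicts.append(flt.process("198.51.100.7", 64, 1.0))
    return verdicts


if __name__ == "__main__":
    for label, flag in (("no catch-all term", False), ("with catch-all term", True)):
        v = run_scenario(flag)
        print(label, "->", v.count("accept"), "accepted,",
              sum(x.startswith("discard") for x in v), "discarded, last:", v[-1])
```

The scenario makes the two limits visible separately: burst-size-limit bounds how much a customer may send at once, and bandwidth-limit bounds how fast the allowance comes back, which is why the ninth packet at t=1 s is dropped even though the customer is under its long-term 100-Mbps rate. The last packet shows the operational point of the note above: without an explicit accept term, traffic to any destination outside the prefix lists is silently dropped by the filter.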