    Prefix-Specific Counting and Policing Configuration Scenarios

    Prefix Length of the Action and Prefix Length of Addresses in Filtered Packets

    Table 1 describes the relationship between the prefix length specified in the prefix-specific action and the prefix length of the addresses matched by the firewall filter term that references the prefix-specific action.

    Table 1: Summary of Prefix-Specific Action Scenarios

    Prefix-specific action scenario   | Counter and Policer Set     | Packet-Filtering Criteria       | Indexing of Instances
    ----------------------------------+-----------------------------+---------------------------------+----------------------------------------
    Example: Configuring              | source-prefix-length = 32   | source-address = 10.10.10.0/24  | Instance 0:   10.10.10.0
    Prefix-Specific Counting and      | subnet-prefix-length = 24   |                                 | Instance 1:   10.10.10.1
    Policing                          | Set size: 2^8 = 256         |                                 | ...
                                      | Instance numbers: 0 - 255   |                                 | Instance 255: 10.10.10.255
    ----------------------------------+-----------------------------+---------------------------------+----------------------------------------
    Scenario 1: Firewall Filter Term  | source-prefix-length = 32   | source-address = 10.10.10.0/24  | Instance 0:   10.10.10.0, 10.11.x.0
    Matches on Multiple Addresses     | subnet-prefix-length = 24   | source-address = 10.11.0.0/16   | Instance 1:   10.10.10.1, 10.11.x.1
                                      | Set size: 2^8 = 256         |                                 | ...
                                      | Instance numbers: 0 - 255   |                                 | Instance 255: 10.10.10.255, 10.11.x.255
                                      |                             |                                 | (x ranges from 0 through 255)
    ----------------------------------+-----------------------------+---------------------------------+----------------------------------------
    Scenario 2: Subnet Prefix Is      | source-prefix-length = 32   | source-address = 10.10.10.0/24  | Instance 0:   10.10.10.0, 10.10.10.128
    Longer Than the Prefix in the     | subnet-prefix-length = 25   |                                 | Instance 1:   10.10.10.1, 10.10.10.129
    Filter Match Condition            | Set size: 2^7 = 128         |                                 | ...
                                      | Instance numbers: 0 - 127   |                                 | Instance 127: 10.10.10.127, 10.10.10.255
    ----------------------------------+-----------------------------+---------------------------------+----------------------------------------
    Scenario 3: Subnet Prefix Is      | source-prefix-length = 32   | source-address = 10.10.10.0/25  | Instance 0:   10.10.10.0
    Shorter Than the Prefix in the    | subnet-prefix-length = 24   | Only packets with source        | Instance 1:   10.10.10.1
    Firewall Filter Match Condition   | Set size: 2^8 = 256         | addresses 10.10.10.0 through    | ...
                                      | Instance numbers: 0 - 255   | 10.10.10.127 are passed to the  | Instance 127: 10.10.10.127
                                      |                             | prefix-specific action.         | Instances 128 - 255: unused

    Scenario 1: Firewall Filter Term Matches on Multiple Addresses

    The complete example, Example: Configuring Prefix-Specific Counting and Policing, shows the simplest case of prefix-specific actions: a single-term firewall filter matches on one address whose prefix length is the same as the subnet prefix length specified in the prefix-specific action. This scenario differs in two ways. The single-term firewall filter matches on two IPv4 source addresses, and the second match condition uses a prefix length that differs from the subnet prefix length defined in the prefix-specific action: it matches on the /16 subnet of the source address 10.11.0.0, while the prefix-specific action defines a subnet prefix length of 24.

    Note: Unlike packets that match the source address 10.10.10.0/24, packets that match the source address 10.11.0.0/16 are in a many-to-one correspondence with the instances in the counter and policer set.

    The filter-matched packets that are passed to the prefix-specific action index into the counter and policer set in such a way that the counting and policing instances are shared by packets that contain source addresses across the 10.10.10.0/24 and 10.11.0.0/16 subnets as follows:

    • The first counter and policer in the set are indexed by packets with source addresses 10.10.10.0 and 10.11.x.0, where x ranges from 0 through 255.
    • The second counter and policer in the set are indexed by packets with source addresses 10.10.10.1 and 10.11.x.1, where x ranges from 0 through 255.
    • The 256th (last) counter and policer in the set are indexed by packets with source addresses 10.10.10.255 and 10.11.x.255, where x ranges from 0 through 255.

    The following configuration shows the statements for configuring the single-rate two-color policer, the prefix-specific action that references the policer, and the IPv4 standard stateless firewall filter that references the prefix-specific action:

    [edit]
    firewall {
        policer 1Mbps-policer {
            if-exceeding {
                bandwidth-limit 1m;
                burst-size-limit 63k;
            }
            then discard;
        }
        family inet {
            prefix-action psa-1Mbps-per-source-24-32-256 {
                policer 1Mbps-policer;
                subnet-prefix-length 24;
                source-prefix-length 32;
            }
            filter limit-source-two-24-16 {
                term one {
                    from {
                        source-address {
                            10.10.10.0/24;
                            10.11.0.0/16;
                        }
                    }
                    then prefix-action psa-1Mbps-per-source-24-32-256;
                }
            }
        }
    }
    interfaces {
        so-0/0/2 {
            unit 0 {
                family inet {
                    filter {
                        input limit-source-two-24-16;
                    }
                    address 10.39.1.1/16;
                }
            }
        }
    }

    Scenario 2: Subnet Prefix Is Longer Than the Prefix in the Filter Match Condition

    The complete example, Example: Configuring Prefix-Specific Counting and Policing, shows the simplest case of prefix-specific actions: a single-term firewall filter matches on one address whose prefix length is the same as the subnet prefix length specified in the prefix-specific action. This scenario differs in that the prefix-specific action defines a subnet prefix length that is longer than the prefix of the source address matched by the firewall filter: the prefix-specific action defines a subnet-prefix-length of 25, while the firewall filter matches on a source address in a /24 subnet.

    Note: The firewall filter passes to the prefix-specific action packets with source addresses ranging from 10.10.10.0 through 10.10.10.255 (256 addresses), while the prefix-specific action allocates a set of only 128 counters and policers, numbered from 0 through 127.

    The filter-matched packets that are passed to the prefix-specific action index into the counter and policer set in such a way that each counting and policing instance is shared by a pair of source addresses within the 10.10.10.0/24 subnet, the two addresses of each pair differing by 128 in the last octet:

    • The first counter and policer in the set are indexed by packets with source addresses 10.10.10.0 and 10.10.10.128.
    • The second counter and policer in the set are indexed by packets with source addresses 10.10.10.1 and 10.10.10.129.
    • The 128th (last) counter and policer in the set are indexed by packets with source addresses 10.10.10.127 and 10.10.10.255.

    The following configuration shows the statements for configuring the single-rate two-color policer, the prefix-specific action that references the policer, and the IPv4 standard stateless firewall filter that references the prefix-specific action:

    [edit]
    firewall {
        policer 1Mbps-policer {
            if-exceeding {
                bandwidth-limit 1m;
                burst-size-limit 63k;
            }
            then discard;
        }
        family inet {
            prefix-action psa-1Mbps-per-source-25-32-128 {
                policer 1Mbps-policer;
                subnet-prefix-length 25;
                source-prefix-length 32;
            }
            filter limit-source-one-24 {
                term one {
                    from {
                        source-address {
                            10.10.10.0/24;
                        }
                    }
                    then prefix-action psa-1Mbps-per-source-25-32-128;
                }
            }
        }
    }
    interfaces {
        so-0/0/2 {
            unit 0 {
                family inet {
                    filter {
                        input limit-source-one-24;
                    }
                    address 10.39.1.1/16;
                }
            }
        }
    }

    Scenario 3: Subnet Prefix Is Shorter Than the Prefix in the Firewall Filter Match Condition

    The complete example, Example: Configuring Prefix-Specific Counting and Policing, shows the simplest case of prefix-specific actions, in which the single-term firewall filter matches on one address with a prefix length that is the same as the subnet prefix length specified in the prefix-specific action. Unlike the example, this scenario describes a configuration in which the prefix-specific action defines a subnet prefix length that is shorter than the prefix of the source address matched by the firewall filter. In this case, the filter term matches on the /25 subnet of the source address 10.10.10.0.

    Note: The firewall filter passes to the prefix-specific action only packets with source addresses ranging from 10.10.10.0 through 10.10.10.127 (128 addresses), while the prefix-specific action allocates a set of 256 counters and policers, numbered from 0 through 255.

    The matched packets that are passed to the prefix-specific action index into the lower half of the counter and policer set only:

    • The first counter and policer in the set are indexed by packets with source address 10.10.10.0.
    • The second counter and policer in the set are indexed by packets with source address 10.10.10.1.
    • The 128th counter and policer in the set are indexed by packets with source address 10.10.10.127.
    • The upper half of the set (instances numbered from 128 through 255) are not indexed by packets passed to the prefix-specific action from this particular firewall filter.
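    The following Python model is an added example, not Junos code and not configuration from this page. It models the indexing rule that the example configuration and Scenarios 1 through 3 illustrate, and generalizes it: the instance number is the field of the IPv4 source address that lies between subnet-prefix-length and source-prefix-length (counted from the most significant bit), so the set holds 2^(source-prefix-length minus subnet-prefix-length) instances and any address bit above subnet-prefix-length never distinguishes instances. That rule is an assumption of the model, chosen because it reproduces every instance listing in Table 1 and in the scenario text. The packet sample in the block is constructed, not captured traffic.

```python
"""Model of how a prefix-specific action indexes its counter/policer set.

Added example, not Junos code. Assumed rule (consistent with the scenarios
on this page): the instance number is the bit field of the source address
between subnet-prefix-length and source-prefix-length, counted from the MSB.
"""
import ipaddress
from collections import defaultdict


def set_size(subnet_prefix_length: int, source_prefix_length: int) -> int:
    """Number of counter/policer instances the prefix-specific action allocates."""
    if not 0 <= subnet_prefix_length <= source_prefix_length <= 32:
        raise ValueError("need 0 <= subnet-prefix-length <= source-prefix-length <= 32")
    return 1 << (source_prefix_length - subnet_prefix_length)


def instance_index(addr, subnet_prefix_length: int, source_prefix_length: int) -> int:
    """Instance selected by a packet whose IPv4 source address is `addr`.

    Bits below source-prefix-length are dropped by the shift; bits above
    subnet-prefix-length are dropped by the mask. Only packets that already
    matched the filter term reach the action, so no prefix check is made here.
    """
    width = source_prefix_length - subnet_prefix_length
    value = int(ipaddress.IPv4Address(addr))
    return (value >> (32 - source_prefix_length)) & ((1 << width) - 1)


def distribute(matched_prefixes, subnet_prefix_length, source_prefix_length):
    """Map each instance to every /32 source inside the filter's match prefixes
    that lands on it. Returns {instance: sorted list of dotted-quad strings}."""
    buckets = defaultdict(set)
    for prefix in matched_prefixes:
        # IPv4Network iteration includes the .0 and .255 addresses, which the
        # scenarios on this page treat as ordinary sources.
        for host in ipaddress.IPv4Network(prefix):
            idx = instance_index(int(host), subnet_prefix_length, source_prefix_length)
            buckets[idx].add(str(host))
    return {i: sorted(v, key=lambda a: int(ipaddress.IPv4Address(a)))
            for i, v in sorted(buckets.items())}


def scenario_summary(matched_prefixes, subnet_prefix_length, source_prefix_length):
    """What a reviewer wants to know before deploying the action: how many
    instances exist, how many the filter can ever touch, how heavily shared."""
    size = set_size(subnet_prefix_length, source_prefix_length)
    buckets = distribute(matched_prefixes, subnet_prefix_length, source_prefix_length)
    return {
        "set_size": size,
        "instances_used": len(buckets),
        "instances_unused": size - len(buckets),
        "shared_instances": sum(1 for v in buckets.values() if len(v) > 1),
        "max_sources_per_instance": max((len(v) for v in buckets.values()), default=0),
    }


# Constructed packet sample (source address, bytes); not captured traffic.
SAMPLE_PACKETS = [
    ("10.10.10.7", 1500), ("10.11.3.7", 1500), ("10.11.200.7", 1500),
    ("10.10.10.128", 64), ("10.10.10.0", 64),
]


def count_bytes(packets, subnet_prefix_length, source_prefix_length):
    """Per-instance byte counters for packets that reached the action."""
    counters = defaultdict(int)
    for src, length in packets:
        counters[instance_index(src, subnet_prefix_length, source_prefix_length)] += length
    return dict(counters)


if __name__ == "__main__":
    for name, prefixes, subnet, source in [
        ("Example", ["10.10.10.0/24"], 24, 32),
        ("Scenario 1", ["10.10.10.0/24", "10.11.0.0/16"], 24, 32),
        ("Scenario 2", ["10.10.10.0/24"], 25, 32),
        ("Scenario 3", ["10.10.10.0/25"], 24, 32),
    ]:
        print(name, scenario_summary(prefixes, subnet, source))
    # Scenario 1 sharing: three sources from two subnets land on instance 7.
    print(count_bytes(SAMPLE_PACKETS, 24, 32))
```

    Running the block prints one summary per scenario. The figure to watch is max_sources_per_instance: it is 1 for the example and for Scenario 3, 2 for Scenario 2, and 257 for Scenario 1 (one 10.10.10.N host plus 256 hosts 10.11.x.N). Because the policer's `then discard` is applied per instance, every source that shares an instance draws on the same 1 Mbps budget, so in Scenario 1 a single busy host anywhere in 10.11.0.0/16 can cause discards for the 10.10.10.N host that shares its instance. A prefix-specific action only delivers per-host limiting when the filter's match prefixes are no shorter than subnet-prefix-length; the summary function makes that visible before the configuration is committed.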

    The following configuration shows the statements for configuring the single-rate two-color policer, the prefix-specific action that references the policer, and the IPv4 standard stateless firewall filter that references the prefix-specific action:

    [edit]
    firewall {
        policer 1Mbps-policer {
            if-exceeding {
                bandwidth-limit 1m;
                burst-size-limit 63k;
            }
            then discard;
        }
        family inet {
            prefix-action psa-1Mbps-per-source-24-32-256 {
                policer 1Mbps-policer;
                subnet-prefix-length 24;
                source-prefix-length 32;
            }
            filter limit-source-one-25 {
                term one {
                    from {
                        source-address {
                            10.10.10.0/25;
                        }
                    }
                    then prefix-action psa-1Mbps-per-source-24-32-256;
                }
            }
        }
    }
    interfaces {
        so-0/0/2 {
            unit 0 {
                family inet {
                    filter {
                        input limit-source-one-25;
                    }
                    address 10.39.1.1/16;
                }
            }
        }
    }

    Published: 2013-02-11