
Configuring Prefix-Specific Actions

You can configure prefix-specific actions within the firewall configuration. Prefix-specific actions allow you to configure policers and counters for specific addresses or ranges of addresses, in effect creating policers and counters at a per-prefix level.

To configure prefix-specific actions, include the prefix-action name statement at the [edit firewall family inet] hierarchy level:

[edit firewall family inet]
prefix-action name {
    count;
    destination-prefix-length prefix-length;
    policer policer-name;
    source-prefix-length prefix-length;
    subnet-prefix-length prefix-length;
}

The following formula determines the number of prefix-specific actions created:

Number = 2 ^ (source/destination-prefix-length - subnet-prefix-length)

The subnet-prefix-length statement gives you more control over the flexibility offered by prefix-specific actions, making the policers more applicable and powerful. For example, if you want to filter all Transmission Control Protocol (TCP) packets and define two policers, all packets whose address ends with 0 in the last bit increment the first policer, while all packets whose address ends with 1 in the last bit increment the second policer. As another example, if you want to filter all TCP packets and define 256 policers, matching is based on the last octet of the destination address field. You achieve both cases by specifying an appropriate subnet prefix length.

Prefix-specific action is supported for the IP version 4 (IPv4) inet address family.

To configure prefix-specific actions, include the prefix-action statement and specify an action name.

To enable a prefix-specific counter, include the count statement.

To configure the destination address range specified for a prefix-specific policer or counter, include the destination-prefix-length statement.

To enable a set of prefix-specific policers, include the policer statement and specify the policer name.

To configure the source address range specified for a prefix-specific policer or counter, include the source-prefix-length statement.

To configure the total address range of the subnet supported, include the subnet-prefix-length statement. The source or destination prefix length must be larger than the subnet prefix length.

Prefix-specific action applies to a specific prefix length, and not to a specific interface. You can add an interface policer that polices at the aggregate level for a specific interface. You could also use the next term action to configure all Hypertext Transfer Protocol (HTTP) traffic to each host to transmit at 500 Kbps and have the total HTTP traffic limited to 1 Mbps.

The maximum number of policers you can configure for one subnet is 65,536. If you configure more than 65,536 policers, you receive an error message.
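The formula, the two TCP examples, and the limits above can be checked before committing a configuration. The following Python sketch is an added example, not part of the original documentation or of Junos itself; the function names are hypothetical, and the slot mapping (the address bits between the subnet prefix length and the source or destination prefix length select the policer) is an assumption generalized from the two examples on this page.

```python
import ipaddress

MAX_POLICERS = 65536  # per-subnet maximum stated on this page

def policer_count(prefix_length, subnet_prefix_length):
    """Number = 2 ^ (source/destination-prefix-length - subnet-prefix-length)."""
    if not 0 <= subnet_prefix_length < prefix_length <= 32:
        raise ValueError("source/destination prefix length must be larger "
                         "than the subnet prefix length (IPv4: 0-32)")
    count = 2 ** (prefix_length - subnet_prefix_length)
    if count > MAX_POLICERS:
        raise ValueError(f"{count} policers exceeds the maximum {MAX_POLICERS}")
    return count

def policer_index(address, prefix_length, subnet_prefix_length):
    """Assumed mapping: bits between the two lengths pick the policer slot."""
    count = policer_count(prefix_length, subnet_prefix_length)
    addr = int(ipaddress.IPv4Address(address))
    return (addr >> (32 - prefix_length)) & (count - 1)

def tally(addresses, prefix_length, subnet_prefix_length):
    """Count packets per slot, as a prefix-specific counter would."""
    counts = {}
    for address in addresses:
        slot = policer_index(address, prefix_length, subnet_prefix_length)
        counts[slot] = counts.get(slot, 0) + 1
    return counts

# Constructed sample destination addresses (documentation ranges).
SAMPLE = ["192.0.2.10", "192.0.2.11", "192.0.2.10",
          "198.51.100.10", "192.0.2.200"]

if __name__ == "__main__":
    # Two policers keyed on the last address bit: lengths 32 and 31.
    print(policer_count(32, 31), tally(SAMPLE, 32, 31))
    # 256 policers keyed on the last octet: lengths 32 and 24.
    # Under the assumed mapping, 198.51.100.10 lands in the same slot as
    # 192.0.2.10, so the slot alone does not identify the subnet.
    print(policer_count(32, 24), tally(SAMPLE, 32, 24))
```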

Note: J-series Services Routers do not support prefix-specific actions.

