Create a prefix-specific policer operating on the source address and apply it to the input interface:
```
[edit]
firewall {
    policer host-policer {
        filter-specific;
        if-exceeding {
            bandwidth-limit bps;
            burst-size-limit bytes;
        }
        then {
            discard;
        }
    }
    family inet {
        prefix-action ftp-policer-set {
            count;
            destination-prefix-length 32;
            policer host-policer;
            subnet-prefix-length 24;
        }
        filter filter-ftp {
            term term1 {
                from {
                    destination-address 10.10.10/24;
                    destination-port ftp;
                }
                then {
                    prefix-action ftp-policer-set;
                }
            }
        }
    }
}
```
Filter all packets going to the /24 subnet, letting them pass to the prefix-specific action policers. In the policer set, the last octet of the source address field of the packet is used to index into the respective prefix-specific action policers.
```
[edit]
firewall {
    policer 1Mbps-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 63k;
        }
    }
    family inet {
        prefix-action per-source-policer {
            policer 1Mbps-policer;
            subnet-prefix-length 24;
            source-prefix-length 32;
        }
    }
    filter limit-all-hosts {
        term one {
            from {
                source-address {
                    10.10.10.0/24;
                }
            }
            then prefix-action per-source-policer;
        }
    }
}
```
In the preceding case, all packets are subjected to the prefix-specific action policing. The last octet of the source address field of the packet is used to index into the corresponding policer. In other words, every packet whose source address ends in the octet 0 (binary xxxx0000 in the low bits) matches the first policer, and every packet whose source address ends in the octet 1 (binary xxxx0001) matches the second policer.
Therefore, 256 policers are created and shared by all addresses. In this case, 10.1.1.1, 10.2.2.1, 10.4.5.1 ... 10.x.x.1 share the same 1-Mbps policer; 10.1.1.2, 10.2.2.2, 10.4.5.2 ... 10.x.x.2 share another 1-Mbps policer, and so on.
Packets belonging to the 10.10.10.0/24 subnet are subject to policing by the prefix-specific action policers. Because 128 policers are defined in the policer set, the /24 subnet can be thought of as being split into two /25 subnets, both of them sharing the same prefix-specific action set. Therefore, 10.10.10.1 and 10.10.10.129 share the same 1-Mbps policer, 10.10.10.2 and 10.10.10.130 share another 1-Mbps policer, and so on.
```
[edit]
firewall {
    policer 1Mbps-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 63k;
        }
    }
    family inet {
        prefix-action per-source-policer {
            policer 1Mbps-policer;
            subnet-prefix-length 25;
            source-prefix-length 32;
        }
    }
    filter limit-all-hosts {
        term one {
            from {
                source-address {
                    10.10.10.0/24;
                }
            }
            then prefix-action per-source-policer;
        }
    }
}
```
Define 256 policers based on the last octet of the source address field. However, the match condition only allows a subset of those addresses through (the /25), so only the lower half of the policer set is ever used.
```
[edit]
firewall {
    policer 1Mbps-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 63k;
        }
    }
    family inet {
        prefix-action per-source-policer {
            policer 1Mbps-policer;
            subnet-prefix-length 24;
            source-prefix-length 32;
        }
    }
    filter limit-all-hosts {
        term one {
            from {
                source-address {
                    10.10.10.0/25;
                }
            }
            then prefix-action per-source-policer;
        }
    }
}
```
Accept packets from the 10.10.10/24 and 10.11/16 subnets and subject them to policing by the same set of prefix-specific action policers. The policers are shared by packets across both subnets. For the 10.10.10/24 subnet there is a one-to-one correspondence between source addresses and policers. For 10.11/16 there is a many-to-one correspondence, as explained in the previous examples: each of the 10.11.0/24, 10.11.1/24, 10.11.2/24 ... 10.11.255/24 subnets shares the same prefix-specific action set.
Thus, 10.10.10.1, 10.11.1.1, 10.11.2.1 ... 10.11.x.1 share the same 1-Mbps policer; 10.10.10.2, 10.11.1.2, 10.11.2.2 ... 10.11.x.2 share another 1-Mbps policer, and so on.
```
[edit]
firewall {
    policer 1Mbps-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 63k;
        }
    }
    family inet {
        prefix-action per-source-policer {
            policer 1Mbps-policer;
            subnet-prefix-length 24;
            source-prefix-length 32;
        }
    }
    filter limit-all-hosts {
        term one {
            from {
                source-address {
                    10.10.10/24;
                    10.11/16;
                }
            }
            then prefix-action per-source-policer;
        }
    }
}
```
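The sharing behaviour described in the examples above (256 policers for a 24/32 pair, 128 for 25/32, and which source addresses collide on one policer) follows from the indexing rule the text states: the address bits between the subnet prefix length and the source prefix length select the policer. The following added Python model is not part of the Junos documentation or the Junos software; it reproduces that rule so an operator can check, before committing a filter, which hosts will end up sharing a 1-Mbps policer.

```python
import ipaddress
from collections import defaultdict


def policer_count(subnet_prefix_length: int, source_prefix_length: int) -> int:
    """Number of policers a prefix-action set instantiates: one per value of
    the bits between the subnet prefix and the source prefix (2^24..32 = 256)."""
    if not 0 <= subnet_prefix_length <= source_prefix_length <= 32:
        raise ValueError("need 0 <= subnet-prefix-length <= source-prefix-length <= 32")
    return 1 << (source_prefix_length - subnet_prefix_length)


def policer_index(address: str, subnet_prefix_length: int, source_prefix_length: int) -> int:
    """Index of the policer that polices `address`.

    Only the bits in [subnet_prefix_length, source_prefix_length) are used, so
    addresses from different subnets that agree on those bits share a policer
    (10.1.1.1, 10.2.2.1 and 10.10.10.1 all map to index 1 for a 24/32 set).
    """
    width = source_prefix_length - subnet_prefix_length
    shift = 32 - source_prefix_length              # drop bits below the source prefix
    mask = (1 << width) - 1                        # keep only the indexing bits
    return (int(ipaddress.IPv4Address(address)) >> shift) & mask


def shared_policer_groups(addresses, subnet_prefix_length, source_prefix_length):
    """Group addresses by the policer they would share; a group with more than
    one member means those hosts compete for the same bandwidth-limit."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[policer_index(addr, subnet_prefix_length, source_prefix_length)].append(addr)
    return dict(groups)


if __name__ == "__main__":
    # Constructed sample hosts drawn from the subnets used in the examples above.
    hosts = ["10.10.10.1", "10.10.10.129", "10.11.1.1", "10.10.10.2", "10.10.10.130"]
    print("24/32 ->", policer_count(24, 32), "policers:", shared_policer_groups(hosts, 24, 32))
    print("25/32 ->", policer_count(25, 32), "policers:", shared_policer_groups(hosts, 25, 32))
```

With a 25/32 set the output shows 10.10.10.1 and 10.10.10.129 in one group, matching the text's observation that the /24 behaves as two /25s sharing 128 policers.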