帮助我们改善您的体验。

让我们了解您的想法。

您是否能抽出两分钟的时间完成一份问卷调查?

Announcement: Try the Ask AI chatbot for answers to your technical questions about Juniper products and solutions.

close
header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Junos OS 路由策略、防火墙过滤器和流量监管器用户指南 配置流量监管器 在第 3 层配置逻辑和物理接口流量监管器

路由策略、防火墙过滤器和流量监管器用户指南

keyboard_arrow_up
close
keyboard_arrow_left
路由策略、防火墙过滤器和流量监管器用户指南
Table of Contents Expand all
list Table of Contents
在本页
keyboard_arrow_right

机器翻译对您有帮助吗?

starstarstarstarstar
Go to English page
免责声明:

我们将使用第三方机器翻译软件翻译本页面。瞻博网络虽已做出相当大的努力提供高质量译文,但无法保证其准确性。如果对译文信息的准确性有任何疑问,请参阅英文版本. 可下载的 PDF 仅提供英文版.

双色和三色物理接口监管器

date_range 18-Jan-25
arrow_backward
arrow_forward

物理接口监管器概述

物理接口监管器是一种双色或三色监管器,用于定义流量速率限制,您可以将其应用于物理接口上配置的所有逻辑接口和协议家族的输入或输出流量,即使这些逻辑接口属于不同的路由实例也是如此。如果要对同一物理接口上的不同协议家族和不同逻辑接口执行聚合监管,此功能非常有用。

例如,假设提供商边缘 (PE) 路由器具有多个逻辑接口,每个接口对应于不同的客户,这些接口配置在与客户边缘 (CE) 设备的同一链路上。现在,假设客户希望对单个物理接口上的某些类型的流量应用一组聚合速率限制。为此,您可以对物理接口应用单个物理接口监管器,对接口上配置的所有逻辑接口以及这些接口所属的所有路由实例进行速率限制。

要配置单速率双色物理接口监管器,请将语句包含在 physical-interface-policer 以下层次结构级别之一:

要配置单速率或双速率三色物理接口监管器,请将语句包含在 physical-interface-policer 以下层次结构级别之一:

通过从无状态 防火墙过滤器 术语引用监管器,然后将过滤器应用于 逻辑接口,可以将物理接口监管器应用于第 3 层流量。您不能将物理接口应用于第 3 层流量,直接应用于接口配置。

要从无状态防火墙过滤器术语引用单速率双色监管器,请使用 policer 非终止操作。要从无状态防火墙过滤器术语引用单速率或双速率三色监管器,请使用 three-color-policer 非终止操作。

以下要求适用于引用物理接口监管器的无状态防火墙过滤器:

  • 您必须为受支持的特定协议系列配置防火墙过滤器:ipv4ipv6mplsvpls或电路交叉连接 (ccc),但不适用于 family any

  • 您必须通过在层次结构级别包含physical-interface-filter[edit firewall family family-name filter filter-name]语句来将防火墙过滤器配置为物理接口过滤器

  • 定义为物理接口过滤器的防火墙过滤器只能引用物理接口监管器。

  • 在全局(非逻辑)系统上定义的防火墙过滤器不能在逻辑系统中用于特定于接口的过滤器实例。更具体地说,不能将全局系统上创建的模板 physical-interface-filter 与在逻辑系统上创建的筛选器附件一起使用。模板和附件都必须驻留在逻辑系统上,筛选才能正常工作。这是因为,对于逻辑系统,筛选器实例命名派生自物理接口,但对于特定于接口的筛选器实例,情况并非如此。

  • 定义为物理接口过滤器的防火墙过滤器不能引用使用该语句配置的 interface-specific 监管器。

  • 您不能将防火墙过滤器既配置为物理接口过滤器,也配置为包含 interface-specific 该语句的逻辑接口过滤器。

另请参阅

示例:为物理接口上的聚合流量配置物理接口监管器

此示例说明如何将单速率双色监管器配置为物理接口监管器。

要求

配置此示例之前,不需要除设备初始化之外的特殊配置。

概述

物理接口监管器为聚合流量指定速率限制,该流量包含在物理接口上配置的所有协议家族和逻辑接口,即使这些接口属于不同的路由实例也是如此。

只有从为特定协议家族(而非 ) family any配置并配置为物理接口过滤器的无状态防火墙过滤器引用监管器,才能将物理接口监管器应用于第 3 层输入或输出流量。您可以使用匹配条件配置过滤器条款,以选择要限制速率的数据包类型,并将物理接口监管器指定为要应用于匹配数据包的操作。

注:

列表过滤器不支持物理接口监管器/过滤器。

拓扑学

此示例 shared-policer-A中的物理接口监管器 将速率限制为 10,000,000 bps,并允许最大 500,000 字节的流量突发。您可以将监管器配置为丢弃不符合要求的流量中的数据包,但您可以将监管器配置为使用转发类和/或数据包丢失优先级 (PLP) 级别重新标记不符合的流量。

为了能够使用监管器对 IPv4 流量进行速率限制,您需要从 IPv4 物理接口过滤器引用监管器。对于此示例,您将过滤器配置为传递满足以下任一匹配条件的监管器 IPv4 数据包:

  • 通过 TCP 接收且带有 IP 优先级字段 critical-ecp (0xa0)、 immediate (0x40) 或 priority (0x20) 的数据包

  • 通过 TCP 接收且带有 IP 优先级字段 internet-control (0xc0) 或 routine (0x00) 的数据包

您还可以从其他协议家族的物理接口过滤器中引用监管器。

配置

下面的示例要求您在各个配置层级中进行导航。有关导航 CLI 的信息,请参见 在配置模式下使用 CLI 编辑器

要配置此示例,请执行以下操作:

CLI 快速配置

要快速配置此示例,请将以下配置命令复制到文本文件中,删除所有换行符,然后将命令粘贴到层次结构级别的 CLI [edit] 中。

content_copy zoom_out_map
set interfaces so-1/0/0 unit 0 family inet address 192.168.1.1/24
set interfaces so-1/0/0 unit 0 family vpls
set interfaces so-1/0/0 unit 1 family mpls
set firewall policer shared-policer-A physical-interface-policer
set firewall policer shared-policer-A if-exceeding bandwidth-limit 100m burst-size-limit 500k
set firewall policer shared-policer-A then discard
set firewall family inet filter ipv4-filter physical-interface-filter
set firewall family inet filter ipv4-filter term tcp-police-1 from precedence [ critical-ecp immediate priority ]
set firewall family inet filter ipv4-filter term tcp-police-1 from protocol tcp
set firewall family inet filter ipv4-filter term tcp-police-1 then policer shared-policer-A
set firewall family inet filter ipv4-filter term tcp-police-2 from precedence [ internet-control routine ]
set firewall family inet filter ipv4-filter term tcp-police-2 from protocol tcp
set firewall family inet filter ipv4-filter term tcp-police-2 then policer shared-policer-A
set interfaces so-1/0/0 unit 0 family inet filter input ipv4-filter

在物理接口上配置逻辑接口

分步过程

要在物理接口上配置逻辑接口,请执行以下操作:

  1. 启用逻辑接口的配置。

    content_copy zoom_out_map
    [edit]
user@host# edit interfaces so-1/0/0

  2. 在逻辑单元 0 上配置协议族。

    content_copy zoom_out_map
    [edit interfaces so-1/0/0]
user@host# set unit 0 family inet address 192.168.1.1/24
user@host# set unit 0 family vpls

  3. 在逻辑单元 1 上配置协议族。

    content_copy zoom_out_map
    [edit interfaces so-1/0/0]
user@host# set unit 1 family mpls
结果

通过输入 show interfaces 配置模式命令确认防火墙过滤器的配置。如果命令输出未显示预期的配置,请重复此过程中的说明以更正配置。

content_copy zoom_out_map
[edit]
user@host# show interfaces
so-1/0/0 {
    unit 0 {
        family inet {
            address 192.168.1.1/24;
        }
        family vpls;
    }
    unit 1 {
        family mpls;
    }
}

配置物理接口监管器

分步过程

要配置物理接口监管器,请执行以下操作:

  1. 启用双色监管器的配置。

    content_copy zoom_out_map
    [edit]
user@host# edit firewall policer shared-policer-A

  2. 配置双色监管器的类型。

    content_copy zoom_out_map
    [edit firewall policer shared-policer-A]
user@host# set physical-interface-policer

  3. 为不符合流量流中的数据包配置流量限制和操作。

    content_copy zoom_out_map
    [edit firewall policer shared-policer-A]
user@host# set if-exceeding bandwidth-limit 100m burst-size-limit 500k
user@host# set then discard

    对于物理接口过滤器,您可以为不符合信息流中的数据包配置的操作是丢弃数据包、分配转发类、分配 PLP 值或同时分配转发类和 PLP 值。

结果

通过输入 show firewall 配置模式命令确认监管器的配置。如果命令输出未显示预期的配置,请重复此过程中的说明以更正配置。

content_copy zoom_out_map
[edit]
user@host# show firewall
policer shared-policer-A {
    physical-interface-policer;
    if-exceeding {
        bandwidth-limit 100m;
        burst-size-limit 500k;
    }
    then discard;
}

配置 IPv4 物理接口过滤器

分步过程

要将物理接口监管器配置为 IPv4 物理接口监管器中术语的操作,请执行以下操作:

  1. 在特定协议家族下配置标准无状态防火墙过滤器。

    content_copy zoom_out_map
    [edit]
user@host# edit firewall family inet filter ipv4-filter

    不能为 配置 family any物理接口防火墙过滤器。

  2. 将过滤器配置为物理接口过滤器,以便您可以将物理接口监管器作为操作应用。

    content_copy zoom_out_map
    [edit firewall family inet filter ipv4-filter]
user@host# set physical-interface-filter

  3. 配置第一个术语以将通过 TCP 接收的 IPv4 数据包与 IP 优先级字段 critical-ecpimmediate进行匹配,或者 priority 将物理接口监管器作为过滤器操作进行应用。

    content_copy zoom_out_map
    [edit firewall family inet filter ipv4-filter]
user@host# set term tcp-police-1 from precedence [ critical-ecp immediate priority ]
user@host# set term tcp-police-1 from protocol tcp
user@host# set term tcp-police-1 then policer shared-policer-A

  4. 配置第一个术语以将通过 TCP 接收的 IPv4 数据包与 IP 优先级字段 internet-control 进行匹配,或者 routine 将物理接口监管器应用为过滤器操作。

    content_copy zoom_out_map
    [edit firewall family inet filter ipv4-filter]
user@host# set term tcp-police-2 from precedence [ internet-control routine ]
user@host# set term tcp-police-2 from protocol tcp
user@host# set term tcp-police-2 then policer shared-policer-A
结果

通过输入 show firewall 配置模式命令确认防火墙过滤器的配置。如果命令输出未显示预期的配置,请重复此过程中的说明以更正配置。

content_copy zoom_out_map
[edit]
user@host# show firewall
family inet {
    filter ipv4-filter {
        physical-interface-filter;
        term tcp-police-1 {
            from {
                precedence [ critical-ecp immediate priority ];
                protocol tcp;
            }
            then policer shared-policer-A;
        }
        term tcp-police-2 {
            from {
                precedence [ internet-control routine ];
                protocol tcp;
            }
            then policer shared-policer-A;
        }
    }
}
policer shared-policer-A {
    physical-interface-policer;
    if-exceeding {
        bandwidth-limit 100m;
        burst-size-limit 500k;
    }
    then discard;
}

应用 IPv4 物理接口过滤器以引用物理接口监管器

分步过程

要应用物理接口过滤器,使其引用物理接口监管器,请执行以下操作:

  1. 在逻辑接口上启用 IPv4 配置。

    content_copy zoom_out_map
    [edit]
user@host# edit interfaces so-1/0/0 unit 0 family inet

  2. 在输入方向上应用 IPv4 物理接口过滤器。

    content_copy zoom_out_map
    [edit interfaces so-1/0/0 unit 0 family inet]
user@host# set filter input ipv4-filter
结果

通过输入 show interfaces 配置模式命令确认防火墙过滤器的配置。如果命令输出未显示预期的配置,请重复此过程中的说明以更正配置。

content_copy zoom_out_map
[edit]
user@host# show interfaces
so-1/0/0 {
    unit 0 {
        family inet {
            filter {
                input ipv4-filter;
            }
            address 192.168.1.1/24;
        }
        family vpls;
    }
    unit 1 {
        family mpls;
    }
}

如果完成设备配置,请从配置模式输入 commit

验证

确认配置工作正常。

显示应用于接口的防火墙过滤器

目的

验证防火墙过滤器 ipv4-filter 是否已应用于逻辑接口 so-1/0/0.0上的 IPv4 输入流量。

操作

show interfaces statistics对逻辑接口 so-1/0/0.0使用操作模式命令,并包括该detail选项。在 Protocol inet 命令输出部分中,该 Input Filters 字段显示防火墙过滤器 ipv4-filter 在输入方向上应用。

content_copy zoom_out_map
user@host> show interfaces statistics so-1/0/0 detail
  Logical interface so-1/0/0.0 (Index 79) (SNMP ifIndex 510) (Generation 149)
    Flags: Hardware-Down Point-To-Point SNMP-Traps 0x4000 Encapsulation: PPP
    Protocol inet, MTU: 4470, Generation: 173, Route table: 0
      Flags: Sendbcast-pkt-to-re, Protocol-Down
      Input Filters: ipv4-filter
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 10.39/16, Local: 10.39.1.1, Broadcast: 10.39.255.255, Generation: 163

显示监管器在逻辑接口上处理的数据包数

目的

验证通过逻辑接口的信息流,以及在逻辑接口上收到数据包时是否评估监管器。

操作

show firewall对应用于逻辑接口的过滤器使用操作模式命令。

content_copy zoom_out_map
user@host> show firewall filter ipv4-filter
Filter: ipv4-filter                                          
Policers:
Name                                              Packets 
shared-policer-A-tcp-police-1                       32863
shared-policer-A-tcp-police-2                        3870

命令输出显示监管器 (shared-policer-A) 的名称、指定监管器操作的过滤器术语 (police-1) 的名称以及与过滤器术语匹配的数据包数。这只是不规范(不规范)数据包计数,而不是监管器监管的所有数据包。

另请参阅

相关主题

arrow_backward PREVIOUS 双色和三色逻辑接口监管器
NEXT arrow_forward 监管器概述
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top