
Prefix-Specific Counting and Policing Configuration Scenarios

This topic covers the following information:

Prefix Length of the Action and Prefix Length of Addresses in Filtered Packets

Table 1 describes the relationship between the prefix length specified in the prefix-specific action and the prefix length of the addresses matched by the firewall filter term that references the prefix-specific action.

Table 1: Summary of Prefix-Specific Action Scenarios

Columns: Counter and Policer Set | Packet-Filtering Criteria | Indexing of Instances

Prefix-specific action scenario: Example: Configuring Prefix-Specific Counting and Policing

  Counter and Policer Set:
    source-prefix-length = 32
    subnet-prefix-length = 24
    Set size: 2^8 = 256
    Instance numbers: 0 - 255

  Packet-Filtering Criteria:
    source-address = 10.10.10.0/24

  Indexing of Instances:
    Instance 0:   10.10.10.0
    Instance 1:   10.10.10.1
    ...
    Instance 255: 10.10.10.255

Prefix-specific action scenario: Scenario 1: Firewall Filter Term Matches on Multiple Addresses

  Counter and Policer Set:
    source-prefix-length = 32
    subnet-prefix-length = 24
    Set size: 2^8 = 256
    Instance numbers: 0 - 255

  Packet-Filtering Criteria:
    source-address = 10.10.10.0/24
    source-address = 10.11.0.0/16

  Indexing of Instances:
    Instance 0:   10.10.10.0, 10.11.x.0
    Instance 1:   10.10.10.1, 10.11.x.1
    ...
    Instance 255: 10.10.10.255, 10.11.x.255

  For addresses in the /16 subnet, x ranges from 0 through 255.

Prefix-specific action scenario: Scenario 2: Subnet Prefix Is Longer Than the Prefix in the Filter Match Condition

  Counter and Policer Set:
    source-prefix-length = 32
    subnet-prefix-length = 25
    Set size: 2^7 = 128
    Instance numbers: 0 - 127

  Packet-Filtering Criteria:
    source-address = 10.10.10.0/24

  Indexing of Instances:
    Instance 0:   10.10.10.0, 10.10.10.128
    Instance 1:   10.10.10.1, 10.10.10.129
    ...
    Instance 127: 10.10.10.127, 10.10.10.255

Prefix-specific action scenario: Scenario 3: Subnet Prefix Is Shorter Than the Prefix in the Firewall Filter Match Condition

  Counter and Policer Set:
    source-prefix-length = 32
    subnet-prefix-length = 24
    Set size: 2^8 = 256
    Instance numbers: 0 - 255

  Packet-Filtering Criteria:
    source-address = 10.10.10.0/25

  Note: Only packets with source addresses ranging from 10.10.10.0 through 10.10.10.127 are passed to the prefix-specific action.

  Indexing of Instances:
    Instance 0:   10.10.10.0
    Instance 1:   10.10.10.1
    ...
    Instance 127: 10.10.10.127
    Instances 128 - 255: unused

Scenario 1: Firewall Filter Term Matches on Multiple Addresses

The complete example, Example: Configuring Prefix-Specific Counting and Policing, shows the simplest case of prefix-specific actions, in which a single-term firewall filter matches on one address with a prefix length that is the same as the subnet prefix length specified in the prefix-specific action. Unlike the example, this scenario describes a configuration in which a single-term firewall filter matches on two IPv4 source addresses. In addition, the second match condition matches on a source address with a prefix length that is different from the subnet prefix length defined in the prefix-specific action. In this case, the second condition matches on the /16 subnet of the source address 10.11.0.0.

Note: Unlike packets that match the source address 10.10.10.0/24, packets that match the source address 10.11.0.0/16 are in a many-to-one correspondence with the instances in the counter and policer set.

The filter-matched packets that are passed to the prefix-specific action index into the counter and policer set in such a way that the counting and policing instances are shared by packets that contain source addresses across the 10.10.10.0/24 and 10.11.0.0/16 subnets as follows:

  • The first counter and policer in the set are indexed by packets with source addresses 10.10.10.0 and 10.11.x.0, where x ranges from 0 through 255.
  • The second counter and policer in the set are indexed by packets with source addresses 10.10.10.1 and 10.11.x.1, where x ranges from 0 through 255.
  • The 256th (last) counter and policer in the set are indexed by packets with source addresses 10.10.10.255 and 10.11.x.255, where x ranges from 0 through 255.

The following configuration shows the statements for configuring the single-rate two-color policer, the prefix-specific action that references the policer, and the IPv4 standard stateless firewall filter that references the prefix-specific action:

[edit]
firewall {
    policer 1Mbps-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 63k;
        }
        then discard;
    }
    family inet {
        prefix-action psa-1Mbps-per-source-24-32-256 {
            policer 1Mbps-policer;
            subnet-prefix-length 24;
            source-prefix-length 32;
        }
        filter limit-source-two-24-16 {
            term one {
                from {
                    source-address {
                        10.10.10.0/24;
                        10.11.0.0/16;
                    }
                }
                then prefix-action psa-1Mbps-per-source-24-32-256;
            }
        }
    }
}
interfaces {
    so-0/0/2 {
        unit 0 {
            family inet {
                filter {
                    input limit-source-two-24-16;
                }
                address 10.39.1.1/16;
            }
        }
    }
}

Scenario 2: Subnet Prefix Is Longer Than the Prefix in the Filter Match Condition

The complete example, Example: Configuring Prefix-Specific Counting and Policing, shows the simplest case of prefix-specific actions, in which the single-term firewall filter matches on one address with a prefix length that is the same as the subnet prefix length specified in the prefix-specific action. Unlike the example, this scenario describes a configuration in which the prefix-specific action defines a subnet prefix length that is longer than the prefix of the source address matched by the firewall filter. In this case, the prefix-specific action defines a subnet-prefix value of 25, while the firewall filter matches on a source address in the /24 subnet.

Note: The firewall filter passes to the prefix-specific action packets with source addresses that range from 10.10.10.0 through 10.10.10.255, while the prefix-specific action specifies a set of only 128 counters and policers, numbered from 0 through 127.

The filter-matched packets that are passed to the prefix-specific action index into the counter and policer set in such a way that the counting and policing instances are shared by packets that contain either of two source addresses within the 10.10.10.0/24 subnet:

  • The first counter and policer in the set are indexed by packets with source addresses 10.10.10.0 and 10.10.10.128.
  • The second counter and policer in the set are indexed by packets with source addresses 10.10.10.1 and 10.10.10.129.
  • The 128th (last) counter and policer in the set are indexed by packets with source addresses 10.10.10.127 and 10.10.10.255.

The following configuration shows the statements for configuring the single-rate two-color policer, the prefix-specific action that references the policer, and the IPv4 standard stateless firewall filter that references the prefix-specific action:

[edit]
firewall {
    policer 1Mbps-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 63k;
        }
        then discard;
    }
    family inet {
        prefix-action psa-1Mbps-per-source-25-32-128 {
            policer 1Mbps-policer;
            subnet-prefix-length 25;
            source-prefix-length 32;
        }
        filter limit-source-one-24 {
            term one {
                from {
                    source-address {
                        10.10.10.0/24;
                    }
                }
                then prefix-action psa-1Mbps-per-source-25-32-128;
            }
        }
    }
}
interfaces {
    so-0/0/2 {
        unit 0 {
            family inet {
                filter {
                    input limit-source-one-24;
                }
                address 10.39.1.1/16;
            }
        }
    }
}

Scenario 3: Subnet Prefix Is Shorter Than the Prefix in the Firewall Filter Match Condition

The complete example, Example: Configuring Prefix-Specific Counting and Policing, shows the simplest case of prefix-specific actions, in which the single-term firewall filter matches on one address with a prefix length that is the same as the subnet prefix length specified in the prefix-specific action. Unlike the example, this scenario describes a configuration in which the prefix-specific action defines a subnet prefix length that is shorter than the prefix of the source address matched by the firewall filter. In this case, the filter term matches on the /25 subnet of the source address 10.10.10.0.

Note: The firewall filter passes to the prefix-specific action only packets with source addresses that range from 10.10.10.0 through 10.10.10.127, while the prefix-specific action specifies a set of 256 counters and policers, numbered from 0 through 255.

The matched packets that are passed to the prefix-specific action index into the lower half of the counter and policer set only:

  • The first counter and policer in the set are indexed by packets with source address 10.10.10.0.
  • The second counter and policer in the set are indexed by packets with source address 10.10.10.1.
  • The 128th counter and policer in the set are indexed by packets with source address 10.10.10.127.
  • The upper half of the set (instances numbered from 128 through 255) is not indexed by packets passed to the prefix-specific action from this particular firewall filter.

The following configuration shows the statements for configuring the single-rate two-color policer, the prefix-specific action that references the policer, and the IPv4 standard stateless firewall filter that references the prefix-specific action:

[edit]
firewall {
    policer 1Mbps-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 63k;
        }
        then discard;
    }
    family inet {
        prefix-action psa-1Mbps-per-source-24-32-256 {
            policer 1Mbps-policer;
            subnet-prefix-length 24;
            source-prefix-length 32;
        }
        filter limit-source-one-25 {
            term one {
                from {
                    source-address {
                        10.10.10.0/25;
                    }
                }
                then prefix-action psa-1Mbps-per-source-24-32-256;
            }
        }
    }
}
interfaces {
    so-0/0/2 {
        unit 0 {
            family inet {
                filter {
                    input limit-source-one-25;
                }
                address 10.39.1.1/16;
            }
        }
    }
}
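The following Python model reproduces the instance selection that Table 1 and the three scenarios describe, so that an operator can check, before committing a prefix-action, how many sources will share each counter and policer and which instances will never be used. It is an added example written for this page, not Juniper code or Junos behaviour verified against a device; it assumes, as Table 1 implies, that the instance index is the value of the source-address bits that lie between subnet-prefix-length and source-prefix-length. The scenario names and sample addresses are constructed for the example.

```python
import ipaddress


def set_size(subnet_prefix_length: int, source_prefix_length: int) -> int:
    """Number of counter/policer instances in the set: one per value of the
    bits between the two prefix lengths (2^8 = 256 for 24/32, 2^7 = 128 for 25/32)."""
    return 1 << (source_prefix_length - subnet_prefix_length)


def instance_index(addr: str, subnet_prefix_length: int, source_prefix_length: int) -> int:
    """Index of the instance selected by a source address (assumed rule, see
    lead-in): the address bits between subnet_prefix_length and
    source_prefix_length, read as an unsigned integer."""
    a = int(ipaddress.IPv4Address(addr))
    width = source_prefix_length - subnet_prefix_length
    # Drop the bits beyond the source prefix, then keep only the 'width' low
    # bits of what remains, i.e. the host bits inside the subnet prefix.
    return (a >> (32 - source_prefix_length)) & ((1 << width) - 1)


def term_matches(addr: str, match_prefixes) -> bool:
    """True if the packet's source address matches any prefix in the filter term."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in ipaddress.IPv4Network(p) for p in match_prefixes)


def classify(addr, match_prefixes, subnet_prefix_length, source_prefix_length):
    """Instance index for a packet, or None when the filter term does not pass
    it to the prefix-specific action (Scenario 3: sources outside 10.10.10.0/25)."""
    if not term_matches(addr, match_prefixes):
        return None
    return instance_index(addr, subnet_prefix_length, source_prefix_length)


def instance_usage(match_prefixes, subnet_prefix_length, source_prefix_length):
    """Map each instance index to the number of matching source addresses that
    share it: one-to-one (example), many-to-one (Scenarios 1 and 2) or partly
    unused (Scenario 3, where indexes 128-255 never appear)."""
    usage = {}
    for prefix in match_prefixes:
        for ip in ipaddress.IPv4Network(prefix):
            idx = instance_index(str(ip), subnet_prefix_length, source_prefix_length)
            usage[idx] = usage.get(idx, 0) + 1
    return usage


# Constructed scenarios mirroring Table 1: (filter match prefixes, subnet-prefix-length,
# source-prefix-length). The keys are this example's labels, not Junos identifiers.
SCENARIOS = {
    "example":    (["10.10.10.0/24"], 24, 32),
    "scenario 1": (["10.10.10.0/24", "10.11.0.0/16"], 24, 32),
    "scenario 2": (["10.10.10.0/24"], 25, 32),
    "scenario 3": (["10.10.10.0/25"], 24, 32),
}


if __name__ == "__main__":
    for name, (prefixes, subnet_len, source_len) in SCENARIOS.items():
        usage = instance_usage(prefixes, subnet_len, source_len)
        size = set_size(subnet_len, source_len)
        print(f"{name}: set size {size}, instances used {len(usage)}, "
              f"max sources per instance {max(usage.values())}, "
              f"unused instances {size - len(usage)}")
    # Individual constructed packets, classified under Scenario 2 and Scenario 3.
    for addr in ("10.10.10.1", "10.11.37.1", "10.10.10.129", "10.10.10.200"):
        print(addr,
              "scenario 2 ->", classify(addr, ["10.10.10.0/24"], 25, 32),
              "scenario 3 ->", classify(addr, ["10.10.10.0/25"], 24, 32))
```

The instance_usage report is the check worth running on Scenario 1 style configurations: every counter and policer there is shared by one host from 10.10.10.0/24 and 256 hosts from 10.11.0.0/16, so the 1 Mbps budget of a given instance is consumed jointly by all 257 sources, and a busy source in one subnet reduces what the others see.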

Published: 2012-11-16