
Example: Configuring Prefix-Specific Counting and Policing

This example shows how to configure prefix-specific counting and policing.

Requirements

No special configuration beyond device initialization is required before configuring this example.

Overview

In this example, you configure prefix-specific counting and policing based on the last octet of the source address field in packets matched by an IPv4 firewall filter.

The single-rate two-color policer named 1Mbps-policer rate-limits traffic to a bandwidth of 1,000,000 bps and a burst-size limit of 63,000 bytes, discarding any packets in a traffic flow that exceeds the traffic limits.

Independent of the IPv4 addresses contained in any packets passed from a firewall filter, the prefix-specific action named psa-1Mbps-per-source-24-32-256 specifies a set of 256 counters and policers, numbered from 0 through 255. For each packet, the last octet of the source address field is used to index into the associated prefix-specific counter and policer in the set:

  • Packets with a source address ending with the binary octet 0000 0000 index the first counter and policer in the set.
  • Packets with a source address ending with the binary octet 0000 0001 index the second counter and policer in the set.
  • Packets with a source address ending with the binary octet 1111 1111 index the last counter and policer in the set.

The limit-source-one-24 firewall filter contains a single term that matches all packets from the /24 subnet of source address 10.10.10.0, passing these packets to the prefix-specific action psa-1Mbps-per-source-24-32-256.

Topology

In this example, because the filter term matches the /24 subnet of a single source address, each counting and policing instance in the prefix-specific set is used for only one source address.

  • Packets with a source address 10.10.10.0 index the first counter and policer in the set.
  • Packets with a source address 10.10.10.1 index the second counter and policer in the set.
  • Packets with a source address 10.10.10.255 index the last counter and policer in the set.

This example shows the simplest case of prefix-specific actions, in which the filter term matches on one address with a prefix length that is the same as the prefix length specified in the prefix-specific action for indexing into the set of prefix-specific counters and policers.

For descriptions of other configurations for prefix-specific counting and policing, see Prefix-Specific Counting and Policing Configuration Scenarios.
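The following model is an added example, not Juniper code or output from the page, that shows how the 24/32 case above selects an index and how a single-rate two-color policer treats the indexed flow. It generalizes the page's case to any subnet-prefix-length/source-prefix-length pair on the assumption (inferred from the name psa-1Mbps-per-source-24-32-256) that the set holds 2^(source-prefix-length - subnet-prefix-length) instances indexed by the address bits between the two lengths; the class and function names, and the traffic fed to demo(), are constructed for illustration.

```python
"""Model of a Junos prefix-specific action (added example, not Juniper's code)."""
import ipaddress
from dataclasses import dataclass, field


def set_size(subnet_prefix_length: int, source_prefix_length: int) -> int:
    # Assumption generalized from the page's 24/32 -> 256 case.
    return 1 << (source_prefix_length - subnet_prefix_length)


def prefix_action_index(src: str, subnet_prefix_length: int, source_prefix_length: int) -> int:
    """Index chosen by the address bits in [subnet_prefix_length, source_prefix_length)."""
    bits = int(ipaddress.IPv4Address(src))
    width = source_prefix_length - subnet_prefix_length
    return (bits >> (32 - source_prefix_length)) & ((1 << width) - 1)


@dataclass
class TwoColorPolicer:
    """Single-rate two-color token bucket: bandwidth-limit (bps) refills the
    bucket, burst-size-limit (bytes) caps it; nonconforming packets are discarded."""
    bandwidth_bps: int
    burst_bytes: int
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)  # bucket starts full

    def conforms(self, t: float, size: int) -> bool:
        refill = (t - self.last_t) * self.bandwidth_bps / 8  # bytes since last packet
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class PrefixAction:
    """One filter term: 'from source-address <prefix> then prefix-action ...'."""

    def __init__(self, match_prefix: str, subnet_prefix_length: int,
                 source_prefix_length: int, bandwidth_bps: int, burst_bytes: int) -> None:
        self.match = ipaddress.ip_network(match_prefix)
        self.spl = subnet_prefix_length
        self.srcpl = source_prefix_length
        n = set_size(subnet_prefix_length, source_prefix_length)
        self.policers = [TwoColorPolicer(bandwidth_bps, burst_bytes) for _ in range(n)]
        # 'count': per-index packet/byte counters; discards tracked for visibility
        self.stats = [{"packets": 0, "bytes": 0, "discarded": 0} for _ in range(n)]

    def process(self, t: float, src: str, size: int):
        """Return the index used, or None when the term does not match."""
        if ipaddress.IPv4Address(src) not in self.match:
            return None
        i = prefix_action_index(src, self.spl, self.srcpl)
        s = self.stats[i]
        s["packets"] += 1
        s["bytes"] += size
        if not self.policers[i].conforms(t, size):
            s["discarded"] += 1
        return i


def demo() -> PrefixAction:
    pa = PrefixAction("10.10.10.0/24", 24, 32, 1_000_000, 63_000)
    # Constructed traffic: 100 back-to-back 1000-byte packets from one host
    for _ in range(100):
        pa.process(0.0, "10.10.10.7", 1000)
    pa.process(0.0, "10.10.11.7", 1000)  # outside the /24: term does not match
    return pa
```

With the page's 1m/63k policer, a burst of 100 one-kilobyte packets from 10.10.10.7 lands entirely on index 7: the first 63 fit the burst-size limit and the remaining 37 are discarded, while no other index or source is affected.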

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

CLI Quick Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

set firewall policer 1Mbps-policer if-exceeding bandwidth-limit 1m
set firewall policer 1Mbps-policer if-exceeding burst-size-limit 63k
set firewall policer 1Mbps-policer then discard
set firewall family inet prefix-action psa-1Mbps-per-source-24-32-256 policer 1Mbps-policer
set firewall family inet prefix-action psa-1Mbps-per-source-24-32-256 count
set firewall family inet prefix-action psa-1Mbps-per-source-24-32-256 subnet-prefix-length 24
set firewall family inet prefix-action psa-1Mbps-per-source-24-32-256 source-prefix-length 32
set firewall family inet filter limit-source-one-24 term one from source-address 10.10.10.0/24
set firewall family inet filter limit-source-one-24 term one then prefix-action psa-1Mbps-per-source-24-32-256
set interfaces so-0/0/2 unit 0 family inet filter input limit-source-one-24
set interfaces so-0/0/2 unit 0 family inet address 10.39.1.1/16

Configuring a Policer for Prefix-Specific Counting and Policing

Step-by-Step Procedure

To configure a policer to be used for prefix-specific counting and policing:

  1. Enable configuration of a single-rate two-color policer.

    [edit]
    user@host# edit firewall policer 1Mbps-policer

  2. Define the traffic limit.

    [edit firewall policer 1Mbps-policer]
    user@host# set if-exceeding bandwidth-limit 1m
    user@host# set if-exceeding burst-size-limit 63k

    Packets in a traffic flow that conforms to this limit are passed with the PLP set to low.

  3. Define the actions for nonconforming traffic.

    [edit firewall policer 1Mbps-policer]
    user@host# set then discard

    Packets in a traffic flow that exceeds this limit are discarded. Other configurable actions for a single-rate two-color policer are to set the forwarding class and to set the PLP level.

Results

Confirm the configuration of the policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

[edit]
user@host# show firewall
policer 1Mbps-policer {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 63k;
    }
    then discard;
}

Configuring a Prefix-Specific Action Based on the Policer

Step-by-Step Procedure

To configure a prefix-specific action that references the policer and specifies a portion of a source address prefix:

  1. Enable configuration of a prefix-specific action.

    [edit]
    user@host# edit firewall family inet prefix-action psa-1Mbps-per-source-24-32-256

    Prefix-specific counting and policing can be defined for IPv4 traffic only.

  2. Reference the policer for which a prefix-specific set is to be created.

    [edit firewall family inet prefix-action psa-1Mbps-per-source-24-32-256]
    user@host# set policer 1Mbps-policer
    user@host# set count

    Note: For aggregated Ethernet interfaces, you can configure a prefix-specific action that references a logical interface policer (also called an aggregate policer). You can reference this type of prefix-specific action from an IPv4 standard firewall filter and then apply the filter at the aggregate level of the interface.

  3. Specify the prefix range on which IPv4 addresses are to be indexed to the counter and policer set.

    [edit firewall family inet prefix-action psa-1Mbps-per-source-24-32-256]
    user@host# set source-prefix-length 32
    user@host# set subnet-prefix-length 24

Results

Confirm the configuration of the prefix-specific action by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

[edit]
user@host# show firewall
policer 1Mbps-policer {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 63k;
    }
    then discard;
}
family inet {
    prefix-action psa-1Mbps-per-source-24-32-256 {
        policer 1Mbps-policer;
        subnet-prefix-length 24;
        source-prefix-length 32;
    }
}

Configuring an IPv4 Filter That References the Prefix-Specific Action

Step-by-Step Procedure

To configure an IPv4 standard firewall filter that references the prefix-specific action:

  1. Enable configuration of the IPv4 standard firewall filter.

    [edit]
    user@host# edit firewall family inet filter limit-source-one-24

    Prefix-specific counting and policing can be defined for IPv4 traffic only.

  2. Configure the filter term to match on the packet source address or destination address.

    [edit firewall family inet filter limit-source-one-24]
    user@host# set term one from source-address 10.10.10.0/24

  3. Configure the filter term to reference the prefix-specific action.

    [edit firewall family inet filter limit-source-one-24]
    user@host# set term one then prefix-action psa-1Mbps-per-source-24-32-256

    You could also use the next term action to configure all Hypertext Transfer Protocol (HTTP) traffic to each host to transmit at 500 Kbps and have the total HTTP traffic limited to 1 Mbps.

Results

Confirm the configuration of the firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

[edit]
user@host# show firewall
policer 1Mbps-policer {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 63k;
    }
    then discard;
}
family inet {
    prefix-action psa-1Mbps-per-source-24-32-256 {
        policer 1Mbps-policer;
        subnet-prefix-length 24;
        source-prefix-length 32;
    }
    filter limit-source-one-24 {
        term one {
            from {
                source-address {
                    10.10.10.0/24;
                }
            }
            then prefix-action psa-1Mbps-per-source-24-32-256;
        }
    }
}

Applying the Firewall Filter to IPv4 Input Traffic at a Logical Interface

Step-by-Step Procedure

To apply the firewall filter to IPv4 input traffic at a logical interface:

  1. Enable configuration of IPv4 on the logical interface.

    [edit]
    user@host# edit interfaces so-0/0/2 unit 0 family inet

  2. Configure an IP address.

    [edit interfaces so-0/0/2 unit 0 family inet]
    user@host# set address 10.39.1.1/16

  3. Apply the IPv4 standard stateless firewall filter.

    [edit interfaces so-0/0/2 unit 0 family inet]
    user@host# set filter input limit-source-one-24

Results

Confirm the configuration of the logical interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

[edit]
user@host# show interfaces
so-0/0/2 {
    unit 0 {
        family inet {
            filter {
                input limit-source-one-24;
            }
            address 10.39.1.1/16;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Displaying the Firewall Filters Applied to an Interface

Purpose

Verify that the firewall filter limit-source-one-24 is applied to the IPv4 input traffic at logical interface so-0/0/2.0.

Action

Use the show interfaces statistics operational mode command for logical interface so-0/0/2.0, and include the detail option. In the command output section for Protocol inet, the Input Filters field displays limit-source-one-24, indicating that the filter is applied to IPv4 traffic in the input direction:

user@host> show interfaces statistics so-0/0/2.0 detail
  Logical interface so-0/0/2.0 (Index 79) (SNMP ifIndex 510) (Generation 149)
    Flags: Hardware-Down Point-To-Point SNMP-Traps 0x4000 Encapsulation: PPP
    Protocol inet, MTU: 4470, Generation: 173, Route table: 0
      Flags: Sendbcast-pkt-to-re, Protocol-Down
      Input Filters: limit-source-one-24
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 10.39/16, Local: 10.39.1.1, Broadcast: 10.39.255.255, Generation: 163

Displaying Prefix-Specific Actions Statistics for the Firewall Filter

Purpose

Verify the number of packets evaluated by the policer.

Action

Use the show firewall prefix-action-stats filter filter-name prefix-action name operational mode command to display statistics about a prefix-specific action configured on a firewall filter.

Optionally, include the from set-index to set-index option to specify the starting and ending counter or policer indexes to display. A policer set is indexed from 0 through 65535.

The command output displays the specified filter name followed by a listing of the number of bytes and packets processed by each policer in the policer set.

For a term-specific policer, each policer in the set is identified as follows:

prefix-specific-action-name-term-name-set-index

For a filter-specific policer, each policer is identified in the command output as follows:

prefix-specific-action-name-set-index

Because the example prefix-specific action psa-1Mbps-per-source-24-32-256 is referenced by only one term of the example filter limit-source-one-24, the example policer 1Mbps-policer is configured as term-specific. In the show firewall prefix-action-stats command output, the policer statistics are displayed as psa-1Mbps-per-source-24-32-256-one-0, psa-1Mbps-per-source-24-32-256-one-1, and so on through psa-1Mbps-per-source-24-32-256-one-255.

user@host> show firewall prefix-action-stats filter limit-source-one-24 prefix-action psa-1Mbps-per-source-24-32-256 from 0 to 9
Filter: limit-source-one-24
Counters:
Name                                                Bytes   Packets
psa-1Mbps-per-source-24-32-256-one-0                    0         0
psa-1Mbps-per-source-24-32-256-one-1                    0         0
psa-1Mbps-per-source-24-32-256-one-2                    0         0
psa-1Mbps-per-source-24-32-256-one-3                    0         0
psa-1Mbps-per-source-24-32-256-one-4                    0         0
psa-1Mbps-per-source-24-32-256-one-5                    0         0
psa-1Mbps-per-source-24-32-256-one-6                    0         0
psa-1Mbps-per-source-24-32-256-one-7                    0         0
psa-1Mbps-per-source-24-32-256-one-8                    0         0
psa-1Mbps-per-source-24-32-256-one-9                    0         0
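When reviewing this output operationally, the useful step is to map a busy counter index back to the source address it represents. The parser below is an added example, not Juniper code, and the counter table it consumes is a constructed sample with nonzero rows rather than the all-zero output shown on the page; the function names are mine, and index_to_source assumes the same indexing as the example (bits between subnet-prefix-length and source-prefix-length), returning the first address of the block an index stands for.

```python
"""Parse 'show firewall prefix-action-stats' output and map indexes to sources
(added example, not Juniper's code)."""
import ipaddress
import re

# Constructed sample output; the nonzero counters are invented for illustration.
SAMPLE_OUTPUT = """\
Filter: limit-source-one-24
Counters:
Name                                                Bytes   Packets
psa-1Mbps-per-source-24-32-256-one-0                    0         0
psa-1Mbps-per-source-24-32-256-one-1                12000        12
psa-1Mbps-per-source-24-32-256-one-2                    0         0
psa-1Mbps-per-source-24-32-256-one-9               940000       940
"""

# <prefix-specific-action-name>[-<term-name>]-<set-index>  <bytes>  <packets>
STAT_LINE = re.compile(
    r"^(?P<name>\S+)-(?P<index>\d+)\s+(?P<bytes>\d+)\s+(?P<packets>\d+)\s*$"
)


def parse_prefix_action_stats(text: str) -> dict:
    """Map set index -> (bytes, packets); header and filter lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if m:
            rows[int(m["index"])] = (int(m["bytes"]), int(m["packets"]))
    return rows


def index_to_source(filter_prefix: str, index: int,
                    subnet_prefix_length: int, source_prefix_length: int) -> str:
    """Inverse of the indexing: first address of the block that selects this index."""
    net = ipaddress.ip_network(filter_prefix)
    shift = 32 - source_prefix_length
    return str(ipaddress.IPv4Address(int(net.network_address) | (index << shift)))


def active_sources(text: str, filter_prefix: str,
                   subnet_prefix_length: int, source_prefix_length: int) -> dict:
    """Sources whose per-source counter saw traffic, keyed by address -> packets."""
    return {
        index_to_source(filter_prefix, i, subnet_prefix_length, source_prefix_length): pkts
        for i, (_bytes, pkts) in parse_prefix_action_stats(text).items()
        if pkts > 0
    }
```

For the 10.10.10.0/24 filter with a 24/32 prefix-specific action, index 9 is exactly 10.10.10.9; with a 24/28 action the same index would stand for the 10.10.10.144/28 block, which is why the inverse mapping takes both prefix lengths.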

Published: 2012-11-16