Prefix-Specific Counting and Policing Actions
Prefix-Specific Counting and Policing Overview
- Separate Counting and Policing for Each IPv4 Address Range
- Prefix-Specific Action Configuration
- Counter and Policer Set Size and Indexing
Separate Counting and Policing for Each IPv4 Address Range
Prefix-specific counting and policing enables you to configure an IPv4 firewall filter term that matches on a source or destination address, applies a single-rate two-color policer as the term action, but associates the matched packet with a specific counter and policer instance based on the source or destination in the packet header. You can implicitly create a separate counter or policer instance for a single address or for a group of addresses.
Prefix-specific counting and policing uses a prefix-specific action configuration that specifies the name of the policer you want to apply, whether prefix-specific counting is to be enabled, and a source or destination address prefix range.
The prefix range specifies between 1 and 16 sequential set bits of an IPv4 address mask. The length of the prefix range determines the size of the counter and policer set, which consists of as few as 2 or as many as 65,536 counter and policer instances. The position of the bits of the prefix range determines the indexing of filter-matched packets into the set of instances.
A prefix-specific action is specific to a source or destination prefix range, but it is not specific to a particular source or destination address range, and it is not specific to a particular interface.
To apply a prefix-specific action to the traffic at an interface, you configure a firewall filter term that matches on source or destination addresses, and then you apply the firewall filter to the interface. The flow of filtered traffic is rate-limited using prefix-specific counter and policer instances that are selected per packet based on the source or destination address in the header of the filtered packet.
Prefix-Specific Action Configuration
To configure a prefix-specific action, you specify the following information:
Prefix-specific action name—Name that can be referenced as the action of an IPv4 standard firewall filter term that matches packets on source or destination addresses.
Policer name—Name of a single-rate two-color policer for which you want to implicitly create prefix-specific instances.
Note: For aggregated Ethernet interfaces, you can configure a prefix-specific action that references a logical interface policer (also called an aggregate policer). You can reference this type of prefix-specific action from an IPv4 standard firewall filter and then apply the filter at the aggregate level of the interface.
Counting option—Option to include if you want to enable prefix-specific counters.
Filter-specific option—Option to include if you want a single counter and policer set to be shared across all terms in the firewall filter. A prefix-specific action that operates in this way is said to operate in filter-specific mode. If you do not enable this option, the prefix-specific action operates in term-specific mode, meaning that a separate counter and policer set is created for each filter term that references the prefix-specific action.
Source address prefix length—Length of the address prefix, from 0 through 32, to be used with a packet matched on the source address.
Destination address prefix length—Length of the address prefix, from 0 through 32, to be used with a packet matched on the destination address.
Subnet prefix length—Length of the subnet prefix, from 0 through 32, to be used with a packet matched on either the source or destination address.
You must configure source and destination address prefix lengths to be from 1 to 16 bits longer than the subnet prefix length. If you configure source or destination address prefix lengths to be more than 16 bits beyond the configured subnet prefix length, an error occurs when you try to commit the configuration.
Counter and Policer Set Size and Indexing
The number of counter and policer instances implicitly created for a prefix-specific action is determined by the length of the address prefix and the length of the subnet prefix:
Size of Counter and Policer Set = 2^(source-or-destination-prefix-length - subnet-prefix-length)
Table 1 shows examples of counter and policer set size and indexing.

Table 1: Counter and Policer Set Size and Indexing

| Example Prefix Lengths Specified in the Prefix-Specific Action | Calculation of Counter or Policer Set Size | Indexing of Instances |
|---|---|---|
| source-prefix-length = 32, subnet-prefix-length = 16 | Size = 2^(32 - 16) = 2^16 = 65,536 instances. Note: This calculation shows the largest counter or policer set size supported. | Instance 0: x.x.0.0; Instance 1: x.x.0.1; ... Instance 65535: x.x.255.255 |
| source-prefix-length = 32, subnet-prefix-length = 24 | Size = 2^(32 - 24) = 2^8 = 256 instances | Instance 0: x.x.x.0; Instance 1: x.x.x.1; ... Instance 255: x.x.x.255 |
| source-prefix-length = 32, subnet-prefix-length = 25 | Size = 2^(32 - 25) = 2^7 = 128 instances | Instance 0: x.x.x.0; Instance 1: x.x.x.1; ... Instance 127: x.x.x.127 |
| source-prefix-length = 24, subnet-prefix-length = 20 | Size = 2^(24 - 20) = 2^4 = 16 instances | Instance 0: x.x.0.x; Instance 1: x.x.1.x; ... Instance 15: x.x.15.x |
Filter-Specific Counter and Policer Set Overview
By default, a prefix-specific policer set operates in term-specific mode so that, for a given firewall filter, the Junos OS creates a separate counter and policer set for every filter term that references the prefix-specific action. As an option, you can configure a prefix-specific policer set to operate in filter-specific mode so that a single prefix-specific policer set is used by all terms (within the same firewall filter) that reference the policer.
For an IPv4 firewall filter with multiple terms that reference the same prefix-specific policer set, configuring the policer set to operate in filter-specific mode enables you to count and monitor the activity of the policer set at the firewall filter level.
Term-specific mode and filter-specific mode also apply to policers. See Filter-Specific Policer Overview.
To enable a prefix-specific policer set to operate in filter-specific mode, you can include the filter-specific statement at the following hierarchy levels:
[edit firewall family inet prefix-action prefix-action-name]
[edit logical-systems logical-system-name firewall family inet prefix-action prefix-action-name]
You can reference filter-specific, prefix-specific policer sets from IPv4 (family inet) firewall filters only.
Filter-Specific Policer Overview
By default, a policer operates in term-specific mode so that, for a given firewall filter, the Junos OS creates a separate policer instance for every filter term that references the policer. As an option, you can configure a policer to operate in filter-specific mode so that a single policer instance is used by all terms (within the same firewall filter) that reference the policer.
For an IPv4 firewall filter with multiple terms that reference the same policer, configuring the policer to operate in filter-specific mode enables you to count and monitor the activity of the policer at the firewall filter level.
Term-specific mode and filter-specific mode also apply to prefix-specific policer sets.
To enable a single-rate two-color policer to operate in filter-specific mode, you can include the filter-specific statement at the following hierarchy levels:
[edit firewall policer policer-name]
[edit logical-systems logical-system-name firewall policer policer-name]
You can reference filter-specific policers from IPv4 (family inet) firewall filters only.
Example: Configuring Prefix-Specific Counting and Policing
This example shows how to configure prefix-specific counting and policing.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, you configure prefix-specific counting and policing based on the last octet of the source address field in packets matched by an IPv4 firewall filter.
The single-rate two-color policer named 1Mbps-policer rate-limits traffic to a bandwidth of 1,000,000 bps and a burst-size limit of 63,000 bytes, discarding any packets in a traffic flow that exceeds the traffic limits.
Independent of the IPv4 addresses contained in any packets passed from a firewall filter, the prefix-specific action named psa-1Mbps-per-source-24-32-256 specifies a set of 256 counters and policers, numbered from 0 through 255. For each packet, the last octet of the source address field is used to index into the associated prefix-specific counter and policer in the set:
Packets with a source address whose last octet is 0000 0000 (binary, decimal 0) index the first counter and policer in the set.
Packets with a source address whose last octet is 0000 0001 (binary, decimal 1) index the second counter and policer in the set.
Packets with a source address whose last octet is 1111 1111 (binary, decimal 255) index the last counter and policer in the set.
The limit-source-one-24 firewall filter contains a single term that matches all packets from the /24 subnet of source address 10.10.10.0, passing these packets to the prefix-specific action psa-1Mbps-per-source-24-32-256.
Topology
In this example, because the filter term matches the /24 subnet of a single source address, each counting and policing instance in the prefix-specific set is used for only one source address.
Packets with a source address 10.10.10.0 index the first counter and policer in the set.
Packets with a source address 10.10.10.1 index the second counter and policer in the set.
Packets with a source address 10.10.10.255 index the last counter and policer in the set.
This example shows the simplest case of prefix-specific actions, in which the filter term matches on one address with a prefix length that is the same as the prefix length specified in the prefix-specific action for indexing into the set of prefix-specific counters and policers.
For descriptions of other configurations for prefix-specific counting and policing, see Prefix-Specific Counting and Policing Configuration Scenarios.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configuring a Policer for Prefix-Specific Counting and Policing
- Configuring a Prefix-Specific Action Based on the Policer
- Configuring an IPv4 Filter That References the Prefix-Specific Action
- Applying the Firewall Filter to IPv4 Input Traffic at a Logical Interface
CLI Quick Configuration
To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
set firewall policer 1Mbps-policer if-exceeding bandwidth-limit 1m
set firewall policer 1Mbps-policer if-exceeding burst-size-limit 63k
set firewall policer 1Mbps-policer then discard
set firewall family inet prefix-action psa-1Mbps-per-source-24-32-256 policer 1Mbps-policer
set firewall family inet prefix-action psa-1Mbps-per-source-24-32-256 count
set firewall family inet prefix-action psa-1Mbps-per-source-24-32-256 subnet-prefix-length 24
set firewall family inet prefix-action psa-1Mbps-per-source-24-32-256 source-prefix-length 32
set firewall family inet filter limit-source-one-24 term one from source-address 10.10.10.0/24
set firewall family inet filter limit-source-one-24 term one then prefix-action psa-1Mbps-per-source-24-32-256
set interfaces so-0/0/2 unit 0 family inet filter input limit-source-one-24
set interfaces so-0/0/2 unit 0 family inet address 10.39.1.1/16
Configuring a Policer for Prefix-Specific Counting and Policing
Step-by-Step Procedure
To configure a policer to be used for prefix-specific counting and policing:
Enable configuration of a single-rate two-color policer.
[edit]
user@host# edit firewall policer 1Mbps-policer
Define the traffic limit.
[edit firewall policer 1Mbps-policer]
user@host# set if-exceeding bandwidth-limit 1m
user@host# set if-exceeding burst-size-limit 63k
Packets in a traffic flow that conforms to this limit are passed with the PLP set to low.
Define the actions for nonconforming traffic.
[edit firewall policer 1Mbps-policer]
user@host# set then discard
Packets in a traffic flow that exceeds this limit are discarded. Other configurable actions for a single-rate two-color policer are to set the forwarding class and to set the PLP level.
Results
Confirm the configuration of the policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show firewall
policer 1Mbps-policer {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 63k;
    }
    then discard;
}
Configuring a Prefix-Specific Action Based on the Policer
Step-by-Step Procedure
To configure a prefix-specific action that references the policer and specifies a portion of a source address prefix:
Enable configuration of a prefix-specific action.
[edit]
user@host# edit firewall family inet prefix-action psa-1Mbps-per-source-24-32-256
Prefix-specific counting and policing can be defined for IPv4 traffic only.
Reference the policer for which a prefix-specific set is to be created, and enable prefix-specific counting.
[edit firewall family inet prefix-action psa-1Mbps-per-source-24-32-256]
user@host# set policer 1Mbps-policer
user@host# set count
Note: For aggregated Ethernet interfaces, you can configure a prefix-specific action that references a logical interface policer (also called an aggregate policer). You can reference this type of prefix-specific action from an IPv4 standard firewall filter and then apply the filter at the aggregate level of the interface.
Specify the prefix range on which IPv4 addresses are to be indexed to the counter and policer set.
[edit firewall family inet prefix-action psa-1Mbps-per-source-24-32-256]
user@host# set source-prefix-length 32
user@host# set subnet-prefix-length 24
Results
Confirm the configuration of the prefix-specific action by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show firewall
policer 1Mbps-policer {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 63k;
    }
    then discard;
}
family inet {
    prefix-action psa-1Mbps-per-source-24-32-256 {
        policer 1Mbps-policer;
        count;
        subnet-prefix-length 24;
        source-prefix-length 32;
    }
}
Configuring an IPv4 Filter That References the Prefix-Specific Action
Step-by-Step Procedure
To configure an IPv4 standard firewall filter that references the prefix-specific action:
Enable configuration of the IPv4 standard firewall filter.
[edit]
user@host# edit firewall family inet filter limit-source-one-24
Prefix-specific counting and policing can be defined for IPv4 traffic only.
Configure the filter term to match on the packet source address or destination address.
[edit firewall family inet filter limit-source-one-24]
user@host# set term one from source-address 10.10.10.0/24
Configure the filter term to reference the prefix-specific action.
[edit firewall family inet filter limit-source-one-24]
user@host# set term one then prefix-action psa-1Mbps-per-source-24-32-256
You could also use the next term action to configure all Hypertext Transfer Protocol (HTTP) traffic to each host to transmit at 500 Kbps and have the total HTTP traffic limited to 1 Mbps.
Results
Confirm the configuration of the firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show firewall
policer 1Mbps-policer {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 63k;
    }
    then discard;
}
family inet {
    prefix-action psa-1Mbps-per-source-24-32-256 {
        policer 1Mbps-policer;
        count;
        subnet-prefix-length 24;
        source-prefix-length 32;
    }
    filter limit-source-one-24 {
        term one {
            from {
                source-address {
                    10.10.10.0/24;
                }
            }
            then prefix-action psa-1Mbps-per-source-24-32-256;
        }
    }
}
Applying the Firewall Filter to IPv4 Input Traffic at a Logical Interface
Step-by-Step Procedure
To apply the firewall filter to IPv4 input traffic at a logical interface:
Enable configuration of IPv4 on the logical interface.
[edit]
user@host# edit interfaces so-0/0/2 unit 0 family inet
Configure an IP address.
[edit interfaces so-0/0/2 unit 0 family inet]
user@host# set address 10.39.1.1/16
Apply the IPv4 standard stateless firewall filter.
[edit interfaces so-0/0/2 unit 0 family inet]
user@host# set filter input limit-source-one-24
Results
Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show interfaces
so-0/0/2 {
    unit 0 {
        family inet {
            filter {
                input limit-source-one-24;
            }
            address 10.39.1.1/16;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Displaying the Firewall Filters Applied to an Interface
- Displaying Prefix-Specific Actions Statistics for the Firewall Filter
Displaying the Firewall Filters Applied to an Interface
Purpose
Verify that the firewall filter limit-source-one-24 is applied to the IPv4 input traffic at logical interface so-0/0/2.0.
Action
Use the show interfaces statistics operational mode command for logical interface so-0/0/2.0, and include the detail option. In the command output section for Protocol inet, the Input Filters field displays limit-source-one-24, indicating that the filter is applied to IPv4 traffic in the input direction:
user@host> show interfaces statistics so-0/0/2.0 detail
Logical interface so-0/0/2.0 (Index 79) (SNMP ifIndex 510) (Generation 149)
  Flags: Hardware-Down Point-To-Point SNMP-Traps 0x4000 Encapsulation: PPP
  Protocol inet, MTU: 4470, Generation: 173, Route table: 0
    Flags: Sendbcast-pkt-to-re, Protocol-Down
    Input Filters: limit-source-one-24
    Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
      Destination: 10.39/16, Local: 10.39.1.1, Broadcast: 10.39.255.255, Generation: 163
Displaying Prefix-Specific Actions Statistics for the Firewall Filter
Purpose
Verify the number of packets evaluated by the policer.
Action
Use the show firewall prefix-action-stats filter filter-name prefix-action name operational mode command to display statistics about a prefix-specific action configured on a firewall filter.
As an option, you can use the from set-index to set-index command option to specify the starting and ending counter or policer to be displayed. A policer set is indexed from 0 through at most 65535.
The command output displays the specified filter name followed by a listing of the number of bytes and packets processed by each policer in the policer set.
For a prefix-specific action operating in term-specific mode, each policer in the set is identified as follows:
prefix-specific-action-name-term-name-set-index
For a prefix-specific action operating in filter-specific mode, each policer is identified in the command output as follows:
prefix-specific-action-name-set-index
The example prefix-specific action psa-1Mbps-per-source-24-32-256 does not include the filter-specific statement, so it operates in the default term-specific mode, and it is referenced by only one term (one) of the example filter limit-source-one-24. In the show firewall prefix-action-stats command output, the policer statistics are therefore displayed as psa-1Mbps-per-source-24-32-256-one-0, psa-1Mbps-per-source-24-32-256-one-1, and so on through psa-1Mbps-per-source-24-32-256-one-255.
user@host> show firewall prefix-action-stats filter limit-source-one-24 prefix-action psa-1Mbps-per-source-24-32-256 from 0 to 9
Filter: limit-source-one-24
Counters:
Name                                                Bytes              Packets
psa-1Mbps-per-source-24-32-256-one-0                    0                    0
psa-1Mbps-per-source-24-32-256-one-1                    0                    0
psa-1Mbps-per-source-24-32-256-one-2                    0                    0
psa-1Mbps-per-source-24-32-256-one-3                    0                    0
psa-1Mbps-per-source-24-32-256-one-4                    0                    0
psa-1Mbps-per-source-24-32-256-one-5                    0                    0
psa-1Mbps-per-source-24-32-256-one-6                    0                    0
psa-1Mbps-per-source-24-32-256-one-7                    0                    0
psa-1Mbps-per-source-24-32-256-one-8                    0                    0
psa-1Mbps-per-source-24-32-256-one-9                    0                    0
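In operation the interesting question is not whether the counters exist but which instances are actually being hit, and which hosts those instances stand for. The following Python is an added example, not Junos code and not output from this page: it parses text in the shape of the show firewall prefix-action-stats Counters table, splits the term name and set index off the instance name (which has to be done after stripping the known, hyphen-containing action name), lists the instances that have seen traffic, and inverts the indexing to recover the matched addresses behind an index. The sample rows are constructed; the page's own output is all zeros. Names such as parse_prefix_action_stats and hosts_for_instance are the example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of 'show firewall prefix-action-stats' output.
# The nonzero rows are made up so the parser has something to flag.
SAMPLE_OUTPUT = """\
Filter: limit-source-one-24
Counters:
Name                                                  Bytes      Packets
psa-1Mbps-per-source-24-32-256-one-0                      0            0
psa-1Mbps-per-source-24-32-256-one-1                1510000         1000
psa-1Mbps-per-source-24-32-256-one-2                      0            0
psa-1Mbps-per-source-24-32-256-one-200              9870000         6580
"""


@dataclass
class InstanceStats:
    prefix_action: str
    term: Optional[str]  # None when the action runs in filter-specific mode
    index: int
    bytes: int
    packets: int


def parse_prefix_action_stats(text: str, prefix_action: str) -> List[InstanceStats]:
    """Parse the Counters table into one record per instance.

    The prefix-specific action name is passed in because it contains hyphens itself,
    so '<action>-<term>-<index>' (term-specific) and '<action>-<index>'
    (filter-specific) can only be split reliably once the known prefix is removed."""
    rows: List[InstanceStats] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].startswith(prefix_action + "-"):
            continue  # banner, 'Counters:', column header, or some other action
        tail = parts[0][len(prefix_action) + 1:]  # e.g. "one-200" or "200"
        m = re.fullmatch(r"(?:(?P<term>.+)-)?(?P<idx>\d+)", tail)
        if m is None:
            continue
        rows.append(InstanceStats(prefix_action, m.group("term"), int(m.group("idx")),
                                  int(parts[1]), int(parts[2])))
    return rows


def active_instances(rows: List[InstanceStats]) -> List[InstanceStats]:
    """Instances that have counted traffic, busiest first."""
    return sorted((r for r in rows if r.packets > 0), key=lambda r: r.packets, reverse=True)


def hosts_for_instance(index: int, matched_prefix: str,
                       address_prefix_length: int, subnet_prefix_length: int) -> List[str]:
    """Invert the indexing: addresses inside the filter term's matched prefix whose bits
    between subnet_prefix_length and address_prefix_length equal this index.
    Several results mean the instance is shared by several hosts; none means the
    instance cannot be reached from this term at all."""
    span = address_prefix_length - subnet_prefix_length
    shift = 32 - address_prefix_length
    mask = (1 << span) - 1
    return [str(h) for h in ipaddress.IPv4Network(matched_prefix)
            if ((int(h) >> shift) & mask) == index]


if __name__ == "__main__":
    rows = parse_prefix_action_stats(SAMPLE_OUTPUT, "psa-1Mbps-per-source-24-32-256")
    for r in active_instances(rows):
        print(r.index, r.packets, hosts_for_instance(r.index, "10.10.10.0/24", 32, 24))
```

With the page's 24/32 action and a /24 match each busy index maps to exactly one host; with the 25/32 action of Scenario 2 the same call returns two hosts per index, which is how a counter that looks like one host's traffic can in fact be two hosts sharing a policer.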
Prefix-Specific Counting and Policing Configuration Scenarios
- Prefix Length of the Action and Prefix Length of Addresses in Filtered Packets
- Scenario 1: Firewall Filter Term Matches on Multiple Addresses
- Scenario 2: Subnet Prefix Is Longer Than the Prefix in the Filter Match Condition
- Scenario 3: Subnet Prefix Is Shorter Than the Prefix in the Firewall Filter Match Condition
Prefix Length of the Action and Prefix Length of Addresses in Filtered Packets
Table 2 describes the relationship between the prefix length specified in the prefix-specific action and the prefix length of the addresses matched by the firewall filter term that references the prefix-specific action.

Table 2: Prefix Length of the Action and Prefix Length of Addresses in Filtered Packets

| Prefix-Specific Action Scenario | Counter and Policer Set | Packet-Filtering Criteria | Indexing of Instances |
|---|---|---|---|
| Example: Configuring Prefix-Specific Counting and Policing | source-prefix-length = 32, subnet-prefix-length = 24. Set size: 2^8 = 256. Instance numbers: 0 - 255 | source-address = 10.10.10.0/24 | Instance 0: 10.10.10.0; Instance 1: 10.10.10.1; ... Instance 255: 10.10.10.255 |
| Scenario 1: Firewall Filter Term Matches on Multiple Addresses | source-prefix-length = 32, subnet-prefix-length = 24. Set size: 2^8 = 256. Instance numbers: 0 - 255 | source-address = 10.10.10.0/24 and source-address = 10.11.0.0/16 | Instance 0: 10.10.10.0, 10.11.x.0; Instance 1: 10.10.10.1, 10.11.x.1; ... Instance 255: 10.10.10.255, 10.11.x.255. For addresses in the /16 subnet, x ranges from 0 through 255. |
| Scenario 2: Subnet Prefix Is Longer Than the Prefix in the Filter Match Condition | source-prefix-length = 32, subnet-prefix-length = 25. Set size: 2^7 = 128. Instance numbers: 0 - 127 | source-address = 10.10.10.0/24 | Instance 0: 10.10.10.0, 10.10.10.128; Instance 1: 10.10.10.1, 10.10.10.129; ... Instance 127: 10.10.10.127, 10.10.10.255 |
| Scenario 3: Subnet Prefix Is Shorter Than the Prefix in the Firewall Filter Match Condition | source-prefix-length = 32, subnet-prefix-length = 24. Set size: 2^8 = 256. Instance numbers: 0 - 255 | source-address = 10.10.10.0/25. Note: Only packets with source addresses ranging from 10.10.10.0 through 10.10.10.127 are passed to the prefix-specific action. | Instance 0: 10.10.10.0; Instance 1: 10.10.10.1; ... Instance 127: 10.10.10.127. Instances 128 - 255: unused |
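The set-size formula in Counter and Policer Set Size and Indexing and the instance sharing shown in Table 2 come down to a few bit operations on the 32-bit address: the instance is the run of address bits that starts after the subnet prefix and ends at the source or destination prefix length. The following Python model is an added example, not Junos code or output from this page. It computes the set size and rejects the ranges the commit check rejects, returns the instance a given address selects, and, for the addresses a filter term matches, reports which instances are shared and which are never used. Function names such as set_size, instance_index and sharing_report are the example's own.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple


def set_size(address_prefix_length: int, subnet_prefix_length: int) -> int:
    """Number of counter/policer instances: 2^(address-prefix-length - subnet-prefix-length).

    Raises for what the commit check rejects: the address prefix must be 1 to 16 bits
    longer than the subnet prefix (a 1- to 65,536-instance set)."""
    for length in (address_prefix_length, subnet_prefix_length):
        if not 0 <= length <= 32:
            raise ValueError(f"prefix length {length} is outside 0-32")
    span = address_prefix_length - subnet_prefix_length
    if not 1 <= span <= 16:
        raise ValueError(f"address prefix must be 1 to 16 bits longer than the subnet prefix, got {span}")
    return 1 << span


def instance_index(address: str, address_prefix_length: int, subnet_prefix_length: int) -> int:
    """Instance selected by a packet carrying this address: the address bits between
    subnet_prefix_length and address_prefix_length, read as an unsigned integer."""
    size = set_size(address_prefix_length, subnet_prefix_length)
    value = int(ipaddress.IPv4Address(address))
    return (value >> (32 - address_prefix_length)) & (size - 1)


def index_map(matched_prefixes: Iterable[str], address_prefix_length: int,
              subnet_prefix_length: int) -> Dict[int, List[str]]:
    """Instance -> every matched address that lands on it.

    Instances absent from the result are never used by a term matching these prefixes."""
    result: Dict[int, List[str]] = {}
    for prefix in matched_prefixes:
        for host in ipaddress.IPv4Network(prefix):
            idx = instance_index(str(host), address_prefix_length, subnet_prefix_length)
            result.setdefault(idx, []).append(str(host))
    return result


def sharing_report(matched_prefixes: Iterable[str], address_prefix_length: int,
                   subnet_prefix_length: int) -> Tuple[int, int, int]:
    """(instances used, instances never used, most addresses sharing one instance)."""
    size = set_size(address_prefix_length, subnet_prefix_length)
    mapping = index_map(matched_prefixes, address_prefix_length, subnet_prefix_length)
    return len(mapping), size - len(mapping), max(len(v) for v in mapping.values())


def instance_name(prefix_action: str, index: int, term: Optional[str] = None) -> str:
    """Counter name as shown by 'show firewall prefix-action-stats': term-specific mode
    (the default) embeds the term name, filter-specific mode does not."""
    return f"{prefix_action}-{term}-{index}" if term is not None else f"{prefix_action}-{index}"


if __name__ == "__main__":
    # Example on this page: /24 match, 24/32 action -> one address per instance
    print(sharing_report(["10.10.10.0/24"], 32, 24))                  # (256, 0, 1)
    # Scenario 1: adding 10.11.0.0/16 makes 257 addresses share every instance
    print(sharing_report(["10.10.10.0/24", "10.11.0.0/16"], 32, 24))  # (256, 0, 257)
    # Scenario 2: 25/32 action with a /24 match pairs 10.10.10.N with 10.10.10.N+128
    print(index_map(["10.10.10.0/24"], 32, 25)[0])                     # ['10.10.10.0', '10.10.10.128']
    # Scenario 3: /25 match with a 24/32 action leaves the upper half of the set idle
    print(sharing_report(["10.10.10.0/25"], 32, 24))                  # (128, 128, 1)
```

The Scenario 1 result is the one to look at before widening a match condition: with the policer's discard action, a single host in 10.11.0.0/16 that exceeds the rate exhausts the shared instance and causes discards for the 10.10.10.x host and the 255 other 10.11.x.y hosts that land on the same index.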
Scenario 1: Firewall Filter Term Matches on Multiple Addresses
The complete example, Example: Configuring Prefix-Specific Counting and Policing, shows the simplest case of prefix-specific actions, in which a single-term firewall filter matches on one address with a prefix length that is the same as the subnet prefix length specified in the prefix-specific action. Unlike the example, this scenario describes a configuration in which a single-term firewall filter matches on two IPv4 source addresses. In addition, the additional condition matches on a source address with a prefix length that is different from the subnet prefix length defined in the prefix-specific action. In this case, the additional condition matches on the /16 subnet of the source address 10.11.0.0.
Unlike packets that match the source address 10.10.10.0/24, packets that match the source address 10.11.0.0/16 are in a many-to-one correspondence with the instances in the counter and policer set.
The filter-matched packets that are passed to the prefix-specific action index into the counter and policer set in such a way that the counting and policing instances are shared by packets that contain source addresses across the 10.10.10.0/24 and 10.11.0.0/16 subnets as follows:
The first counter and policer in the set are indexed by packets with source addresses 10.10.10.0 and 10.11.x.0, where x ranges from 0 through 255.
The second counter and policer in the set are indexed by packets with source addresses 10.10.10.1 and 10.11.x.1, where x ranges from 0 through 255.
The 256th (last) counter and policer in the set are indexed by packets with source addresses 10.10.10.255 and 10.11.x.255, where x ranges from 0 through 255.
Because each instance is shared by 257 source addresses and the policer action is discard, a single host in 10.11.0.0/16 that exceeds the rate causes discards for every other host that indexes the same instance.
The following configuration shows the statements for configuring the single-rate two-color policer, the prefix-specific action that references the policer, and the IPv4 standard stateless firewall filter that references the prefix-specific action:
[edit]
firewall {
policer 1Mbps-policer {
if-exceeding {
bandwidth-limit 1m;
burst-size-limit 63k;
}
then discard;
}
family inet {
prefix-action psa-1Mbps-per-source-24-32-256 {
policer 1Mbps-policer;
subnet-prefix-length 24;
source-prefix-length 32;
}
filter limit-source-two-24-16 {
term one {
from {
source-address {
10.10.10.0/24;
10.11.0.0/16;
}
}
then prefix-action psa-1Mbps-per-source-24-32-256;
}
}
}
}
interfaces {
so-0/0/2 {
unit 0 {
family inet {
filter {
input limit-source-two-24-16;
}
address 10.39.1.1/16;
}
}
}
}
Scenario 2: Subnet Prefix Is Longer Than the Prefix in the Filter Match Condition
The complete example, Example: Configuring Prefix-Specific Counting and Policing, shows the simplest case of prefix-specific actions, in which the single-term firewall filter matches on one address with a prefix length that is the same as the subnet prefix length specified in the prefix-specific action. Unlike the example, this scenario describes a configuration in which the prefix-specific action defines a subnet prefix length that is longer than the prefix of the source address matched by the firewall filter. In this case, the prefix-specific action defines a subnet-prefix-length value of 25, while the firewall filter matches on a source address in the /24 subnet.
The firewall filter passes to the prefix-specific action packets with source addresses that range from 10.10.10.0 through 10.10.10.255, while the prefix-specific action specifies a set of only 128 counters and policers, numbered from 0 through 127.
The filter-matched packets that are passed to the prefix-specific action index into the counter and policer set in such a way that each counting and policing instance is shared by packets that contain either of two source addresses within the 10.10.10.0/24 subnet:
The first counter and policer in the set are indexed by packets with source addresses 10.10.10.0 and 10.10.10.128.
The second counter and policer in the set are indexed by packets with source addresses 10.10.10.1 and 10.10.10.129.
The 128th (last) counter and policer in the set are indexed by packets with source addresses 10.10.10.127 and 10.10.10.255.
The following configuration shows the statements for configuring the single-rate two-color policer, the prefix-specific action that references the policer, and the IPv4 standard stateless firewall filter that references the prefix-specific action:
[edit]
firewall {
policer 1Mbps-policer {
if-exceeding {
bandwidth-limit 1m;
burst-size-limit 63k;
}
then discard;
}
family inet {
prefix-action psa-1Mbps-per-source-25-32-128 {
policer 1Mbps-policer;
subnet-prefix-length 25;
source-prefix-length 32;
}
filter limit-source-one-24 {
term one {
from {
source-address {
10.10.10.0/24;
}
}
then prefix-action psa-1Mbps-per-source-25-32-128;
}
}
}
}
interfaces {
so-0/0/2 {
unit 0 {
family inet {
filter {
input limit-source-one-24;
}
address 10.39.1.1/16;
}
}
}
}
Scenario 3: Subnet Prefix Is Shorter Than the Prefix in the Firewall Filter Match Condition
The complete example, Example: Configuring Prefix-Specific Counting and Policing, shows the simplest case of prefix-specific actions, in which the single-term firewall filter matches on one address with a prefix length that is the same as the subnet prefix length specified in the prefix-specific action. Unlike the example, this scenario describes a configuration in which the prefix-specific action defines a subnet prefix length that is shorter than the prefix of the source address matched by the firewall filter. In this case, the filter term matches on the /25 subnet of the source address 10.10.10.0.
The firewall filter passes to the prefix-specific action only packets with source addresses that range from 10.10.10.0 through 10.10.10.127, while the prefix-specific action specifies a set of 256 counters and policers, numbered from 0 through 255.
The matched packets that are passed to the prefix-specific action index into the lower half of the counter and policer set only:
The first counter and policer in the set are indexed by packets with source address 10.10.10.0.
The second counter and policer in the set are indexed by packets with source address 10.10.10.1.
The 128th counter and policer in the set are indexed by packets with source address 10.10.10.127.
The upper half of the set (instances numbered from 128 through 255) is not indexed by packets passed to the prefix-specific action from this particular firewall filter.
The following configuration shows the statements for configuring the single-rate two-color policer, the prefix-specific action that references the policer, and the IPv4 standard stateless firewall filter that references the prefix-specific action:
[edit]
firewall {
policer 1Mbps-policer {
if-exceeding {
bandwidth-limit 1m;
burst-size-limit 63k;
}
then discard;
}
family inet {
prefix-action psa-1Mbps-per-source-24-32-256 {
policer 1Mbps-policer;
subnet-prefix-length 24;
source-prefix-length 32;
}
filter limit-source-one-25 {
term one {
from {
source-address {
10.10.10.0/25;
}
}
then prefix-action psa-1Mbps-per-source-24-32-256;
}
}
}
}
interfaces {
so-0/0/2 {
unit 0 {
family inet {
filter {
input limit-source-one-25;
}
address 10.39.1.1/16;
}
}
}
}