[GTER] Controle de banda em BRAS juniper.

Diogo Montagner diogo.montagner at gmail.com
Mon Feb 7 17:15:34 -03 2022


Tu precisa utilizar um logical-interface-policer:

https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/ref/statement/logical-interface-policer-edit-firewall.html


./diogo -montagner
JNCIE-SP 0x41A


On Mon, 7 Feb 2022 at 23:43, Joao Ferreira via gter <gter at eng.registro.br>
wrote:

> Boa tarde, estou configurando controle dinamico em BRAS juniper  usando
> IPV4  e IPV6, o problema que estou tendo e que o controle de banda do
> juniper esta sendo feito encima de protocolo, resultando que soma o
> controle de banda, alguem tem uma configuracao que o controle seja feito na
> interface? estou usando essa configuração.
>
> set dynamic-profiles IPV4 variables Bandwidth-IN default-value 32k
> set dynamic-profiles IPV4 variables Bandwidth-IN mandatory
> set dynamic-profiles IPV4 variables Bandwidth-OUT default-value 32k
> set dynamic-profiles IPV4 variables Bandwidth-OUT mandatory
> set dynamic-profiles IPV4 variables Policer-IN uid
> set dynamic-profiles IPV4 variables Policer-OUT uid
> set dynamic-profiles IPV4 variables Filter-IN uid
> set dynamic-profiles IPV4 variables Filter-OUT uid
> set dynamic-profiles IPV4 variables Burst-OUT default-value 5m
> set dynamic-profiles IPV4 variables Burst-IN default-value 5m
> set dynamic-profiles IPV4 interfaces "$junos-interface-ifd-name" unit
> "$junos-interface-unit" family inet filter input "$Filter-IN"
> set dynamic-profiles IPV4 interfaces "$junos-interface-ifd-name" unit
> "$junos-interface-unit" family inet filter output "$Filter-OUT"
> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT"
> interface-specific
> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term 10
> then policer "$Policer-OUT"
> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term 10
> then service-filter-hit
> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term 10
> then accept
> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN"
> interface-specific
> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term 10
> then policer "$Policer-IN"
> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term 10
> then service-filter-hit
> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term 10
> then accept
> set dynamic-profiles IPV4 firewall policer "$Policer-IN" filter-specific
> set dynamic-profiles IPV4 firewall policer "$Policer-IN"
> logical-interface-policer
> set dynamic-profiles IPV4 firewall policer "$Policer-IN" if-exceeding
> bandwidth-limit "$Bandwidth-IN"
> set dynamic-profiles IPV4 firewall policer "$Policer-IN" if-exceeding
> burst-size-limit "$Burst-IN"
> set dynamic-profiles IPV4 firewall policer "$Policer-IN" then discard
> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" filter-specific
> set dynamic-profiles IPV4 firewall policer "$Policer-OUT"
> logical-interface-policer
> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" if-exceeding
> bandwidth-limit "$Bandwidth-OUT"
> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" if-exceeding
> burst-size-limit "$Burst-OUT"
> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" then discard
>
> set dynamic-profiles IPV6 variables Bandwidth-IN-V6 default-value 32k
> set dynamic-profiles IPV6 variables Bandwidth-IN-V6 mandatory
> set dynamic-profiles IPV6 variables Bandwidth-OUT-V6 default-value 32k
> set dynamic-profiles IPV6 variables Bandwidth-OUT-V6 mandatory
> set dynamic-profiles IPV6 variables Burst-IN-V6 default-value 2m
> set dynamic-profiles IPV6 variables Burst-OUT-V6 default-value 2m
> set dynamic-profiles IPV6 variables Policer-IN-V6 uid
> set dynamic-profiles IPV6 variables Policer-OUT-V6 uid
> set dynamic-profiles IPV6 variables Filter-IN-V6 uid
> set dynamic-profiles IPV6 variables Filter-OUT-V6 uid
> set dynamic-profiles IPV6 interfaces demux0 unit "$junos-interface-unit"
> family inet6 filter input "$Filter-IN-V6"
> set dynamic-profiles IPV6 interfaces demux0 unit "$junos-interface-unit"
> family inet6 filter output "$Filter-OUT-V6"
> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6"
> interface-specific
> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6" term
> 10 then policer "$Policer-IN-V6"
> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6" term
> 10 then service-filter-hit
> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6" term
> 10 then accept
> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
> interface-specific
> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
> term 10 then policer "$Policer-OUT-V6"
> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
> term 10 then service-filter-hit
> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
> term 10 then accept
> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" filter-specific
> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6"
> logical-interface-policer
> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" if-exceeding
> bandwidth-limit "$Bandwidth-IN-V6"
> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" if-exceeding
> burst-size-limit "$Burst-IN-V6"
> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" then discard
> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6"
> filter-specific
> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6"
> logical-interface-policer
> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" if-exceeding
> bandwidth-limit "$Bandwidth-OUT-V6"
> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" if-exceeding
> burst-size-limit "$Burst-OUT-V6"
> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" then discard
> --
> gter list    https://eng.registro.br/mailman/listinfo/gter
>


More information about the gter mailing list