[GTER] Controle de banda em BRAS juniper.

Joao Ferreira joca at planaltonet.net.br
Mon Feb 7 17:55:46 -03 2022


set dynamic-profiles IPV4 variables Bandwidth-IN default-value 32k
set dynamic-profiles IPV4 variables Bandwidth-IN mandatory
set dynamic-profiles IPV4 variables Bandwidth-OUT default-value 32k
set dynamic-profiles IPV4 variables Bandwidth-OUT mandatory
set dynamic-profiles IPV4 variables Policer-IN uid
set dynamic-profiles IPV4 variables Policer-OUT uid
set dynamic-profiles IPV4 variables Filter-IN uid
set dynamic-profiles IPV4 variables Filter-OUT uid
set dynamic-profiles IPV4 variables Burst-OUT default-value 5m
set dynamic-profiles IPV4 variables Burst-IN default-value 5m
set dynamic-profiles IPV4 interfaces "$junos-interface-ifd-name" unit
"$junos-interface-unit" family inet filter input "$Filter-IN"
set dynamic-profiles IPV4 interfaces "$junos-interface-ifd-name" unit
"$junos-interface-unit" family inet filter output "$Filter-OUT"
set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT"
interface-specific
set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term 10
then policer "$Policer-OUT"
set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term 10
then service-filter-hit
set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term 10
then accept
**set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN"
interface-specific*
set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term 10
then policer "$Policer-IN"
set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term 10
then service-filter-hit
set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term 10
then accept
set dynamic-profiles IPV4 firewall policer "$Policer-IN" filter-specific
**set dynamic-profiles IPV4 firewall policer "$Policer-IN"
logical-interface-policer*
set dynamic-profiles IPV4 firewall policer "$Policer-IN" if-exceeding
bandwidth-limit "$Bandwidth-IN"
set dynamic-profiles IPV4 firewall policer "$Policer-IN" if-exceeding
burst-size-limit "$Burst-IN"
set dynamic-profiles IPV4 firewall policer "$Policer-IN" then discard
set dynamic-profiles IPV4 firewall policer "$Policer-OUT" filter-specific
set dynamic-profiles IPV4 firewall policer "$Policer-OUT"
logical-interface-policer
set dynamic-profiles IPV4 firewall policer "$Policer-OUT" if-exceeding
bandwidth-limit "$Bandwidth-OUT"
set dynamic-profiles IPV4 firewall policer "$Policer-OUT" if-exceeding
burst-size-limit "$Burst-OUT"
set dynamic-profiles IPV4 firewall policer "$Policer-OUT" then discard

set dynamic-profiles IPV6 variables Bandwidth-IN-V6 default-value 32k
set dynamic-profiles IPV6 variables Bandwidth-IN-V6 mandatory
set dynamic-profiles IPV6 variables Bandwidth-OUT-V6 default-value 32k
set dynamic-profiles IPV6 variables Bandwidth-OUT-V6 mandatory
set dynamic-profiles IPV6 variables Burst-IN-V6 default-value 2m
set dynamic-profiles IPV6 variables Burst-OUT-V6 default-value 2m
set dynamic-profiles IPV6 variables Policer-IN-V6 uid
set dynamic-profiles IPV6 variables Policer-OUT-V6 uid
set dynamic-profiles IPV6 variables Filter-IN-V6 uid
set dynamic-profiles IPV6 variables Filter-OUT-V6 uid
set dynamic-profiles IPV6 interfaces demux0 unit "$junos-interface-unit"
family inet6 filter input "$Filter-IN-V6"
set dynamic-profiles IPV6 interfaces demux0 unit "$junos-interface-unit"
family inet6 filter output "$Filter-OUT-V6"
set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6"
interface-specific
set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6" term
10 then policer "$Policer-IN-V6"
set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6" term
10 then service-filter-hit
set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6" term
10 then accept
set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
interface-specific
set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
term 10 then policer "$Policer-OUT-V6"
set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
term 10 then service-filter-hit
set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
term 10 then accept
set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" filter-specific
**set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6"
logical-interface-policer*
set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" if-exceeding
bandwidth-limit "$Bandwidth-IN-V6"
set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" if-exceeding
burst-size-limit "$Burst-IN-V6"
set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" then discard
set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" filter-specific
**set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6"
logical-interface-policer*
set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" if-exceeding
bandwidth-limit "$Bandwidth-OUT-V6"
set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" if-exceeding
burst-size-limit "$Burst-OUT-V6"
set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" then discard


Seriam essas em negrito? já estavam  configuradas.

Em seg., 7 de fev. de 2022 às 17:15, Diogo Montagner <
diogo.montagner at gmail.com> escreveu:

> Tu precisa utilizar um logical-interface-policer:
>
>
> https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/ref/statement/logical-interface-policer-edit-firewall.html
>
>
> ./diogo -montagner
> JNCIE-SP 0x41A
>
>
> On Mon, 7 Feb 2022 at 23:43, Joao Ferreira via gter <gter at eng.registro.br>
> wrote:
>
>> Boa tarde, estou configurando controle dinamico em BRAS juniper  usando
>> IPV4  e IPV6, o problema que estou tendo e que o controle de banda do
>> juniper esta sendo feito encima de protocolo, resultando que soma o
>> controle de banda, alguem tem uma configuracao que o controle seja feito
>> na
>> interface? estou usando essa configuração.
>>
>> set dynamic-profiles IPV4 variables Bandwidth-IN default-value 32k
>> set dynamic-profiles IPV4 variables Bandwidth-IN mandatory
>> set dynamic-profiles IPV4 variables Bandwidth-OUT default-value 32k
>> set dynamic-profiles IPV4 variables Bandwidth-OUT mandatory
>> set dynamic-profiles IPV4 variables Policer-IN uid
>> set dynamic-profiles IPV4 variables Policer-OUT uid
>> set dynamic-profiles IPV4 variables Filter-IN uid
>> set dynamic-profiles IPV4 variables Filter-OUT uid
>> set dynamic-profiles IPV4 variables Burst-OUT default-value 5m
>> set dynamic-profiles IPV4 variables Burst-IN default-value 5m
>> set dynamic-profiles IPV4 interfaces "$junos-interface-ifd-name" unit
>> "$junos-interface-unit" family inet filter input "$Filter-IN"
>> set dynamic-profiles IPV4 interfaces "$junos-interface-ifd-name" unit
>> "$junos-interface-unit" family inet filter output "$Filter-OUT"
>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT"
>> interface-specific
>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term
>> 10
>> then policer "$Policer-OUT"
>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term
>> 10
>> then service-filter-hit
>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term
>> 10
>> then accept
>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN"
>> interface-specific
>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term 10
>> then policer "$Policer-IN"
>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term 10
>> then service-filter-hit
>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term 10
>> then accept
>> set dynamic-profiles IPV4 firewall policer "$Policer-IN" filter-specific
>> set dynamic-profiles IPV4 firewall policer "$Policer-IN"
>> logical-interface-policer
>> set dynamic-profiles IPV4 firewall policer "$Policer-IN" if-exceeding
>> bandwidth-limit "$Bandwidth-IN"
>> set dynamic-profiles IPV4 firewall policer "$Policer-IN" if-exceeding
>> burst-size-limit "$Burst-IN"
>> set dynamic-profiles IPV4 firewall policer "$Policer-IN" then discard
>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" filter-specific
>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT"
>> logical-interface-policer
>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" if-exceeding
>> bandwidth-limit "$Bandwidth-OUT"
>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" if-exceeding
>> burst-size-limit "$Burst-OUT"
>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" then discard
>>
>> set dynamic-profiles IPV6 variables Bandwidth-IN-V6 default-value 32k
>> set dynamic-profiles IPV6 variables Bandwidth-IN-V6 mandatory
>> set dynamic-profiles IPV6 variables Bandwidth-OUT-V6 default-value 32k
>> set dynamic-profiles IPV6 variables Bandwidth-OUT-V6 mandatory
>> set dynamic-profiles IPV6 variables Burst-IN-V6 default-value 2m
>> set dynamic-profiles IPV6 variables Burst-OUT-V6 default-value 2m
>> set dynamic-profiles IPV6 variables Policer-IN-V6 uid
>> set dynamic-profiles IPV6 variables Policer-OUT-V6 uid
>> set dynamic-profiles IPV6 variables Filter-IN-V6 uid
>> set dynamic-profiles IPV6 variables Filter-OUT-V6 uid
>> set dynamic-profiles IPV6 interfaces demux0 unit "$junos-interface-unit"
>> family inet6 filter input "$Filter-IN-V6"
>> set dynamic-profiles IPV6 interfaces demux0 unit "$junos-interface-unit"
>> family inet6 filter output "$Filter-OUT-V6"
>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6"
>> interface-specific
>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6"
>> term
>> 10 then policer "$Policer-IN-V6"
>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6"
>> term
>> 10 then service-filter-hit
>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6"
>> term
>> 10 then accept
>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
>> interface-specific
>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
>> term 10 then policer "$Policer-OUT-V6"
>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
>> term 10 then service-filter-hit
>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
>> term 10 then accept
>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6"
>> filter-specific
>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6"
>> logical-interface-policer
>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" if-exceeding
>> bandwidth-limit "$Bandwidth-IN-V6"
>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" if-exceeding
>> burst-size-limit "$Burst-IN-V6"
>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" then discard
>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6"
>> filter-specific
>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6"
>> logical-interface-policer
>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" if-exceeding
>> bandwidth-limit "$Bandwidth-OUT-V6"
>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" if-exceeding
>> burst-size-limit "$Burst-OUT-V6"
>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" then discard
>> --
>> gter list    https://eng.registro.br/mailman/listinfo/gter
>>
>


More information about the gter mailing list