[GTER] Bandwidth control on Juniper BRAS.

Diogo Montagner diogo.montagner at gmail.com
Mon Feb 7 18:36:04 -03 2022


See the example here:

https://juniper-nsp.puck.nether.narkive.com/9CUJW3NJ/j-nsp-bras-ipv4-ipv6-combined-policer-radius-attributes



./diogo -montagner
JNCIE-SP 0x41A


On Tue, 8 Feb 2022 at 07:55, Joao Ferreira <joca at planaltonet.net.br> wrote:

> set dynamic-profiles IPV4 variables Bandwidth-IN default-value 32k
> set dynamic-profiles IPV4 variables Bandwidth-IN mandatory
> set dynamic-profiles IPV4 variables Bandwidth-OUT default-value 32k
> set dynamic-profiles IPV4 variables Bandwidth-OUT mandatory
> set dynamic-profiles IPV4 variables Policer-IN uid
> set dynamic-profiles IPV4 variables Policer-OUT uid
> set dynamic-profiles IPV4 variables Filter-IN uid
> set dynamic-profiles IPV4 variables Filter-OUT uid
> set dynamic-profiles IPV4 variables Burst-OUT default-value 5m
> set dynamic-profiles IPV4 variables Burst-IN default-value 5m
> set dynamic-profiles IPV4 interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter input "$Filter-IN"
> set dynamic-profiles IPV4 interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter output "$Filter-OUT"
> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" interface-specific
> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term 10 then policer "$Policer-OUT"
> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term 10 then service-filter-hit
> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term 10 then accept
> **set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" interface-specific*
> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term 10 then policer "$Policer-IN"
> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term 10 then service-filter-hit
> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term 10 then accept
> set dynamic-profiles IPV4 firewall policer "$Policer-IN" filter-specific
> **set dynamic-profiles IPV4 firewall policer "$Policer-IN" logical-interface-policer*
> set dynamic-profiles IPV4 firewall policer "$Policer-IN" if-exceeding bandwidth-limit "$Bandwidth-IN"
> set dynamic-profiles IPV4 firewall policer "$Policer-IN" if-exceeding burst-size-limit "$Burst-IN"
> set dynamic-profiles IPV4 firewall policer "$Policer-IN" then discard
> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" filter-specific
> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" logical-interface-policer
> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" if-exceeding bandwidth-limit "$Bandwidth-OUT"
> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" if-exceeding burst-size-limit "$Burst-OUT"
> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" then discard
>
> set dynamic-profiles IPV6 variables Bandwidth-IN-V6 default-value 32k
> set dynamic-profiles IPV6 variables Bandwidth-IN-V6 mandatory
> set dynamic-profiles IPV6 variables Bandwidth-OUT-V6 default-value 32k
> set dynamic-profiles IPV6 variables Bandwidth-OUT-V6 mandatory
> set dynamic-profiles IPV6 variables Burst-IN-V6 default-value 2m
> set dynamic-profiles IPV6 variables Burst-OUT-V6 default-value 2m
> set dynamic-profiles IPV6 variables Policer-IN-V6 uid
> set dynamic-profiles IPV6 variables Policer-OUT-V6 uid
> set dynamic-profiles IPV6 variables Filter-IN-V6 uid
> set dynamic-profiles IPV6 variables Filter-OUT-V6 uid
> set dynamic-profiles IPV6 interfaces demux0 unit "$junos-interface-unit" family inet6 filter input "$Filter-IN-V6"
> set dynamic-profiles IPV6 interfaces demux0 unit "$junos-interface-unit" family inet6 filter output "$Filter-OUT-V6"
> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6" interface-specific
> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6" term 10 then policer "$Policer-IN-V6"
> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6" term 10 then service-filter-hit
> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6" term 10 then accept
> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6" interface-specific
> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6" term 10 then policer "$Policer-OUT-V6"
> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6" term 10 then service-filter-hit
> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6" term 10 then accept
> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" filter-specific
> **set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" logical-interface-policer*
> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" if-exceeding bandwidth-limit "$Bandwidth-IN-V6"
> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" if-exceeding burst-size-limit "$Burst-IN-V6"
> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" then discard
> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" filter-specific
> **set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" logical-interface-policer*
> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" if-exceeding bandwidth-limit "$Bandwidth-OUT-V6"
> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" if-exceeding burst-size-limit "$Burst-OUT-V6"
> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" then discard
>
>
> Would it be these in bold? They were already configured.
>
> On Mon, 7 Feb 2022 at 17:15, Diogo Montagner <
> diogo.montagner at gmail.com> wrote:
>
>> You need to use a logical-interface-policer:
>>
>>
>> https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/ref/statement/logical-interface-policer-edit-firewall.html
>>
>>
>> ./diogo -montagner
>> JNCIE-SP 0x41A
>>
>>
>> On Mon, 7 Feb 2022 at 23:43, Joao Ferreira via gter <gter at eng.registro.br>
>> wrote:
>>
>>> Good afternoon, I am configuring dynamic control on a Juniper BRAS using
>>> IPv4 and IPv6. The problem I am having is that Juniper's bandwidth
>>> control is being done per protocol, with the result that the bandwidth
>>> limits add up. Does anyone have a configuration in which the control is
>>> done on the interface? I am using this configuration.
>>>
>>> set dynamic-profiles IPV4 variables Bandwidth-IN default-value 32k
>>> set dynamic-profiles IPV4 variables Bandwidth-IN mandatory
>>> set dynamic-profiles IPV4 variables Bandwidth-OUT default-value 32k
>>> set dynamic-profiles IPV4 variables Bandwidth-OUT mandatory
>>> set dynamic-profiles IPV4 variables Policer-IN uid
>>> set dynamic-profiles IPV4 variables Policer-OUT uid
>>> set dynamic-profiles IPV4 variables Filter-IN uid
>>> set dynamic-profiles IPV4 variables Filter-OUT uid
>>> set dynamic-profiles IPV4 variables Burst-OUT default-value 5m
>>> set dynamic-profiles IPV4 variables Burst-IN default-value 5m
>>> set dynamic-profiles IPV4 interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter input "$Filter-IN"
>>> set dynamic-profiles IPV4 interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter output "$Filter-OUT"
>>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" interface-specific
>>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term 10 then policer "$Policer-OUT"
>>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term 10 then service-filter-hit
>>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term 10 then accept
>>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" interface-specific
>>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term 10 then policer "$Policer-IN"
>>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term 10 then service-filter-hit
>>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term 10 then accept
>>> set dynamic-profiles IPV4 firewall policer "$Policer-IN" filter-specific
>>> set dynamic-profiles IPV4 firewall policer "$Policer-IN" logical-interface-policer
>>> set dynamic-profiles IPV4 firewall policer "$Policer-IN" if-exceeding bandwidth-limit "$Bandwidth-IN"
>>> set dynamic-profiles IPV4 firewall policer "$Policer-IN" if-exceeding burst-size-limit "$Burst-IN"
>>> set dynamic-profiles IPV4 firewall policer "$Policer-IN" then discard
>>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" filter-specific
>>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" logical-interface-policer
>>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" if-exceeding bandwidth-limit "$Bandwidth-OUT"
>>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" if-exceeding burst-size-limit "$Burst-OUT"
>>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" then discard
>>>
>>> set dynamic-profiles IPV6 variables Bandwidth-IN-V6 default-value 32k
>>> set dynamic-profiles IPV6 variables Bandwidth-IN-V6 mandatory
>>> set dynamic-profiles IPV6 variables Bandwidth-OUT-V6 default-value 32k
>>> set dynamic-profiles IPV6 variables Bandwidth-OUT-V6 mandatory
>>> set dynamic-profiles IPV6 variables Burst-IN-V6 default-value 2m
>>> set dynamic-profiles IPV6 variables Burst-OUT-V6 default-value 2m
>>> set dynamic-profiles IPV6 variables Policer-IN-V6 uid
>>> set dynamic-profiles IPV6 variables Policer-OUT-V6 uid
>>> set dynamic-profiles IPV6 variables Filter-IN-V6 uid
>>> set dynamic-profiles IPV6 variables Filter-OUT-V6 uid
>>> set dynamic-profiles IPV6 interfaces demux0 unit "$junos-interface-unit" family inet6 filter input "$Filter-IN-V6"
>>> set dynamic-profiles IPV6 interfaces demux0 unit "$junos-interface-unit" family inet6 filter output "$Filter-OUT-V6"
>>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6" interface-specific
>>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6" term 10 then policer "$Policer-IN-V6"
>>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6" term 10 then service-filter-hit
>>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6" term 10 then accept
>>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6" interface-specific
>>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6" term 10 then policer "$Policer-OUT-V6"
>>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6" term 10 then service-filter-hit
>>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6" term 10 then accept
>>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" filter-specific
>>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" logical-interface-policer
>>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" if-exceeding bandwidth-limit "$Bandwidth-IN-V6"
>>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" if-exceeding burst-size-limit "$Burst-IN-V6"
>>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" then discard
>>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" filter-specific
>>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" logical-interface-policer
>>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" if-exceeding bandwidth-limit "$Bandwidth-OUT-V6"
>>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" if-exceeding burst-size-limit "$Burst-OUT-V6"
>>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" then discard
>>>
>>
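
Added example, not part of the thread or of Juniper's documentation: a Python check over `set`-format lines that lists, per direction, which policer each address family ends up using and whether it carries `logical-interface-policer`. It assumes, following Juniper's description of a logical interface policer as one instance shared by the families it is applied to on a logical interface, that the limits stay separate when each family references its own policer; `SAMPLE` is a constructed subset of the configuration quoted above.

```python
import shlex
from collections import defaultdict

# Constructed sample: a subset of the set lines quoted in the thread, with
# wrapped lines joined (input direction only).
SAMPLE = '''
set dynamic-profiles IPV4 interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter input "$Filter-IN"
set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term 10 then policer "$Policer-IN"
set dynamic-profiles IPV4 firewall policer "$Policer-IN" logical-interface-policer
set dynamic-profiles IPV6 interfaces demux0 unit "$junos-interface-unit" family inet6 filter input "$Filter-IN-V6"
set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6" term 10 then policer "$Policer-IN-V6"
set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" logical-interface-policer
'''

def policers_by_direction(config):
    """Map direction -> {(profile, family, policer, has_logical_interface_policer)}."""
    bound = {}   # (profile, filter) -> (family, direction)
    uses = {}    # (profile, filter) -> policer referenced by a term
    lip = set()  # (profile, policer) marked logical-interface-policer
    for line in config.splitlines():
        tok = shlex.split(line)  # strips the double quotes around $variables
        if tok[:2] != ["set", "dynamic-profiles"] or len(tok) < 5:
            continue  # blank lines and anything that is not a profile statement
        profile, section, rest = tok[2], tok[3], tok[4:]
        if section == "interfaces" and "filter" in rest:
            i = rest.index("filter")  # ... family <fam> filter <input|output> <name>
            if i >= 2 and rest[i - 2] == "family" and len(rest) > i + 2:
                bound[(profile, rest[i + 2])] = (rest[i - 1], rest[i + 1])
        elif section == "firewall" and rest[0] == "family":
            # family <fam> filter <name> term <t> then policer <policer>
            if len(rest) >= 6 and rest[2] == "filter" and rest[-2] == "policer":
                uses[(profile, rest[3])] = rest[-1]
        elif section == "firewall" and rest[0] == "policer":
            if rest[2:] == ["logical-interface-policer"]:
                lip.add((profile, rest[1]))
    out = defaultdict(set)
    for (profile, flt), (family, direction) in bound.items():
        pol = uses.get((profile, flt))
        if pol:
            out[direction].add((profile, family, pol, (profile, pol) in lip))
    return out

def split_rate_directions(config):
    """Directions in which the families reference different policer instances."""
    table = policers_by_direction(config)
    return sorted(d for d, rows in table.items()
                  if len({(p, pol) for p, _, pol, _ in rows}) > 1)
```

On the sample, both families carry the `logical-interface-policer` flag, yet the input direction is reported because `inet` and `inet6` point at two different policers defined in two different dynamic profiles.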

