[GTER] Controle de banda em BRAS juniper.
Joao Ferreira
joca at planaltonet.net.br
Mon Feb 7 20:13:35 -03 2022
As configurações que fiz foi seguindo essa do exemplo. E você mencionou
faltar interface especific , mais já existe na minha config TB.
Em seg, 7 de fev de 2022 18:36, Diogo Montagner <diogo.montagner at gmail.com>
escreveu:
> Olha o exemplo aqui:
>
>
> https://juniper-nsp.puck.nether.narkive.com/9CUJW3NJ/j-nsp-bras-ipv4-ipv6-combined-policer-radius-attributes
>
>
>
> ./diogo -montagner
> JNCIE-SP 0x41A
>
>
> On Tue, 8 Feb 2022 at 07:55, Joao Ferreira <joca at planaltonet.net.br>
> wrote:
>
>> set dynamic-profiles IPV4 variables Bandwidth-IN default-value 32k
>> set dynamic-profiles IPV4 variables Bandwidth-IN mandatory
>> set dynamic-profiles IPV4 variables Bandwidth-OUT default-value 32k
>> set dynamic-profiles IPV4 variables Bandwidth-OUT mandatory
>> set dynamic-profiles IPV4 variables Policer-IN uid
>> set dynamic-profiles IPV4 variables Policer-OUT uid
>> set dynamic-profiles IPV4 variables Filter-IN uid
>> set dynamic-profiles IPV4 variables Filter-OUT uid
>> set dynamic-profiles IPV4 variables Burst-OUT default-value 5m
>> set dynamic-profiles IPV4 variables Burst-IN default-value 5m
>> set dynamic-profiles IPV4 interfaces "$junos-interface-ifd-name" unit
>> "$junos-interface-unit" family inet filter input "$Filter-IN"
>> set dynamic-profiles IPV4 interfaces "$junos-interface-ifd-name" unit
>> "$junos-interface-unit" family inet filter output "$Filter-OUT"
>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT"
>> interface-specific
>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term
>> 10 then policer "$Policer-OUT"
>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term
>> 10 then service-filter-hit
>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT" term
>> 10 then accept
>> **set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN"
>> interface-specific*
>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term
>> 10 then policer "$Policer-IN"
>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term
>> 10 then service-filter-hit
>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term
>> 10 then accept
>> set dynamic-profiles IPV4 firewall policer "$Policer-IN" filter-specific
>> **set dynamic-profiles IPV4 firewall policer "$Policer-IN"
>> logical-interface-policer*
>> set dynamic-profiles IPV4 firewall policer "$Policer-IN" if-exceeding
>> bandwidth-limit "$Bandwidth-IN"
>> set dynamic-profiles IPV4 firewall policer "$Policer-IN" if-exceeding
>> burst-size-limit "$Burst-IN"
>> set dynamic-profiles IPV4 firewall policer "$Policer-IN" then discard
>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" filter-specific
>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT"
>> logical-interface-policer
>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" if-exceeding
>> bandwidth-limit "$Bandwidth-OUT"
>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" if-exceeding
>> burst-size-limit "$Burst-OUT"
>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" then discard
>>
>> set dynamic-profiles IPV6 variables Bandwidth-IN-V6 default-value 32k
>> set dynamic-profiles IPV6 variables Bandwidth-IN-V6 mandatory
>> set dynamic-profiles IPV6 variables Bandwidth-OUT-V6 default-value 32k
>> set dynamic-profiles IPV6 variables Bandwidth-OUT-V6 mandatory
>> set dynamic-profiles IPV6 variables Burst-IN-V6 default-value 2m
>> set dynamic-profiles IPV6 variables Burst-OUT-V6 default-value 2m
>> set dynamic-profiles IPV6 variables Policer-IN-V6 uid
>> set dynamic-profiles IPV6 variables Policer-OUT-V6 uid
>> set dynamic-profiles IPV6 variables Filter-IN-V6 uid
>> set dynamic-profiles IPV6 variables Filter-OUT-V6 uid
>> set dynamic-profiles IPV6 interfaces demux0 unit "$junos-interface-unit"
>> family inet6 filter input "$Filter-IN-V6"
>> set dynamic-profiles IPV6 interfaces demux0 unit "$junos-interface-unit"
>> family inet6 filter output "$Filter-OUT-V6"
>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6"
>> interface-specific
>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6"
>> term 10 then policer "$Policer-IN-V6"
>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6"
>> term 10 then service-filter-hit
>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6"
>> term 10 then accept
>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
>> interface-specific
>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
>> term 10 then policer "$Policer-OUT-V6"
>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
>> term 10 then service-filter-hit
>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
>> term 10 then accept
>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6"
>> filter-specific
>> **set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6"
>> logical-interface-policer*
>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" if-exceeding
>> bandwidth-limit "$Bandwidth-IN-V6"
>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" if-exceeding
>> burst-size-limit "$Burst-IN-V6"
>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" then discard
>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6"
>> filter-specific
>> **set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6"
>> logical-interface-policer*
>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" if-exceeding
>> bandwidth-limit "$Bandwidth-OUT-V6"
>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" if-exceeding
>> burst-size-limit "$Burst-OUT-V6"
>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" then discard
>>
>>
>> Seriam essas em negrito? já estavam configuradas.
>>
>> Em seg., 7 de fev. de 2022 às 17:15, Diogo Montagner <
>> diogo.montagner at gmail.com> escreveu:
>>
>>> Tu precisa utilizar um logical-interface-policer:
>>>
>>>
>>> https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/ref/statement/logical-interface-policer-edit-firewall.html
>>>
>>>
>>> ./diogo -montagner
>>> JNCIE-SP 0x41A
>>>
>>>
>>> On Mon, 7 Feb 2022 at 23:43, Joao Ferreira via gter <
>>> gter at eng.registro.br> wrote:
>>>
>>>> Boa tarde, estou configurando controle dinamico em BRAS juniper usando
>>>> IPV4 e IPV6, o problema que estou tendo e que o controle de banda do
>>>> juniper esta sendo feito encima de protocolo, resultando que soma o
>>>> controle de banda, alguem tem uma configuracao que o controle seja
>>>> feito na
>>>> interface? estou usando essa configuração.
>>>>
>>>> set dynamic-profiles IPV4 variables Bandwidth-IN default-value 32k
>>>> set dynamic-profiles IPV4 variables Bandwidth-IN mandatory
>>>> set dynamic-profiles IPV4 variables Bandwidth-OUT default-value 32k
>>>> set dynamic-profiles IPV4 variables Bandwidth-OUT mandatory
>>>> set dynamic-profiles IPV4 variables Policer-IN uid
>>>> set dynamic-profiles IPV4 variables Policer-OUT uid
>>>> set dynamic-profiles IPV4 variables Filter-IN uid
>>>> set dynamic-profiles IPV4 variables Filter-OUT uid
>>>> set dynamic-profiles IPV4 variables Burst-OUT default-value 5m
>>>> set dynamic-profiles IPV4 variables Burst-IN default-value 5m
>>>> set dynamic-profiles IPV4 interfaces "$junos-interface-ifd-name" unit
>>>> "$junos-interface-unit" family inet filter input "$Filter-IN"
>>>> set dynamic-profiles IPV4 interfaces "$junos-interface-ifd-name" unit
>>>> "$junos-interface-unit" family inet filter output "$Filter-OUT"
>>>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT"
>>>> interface-specific
>>>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT"
>>>> term 10
>>>> then policer "$Policer-OUT"
>>>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT"
>>>> term 10
>>>> then service-filter-hit
>>>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-OUT"
>>>> term 10
>>>> then accept
>>>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN"
>>>> interface-specific
>>>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term
>>>> 10
>>>> then policer "$Policer-IN"
>>>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term
>>>> 10
>>>> then service-filter-hit
>>>> set dynamic-profiles IPV4 firewall family inet filter "$Filter-IN" term
>>>> 10
>>>> then accept
>>>> set dynamic-profiles IPV4 firewall policer "$Policer-IN" filter-specific
>>>> set dynamic-profiles IPV4 firewall policer "$Policer-IN"
>>>> logical-interface-policer
>>>> set dynamic-profiles IPV4 firewall policer "$Policer-IN" if-exceeding
>>>> bandwidth-limit "$Bandwidth-IN"
>>>> set dynamic-profiles IPV4 firewall policer "$Policer-IN" if-exceeding
>>>> burst-size-limit "$Burst-IN"
>>>> set dynamic-profiles IPV4 firewall policer "$Policer-IN" then discard
>>>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT"
>>>> filter-specific
>>>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT"
>>>> logical-interface-policer
>>>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" if-exceeding
>>>> bandwidth-limit "$Bandwidth-OUT"
>>>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" if-exceeding
>>>> burst-size-limit "$Burst-OUT"
>>>> set dynamic-profiles IPV4 firewall policer "$Policer-OUT" then discard
>>>>
>>>> set dynamic-profiles IPV6 variables Bandwidth-IN-V6 default-value 32k
>>>> set dynamic-profiles IPV6 variables Bandwidth-IN-V6 mandatory
>>>> set dynamic-profiles IPV6 variables Bandwidth-OUT-V6 default-value 32k
>>>> set dynamic-profiles IPV6 variables Bandwidth-OUT-V6 mandatory
>>>> set dynamic-profiles IPV6 variables Burst-IN-V6 default-value 2m
>>>> set dynamic-profiles IPV6 variables Burst-OUT-V6 default-value 2m
>>>> set dynamic-profiles IPV6 variables Policer-IN-V6 uid
>>>> set dynamic-profiles IPV6 variables Policer-OUT-V6 uid
>>>> set dynamic-profiles IPV6 variables Filter-IN-V6 uid
>>>> set dynamic-profiles IPV6 variables Filter-OUT-V6 uid
>>>> set dynamic-profiles IPV6 interfaces demux0 unit "$junos-interface-unit"
>>>> family inet6 filter input "$Filter-IN-V6"
>>>> set dynamic-profiles IPV6 interfaces demux0 unit "$junos-interface-unit"
>>>> family inet6 filter output "$Filter-OUT-V6"
>>>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6"
>>>> interface-specific
>>>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6"
>>>> term
>>>> 10 then policer "$Policer-IN-V6"
>>>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6"
>>>> term
>>>> 10 then service-filter-hit
>>>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-IN-V6"
>>>> term
>>>> 10 then accept
>>>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
>>>> interface-specific
>>>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
>>>> term 10 then policer "$Policer-OUT-V6"
>>>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
>>>> term 10 then service-filter-hit
>>>> set dynamic-profiles IPV6 firewall family inet6 filter "$Filter-OUT-V6"
>>>> term 10 then accept
>>>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6"
>>>> filter-specific
>>>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6"
>>>> logical-interface-policer
>>>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" if-exceeding
>>>> bandwidth-limit "$Bandwidth-IN-V6"
>>>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" if-exceeding
>>>> burst-size-limit "$Burst-IN-V6"
>>>> set dynamic-profiles IPV6 firewall policer "$Policer-IN-V6" then discard
>>>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6"
>>>> filter-specific
>>>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6"
>>>> logical-interface-policer
>>>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6"
>>>> if-exceeding
>>>> bandwidth-limit "$Bandwidth-OUT-V6"
>>>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6"
>>>> if-exceeding
>>>> burst-size-limit "$Burst-OUT-V6"
>>>> set dynamic-profiles IPV6 firewall policer "$Policer-OUT-V6" then
>>>> discard
>>>> --
>>>> gter list https://eng.registro.br/mailman/listinfo/gter
>>>>
>>>
More information about the gter
mailing list