Scenario 3: Subnet Prefix Is Shorter Than The Prefix In The Firewall Filter Match Condition - Juniper EX9200 Features Manual

Traffic policers feature guide ex series

Scenario 3: Subnet Prefix Is Shorter Than the Prefix in the Firewall Filter Match Condition

Copyright © 2016, Juniper Networks, Inc.
The following configuration shows the statements for configuring the single-rate two-color policer, the prefix-specific action that references the policer, and the IPv4 standard stateless firewall filter that references the prefix-specific action:

    [edit]
    firewall {
        policer 1Mbps-policer {
            if-exceeding {
                bandwidth-limit 1m;
                burst-size-limit 63k;
            }
            then discard;
        }
        family inet {
            prefix-action psa-1Mbps-per-source-25-32-128 {
                policer 1Mbps-policer;
                subnet-prefix-length 25;
                source-prefix-length 32;
            }
            filter limit-source-one-24 {
                term one {
                    from {
                        source-address {
                            10.10.10.0/24;
                        }
                    }
                    then prefix-action psa-1Mbps-per-source-25-32-128;
                }
            }
        }
    }
    interfaces {
        so-0/0/2 {
            unit 0 {
                family inet {
                    filter {
                        input limit-source-one-24;
                    }
                    address 10.39.1.1/16;
                }
            }
        }
    }

The complete example, "Example: Configuring Prefix-Specific Counting and Policing" on page 100, shows the simplest case of prefix-specific actions, in which the single-term firewall filter matches on one address with a prefix length that is the same as the subnet prefix length specified in the prefix-specific action. Unlike the example, this scenario describes a configuration in which the prefix-specific action defines a subnet prefix length that is shorter than the prefix of the source address matched by the firewall filter. In this case, the filter term matches on the /25 subnet of the source address 10.10.10.0.

Chapter 10: Prefix-Specific Counting and Policing Actions
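
The following Python sketch is an added example, not part of the Juniper manual. It uses the values in the configuration shown above (filter match 10.10.10.0/24, subnet-prefix-length 25, source-prefix-length 32) to show which policer instance each matched source address would select. It assumes the instance is chosen by the source-address bits between the two prefix lengths; the function names are hypothetical.

```python
import ipaddress


def policer_set_size(subnet_len: int, source_len: int) -> int:
    """Instances in the set: 2^(source-prefix-length - subnet-prefix-length)."""
    if not 0 <= subnet_len <= source_len <= 32:
        raise ValueError("need 0 <= subnet-prefix-length <= source-prefix-length <= 32")
    return 1 << (source_len - subnet_len)


def policer_index(addr: str, subnet_len: int, source_len: int) -> int:
    """Assumed model: index = address bits between the two prefix lengths."""
    size = policer_set_size(subnet_len, source_len)
    value = int(ipaddress.IPv4Address(addr))
    return (value >> (32 - source_len)) & (size - 1)


def shared_instances(filter_prefix: str, subnet_len: int, source_len: int) -> dict:
    """Group every source prefix the filter term matches by policer instance."""
    net = ipaddress.ip_network(filter_prefix)
    if net.prefixlen > source_len:
        raise ValueError("filter prefix is longer than source-prefix-length")
    groups = {}
    for src in net.subnets(new_prefix=source_len):
        idx = policer_index(str(src.network_address), subnet_len, source_len)
        groups.setdefault(idx, []).append(str(src))
    return groups


if __name__ == "__main__":
    # Values copied from the configuration on this page.
    groups = shared_instances("10.10.10.0/24", subnet_len=25, source_len=32)
    print("instances used:", len(groups), "of", policer_set_size(25, 32))
    for idx in (0, 1, 127):
        print(f"instance {idx:3d}: {', '.join(groups[idx])}")
```

Under this model, each of the 128 instances in the configuration above serves two /32 sources (for example 10.10.10.1 and 10.10.10.129), so the 1 Mbps limit applies to the pair rather than to each host.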