Policer firewall and ingress rate-limiter

https://www.youtube.com/watch?v=FR6-SVqTspo&feature=emb_logo&ab_channel=JuniperNetworks



Create a filter with a policer

set firewall family inet filter hard-filter term from-10 from source-address 10.10.10.0/24

set firewall family inet filter hard-filter term from-10 then policer drop-excess-traffic

set firewall family inet filter hard-filter term from-10 then accept

set firewall family inet filter hard-filter term all-other-traffic then accept



set firewall policer drop-excess-traffic if-exceeding bandwidth-limit 2m

set firewall policer drop-excess-traffic if-exceeding burst-size-limit 5k

set firewall policer drop-excess-traffic then discard

Apply to interface

set interfaces ge-0/0/0 unit 0 family inet filter input hard-filter
Apply to firewall filter




https://www.juniper.net/documentation/us/en/software/junos/cos/topics/example/policer-single-rate-two-color-mfc-example.html


discard

BW= 1M

Burst-size: 1500 bytes

firewall policer
set firewall policer discard if-exceeding bandwidth-limit 1m
set firewall policer discard if-exceeding burst-size-limit 1500
set firewall policer discard then discard
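
How the two policers above treat traffic, as an added example that is not part of the original notes or Juniper's code: a simplified token-bucket model of a single-rate two-color policer. The function names and traffic samples are constructed for illustration, and it assumes the suffixes k = 1000 and m = 1,000,000.

```python
# Simplified token-bucket model of a single-rate two-color policer (added example).
# Assumption: suffix k = 1000, m = 1,000,000. Integer math avoids float drift.
US = 1_000_000  # microseconds per second


def parse_limit(value):
    """Convert a limit such as '2m', '5k' or '1500' to an integer."""
    mult = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}
    v = value.lower()
    return int(v[:-1]) * mult[v[-1]] if v[-1] in mult else int(v)


def police(packets, bandwidth_limit, burst_size_limit):
    """packets: list of (arrival_time_us, size_bytes), sorted by time.
    Returns one verdict per packet: 'accept' or 'discard'."""
    rate_bps = parse_limit(bandwidth_limit)
    depth = parse_limit(burst_size_limit) * 8 * US  # bucket depth, bit-microseconds
    tokens, last_t, verdicts = depth, 0, []
    for t_us, size in packets:
        # Refill at the configured rate, never above the burst size.
        tokens = min(depth, tokens + (t_us - last_t) * rate_bps)
        last_t = t_us
        cost = size * 8 * US
        if cost <= tokens:
            tokens -= cost
            verdicts.append("accept")
        else:
            verdicts.append("discard")  # policer action "then discard"
    return verdicts


# Constructed traffic samples (not captured data).
# drop-excess-traffic (2m / 5k): six 1000-byte packets at t=0, one more 4 ms later.
BURST = [(0, 1000)] * 6 + [(4000, 1000)]
# discard (1m / 1500): full-size packets at 0 ms, 1 ms and 12 ms.
MTU_SIZED = [(0, 1500), (1000, 1500), (12000, 1500)]

if __name__ == "__main__":
    print(police(BURST, "2m", "5k"))
    print(police(MTU_SIZED, "1m", "1500"))
```

With a 1500-byte burst size at 1m, one full-size packet empties the bucket and the next is accepted only after 12 ms of refill.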
forwarding class

BE-data  > Q0
Premium-data > Q1
Voice > Q2
NC > Q3

forwarding-class
set class-of-service forwarding-classes class BE-data queue-num 0
set class-of-service forwarding-classes class Premium-data queue-num 1
set class-of-service forwarding-classes class Voice queue-num 2
set class-of-service forwarding-classes class NC queue-num 3
firewall filter

tcp/80 or http >   forwarding-class BE-data
tcp/12345      >   forwarding-class Voice
ping           >   forwarding-class Premium-data

firewall filter
set firewall family inet filter mf-classifier term BE-data from protocol tcp
set firewall family inet filter mf-classifier term BE-data from port http
set firewall family inet filter mf-classifier term BE-data then forwarding-class BE-data
set firewall family inet filter mf-classifier term BE-data then policer discard

set firewall family inet filter mf-classifier term Premium-data from protocol tcp
set firewall family inet filter mf-classifier term Premium-data from port 12345
set firewall family inet filter mf-classifier term Premium-data then forwarding-class Voice
set firewall family inet filter mf-classifier term Premium-data then policer discard

set firewall family inet filter mf-classifier term Ping-data from protocol icmp
#set firewall family inet filter mf-classifier term Ping-data from port 12345
# ICMP (ping) goes to Premium-data, per the mapping listed above
set firewall family inet filter mf-classifier term Ping-data then forwarding-class Premium-data
set firewall family inet filter mf-classifier term Ping-data then policer discard

set firewall family inet filter mf-classifier term Accept then accept
Apply fw filter to interface
#set interfaces ge-0/0/2 description to-Host
#set interfaces ge-0/0/2 unit 0 family inet address 1.1.1.1/24
set interfaces ge-0/0/2 unit 0 family inet filter input mf-classifier