Juniper EX4200 Firewall Filter on Trunk Port Not Matching VLAN

Tags: juniper, juniper-ex, juniper-junos, troubleshooting, vlan

EX4200 switch has a firewall filter applied to input of trunk port.
Intent is to rate-limit (police) input bandwidth per VLAN id.

However, the 'show firewall' command points out that policing is taking place only for the filter's last "catch-all" term (named ACCEPT_OTHER_VLANS). Traffic from VLAN115 is actually being policed at the 2Mbps limit of the ACCEPT_OTHER_VLANS term.

The configuration looks fine to me.

Question:

For this specific hardware/software, can anyone spot

  • a configuration mistake?
  • an unsupported feature?
  • a known defect?

Please advise.

Hardware: EX4200-24F

JunOS: 12.3R4.6

Configuration is:

set firewall policer RATE_LIMIT_2M_T if-exceeding bandwidth-limit 2m
set firewall policer RATE_LIMIT_2M_T if-exceeding burst-size-limit 6250000
set firewall policer RATE_LIMIT_2M_T then discard
set firewall policer RATE_LIMIT_30M_T if-exceeding bandwidth-limit 30m
set firewall policer RATE_LIMIT_30M_T if-exceeding burst-size-limit 6250000
set firewall policer RATE_LIMIT_30M_T then discard
set firewall policer RATE_LIMIT_20M_T if-exceeding bandwidth-limit 20m
set firewall policer RATE_LIMIT_20M_T if-exceeding burst-size-limit 6250000
set firewall policer RATE_LIMIT_20M_T then discard

set vlans vlan115 vlan-id 115
set vlans vlan123 vlan-id 123

set firewall family ethernet-switching filter RATE_LIMIT_VLANS term RATE_LIMIT_VLAN123 from vlan vlan123
set firewall family ethernet-switching filter RATE_LIMIT_VLANS term RATE_LIMIT_VLAN123 then policer RATE_LIMIT_30M_T
set firewall family ethernet-switching filter RATE_LIMIT_VLANS term RATE_LIMIT_VLAN115 from vlan vlan115
set firewall family ethernet-switching filter RATE_LIMIT_VLANS term RATE_LIMIT_VLAN115 then policer RATE_LIMIT_20M_T
set firewall family ethernet-switching filter RATE_LIMIT_VLANS term ACCEPT_OTHER_VLANS then policer RATE_LIMIT_2M_T

set interfaces xe-0/1/0 mtu 9216
set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/1/0 unit 0 family ethernet-switching vlan members vlan115
set interfaces xe-0/1/0 unit 0 family ethernet-switching vlan members vlan123
set interfaces xe-0/1/0 unit 0 family ethernet-switching filter input RATE_LIMIT_VLANS

Result is:

user@ex4200> show firewall filter RATE_LIMIT_VLANS

Filter: RATE_LIMIT_VLANS
Policers:
Name                                                Bytes                Packets
RATE_LIMIT_20M_T-RATE_LIMIT_VLAN115                                          0
RATE_LIMIT_2M_T-ACCEPT_OTHER_VLANS                                    28283836
RATE_LIMIT_30M_T-RATE_LIMIT_VLAN123                                          0

{master:0}
user@ex4200>

Best Answer

This appears to be a defect - I just recreated a similar environment on an EX4200-VC running 15.1R3.6.

family ethernet-switching {
    filter LIMIT-VLANS {
        term VID10 {
            from {
                vlan v10;
            }
            then {
                count VID10;
                policer LIMIT-256K;
            }
        }
        term ALL-ELSE {
            then policer LIMIT-1M;
        }
    }
}

In this version of code, I was able to get the vlan classifier to work (my VID10 counter was incrementing), but I could not get the policer to kick in, even though I was exceeding the bandwidth limit by a factor of 10.

To be honest, I've had nothing but grief with EX4200 firewall filters over the years - what commits and what ultimately gets applied/works are two very different things!
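As an added check (not code from either post above), the following Python parses the policer table of the 'show firewall filter' output quoted in the question and flags the symptom it describes: per-VLAN policers with zero hits while the catch-all policer is counting packets. The function names are my own, the embedded sample is the question's output, and it assumes the "policer-term" naming Junos uses in that table.

```python
# Constructed sample: the policer table from the question's 'show firewall filter' output.
SAMPLE_OUTPUT = """\
Filter: RATE_LIMIT_VLANS
Policers:
Name                                                Bytes                Packets
RATE_LIMIT_20M_T-RATE_LIMIT_VLAN115                                          0
RATE_LIMIT_2M_T-ACCEPT_OTHER_VLANS                                    28283836
RATE_LIMIT_30M_T-RATE_LIMIT_VLAN123                                          0
"""


def parse_policer_counters(output, terms):
    """Return {term: packets} for each policer line in the table.

    Lines are matched by their '-<term>' suffix because both policer and
    term names may themselves contain hyphens (e.g. LIMIT-256K-VID10).
    Header and filter-name lines have no trailing integer and are skipped.
    """
    counters = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[-1].isdigit():
            continue
        for term in terms:
            if fields[0].endswith("-" + term):
                counters[term] = int(fields[-1])
                break
    return counters


def check_vlan_policing(counters, vlan_terms, catch_all):
    """Flag the question's symptom: the catch-all policer fires, the per-VLAN ones never do.

    Caveat (from the answer): a zero policer counter only means no packet exceeded
    that policer; add a 'count' action to the term to confirm the VLAN match itself.
    """
    findings = []
    idle = [t for t in vlan_terms if counters.get(t, 0) == 0]
    catch_all_hits = counters.get(catch_all, 0)
    if catch_all_hits > 0 and idle:
        findings.append(
            f"catch-all term {catch_all} policed {catch_all_hits} packets while "
            f"per-VLAN term(s) {', '.join(idle)} policed none; VLAN match may be ineffective"
        )
    for term in vlan_terms:
        if term not in counters:
            findings.append(f"no policer line for term {term} in the output")
    return findings
```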