[MX] Configuration Example - Bridge Domain flood filter to limit or police BUM traffic

Article ID: KB30816 KB Last Updated: 02 Jun 2016 Version: 1.0

Summary:

This article provides a sample configuration for a Bridge Domain flood filter that limits or polices BUM (Broadcast, Unknown unicast, Multicast) traffic.

Symptoms:

On a Trio-based PFE (Packet Forwarding Engine) in a Bridge Domain environment, interface policers cannot be used to limit unknown unicast traffic. A Bridge Domain flood filter can be used instead.

Solution:

Step-by-step example configuration to police BUM traffic:

  1. Define individual policers for each type of BUM traffic:

    • Broadcast 

      set firewall policer vlan108_broadcast if-exceeding bandwidth-limit 1m
      set firewall policer vlan108_broadcast if-exceeding burst-size-limit 50k
      set firewall policer vlan108_broadcast then discard


    • Unknown unicast

      set firewall policer vlan108_unknown_unicast if-exceeding bandwidth-limit 250k
      set firewall policer vlan108_unknown_unicast if-exceeding burst-size-limit 50k
      set firewall policer vlan108_unknown_unicast then discard


    • Multicast

      set firewall policer vlan108_multicast if-exceeding bandwidth-limit 4m
      set firewall policer vlan108_multicast if-exceeding burst-size-limit 100k
      set firewall policer vlan108_multicast then discard


  2. Configure the filter under family bridge

    set firewall family bridge filter vlan_108_BUM_flood term police_unicast_flood from traffic-type unknown-unicast
    set firewall family bridge filter vlan_108_BUM_flood term police_unicast_flood then policer vlan108_unknown_unicast
    set firewall family bridge filter vlan_108_BUM_flood term police_unicast_flood then count vlan108_unicast_flood_allowed
    set firewall family bridge filter vlan_108_BUM_flood term broadcast_flood from traffic-type broadcast
    set firewall family bridge filter vlan_108_BUM_flood term broadcast_flood then policer vlan108_broadcast
    set firewall family bridge filter vlan_108_BUM_flood term broadcast_flood then count vlan108_bcast_flood_allowed
    set firewall family bridge filter vlan_108_BUM_flood term mcast_flood from traffic-type multicast
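    set firewall family bridge filter vlan_108_BUM_flood term mcast_flood then policer vlan108_multicast
    set firewall family bridge filter vlan_108_BUM_flood term mcast_flood then count vlan108_mcast_flood_allowed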

  3. Apply the filter under the bridge-domain

    set bridge-domains 108 forwarding-options flood input vlan_108_BUM_flood


Verification

Setup Topology:


Bridge-domain and interface configuration:

[edit]
labroot@MX# show bridge-domains 108
vlan-id 108;
interface ge-1/3/2.108;
interface ge-1/3/3.108;
routing-interface irb.108;
forwarding-options {
    flood {
        input vlan_108_BUM_flood;
    }
}

[edit]
labroot@MX# show interfaces ge-1/3/2
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
unit 108 {
    encapsulation vlan-bridge;
    vlan-id 108;
}

[edit]
labroot@MX# show interfaces ge-1/3/3
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
unit 108 {
    encapsulation vlan-bridge;
    vlan-id 108;
}

[edit]
labroot@MX#

  1. Unknown unicast traffic sent from Tester
    labroot@MX> show firewall

    Filter: __default_bpdu_filter__

    Filter: vlan_108_BUM_flood
    Counters:
    Name Bytes Packets
    vlan108_bcast_flood_allowed 0 0
    vlan108_mcast_flood_allowed 0 0
    vlan108_unicast_flood_allowed 116700 1945
    Policers:
    Name Bytes Packets
    vlan108_broadcast-broadcast_flood 0 0
    vlan108_multicast-mcast_flood 0 0
    vlan108_unknown_unicast-police_unicast_flood 378620224 5915941

    labroot@MX> show firewall

    Filter: __default_bpdu_filter__

    Filter: vlan_108_BUM_flood
    Counters:
    Name Bytes Packets
    vlan108_bcast_flood_allowed 0 0
    vlan108_mcast_flood_allowed 0 0
    vlan108_unicast_flood_allowed 233100 3885
    Policers:
    Name Bytes Packets
    vlan108_broadcast-broadcast_flood 0 0
    vlan108_multicast-mcast_flood 0 0
    vlan108_unknown_unicast-police_unicast_flood 757240576 11831884

    labroot@MX> show interfaces ge-1/3/2 | match rate
    Input rate : 714285840 bps (1488095 pps)
    Output rate : 0 bps (0 pps)

    labroot@MX> show interfaces ge-1/3/3 | match rate
    Input rate : 0 bps (0 pps)
    Output rate : 234152 bps (487 pps)

    labroot@MX>

  2. Broadcast traffic sent from Tester

    labroot@MX> clear firewall all

    labroot@MX> show firewall

    Filter: __default_bpdu_filter__

    Filter: vlan_108_BUM_flood
    Counters:
    Name Bytes Packets
    vlan108_bcast_flood_allowed 699600 11660
    vlan108_mcast_flood_allowed 0 0
    vlan108_unicast_flood_allowed 0 0
    Policers:
    Name Bytes Packets
    vlan108_broadcast-broadcast_flood 567372160 8865190
    vlan108_multicast-mcast_flood 0 0
    vlan108_unknown_unicast-police_unicast_flood 0 0

    labroot@MX> show firewall

    Filter: __default_bpdu_filter__

    Filter: vlan_108_BUM_flood
    Counters:
    Name Bytes Packets
    vlan108_bcast_flood_allowed 1165200 19420
    vlan108_mcast_flood_allowed 0 0
    vlan108_unicast_flood_allowed 0 0
    Policers:
    Name Bytes Packets
    vlan108_broadcast-broadcast_flood 945620928 14775327
    vlan108_multicast-mcast_flood 0 0
    vlan108_unknown_unicast-police_unicast_flood 0 0

    labroot@MX>

    labroot@MX> show interfaces ge-1/3/2 | match rate
    Input rate : 714287880 bps (1488099 pps)
    Output rate : 0 bps (0 pps)

    labroot@MX> show interfaces ge-1/3/3 | match rate
    Input rate : 0 bps (0 pps)
    Output rate : 936616 bps (1951 pps)

    labroot@MX>

  3. Multicast traffic sent from Tester

    labroot@MX> clear firewall all

    labroot@MX>

    labroot@MX> show firewall

    Filter: __default_bpdu_filter__

    Filter: vlan_108_BUM_flood
    Counters:
    Name Bytes Packets
    vlan108_bcast_flood_allowed 0 0
    vlan108_mcast_flood_allowed 2793600 46560
    vlan108_unicast_flood_allowed 0 0
    Policers:
    Name Bytes Packets
    vlan108_broadcast-broadcast_flood 0 0
    vlan108_multicast-mcast_flood 565144704 8830386
    vlan108_unknown_unicast-police_unicast_flood 0 0

    labroot@MX> show firewall

    Filter: __default_bpdu_filter__

    Filter: vlan_108_BUM_flood
    Counters:
    Name Bytes Packets
    vlan108_bcast_flood_allowed 0 0
    vlan108_mcast_flood_allowed 4660800 77680
    vlan108_unicast_flood_allowed 0 0
    Policers:
    Name Bytes Packets
    vlan108_broadcast-broadcast_flood 0 0
    vlan108_multicast-mcast_flood 941896640 14717135
    vlan108_unknown_unicast-police_unicast_flood 0 0

    labroot@MX>
    labroot@MX> show interfaces ge-1/3/2 | match rate
    Input rate : 714284032 bps (1488091 pps)
    Output rate : 0 bps (0 pps)

    labroot@MX> show interfaces ge-1/3/3 | match rate
    Input rate : 0 bps (0 pps)
    Output rate : 3746504 bps (7805 pps)

    labroot@MX>
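
The snapshot comparison done by eye in the verification steps above can be scripted. The following is an added example, not part of the original article or Juniper tooling: it parses two `show firewall` outputs and reports which BUM policers are actively dropping and what share of matched traffic they discard. It assumes a single filter per snapshot, and that policer rows count discarded packets while the `_allowed` counters count packets that passed, as the counter names and figures in this article indicate.

```python
import re

# "show firewall" snapshots from this article's unknown-unicast test (trimmed).
SNAP_1 = """\
Filter: vlan_108_BUM_flood
Counters:
Name Bytes Packets
vlan108_unicast_flood_allowed 116700 1945
Policers:
Name Bytes Packets
vlan108_broadcast-broadcast_flood 0 0
vlan108_unknown_unicast-police_unicast_flood 378620224 5915941
"""
SNAP_2 = """\
Filter: vlan_108_BUM_flood
Counters:
Name Bytes Packets
vlan108_unicast_flood_allowed 233100 3885
Policers:
Name Bytes Packets
vlan108_broadcast-broadcast_flood 0 0
vlan108_unknown_unicast-police_unicast_flood 757240576 11831884
"""
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s*$")  # name, bytes, packets

def parse_show_firewall(text):
    """Return {"Counters": {name: packets}, "Policers": {name: packets}}."""
    out, section = {"Counters": {}, "Policers": {}}, None
    for line in text.splitlines():
        head = line.strip().rstrip(":")
        if head in out:
            section = head
        elif section and (m := ROW.match(line)):
            out[section][m.group(1)] = int(m.group(3))
    return out

def delta(before, after):
    """Per-name packet growth between two snapshots."""
    s1, s2 = parse_show_firewall(before), parse_show_firewall(after)
    return {sec: {n: v - s1[sec].get(n, 0) for n, v in s2[sec].items()} for sec in s2}

def active_policers(before, after):
    """Policers whose count grew: BUM classes currently exceeding their limit."""
    return {n: d for n, d in delta(before, after)["Policers"].items() if d > 0}

def dropped_fraction(before, after, counter, policer):
    """Share of matched packets the policer discarded between the snapshots."""
    d = delta(before, after)
    passed, dropped = d["Counters"][counter], d["Policers"][policer]
    return dropped / (passed + dropped) if passed + dropped else 0.0
```

A policer whose count keeps growing between polls marks the traffic type that is flooding the bridge domain; a dropped fraction near 1.0, as in the unknown-unicast test, means almost all of that class is being discarded at the configured limit.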