[EX] Limitations in configuring legacy platforms for policer design mechanism with lo0 and VLAN interface

Article ID: KB31419 KB Last Updated: 06 Feb 2017 Version: 1.0
Summary:

This article explains the working conditions and limitations of policer configurations applied to lo0 and VLAN interfaces in EX legacy platforms.

The legacy platforms affected by this configuration are:

  • EX4200

  • EX45xx

  • EX3200

Symptoms:

How to tell if limitations apply:

  • A policer configuration cannot be applied to the lo0 interface [ingress]
  • When applied on an IRB or VLAN interface, the configuration will only work for transit traffic from Junos 14.1X53-D40 and later releases

  • Firewall filter syslog will not work


Error message:

root# commit
[edit interfaces lo0 unit 0 family inet]
'filter'
Referenced filter 'hostbound-policer-filter' can not be used as policer not supported on ingress loopback interface
error: configuration check-out failed
Cause:

Solution:

Policer Configuration:

set firewall family inet filter hostbound-policer-filter term 1 from protocol icmp
set firewall family inet filter hostbound-policer-filter term 1 from icmp-type echo-request
set firewall family inet filter hostbound-policer-filter term 1 from icmp-type echo-reply
set firewall family inet filter hostbound-policer-filter term 1 then policer policer-32k
set firewall family inet filter hostbound-policer-filter term 1 then count 1-icmp-counter
set firewall family inet filter hostbound-policer-filter term 1 then log >>>>> Will not work
set firewall family inet filter hostbound-policer-filter term 1 then syslog >>>>> Will not work
set firewall policer policer-32k if-exceeding bandwidth-limit 32k
set firewall policer policer-32k if-exceeding burst-size-limit 1k
set firewall policer policer-32k then discard

The above policer configuration polices transit traffic only.
These are the current limitations; there is no fix.
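
A pre-commit check for the limitations above, as an added example that is not from the original article or from Juniper: it scans set-format configuration for a filter that uses a policer and is bound to lo0 input or to a vlan/irb unit, and for log/syslog actions in such a filter. The function name `lint` and the `set interfaces ... filter input` binding line in the sample are assumptions; the article shows only the filter, the policer and the commit error.

```python
import re

# Constructed sample: statements from the article's filter plus an assumed
# lo0 binding line (the binding statement itself is not shown in the article).
SAMPLE = """\
set firewall family inet filter hostbound-policer-filter term 1 from protocol icmp
set firewall family inet filter hostbound-policer-filter term 1 then policer policer-32k
set firewall family inet filter hostbound-policer-filter term 1 then count 1-icmp-counter
set firewall family inet filter hostbound-policer-filter term 1 then log
set firewall family inet filter hostbound-policer-filter term 1 then syslog
set firewall policer policer-32k if-exceeding bandwidth-limit 32k
set interfaces lo0 unit 0 family inet filter input hostbound-policer-filter
"""

ACTION = re.compile(r"^set firewall family \S+ filter (\S+) term (\S+) then (\S+)")
BIND = re.compile(r"^set interfaces (\S+) unit (\S+) family \S+ filter input (\S+)")

def lint(config):
    """Return one finding per limitation from the article that the config hits."""
    policed, logged, bound = set(), [], []
    for line in config.splitlines():
        m = ACTION.match(line.strip())
        if m:
            name, term, action = m.groups()
            if action == "policer":
                policed.add(name)            # filter references a policer
            elif action in ("log", "syslog"):
                logged.append((name, term, action))
            continue
        m = BIND.match(line.strip())
        if m:
            bound.append(m.groups())         # (interface, unit, filter)
    findings = []
    for ifname, unit, name in bound:
        if name not in policed:
            continue                         # filters without a policer are not affected
        if ifname == "lo0":
            findings.append(f"{ifname}.{unit}: '{name}' uses a policer; commit fails on ingress lo0")
        elif ifname in ("vlan", "irb"):
            findings.append(f"{ifname}.{unit}: '{name}' works for transit traffic only")
    for name, term, action in logged:
        if name in policed:
            findings.append(f"filter '{name}' term {term}: '{action}' will not work")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run it against the candidate configuration in set format before committing on EX4200, EX45xx or EX3200; an empty result means none of the listed limitations were matched.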
