Premium IP Filter
A firewall filter is applied to the input interface(s) to a customer. It accepts, drops or retags the Premium IP packets based on the criteria listed below.
- The in-profile packets are classified in the expedited-forwarding queue (i.e. re-writing of the interface classification). If the Premium IP DSCP value varies between the two domains, the packets must be tagged with the new DSCP value.
- The out-of-profile packets must be discarded.
- The "errant" packets (i.e. those wrongly using the Premium IP tagging) must be re-tagged as Best Effort.
The criteria to accept the Premium IP packets are as follows.
1. If the upstream network is Premium IP-compliant (no errant Premium IP packets coming from this network)
- DSCP value
- Destination IP address
    [edit firewall]
    filter customer1-in {
        policer pol-cust1-cust2 {           -- policer definition for the PIP
            if-exceeding {                  -- traffic from the customer 1 to
                bandwidth-limit 2m;         -- the customer 2
                burst-size-limit 22350;
            }
            then discard;                   -- discard excess traffic
        }
        policer pol-cust1-cust3 {           -- policer definition for the PIP
            if-exceeding {                  -- traffic from the customer 1 to
                bandwidth-limit 2m;         -- the customer 3
                burst-size-limit 22350;
            }
            then discard;
        }
        [...]
        term rl-IPP-cust1-cust2 {
            from {
                destination-prefix-list {   -- the destination prefix list
                    pref-list-cust2;        -- is the one of the customer 2
                }
                dscp 46;                    -- rate-limitation dscp 46 (Premium IP)
            }
            then {
                count IPP-cust1-cust2;
                -- monitor the amount of PIP between cust1 and cust2
                policer pol-cust1-cust2;
                -- rate-limit the amount of PIP between cust1 and cust2 and drop the excess
                loss-priority low;
                -- set the loss priority (for the RED drop profile - optional in this configuration)
                forwarding-class expedited-forwarding;
                -- re-write the classification done by the classifier,
                -- send the packet into the Premium IP queue (expedited-forwarding class)
                accept;                     -- accept the in-profile packets
            }
        }
        term rl-IPP-cust1-cust3 {           -- the same but between the customer 1 and the customer 3
            from {
                destination-prefix-list {   -- the destination prefix list
                    pref-list-cust3;        -- is the one of the customer 3
                }
                dscp 46;
            }
            then {
                count IPP-cust1-cust3;
                policer pol-cust1-cust3;
                loss-priority low;
                forwarding-class expedited-forwarding;
                accept;
            }
        }
        [...]
        term default {                      -- do not forget this one ;-)
            then {
                accept;                     -- accept the other packets
            }
        }
    }
2. On the first router of a Premium IP compliant section (part of a network supporting Premium IP)
- Source IP address
- Destination IP address
- DSCP value
    [edit firewall]
    filter customer1-in {
        policer pol-cust1-cust2 {           -- policer definition for the PIP
            if-exceeding {                  -- traffic from the customer 1 to
                bandwidth-limit 2m;         -- the customer 2
                burst-size-limit 22350;
            }
            then discard;                   -- discard excess traffic
        }
        policer pol-cust1-cust3 {           -- policer definition for the PIP
            if-exceeding {                  -- traffic from the customer 1 to
                bandwidth-limit 2m;         -- the customer 3
                burst-size-limit 22350;
            }
            then discard;
        }
        [...]
        term rl-IPP-cust1-cust2 {
            from {
                source-prefix-list {        -- rate-limitation based on
                    pref-list-cust1;        -- the source prefix list
                }
                destination-prefix-list {   -- rate-limitation based on
                    pref-list-cust2;        -- the destination prefix list
                }
                dscp 46;                    -- dscp 46 (Premium IP)
            }
            then {
                count IPP-cust1-cust2;
                -- monitor the amount of PIP between cust1 and cust2
                policer pol-cust1-cust2;
                -- rate-limit the amount of PIP between cust1 and cust2 and drop the excess
                loss-priority low;
                -- set the loss priority (for the RED drop profile - optional in this configuration)
                forwarding-class expedited-forwarding;
                -- re-write the classification done by the classifier,
                -- send the packet into the Premium IP queue (expedited-forwarding class)
                accept;                     -- accept the in-profile packets
            }
        }
        term rl-IPP-cust1-cust3 {           -- the same but between the customer 1 and the customer 3
            from {
                source-prefix-list {
                    pref-list-cust1;
                }
                destination-prefix-list {   -- the destination prefix list
                    pref-list-cust3;        -- is the one of the customer 3
                }
                dscp 46;
            }
            then {
                count IPP-cust1-cust3;
                policer pol-cust1-cust3;
                loss-priority low;
                forwarding-class expedited-forwarding;
                accept;
            }
        }
        [...]
        term default {                      -- do not forget this one
            then {
                accept;                     -- accept the other packets
            }
        }
    }
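
The following Python model is an added example, not part of the original configuration. It applies the three rules listed at the top of the page (in-profile, out-of-profile, errant) with the policer values from the filter above (2 Mbit/s, 22350-byte burst). The prefixes are constructed documentation ranges, the re-tag to Best Effort (assumed DSCP 0) follows the rule text rather than the `default` term shown, and all class and function names are hypothetical.

```python
import ipaddress

EF_DSCP, BE_DSCP = 46, 0   # 46 is the page's Premium IP code point; 0 for Best Effort is assumed

class Policer:
    """Single-rate token bucket: bandwidth-limit in bit/s, burst-size-limit in bytes."""
    def __init__(self, bandwidth_bps=2_000_000, burst_bytes=22350):
        self.rate = bandwidth_bps / 8.0      # refill rate in bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)     # bucket starts full
        self.last = 0.0

    def conforms(self, now, size):
        # Refill for the elapsed time, never beyond the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

class PremiumIPFilter:
    def __init__(self, pairs):
        # pairs: (source prefix, destination prefix); one policer per customer pair
        self.terms = [(ipaddress.ip_network(s), ipaddress.ip_network(d), Policer())
                      for s, d in pairs]

    def classify(self, now, src, dst, dscp, size):
        """Return (action, resulting DSCP) for one packet arriving at time `now`."""
        if dscp != EF_DSCP:
            return ("accept", dscp)                  # default term: not Premium IP
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for s_net, d_net, pol in self.terms:
            if src in s_net and dst in d_net:
                if pol.conforms(now, size):
                    return ("accept-ef", EF_DSCP)    # in-profile: EF queue
                return ("discard", None)             # out-of-profile: dropped
        return ("retag-be", BE_DSCP)                 # errant Premium IP tagging

def sample_filter():
    # Constructed sample: 192.0.2.0/24 stands in for customer 1, 198.51.100.0/24 for customer 2
    return PremiumIPFilter([("192.0.2.0/24", "198.51.100.0/24")])

def run_burst(filt, src, dst, count, size=1500, gap=0.0):
    """Send `count` EF-marked packets `gap` seconds apart and tally the actions."""
    tally = {}
    for i in range(count):
        action, _ = filt.classify(i * gap, src, dst, EF_DSCP, size)
        tally[action] = tally.get(action, 0) + 1
    return tally
```

With back-to-back 1500-byte packets the 22350-byte bucket admits 14 packets before the policer starts discarding, while the same packets spaced 10 ms apart stay within 2 Mbit/s and are all accepted.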
