[j-nsp] policer useless

Andrew Ramsey akramsey@juniper.net
Mon, 16 Sep 2002 06:14:32 -0700


Jason,

Daniel's statement below is a generic statement regarding policing vs.
shaping.  Nothing to do w/ implementations.  As for the original
problem, I'm not prepared to make any general statements regarding the
results (not sure if anyone else is either), because I don't think we
know enough about the details of the test.  There are just too many
possible variables.  I think we're getting the original test details
from Blaz and someone should post the result.

Anyway, it is possible to configure policing and see acceptable TCP
throughput.  For example, I set up the test below:

           fe-1/0/0
                  +-------+
   +----+         |       |         +----+
   |    +---------+   R22 +---------+    |
   +----+         |       |         +----+
   Thunky         +-------+          PC2
                         fe-1/0/1

-PC2 does FTP get from Thunky
-3 tests - no policer, 4m policer (same config as Blaz Zupan), and 256k
policer
-policer is applied input to fe-1/0/0
-packets are going into q0 on fe-1/0/1 w/ default scheduling

(on the client)
average throughput for no policer = 5737.16 Kbytes
average reported throughput for 4m policer = 467.07 Kbytes
average reported throughput for 256k policer = 28.35 Kbytes

During this test, while using the "monitor interface traffic" command, I
saw the following output bps on fe-1/0/1:

...
4401936 bps
3071256 bps
5108616 bps
3629104 bps
2831680 bps
5512072 bps
2986784 bps
3111328 bps
3907872 bps
4159016 bps
...

The config I used wasn't fancy.

filter test {
    policer rate_limit {
        if-exceeding {
            bandwidth-limit 4m;
            burst-size-limit 1m;
        }
        then discard;
    }
    term one {
        then {
            policer rate_limit;
            accept;
        }
    }
}

Hope this helps,
Andy




>-----Original Message-----
>From: Jason Parsons [mailto:jparsons@saffron.net]
>Sent: Wednesday, September 11, 2002 1:17 PM
>To: Daniel Roesen
>Cc: Blaz Zupan; juniper-nsp@puck.nether.net
>Subject: Re: [j-nsp] policer useless
>
>
>
>On Wednesday, Sep 11, 2002, at 10:14 US/Eastern, Daniel Roesen wrote:
>
>> You're doing policing, which sabotages TCP's congestion avoidance
>> mechanisms. A problem VERY well known since the days of the IMPs. :-)
>>
>> Basically, you have no chance. You need to do queuing... with
>> policing you're totally lost.
>
>I would love to see some Juniper folks comment on this.  Is there
>really no way to configure a policer and see acceptable TCP throughput
>(and associated congestion avoidance)?  What's the suggested
>configuration for policing a single customer interface down to a lower
>rate, especially if that customer delivers lots of TCP traffic?
>
>   - Jason
>
>
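
Added example, not part of the original message or of Junos: a token-bucket model of the posted policer (bandwidth-limit 4m, burst-size-limit 1m), run over constructed bursty traffic to show how the burst size decides whether line-rate bursts survive. It assumes a single-rate token bucket with decimal k/m/g multipliers, bandwidth-limit in bits per second and burst-size-limit in bytes; the 16000-byte burst size and all class and function names are hypothetical, chosen for comparison.

```python
UNITS = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}

def parse_limit(text):
    """Turn a value such as '4m' or '256k' into an integer (decimal multipliers assumed)."""
    text = text.strip().lower()
    return int(text[:-1]) * UNITS[text[-1]] if text[-1] in UNITS else int(text)

class Policer:
    """Single-rate token bucket: in-profile packets pass, the rest are discarded."""
    def __init__(self, bandwidth_limit, burst_size_limit):
        self.rate = parse_limit(bandwidth_limit) / 8   # refill rate, bytes per second
        self.depth = parse_limit(burst_size_limit)     # bucket depth, bytes
        self.tokens = float(self.depth)                # bucket starts full
        self.last = 0.0

    def offer(self, now, size):
        """Return True if a packet of `size` bytes arriving at `now` seconds is accepted."""
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size > self.tokens:
            return False
        self.tokens -= size
        return True

def bursts(line_bps, burst_bytes, period, count, size=1500):
    """Constructed traffic: `count` back-to-back bursts sent at line rate, one per `period`."""
    gap = size * 8 / line_bps
    return [(b * period + j * gap, size)
            for b in range(count) for j in range(burst_bytes // size)]

def police(policer, arrivals):
    """Return (accepted_bytes, dropped_bytes) for a list of (time, size) arrivals."""
    accepted = dropped = 0
    for now, size in arrivals:
        if policer.offer(now, size):
            accepted += size
        else:
            dropped += size
    return accepted, dropped

# Constructed input: 60 kB bursts at 100 Mbit/s every 200 ms, 2.4 Mbit/s on average.
TRAFFIC = bursts(100_000_000, 60_000, 0.2, 10)

if __name__ == "__main__":
    for burst in ("1m", "16000"):   # 1m is the posted value; 16000 is a constructed comparison
        print(burst, police(Policer("4m", burst), TRAFFIC))
```

Both runs offer the same 2.4 Mbit/s average, below the 4m limit; only the bucket depth differs between them.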