[j-nsp] Policer Statistics (fwd)

Robert O'Hara rohara at juniper.net
Fri Jan 31 05:48:17 EST 2003


Cheeyong..

The counter that is defined in the 'then' statement counts *all* packets.
The counter that is associated with the policer when you execute the
'show firewall' command - shows the packets and bits that were policed.
You have to do a diff between the two different counters.

Bob O'Hara


-----Original Message-----
From: Tay Chee Yong [mailto:tcy at pacific.net.sg]
Sent: Thursday, January 30, 2003 10:17 PM
To: Robert O'Hara
Cc: juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] Policer Statistics (fwd)


Hi Robert,

Thanks for your reply.

From our configuration, the count comes before the policer statement.
Even if I type policer statement before the count statement, the config
will still display the count statement before the policer statement, as
shown below.

policer icmp-cap {
    if-exceeding {
        bandwidth-limit 2m;
        burst-size-limit 16k;
    }
    then discard;
}

term icmp-anti-flooding {
    from {
        protocol icmp;
    }
    then {
        count icmp-anti-flooding;
        policer icmp-cap;
        sample;
        accept;
    }
}

So does the above config mean that JUNOS will count the packets
matching the filter, then apply the policer?

Regards,
Cheeyong


On Thu, 30 Jan 2003, Robert O'Hara wrote:

: Hi CheeYong,
:
: In the following example:
:
:  [edit firewall]
:   filter limit-ftp {
:       policer p1{
:           if-exceeding {
:               bandwidth-limit 400k;
:               burst-size-limit 20k;
:           }
:           then {
:               discard;
:           }
:       }
:
: When you do 'show firewall' you will see a
: counter "limit-ftp". This counter is associated
: with this policer and is counting the packets dropped/discarded.
:
:
:       term t-ftp{
:           from {
:               source-address 1.2.3/24;
:               protocol tcp;
:               destination-port ftp;
:           }
:           then {
:               policer limit-ftp;
:               accept;
:               count count-ftp;  <==  packets that passed the policer
:
: This counter will count the packets that passed the policer.
: In the then clause, the policer is applied first. After
: this, if the packet did not get discarded, it will go
: on to the next action, which is count.
:
: Thanks,
:
: Bob O'Hara
:
: Systems Engineer/Northeast Region
: Juniper Networks
:
: -----Original Message-----
: From: Tay Chee Yong [mailto:tcy at pacific.net.sg]
: Sent: Thursday, January 30, 2003 5:44 AM
: To: juniper-nsp at puck.nether.net
: Subject: [j-nsp] Policer Statistics (fwd)
:
:
: Does someone have any findings for the following?
:
: Thanks.
: Cheeyong
:
:
: ---------- Forwarded message ----------
: Date: Wed, 29 Jan 2003 01:13:48 +0800 (Singapore Standard Time)
: From: Tay Chee Yong <tcy at pacific.net.sg>
: To: juniper-nsp at puck.nether.net
: Subject: Policer Statistics
:
: Hi all,
:
: I was wondering if Juniper running JUNOS 5.3 has a way of displaying a
: policer's conformed/exceeded packets/bytes, as per a Cisco's
: rate-limit/service policy show output.
:
: Seems that the output results of the policer only shows the number of
: packets being discarded (as per the policer's action - discard)
:
: Policer: at-0/3/0.10-in-policer
:     at-0/3/0.10-in-policer
:                     0 packets
:
: Is there a way to display more information such as number of
: conformed/exceeded packets/bytes for real-time debugging using the
: monitor command?
:
: I believe the common practice of using the policer is within the [edit
: firewall filter] hierarchy, however, we are still unable to determine
: how well the policer is functioning. From the show results, we are only
: able to see the hits on the filter.
:
: Will the later release of JUNOS allow us to view more details about
: the policer that is applied on the filter, or interface?
:
: Any comments are appreciated.
:
: Many Thanks.
:
: Regards,
: Cheeyong
:
