[j-nsp] Viewing Prefix-Specific Action statistics
Tay Chee Yong
tcy at pacific.net.sg
Sat Mar 1 09:22:17 EST 2003
Hi John,
I had read this document before. However, there is no document that explains how
to interpret the statistics, and I don't understand how they show that
each prefix has been applied to the policer specified.
I have just modified my configuration a little bit, to add more /12 addresses
to be policed, for my explanation.
[edit firewall]
user@router# show
policer rate-256k {
    if-exceeding {
        bandwidth-limit 256k;
        burst-size-limit 32k;
    }
    then discard;
}
family inet {
    prefix-action police-per-prefix {
        policer rate-256k;
        count;
        subnet-prefix-length 21;
        destination-prefix-length 32;
    }
}

[edit firewall filter <inbound-acl>]
user@router# show
term shape {
    from {
        destination-address {
            192.168.0.0/21;
            192.168.8.0/21;
            192.168.16.0/21;
            192.168.24.0/21;
            192.168.32.0/21;
            192.168.40.0/21;
            192.168.48.0/21;
        }
        protocol tcp;
    }
    then {
        sample;
        prefix-action police-per-prefix;
    }
}
The output of "show firewall prefix-action-stats filter inbound-acl prefix-action
police-per-prefix-shape" is as follows.
The total number of policers generated for the above term should be
7 class C x 8 x 255 = 14280
But why is it that the total number of policers is only 2047? Does it mean
that not every /32 address has a policer associated with it?
The other question is how is each individual /32 address represented?
Does it mean that police-per-prefix-shape-1 represents 192.168.0.1 and
police-per-prefix-shape-256 will represent 192.168.1.1?
Filter: inbound-acl
Counters:
Name                                   Bytes     Packets
police-per-prefix-shape-0               6600         129
police-per-prefix-shape-1              10468         209
police-per-prefix-shape-2          301652286      342586
police-per-prefix-shape-3           24339459       36186
<snips>
police-per-prefix-shape-2045       138663368      104232
police-per-prefix-shape-2046       538995936      478640
police-per-prefix-shape-2047            1600          28
Policers:
Name                                 Packets
police-per-prefix-shape-0                  0
police-per-prefix-shape-1                  0
police-per-prefix-shape-2               9509
police-per-prefix-shape-3                119
<snips>
police-per-prefix-shape-2045            7088
police-per-prefix-shape-2046           12662
police-per-prefix-shape-2047               0
Thanks again.
Regards,
Cheeyong
On Fri, 28 Feb 2003, John Ou wrote:
: Cheeyong,
: Here is link for the explanation:
: http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-policy/html/policer-config10.html
: Thanks.
: --John
: -----Original Message-----
: From: juniper-nsp-bounces at puck.nether.net
: [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of Tay Chee Yong
: Sent: Thursday, February 27, 2003 5:56 PM
: To: John Ou
: Cc: juniper-nsp at puck.nether.net
: Subject: RE: [j-nsp] Viewing Prefix-Specific Action statistics
:
:
: Hi John,
:
: Would appreciate if you could direct me to the URL where the userdoc resides.
: Can't seem to find it on Juniper website.
:
: Thanks again.
:
: Regards,
: Cheeyong
:
:
: On Thu, 27 Feb 2003, John Ou wrote:
:
: : It represents the counter number for the corresponding prefixes.
: : The maximal PSA counter that can be displayed is 2^16=65536 (0-65535).
: : It is one-to-one mapping to the host in ascending order. See
: : the userdoc in detail. Thanks.
: : --John
: : -----Original Message-----
: : From: Tay Chee Yong [mailto:tcy at pacific.net.sg]
: : Sent: Thursday, February 27, 2003 8:21 AM
: : To: John Ou
: : Cc: juniper-nsp at puck.nether.net
: : Subject: RE: [j-nsp] Viewing Prefix-Specific Action statistics
: :
: :
: : Hi John,
: :
: : Some questions.
: :
: : What does the number 0-65535 behind the name/policer mean? Does it refer to the
: : policer for the particular prefix? How do I know which policer is meant for which
: : /32 address?
: :
: : Do the values here refer to the number of bytes/packets within the 256k
: : shaping, or the number of bytes/packets being discarded?
: :
: : Please advise.
: :
: : Thanks.
: :
: : Regards,
: : Cheeyong
: :
: : On Thu, 27 Feb 2003, John Ou wrote:
: :
: : : Cheeyong,
: : : The correct syntax should be
: : : > run show firewall prefix-action-stats filter inbound-acl prefix-action
: : : police-per-prefix-shape
: : : You need to append the term name to the prefix-action with "-" in order to view
: : : the policer counters for that term. Let me know if it works. Thanks.
: : : --John
: : : -----Original Message-----
: : : From: juniper-nsp-bounces at puck.nether.net
: : : [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of Tay Chee Yong
: : : Sent: Thursday, February 27, 2003 7:48 AM
: : : To: juniper-nsp at puck.nether.net
: : : Subject: [j-nsp] Viewing Prefix-Specific Action statistics
: : :
: : :
: : : Hi People,
: : :
: : : I had implemented the Prefix-Specific Action on our Juniper routers, and it
: : : is working well. However, I am unable to view the statistics of how many
: : : packets/bytes had been policed/discarded by the policer.
: : :
: : : My configuration is as follows:
: : :
: : : [edit firewall]
: : : user@router# show
: : : policer rate-256k {
: : :     if-exceeding {
: : :         bandwidth-limit 256k;
: : :         burst-size-limit 32k;
: : :     }
: : :     then discard;
: : : }
: : : family inet {
: : :     prefix-action police-per-prefix {
: : :         policer rate-256k;
: : :         count;
: : :         subnet-prefix-length 21;
: : :         destination-prefix-length 32;
: : :     }
: : : }
: : :
: : : [edit firewall filter <inbound-acl>]
: : : user@router# show
: : :
: : : term shape {
: : :     from {
: : :         destination-address {
: : :             192.168.0.0/21;
: : :         }
: : :         protocol tcp;
: : :     }
: : :     then {
: : :         sample;
: : :         prefix-action police-per-prefix;
: : :     }
: : : }
: : :
: : : However, using the command "show firewall prefix-action-stats" is unable to
: : : produce any statistics.
: : :
: : : user@router# run show firewall prefix-action-stats filter inbound-acl
: : : prefix-action police-per-prefix
: : : Filter: inbound-acl
: : :
: : : Could someone please enlighten me? Thanks.
: : :
: : : Regards,
: : : Cheeyong
: : : _______________________________________________
: : : juniper-nsp mailing list juniper-nsp at puck.nether.net
: : : http://puck.nether.net/mailman/listinfo/juniper-nsp
: : :
: :
:
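Added example, not part of the original thread and not Juniper code: a Python model of how the numeric suffixes in the output above can be tied back to destination addresses. It uses the Junos-documented set size of 2^(destination-prefix-length - subnet-prefix-length) instances and assumes that an instance is selected by the address bits between the two prefix lengths, so destinations with the same low 11 bits in different /21s of the term land on the same counter and policer.

```python
import ipaddress

# Values taken from the prefix-action and filter term quoted on this page.
SUBNET_PREFIX_LEN = 21
DEST_PREFIX_LEN = 32
TERM_PREFIXES = ["192.168.%d.0/21" % o for o in range(0, 56, 8)]  # .0 to .48
COUNTER_BASE = "police-per-prefix-shape"  # <prefix-action>-<term>, per the thread
MAX_INSTANCES = 1 << 16  # display limit quoted in the thread (0-65535)


def set_size(subnet_len=SUBNET_PREFIX_LEN, dest_len=DEST_PREFIX_LEN):
    """Instances in one counter/policer set: 2^(dest_len - subnet_len)."""
    if not 0 <= subnet_len <= dest_len <= 32:
        raise ValueError("need 0 <= subnet-prefix-length <= prefix-length <= 32")
    size = 1 << (dest_len - subnet_len)
    if size > MAX_INSTANCES:
        raise ValueError("set would exceed 2^16 instances")
    return size


def instance_index(addr, subnet_len=SUBNET_PREFIX_LEN, dest_len=DEST_PREFIX_LEN):
    """Assumed mapping: the address bits between the two prefix lengths."""
    value = int(ipaddress.IPv4Address(addr))
    return (value >> (32 - dest_len)) & (set_size(subnet_len, dest_len) - 1)


def counter_name(addr):
    """Name of the counter/policer line this destination would be counted under."""
    return "%s-%d" % (COUNTER_BASE, instance_index(addr))


def addresses_sharing(index, prefixes=TERM_PREFIXES):
    """Every destination matched by the term that lands on one instance."""
    return [str(host)
            for prefix in prefixes
            for host in ipaddress.IPv4Network(prefix)
            if instance_index(host) == index]


if __name__ == "__main__":
    print("instances per set:", set_size())
    for dest in ("192.168.0.1", "192.168.1.1", "192.168.8.1", "192.168.55.255"):
        print(dest, "->", counter_name(dest))
    print("destinations sharing instance 1:", addresses_sharing(1))
```

Under these assumptions a per-host rate limit only holds when the term matches a single block of subnet-prefix-length size; with several /21s in one term, one policer's discard count aggregates traffic to several hosts.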