FW: [j-nsp] Viewing Prefix-Specific Action statistics
John Ou
jou at juniper.net
Mon Mar 3 09:31:47 EST 2003
Cheeyong,
This is correct behavior:
2^(32-21)= 2048
For example, the first counter coresponding the first IP address for each
prefix:
192.168.0.0, 192.168.8.0, 192.168.16.0, 192.168.24.0, 192.168.32.0,
192.168.40.0 and 192.168.48.0.
....
--John
> -----Original Message-----
> From: Tay Chee Yong [mailto:tcy at pacific.net.sg]
> Sent: Friday, February 28, 2003 5:22 PM
> To: John Ou
> Cc: juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] Viewing Prefix-Specific Action statistics
>
>
> Hi John,
>
> I had read this document before. However, there is no document that
explains
> how
> to interpret the statistics, which I don't understand how does it shows
that
> each prefixes had been applied to the policer specified.
>
> I had just modified a little bit on my configuration, to add more /12
> addresses
> to be policed, for my explanation.
>
> [edit firewall]
> user at router# show
> policer rate-256k {
> if-exceeding {
> bandwidth-limit 256k;
> burst-size-limit 32k;
> }
> then discard;
> }
> family inet {
> prefix-action police-per-prefix {
> policer rate-256k;
> count;
> subnet-prefix-length 21;
> destination-prefix-length 32;
> }
> }
>
> [edit firewall filter <inbound-acl>]
> user at router# show
> term shape {
> from {
> destination-address {
> 192.168.0.0/21;
> 192.168.8.0/21;
> 192.168.16.0/21;
> 192.168.24.0/21;
> 192.168.32.0/21;
> 192.168.40.0/21;
> 192.168.48.0/21;
> }
> protocol tcp;
> }
> then {
> sample;
> prefix-action police-per-prefix;
> }
> }
>
> The "show firewall prefix-action-stats filter inbound-acl prefix-action
> police-per-prefix-shape" is as follows.
>
> The total number of policers generated for the above term should be
> 7 class C x 8 x 255 = 14280
>
> But why is it that the total number of policers are only 2047? Does it
means
> that not every /32 address has a policer associated to it?
>
> The other question is how is each individual /32 addresses being
> represented?
> Does it means that police-per-prefix-shape-1 represent 192.168.0.1 and
> police-per-prefix-shape-256 will represent 192.168.1.1?
>
> Filter: inbound-acl
> Counters:
> Name Bytes Packets
> police-per-prefix-shape-0 6600 129
> police-per-prefix-shape-1 10468 209
> police-per-prefix-shape-2 301652286 342586
> police-per-prefix-shape-3 24339459 36186
> <snips>
> police-per-prefix-shape-2045 138663368 104232
> police-per-prefix-shape-2046 538995936 478640
> police-per-prefix-shape-2047 1600 28
> Policers:
> Name Packets
> police-per-prefix-shape-0 0
> police-per-prefix-shape-1 0
> police-per-prefix-shape-2 9509
> police-per-prefix-shape-3 119
> <snips>
> police-per-prefix-shape-2045 7088
> police-per-prefix-shape-2046 12662
> police-per-prefix-shape-2047 0
>
> Thanks again.
>
> Regards,
> Cheeyong
>
>
> On Fri, 28 Feb 2003, John Ou wrote:
>
> : Cheeyong,
> : Here is link for the explanation:
> :
>
http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-policy/htm
> : l/policer-config10.html
> : Thanks.
> : --John
> : -----Original Message-----
> : From: juniper-nsp-bounces at puck.nether.net
> : [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of Tay Chee Yong
> : Sent: Thursday, February 27, 2003 5:56 PM
> : To: John Ou
> : Cc: juniper-nsp at puck.nether.net
> : Subject: RE: [j-nsp] Viewing Prefix-Specific Action statistics
> :
> :
> : Hi John,
> :
> : Would appreciate if you could direct me to the URL where is userdoc
> resides
> : in.
> : Can't seems to find it on Juniper website.
> :
> : Thanks again.
> :
> : Regards,
> : Cheeyong
> :
> :
> : On Thu, 27 Feb 2003, John Ou wrote:
> :
> : : It represents the counter number for the corresponding prefixes.
> : : The maximal PSA counter can be displayed is 2^16=65536 (0-65535).
> : : It is one-to-one mapping to the host in ascending order. See
> : : the userdoc in detail. Thanks.
> : : --John
> : : -----Original Message-----
> : : From: Tay Chee Yong [mailto:tcy at pacific.net.sg]
> : : Sent: Thursday, February 27, 2003 8:21 AM
> : : To: John Ou
> : : Cc: juniper-nsp at puck.nether.net
> : : Subject: RE: [j-nsp] Viewing Prefix-Specific Action statistics
> : :
> : :
> : : Hi John,
> : :
> : : Some questions.
> : :
> : : What does the number 0-65535 behind the name/policer means? Does it
> refer
> : to
> : : the
> : : policer for the particular prefix? How do I know which policer is mean
> for
> : : which
> : : /32 address?
> : :
> : : Does the values here refers to the number of bytes/packets within the
> 256k
> : : shaping, or number of bytes/packets being discard.
> : :
> : : Please advise.
> : :
> : : Thanks.
> : :
> : : Regards,
> : : Cheeyong
> : :
> : : On Thu, 27 Feb 2003, John Ou wrote:
> : :
> : : : Cheeyong,
> : : : The correct syntax should be
> : : : > run show firewall prefix-action-stats filter inbound-acl
> prefix-action
> : : : police-per-prefix-shape
> : : : You need append the term name to the prefix-acton with "-" in order
to
> : : view
> : : : the policer counters for that term. Let me know if it works. Thanks.
> : : : --John
> : : : -----Original Message-----
> : : : From: juniper-nsp-bounces at puck.nether.net
> : : : [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of Tay Chee
Yong
> : : : Sent: Thursday, February 27, 2003 7:48 AM
> : : : To: juniper-nsp at puck.nether.net
> : : : Subject: [j-nsp] Viewing Prefix-Specific Action statistics
> : : :
> : : :
> : : : Hi People,
> : : :
> : : : I had implemented the Prefix-Specific Action on our Juniper routers,
> and
> : : it
> : : : working well. However, I am unable to view the statistics of how
many
> : : : packets/bytes had been policed/discard by the policer.
> : : :
> : : : My configuration is as follows:
> : : :
> : : : [edit firewall]
> : : : user at router# show
> : : : policer rate-256k {
> : : : if-exceeding {
> : : : bandwidth-limit 256k;
> : : : burst-size-limit 32k;
> : : : }
> : : : then discard;
> : : : }
> : : : family inet {
> : : : prefix-action police-per-prefix {
> : : : policer rate-256k;
> : : : count;
> : : : subnet-prefix-length 21;
> : : : destination-prefix-length 32;
> : : : }
> : : : }
> : : :
> : : : [edit firewall filter <inbound-acl>]
> : : : user at router# show
> : : :
> : : : term shape {
> : : : from {
> : : : destination-address {
> : : : 192.168.0.0/21;
> : : : }
> : : : protocol tcp;
> : : : }
> : : : then {
> : : : sample;
> : : : prefix-action police-per-prefix;
> : : : }
> : : : }
> : : :
> : : : However, using the command "show firewall prefix-action-stats" is
> unable
> : : to
> : : : produce any statistics.
> : : :
> : : : user at router# run show firewall prefix-action-stats filter
inbound-acl
> : : : prefix-action police-per-prefix
> : : : Filter: inbound-acl
> : : :
> : : : Could someone please enlighten me? Thanks.
> : : :
> : : : Regards,
> : : : Cheeyong
> : : : _______________________________________________
> : : : juniper-nsp mailing list juniper-nsp at puck.nether.net
> : : : http://puck.nether.net/mailman/listinfo/juniper-nsp
> : : :
> : :
> : _______________________________________________
> : juniper-nsp mailing list juniper-nsp at puck.nether.net
> : http://puck.nether.net/mailman/listinfo/juniper-nsp
> :
>
>
>
More information about the juniper-nsp
mailing list