FW: [j-nsp] Viewing Prefix-Specific Action statistics

John Ou jou at juniper.net
Mon Mar 3 09:31:47 EST 2003


Cheeyong,
This is correct behavior:
 2^(32-21)= 2048
For example, the first counter corresponding to the first IP address for each
prefix:
    192.168.0.0, 192.168.8.0, 192.168.16.0, 192.168.24.0, 192.168.32.0,
    192.168.40.0 and 192.168.48.0.
....
--John

> -----Original Message-----
> From: Tay Chee Yong [mailto:tcy at pacific.net.sg]
> Sent: Friday, February 28, 2003 5:22 PM
> To: John Ou
> Cc: juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] Viewing Prefix-Specific Action statistics
>
>
> Hi John,
>
> I had read this document before. However, there is no document that explains
> how to interpret the statistics, and I don't understand how it shows that
> each prefix had been applied to the policer specified.
>
> I had just modified my configuration a little bit, to add more /12 addresses
> to be policed, for my explanation.
>
> [edit firewall]
> user@router# show
> policer rate-256k {
>     if-exceeding {
>         bandwidth-limit 256k;
>         burst-size-limit 32k;
>     }
>     then discard;
> }
> family inet {
>     prefix-action police-per-prefix {
>         policer rate-256k;
>         count;
>         subnet-prefix-length 21;
>         destination-prefix-length 32;
>     }
> }
>
> [edit firewall filter <inbound-acl>]
> user@router# show
> term shape {
>     from {
>         destination-address {
>             192.168.0.0/21;
>             192.168.8.0/21;
>             192.168.16.0/21;
>             192.168.24.0/21;
>             192.168.32.0/21;
>             192.168.40.0/21;
>             192.168.48.0/21;
>         }
>         protocol tcp;
>     }
>     then {
>         sample;
>         prefix-action police-per-prefix;
>     }
> }
>
> The "show firewall prefix-action-stats filter inbound-acl prefix-action
> police-per-prefix-shape" is as follows.
>
> The total number of policers generated for the above term should be
> 7 class C x 8 x 255 = 14280
>
> But why is it that the total number of policers is only 2047? Does it mean
> that not every /32 address has a policer associated to it?
>
> The other question is how is each individual /32 address being represented?
> Does it mean that police-per-prefix-shape-1 represents 192.168.0.1 and
> police-per-prefix-shape-256 will represent 192.168.1.1?
>
> Filter: inbound-acl
> Counters:
> Name                                          Bytes              Packets
> police-per-prefix-shape-0                      6600                  129
> police-per-prefix-shape-1                     10468                  209
> police-per-prefix-shape-2                 301652286               342586
> police-per-prefix-shape-3                  24339459                36186
> <snips>
> police-per-prefix-shape-2045              138663368               104232
> police-per-prefix-shape-2046              538995936               478640
> police-per-prefix-shape-2047                   1600                   28
> Policers:
> Name                                        Packets
> police-per-prefix-shape-0                         0
> police-per-prefix-shape-1                         0
> police-per-prefix-shape-2                      9509
> police-per-prefix-shape-3                       119
> <snips>
> police-per-prefix-shape-2045                   7088
> police-per-prefix-shape-2046                  12662
> police-per-prefix-shape-2047                      0
>
> Thanks again.
>
> Regards,
> Cheeyong
>
>
> On Fri, 28 Feb 2003, John Ou wrote:
>
> : Cheeyong,
> : Here is link for the explanation:
> :
> : http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-policy/html/policer-config10.html
> : Thanks.
> : --John
> : -----Original Message-----
> : From: juniper-nsp-bounces at puck.nether.net
> : [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of Tay Chee Yong
> : Sent: Thursday, February 27, 2003 5:56 PM
> : To: John Ou
> : Cc: juniper-nsp at puck.nether.net
> : Subject: RE: [j-nsp] Viewing Prefix-Specific Action statistics
> :
> :
> : Hi John,
> :
> : Would appreciate if you could direct me to the URL where the userdoc resides.
> : Can't seem to find it on the Juniper website.
> :
> : Thanks again.
> :
> : Regards,
> : Cheeyong
> :
> :
> : On Thu, 27 Feb 2003, John Ou wrote:
> :
> : : It represents the counter number for the corresponding prefixes.
> : : The maximal PSA counter can be displayed is 2^16=65536 (0-65535).
> : : It is one-to-one mapping to the host in ascending order. See
> : : the userdoc in detail. Thanks.
> : : --John
> : : -----Original Message-----
> : : From: Tay Chee Yong [mailto:tcy at pacific.net.sg]
> : : Sent: Thursday, February 27, 2003 8:21 AM
> : : To: John Ou
> : : Cc: juniper-nsp at puck.nether.net
> : : Subject: RE: [j-nsp] Viewing Prefix-Specific Action statistics
> : :
> : :
> : : Hi John,
> : :
> : : Some questions.
> : :
> : : What does the number 0-65535 behind the name/policer mean? Does it refer
> : : to the policer for the particular prefix? How do I know which policer is
> : : meant for which /32 address?
> : :
> : : Do the values here refer to the number of bytes/packets within the 256k
> : : shaping, or the number of bytes/packets being discarded?
> : :
> : : Please advise.
> : :
> : : Thanks.
> : :
> : : Regards,
> : : Cheeyong
> : :
> : : On Thu, 27 Feb 2003, John Ou wrote:
> : :
> : : : Cheeyong,
> : : : The correct syntax should be
> : : : > run show firewall prefix-action-stats filter inbound-acl prefix-action police-per-prefix-shape
> : : : You need to append the term name to the prefix-action with "-" in order to
> : : : view the policer counters for that term. Let me know if it works. Thanks.
> : : : --John
> : : : -----Original Message-----
> : : : From: juniper-nsp-bounces at puck.nether.net
> : : : [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of Tay Chee Yong
> : : : Sent: Thursday, February 27, 2003 7:48 AM
> : : : To: juniper-nsp at puck.nether.net
> : : : Subject: [j-nsp] Viewing Prefix-Specific Action statistics
> : : :
> : : :
> : : : Hi People,
> : : :
> : : : I had implemented the Prefix-Specific Action on our Juniper routers, and
> : : : it is working well. However, I am unable to view the statistics of how
> : : : many packets/bytes had been policed/discarded by the policer.
> : : :
> : : : My configuration is as follows:
> : : :
> : : : [edit firewall]
> : : : user@router# show
> : : : policer rate-256k {
> : : :     if-exceeding {
> : : :         bandwidth-limit 256k;
> : : :         burst-size-limit 32k;
> : : :     }
> : : :     then discard;
> : : : }
> : : : family inet {
> : : :     prefix-action police-per-prefix {
> : : :         policer rate-256k;
> : : :         count;
> : : :         subnet-prefix-length 21;
> : : :         destination-prefix-length 32;
> : : :     }
> : : : }
> : : :
> : : : [edit firewall filter <inbound-acl>]
> : : : user@router# show
> : : :
> : : : term shape {
> : : :     from {
> : : :         destination-address {
> : : :             192.168.0.0/21;
> : : :         }
> : : :         protocol tcp;
> : : :     }
> : : :     then {
> : : :         sample;
> : : :         prefix-action police-per-prefix;
> : : :     }
> : : : }
> : : :
> : : : However, using the command "show firewall prefix-action-stats" is unable to
> : : : produce any statistics.
> : : :
> : : : user@router# run show firewall prefix-action-stats filter inbound-acl prefix-action police-per-prefix
> : : : Filter: inbound-acl
> : : :
> : : : Could someone please enlighten me? Thanks.
> : : :
> : : : Regards,
> : : : Cheeyong
> : : : _______________________________________________
> : : : juniper-nsp mailing list juniper-nsp at puck.nether.net
> : : : http://puck.nether.net/mailman/listinfo/juniper-nsp
> : : :
> : :
> :
>
>
>
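
The counter mapping John describes, worked through as an added example that is not part of the original thread. It assumes the instance number is the address bits between subnet-prefix-length and destination-prefix-length, which is what his 2^(32-21) figure and his list of first addresses imply; the function names are hypothetical.

```python
import ipaddress

def instance_count(subnet_len, dest_len):
    """Number of counter/policer instances one prefix-action creates."""
    return 1 << (dest_len - subnet_len)

def instance_index(addr, subnet_len, dest_len):
    """Instance number for an address (assumed: the bits between the two lengths)."""
    if not 0 <= subnet_len < dest_len <= 32:
        raise ValueError("need 0 <= subnet_len < dest_len <= 32")
    ip = int(ipaddress.IPv4Address(addr))
    return (ip >> (32 - dest_len)) & (instance_count(subnet_len, dest_len) - 1)

def counter_name(prefix_action, term, addr, subnet_len, dest_len):
    """Counter name in the <prefix-action>-<term>-<n> form shown in the thread."""
    return f"{prefix_action}-{term}-{instance_index(addr, subnet_len, dest_len)}"

def sharers(index, prefixes, subnet_len, dest_len):
    """Addresses inside the matched prefixes that all land on one instance."""
    offset = index << (32 - dest_len)
    found = []
    for p in prefixes:
        net = ipaddress.IPv4Network(p)
        if net.prefixlen < subnet_len:
            # A shorter match covers several blocks of subnet_len.
            blocks = list(net.subnets(new_prefix=subnet_len))
        elif net.prefixlen > subnet_len:
            # A longer match covers only part of one block.
            blocks = [net.supernet(new_prefix=subnet_len)]
        else:
            blocks = [net]
        for block in blocks:
            candidate = block.network_address + offset
            if candidate in net:
                found.append(str(candidate))
    return found

# Destination prefixes from the filter term quoted in the thread.
PREFIXES = [f"192.168.{third}.0/21" for third in range(0, 56, 8)]

if __name__ == "__main__":
    print("instances:", instance_count(21, 32))
    for host in ("192.168.0.1", "192.168.1.1", "192.168.9.1"):
        print(host, "->", counter_name("police-per-prefix", "shape", host, 21, 32))
    print("instance 0 is shared by:", ", ".join(sharers(0, PREFIXES, 21, 32)))
```

Under this mapping, one counter and one policer instance serve the same host offset in every /21 the term matches, so the table length depends on the two prefix lengths and not on how many prefixes the term lists.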


