[j-nsp] "Subrate" ethernet

Blaz Zupan blaz at inlimbo.org
Tue Nov 18 12:17:53 EST 2003 

Let's say we have a customer edge Juniper box with a 4 port FastEthernet PIC
and one of the ports is connected to a MPLS layer 2 VPN to another location.
Something like this:

CE1 ---- PE --- MPLS VPN --- PE ---- CE2

The VPN is rate limited to, lets say 50 Mbps. CE1 is our Juniper while CE2 is
a customer who is receiving internet connectivity from us. The customer has
been the target of DoS attacks recently. The main problem was that during the
DoS attack, the attack has used up most of the bandwidth, so the BGP session
from CE1 to CE2 has dropped. We thought about using QoS, for example with
schedulers like this:

schedulers {
    data-scheduler {
        transmit-rate remainder;
        buffer-size remainder;
        priority low;
    }
    voice-scheduler {
        transmit-rate percent 20;
        buffer-size percent 20;
        priority strict-high;
    }
    vpn-scheduler {
        transmit-rate percent 20;
        buffer-size percent 20;
        priority low;
    }
    network-scheduler {
        transmit-rate percent 5;
        buffer-size percent 5;
        priority high;
    }
}

The problem with this is of course, that the link is actually rate limited
outside of our control, so CE1 does not actually know that its FastEthernet
only has 50 Mbps available and the QoS is rather inefective. Is there a way to
tell the box that the link is actually only 50 Mbps and not 100 Mbps? I can do
this on the input side with "set interfaces fe-0/1/2 fastether-options
ingress-rate-limit 50m", but how about for the output side? Also, I see that
with the QPP PIC I can configure per-unit "bandwidth" with "set
class-of-service interface unit X bandwidth".

The only other idea I have is to change the schedulers like this:

schedulers {
    data-scheduler {
        transmit-rate 28m;
        buffer-size remainder;
        priority low;
    }
    voice-scheduler {
        transmit-rate 10m;
        buffer-size percent 20;
        priority strict-high;
    }
    vpn-scheduler {
        transmit-rate 10m;
        buffer-size percent 20;
        priority low;
    }
    network-scheduler {
        transmit-rate 2m;
        buffer-size percent 5;
        priority high;
    }
}

Would this achieve the desired effect or is there some other way?

More information about the juniper-nsp mailing list