[j-nsp] Rate limiting (policer or CoS) on the same box

Pedro Roque Marques roque at juniper.net
Thu Jan 20 01:32:55 EST 2005


Paul Connally writes:

Since nobody has answered your query yet, let me give it a shot...

If i understand correctly you want to police the downstream traffic
from your ISP on that oc12 to your customers. Policing the upstream
traffic is a simpler problem but i'm assuming that your upstream
traffic is mostly uncongested.

Ideally, one would want to achieve this effect in your upstream router
itself. i.e. the upstream could have a bunch (8) AF traffic classes
(i.e. queues with a given reserved bandwidth) defined to which
in-contract traffic gets split while traffic that exceeds profile gets
into the best-effort class.

However i don't know if your ISP is willing to do this for you or if so
if the cost of that solution would be attractive to you.

So, if you are past the congestion point, the only thing you can do is
to create artificial congestion on your node and hope that most of the
traffic is TCP and does respond well to congestion.

i.e. you can create a policer that rate-limits downstream traffic on
the interface to your customers. Unfortunately that would mean dropping
traffic out of profile. Which means that you don't really share
available bandwidth.

Or you could get really creative and loop that traffic around an
oc12 interface that gets loopbacked to the box...

i.e. 
    (traffic flow ==>)

    isp --oc12-- m20 -- oc12-- m20 --> fan out to customers.

In this scenario you would be able to queue on that m20 loopbacked
interface and share the extra bandwidth... at the cost of 2 extra oc12
pics (dunno if you can do this w/ a single tunnel PIC).

It would still be imperfect as you would rely on the traffic backing
off when it gets artificially congested on the loopbacked link. i.e. a
ddos attack coming via the isp for one customer would still cause
traffic drops for others... but it could work reasonably for TCP
traffic.

But one has to live with limitations if you are trying to control the
traffic rates past the congestion point. 

regards,
  Pedro.

> Our group has purchased a Juniper M20.  We've got an issue that I'm
> pretty sure can be accomplished, but some assistance would be
> helpful.

> We're going to have two ISPs connected on the upstream; a POS OC12
> and a GigE.  We also have around 8 downstream connectors, all
> connected via GigE. BGP is enabled to both upstreams and all
> downstreams.  Here's what we need to have happen:

> 1) Each downstream connector has requested to subscribe to a portion
> of our GigE upstream link (ex: One group wants 100Mb, one wants
> 50Mb, one wants 300Mb, etc).  Since they are paying the ISP fee
> based on desired guaranteed bandwidth, I need to set up a queue to
> 'guarantee' the downstream connector access to that bandwidth.  They
> would also like to be able to 'burst' above their subscribed level
> (if the bandwidth is available) without taking another connector's
> paid bandwidth (i.e. be put into a secondary queue).

> 2) On our OC12 link, each downstream connector needs to be
> guaranteed a specific amount of bandwidth.  Queuing would be nice
> here, but it's not necessary.

> 3) Since each downstream connector is going to have a single GigE
> into my Juniper, they would like to be able to pull stats off the
> Juniper as to how much of their border router's in/out traffic is
> going to the GigE, and how much is going to the OC12.  This is
> likely some kind of Netflow hack, but some advice to those who've
> done this would be helpful.
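An added illustration of the policer-versus-queueing trade-off described in the reply above (not code from the original post or from Juniper): a fluid model of one congested link, comparing a per-customer policer with a work-conserving weighted scheduler. The committed rates are the example figures from the quoted question; the 622 Mb/s link rate, the offered loads, and the choice of weights equal to committed rates are assumptions.

```python
# Added illustration (not from the original post): fluid model of one congested link.
# Committed rates are the example figures from the quoted question; the link
# rate and the offered loads are constructed. All values in Mb/s.

COMMITTED = {"A": 100.0, "B": 50.0, "C": 300.0}
LINK = 622.0  # assumed capacity of the looped-back OC12


def police(offered, committed):
    """Per-customer policer: traffic above the committed rate is dropped."""
    return {c: min(offered[c], committed[c]) for c in offered}


def weighted_queue(offered, committed, link):
    """Work-conserving queueing: weighted max-min share by water-filling.

    Assumption: each queue's weight equals its committed rate.
    """
    alloc = {c: 0.0 for c in offered}
    active = {c for c in offered if offered[c] > 0}
    remaining = float(link)
    while active:
        total_w = sum(committed[c] for c in active)
        share = {c: remaining * committed[c] / total_w for c in active}
        done = {c for c in active if offered[c] <= share[c]}
        if not done:
            # Everyone left wants more than its share: split what remains by weight.
            alloc.update(share)
            break
        for c in done:
            alloc[c] = offered[c]
            remaining -= offered[c]
        active -= done
    return alloc


if __name__ == "__main__":
    for offered in ({"A": 400.0, "B": 20.0, "C": 150.0},    # A bursts, others idle
                    {"A": 400.0, "B": 50.0, "C": 300.0},    # A bursts, others at contract
                    {"A": 900.0, "B": 900.0, "C": 900.0}):  # everyone overloads
        print("offered ", offered)
        print("policer ", police(offered, COMMITTED))
        print("queueing", weighted_queue(offered, COMMITTED, LINK))
```

The model covers only the local link: congestion that has already happened upstream, as in the DDoS case mentioned in the reply, is outside what either mechanism here can correct.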