[j-nsp] aggregated policing
Harry Reynolds
harry at juniper.net
Wed Jul 2 19:29:59 EDT 2008
I believe the default behavior is a shared policer unless a filter is
flagged as being interface-specific.

Tested on M40:

<<< no filter or term specific

[edit firewall]
harry@vpn02# show
policer test {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 1500;
    }
    then discard;
}
filter test {
    term 1 {
        then policer test;
    }
    term 2 {
        then accept;
    }
}

<<< same filter applied to multiple interfaces

[edit firewall]
harry@vpn02# top show interfaces
so-1/2/2 {
    unit 0 {
        family inet {
            filter {
                output test;
            }
            address 10.1.0.2/24;
        }
    }
}
so-1/2/3 {
    unit 0 {
        family inet {
            filter {
                output test;
            }
            address 192.168.1.1/24;
        }
    }
}
<<< On the SCB there is a single policer instance
SCB(vpn02 vty)# show filter
Filters:
Index Dir Cnt Text Bss Name
----- ------ ------ ------ ------ --------
1 96 0 20 0 __default_bpdu_filter__
2 48 0 4 20 test
65279 48 0 4 0 __auto_policer_template__
65280 96 0 16 0 __auto_policer_template_1__
65281 144 0 24 0 __auto_policer_template_2__
65282 192 0 32 0 __auto_policer_template_3__
65283 240 0 40 0 __auto_policer_template_4__
SCB(vpn02 vty)# show filter index 2 pro
Filters:
Index Dir Cnt Text Bss Name
----- ------ ------ ------ ------ --------
2 48 0 4 20 test
Firewall program version 2 magic fed2beef
Name: "test" Protocol: ip
Hash: cfa11b5c171e8e96dd036a8e260b5768
Action directory: 1 entry (48 bytes)
Policer directory: 1 entry (176 bytes)
Text: 1 instruction word (4 bytes)
BSS: 5 next hop words (20 bytes)
Action directory: 1 entry (48 bytes)
0: accept policer 0
-> 0:
Policer directory: 1 entry (176 bytes)
0: Policer name "test-1": 1 reference <<<< 1 reference
Bandwidth Limit: 125000 bytes/sec.
Burst Size: 1500 bytes.
discard
Program instructions: 1 word
0: terminate -> action index 0
<<< Change filter to interface-specific

[edit firewall]
harry@vpn02# set filter test interface-specific
[edit firewall]
harry@vpn02# commit
commit complete

<<< back on SCB there are now two policer instances:
SCB(vpn02 vty)# show filter
Filters:
Index Dir Cnt Text Bss Name
----- ------ ------ ------ ------ --------
1 96 0 20 0 __default_bpdu_filter__
3 48 0 4 20 test-so-1/2/2.0-o <<<<
4 48 0 4 20 test-so-1/2/3.0-o <<<<<
65279 48 0 4 0 __auto_policer_template__
65280 96 0 16 0 __auto_policer_template_1__
65281 144 0 24 0 __auto_policer_template_2__
65282 192 0 32 0 __auto_policer_template_3__
65283 240 0 40 0 __auto_policer_template_4__
SCB(vpn02 vty)# show filter inde 3 pro
Filters:
Index Dir Cnt Text Bss Name
----- ------ ------ ------ ------ --------
3 48 0 4 20 test-so-1/2/2.0-o
Firewall program version 2 magic fed2beef
Name: "test-so-1/2/2.0-o" Protocol: ip Flags: 0x01
Hash: 5f72b272c23e8bfb61d6a59495cb0780
Action directory: 1 entry (48 bytes)
Policer directory: 1 entry (176 bytes)
Text: 1 instruction word (4 bytes)
BSS: 5 next hop words (20 bytes)
Action directory: 1 entry (48 bytes)
0: accept policer 0
-> 0:
Policer directory: 1 entry (176 bytes)
0: Policer name "test-1-so-1/2/2.0-o": 1 reference
Bandwidth Limit: 125000 bytes/sec.
Burst Size: 1500 bytes.
discard
Program instructions: 1 word
0: terminate -> action index 0
SCB(vpn02 vty)# show filter inde 4 pro
Filters:
Index Dir Cnt Text Bss Name
----- ------ ------ ------ ------ --------
4 48 0 4 20 test-so-1/2/3.0-o
Firewall program version 2 magic fed2beef
Name: "test-so-1/2/3.0-o" Protocol: ip Flags: 0x01
Hash: 5f72b272c23e8bfb61d6a59495cb0780
Action directory: 1 entry (48 bytes)
Policer directory: 1 entry (176 bytes)
Text: 1 instruction word (4 bytes)
BSS: 5 next hop words (20 bytes)
Action directory: 1 entry (48 bytes)
0: accept policer 0
-> 0:
Policer directory: 1 entry (176 bytes)
0: Policer name "test-1-so-1/2/3.0-o": 1 reference
Bandwidth Limit: 125000 bytes/sec.
Burst Size: 1500 bytes.
discard
Program instructions: 1 word
0: terminate -> action index 0
SCB(vpn02 vty)#
HTHs
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of CHEN Xu
> Sent: Wednesday, July 02, 2008 4:13 PM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] aggregated policing
>
> Hi guys,
>
> I am wondering whether it is doable on Juniper to police the
> aggregation of a set of interfaces.
>
> For example, I have two interfaces, each of them has a
> capacity cap of 100K. However, I want to put a further cap,
> saying the sum of the two interfaces should not go over 150K.
> Is this doable?
>
> I found a statement of interface-set, which can specify a
> set of interfaces, and then set a police policy. But I
> suspect that this will apply the same policy to each
> individual interface within that set, but not on the aggregated level.
>
> Thanks.
> -Simon
>
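
The difference between the two instantiations shown in the reply, as an added example that is not part of the original post and is not Junos code: a single-rate token bucket using the policer's values (bandwidth-limit 1m, burst-size-limit 1500), run once as a single shared instance and once as one instance per interface. The traffic pattern, the Policer class and the run() helper are constructed for illustration; the instance names follow the SCB output above.

```python
# Added illustration: models policer instantiation, not Junos internals.
from dataclasses import dataclass

SCALE = 1_000_000  # tokens are kept in bit-microseconds so all math is exact


@dataclass
class Policer:
    bandwidth_bps: int       # bandwidth-limit 1m -> 1_000_000 bits/s
    burst_bytes: int         # burst-size-limit 1500
    tokens: int = -1         # -1 means "start with a full bucket"
    last_us: int = 0

    def admit(self, now_us: int, size_bytes: int) -> bool:
        cap = self.burst_bytes * 8 * SCALE
        if self.tokens < 0:
            self.tokens = cap
        refill = (now_us - self.last_us) * self.bandwidth_bps
        self.tokens = min(cap, self.tokens + refill)
        self.last_us = now_us
        cost = size_bytes * 8 * SCALE
        if self.tokens < cost:
            return False     # "then discard"
        self.tokens -= cost
        return True


def run(interface_specific: bool, interfaces=("so-1/2/2.0", "so-1/2/3.0")):
    """Return {policer instance name: packets passed} for one second of traffic."""
    # Constructed load: each interface sends 500-byte packets every 2500 us
    # (1.6 Mbit/s), offset so arrivals on the two interfaces interleave.
    arrivals = sorted((i * 2500 + n * 1250, ifd)
                      for n, ifd in enumerate(interfaces) for i in range(400))
    policers, passed = {}, {}
    for now_us, ifd in arrivals:
        # Shared: one instance "test-1" for every interface.
        # Interface-specific: one instance per interface, named as on the SCB.
        name = f"test-1-{ifd}-o" if interface_specific else "test-1"
        p = policers.setdefault(name, Policer(1_000_000, 1500))
        if p.admit(now_us, 500):
            passed[name] = passed.get(name, 0) + 1
    return passed


if __name__ == "__main__":
    for mode in (False, True):
        result = run(mode)
        print("interface-specific" if mode else "shared", result, sum(result.values()))
```

With the shared instance the two interfaces together are held to the 1m limit; with interface-specific instances each interface gets the full 1m, so the aggregate doubles.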