[j-nsp] aggregated policing
Stefan Fouant
sfouant at gmail.com
Wed Jul 2 20:08:03 EDT 2008
Yes Harry you are correct... The default behavior for interface
policers is indeed shared amongst all interfaces which have the
policer applied. This was discussed in a book called 'JUNOS Enterprise
Routing'... Ever heard of it? ;)
On 7/2/08, Harry Reynolds <harry at juniper.net> wrote:
> I believe the default behavior is a shared policer unless a filter is
> flagged as being interface-specific.
>
> Tested on M40:
>
>
> <<< no filter or term specific
>
> [edit firewall]
> harry at vpn02# show
> policer test {
>     if-exceeding {
>         bandwidth-limit 1m;
>         burst-size-limit 1500;
>     }
>     then discard;
> }
> filter test {
>     term 1 {
>         then policer test;
>     }
>     term 2 {
>         then accept;
>     }
> }
>
> <<< same filter applied to multiple interfaces
>
> [edit firewall]
> harry at vpn02# top show interfaces
> so-1/2/2 {
>     unit 0 {
>         family inet {
>             filter {
>                 output test;
>             }
>             address 10.1.0.2/24;
>         }
>     }
> }
> so-1/2/3 {
>     unit 0 {
>         family inet {
>             filter {
>                 output test;
>             }
>             address 192.168.1.1/24;
>         }
>     }
> }
>
>
> <<< On the SCB there is a single policer instance
>
>
> SCB(vpn02 vty)# show filter
> Filters:
> Index Dir Cnt Text Bss Name
> ----- ------ ------ ------ ------ --------
> 1 96 0 20 0 __default_bpdu_filter__
> 2 48 0 4 20 test
> 65279 48 0 4 0 __auto_policer_template__
> 65280 96 0 16 0 __auto_policer_template_1__
> 65281 144 0 24 0 __auto_policer_template_2__
> 65282 192 0 32 0 __auto_policer_template_3__
> 65283 240 0 40 0 __auto_policer_template_4__
>
>
> SCB(vpn02 vty)# show filter index 2 pro
> Filters:
> Index Dir Cnt Text Bss Name
> ----- ------ ------ ------ ------ --------
> 2 48 0 4 20 test
>
> Firewall program version 2 magic fed2beef
> Name: "test" Protocol: ip
> Hash: cfa11b5c171e8e96dd036a8e260b5768
> Action directory: 1 entry (48 bytes)
> Policer directory: 1 entry (176 bytes)
> Text: 1 instruction word (4 bytes)
> BSS: 5 next hop words (20 bytes)
> Action directory: 1 entry (48 bytes)
> 0: accept policer 0
> -> 0:
> Policer directory: 1 entry (176 bytes)
> 0: Policer name "test-1": 1 reference <<<< 1 reference
> Bandwidth Limit: 125000 bytes/sec.
> Burst Size: 1500 bytes.
> discard
> Program instructions: 1 word
>
> 0: terminate -> action index 0
>
> <<< Change filter to interface-specific
>
> [edit firewall]
> harry at vpn02# set filter test interface-specific
>
> [edit firewall]
> harry at vpn02# commit
> commit complete
>
>
> <<< back on scb there are now two policer instances:
>
>
> SCB(vpn02 vty)# show filter
> Filters:
> Index Dir Cnt Text Bss Name
> ----- ------ ------ ------ ------ --------
> 1 96 0 20 0 __default_bpdu_filter__
> 3 48 0 4 20 test-so-1/2/2.0-o <<<<
> 4 48 0 4 20 test-so-1/2/3.0-o <<<<<
> 65279 48 0 4 0 __auto_policer_template__
> 65280 96 0 16 0 __auto_policer_template_1__
> 65281 144 0 24 0 __auto_policer_template_2__
> 65282 192 0 32 0 __auto_policer_template_3__
> 65283 240 0 40 0 __auto_policer_template_4__
>
>
> SCB(vpn02 vty)# show filter inde 3 pro
> Filters:
> Index Dir Cnt Text Bss Name
> ----- ------ ------ ------ ------ --------
> 3 48 0 4 20 test-so-1/2/2.0-o
>
> Firewall program version 2 magic fed2beef
> Name: "test-so-1/2/2.0-o" Protocol: ip Flags: 0x01
> Hash: 5f72b272c23e8bfb61d6a59495cb0780
> Action directory: 1 entry (48 bytes)
> Policer directory: 1 entry (176 bytes)
> Text: 1 instruction word (4 bytes)
> BSS: 5 next hop words (20 bytes)
> Action directory: 1 entry (48 bytes)
> 0: accept policer 0
> -> 0:
> Policer directory: 1 entry (176 bytes)
> 0: Policer name "test-1-so-1/2/2.0-o": 1 reference
> Bandwidth Limit: 125000 bytes/sec.
> Burst Size: 1500 bytes.
> discard
> Program instructions: 1 word
>
> 0: terminate -> action index 0
>
> SCB(vpn02 vty)# show filter inde 4 pro
> Filters:
> Index Dir Cnt Text Bss Name
> ----- ------ ------ ------ ------ --------
> 4 48 0 4 20 test-so-1/2/3.0-o
>
> Firewall program version 2 magic fed2beef
> Name: "test-so-1/2/3.0-o" Protocol: ip Flags: 0x01
> Hash: 5f72b272c23e8bfb61d6a59495cb0780
> Action directory: 1 entry (48 bytes)
> Policer directory: 1 entry (176 bytes)
> Text: 1 instruction word (4 bytes)
> BSS: 5 next hop words (20 bytes)
> Action directory: 1 entry (48 bytes)
> 0: accept policer 0
> -> 0:
> Policer directory: 1 entry (176 bytes)
> 0: Policer name "test-1-so-1/2/3.0-o": 1 reference
> Bandwidth Limit: 125000 bytes/sec.
> Burst Size: 1500 bytes.
> discard
> Program instructions: 1 word
>
> 0: terminate -> action index 0
>
> SCB(vpn02 vty)#
>
> HTHs
>
>
>> -----Original Message-----
>> From: juniper-nsp-bounces at puck.nether.net
>> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of CHEN Xu
>> Sent: Wednesday, July 02, 2008 4:13 PM
>> To: juniper-nsp at puck.nether.net
>> Subject: [j-nsp] aggregated policing
>>
>> Hi guys,
>>
>> I am wondering whether it is doable on Juniper to police the
>> aggregation of a set of interfaces.
>>
>> For example, I have two interfaces, each of them has a
>> capacity cap of 100K. However, I want to put a further cap,
>> saying the sum of the two interfaces should not go over 150K.
>> Is this doable?
>>
>> I found a statement of interface-set, which can specify a
>> set of interfaces, and then set a police policy. But I
>> suspect that this will apply the same policy to each
>> individual interface within that set, but not on the aggregated level.
>>
>> Thanks.
>> -Simon
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
--
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D
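
Added example, not part of the original thread and not Juniper's implementation: a single-rate token-bucket model of the policer quoted above (bandwidth-limit 1m, burst-size-limit 1500), run once as one shared instance and once as one instance per interface. The packet size, packet spacing and arrival offsets are constructed assumptions.

```python
# Added illustration (not from the thread): single-rate token bucket, integer math.
RATE_BPS = 1_000_000   # "bandwidth-limit 1m" = 125000 bytes/sec in the output above
BURST_BYTES = 1500     # "burst-size-limit 1500"
PKT_BYTES = 500        # assumed packet size
GAP_US = 2000          # assumed spacing: 2 Mbit/s offered per interface


class Policer:
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.depth = burst_bytes * 8      # bucket depth in bits
        self.tokens = self.depth          # start with a full bucket
        self.last_us = 0

    def offer(self, now_us, size_bytes):
        """Return True if the packet conforms, False if it is discarded."""
        # Integer refill; exact for rates that are multiples of 1 Mbit/s.
        refill = (now_us - self.last_us) * self.rate_bps // 1_000_000
        self.tokens = min(self.depth, self.tokens + refill)
        self.last_us = now_us
        need = size_bytes * 8
        if self.tokens < need:
            return False                  # "then discard"
        self.tokens -= need
        return True


def run(interface_specific, duration_us=1_000_000):
    """Bytes passed per interface during duration_us of constructed traffic."""
    offsets = {"so-1/2/2.0": 0, "so-1/2/3.0": 1000}   # first arrival, in us
    shared = Policer(RATE_BPS, BURST_BYTES)
    policers = {
        name: Policer(RATE_BPS, BURST_BYTES) if interface_specific else shared
        for name in offsets
    }
    arrivals = sorted(
        (t, name) for name, off in offsets.items()
        for t in range(off, duration_us, GAP_US)
    )
    passed = dict.fromkeys(offsets, 0)
    for t, name in arrivals:
        if policers[name].offer(t, PKT_BYTES):
            passed[name] += PKT_BYTES
    return passed


if __name__ == "__main__":
    print("shared policer:    ", run(interface_specific=False))
    print("interface-specific:", run(interface_specific=True))
```

With the shared instance the two interfaces together pass about 126 kB in the simulated second; with interface-specific instances each interface passes that much on its own, so the aggregate doubles.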