[j-nsp] Tracking traffic after policers?

Tue May 5 14:05:43 EDT 2009

Once upon a time, Chris Adams <cmadams at hiwaay.net> said:
> I have an ethernet with a bunch of customer VLANs on an M10i.  The
> customers are limited to the bandwidth they pay for with policers.  I
> collect the traffic stats for graphing via SNMP, but the stats (from the
> standard interface MIB) reflect the traffic before policing.
> 
> Is there a way to collect statistics _after_ policing (e.g. graph only
> the traffic that is passed)?  I see the JUNIPER-FIREWALL-MIB variable
> jnxFWCounterByteCount, but it is always 0 for policers (only the packets
> are counted, which isn't very useful for traffic stats).
> 
> I'm of course looking to do this with as simple a config as possible;
> right now I can set a logical interface's rate with "set policer input
> 4meg output 4meg", with the 4meg policer only defined once.

It looks like using a firewall filter with an interface-specific counter
might do it.  So, rather than:

[edit interfaces fe-1/0/0 unit 0 family inet]
+       policer {
+           input 4meg;
+           output 4meg;
+       }

I can do:

[edit interfaces fe-1/0/0 unit 0 family inet]
+       filter {
+           input 4meg;
+           output 4meg;
+       }
[edit]
+  firewall {
+      policer 4meg {
+          filter-specific;
+      }
+      filter 4meg {
+          interface-specific;
+          term other {
+              then {
+                  policer 4meg;
+                  count 4meg;
+                  accept;
+              }
+          }
+      }
+  }

Is that correct (anybody trying to do this)?  Would there be any
drawbacks to having ~60 interfaces set up like this?
-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.