[j-nsp] Juniper "firewall policer" inner workings
Ben Dale
bdale at comlinx.com.au
Mon Apr 4 08:43:34 EDT 2011
Without "filter-specific", applying a single policer to multiple interfaces will usually result in the policer aggregating throughput from all interfaces it has been applied to in order to determine whether your bandwidth-limit has been met.
On 04/04/2011, at 10:29 PM, Martin T wrote:
> With such configuration: http://img135.imageshack.us/img135/3162/iperftest.png
>
> ..there is still packet loss present:
>
> [root@ ~]# iperf -c 192.168.2.1 -u -fm -t60 -d -b 10m
> ------------------------------------------------------------
> Server listening on UDP port 5001
> Receiving 1470 byte datagrams
> UDP buffer size: 0.04 MByte (default)
> ------------------------------------------------------------
> ------------------------------------------------------------
> Client connecting to 192.168.2.1, UDP port 5001
> Sending 1470 byte datagrams
> UDP buffer size: 0.01 MByte (default)
> ------------------------------------------------------------
> [ 4] local 192.168.1.1 port 59580 connected with 192.168.2.1 port 5001
> [ 3] local 192.168.1.1 port 5001 connected with 192.168.2.1 port 44050
> [ ID] Interval Transfer Bandwidth
> [ 4] 0.0-60.0 sec 71.5 MBytes 10.0 Mbits/sec
> [ 4] Sent 51019 datagrams
> [ 3] 0.0-60.0 sec 69.9 MBytes 9.77 Mbits/sec 0.022 ms 1180/51021 (2.3%)
> [ 3] 0.0-60.0 sec 1 datagrams received out-of-order
> [ 4] Server Report:
> [ 4] 0.0-60.0 sec 69.9 MBytes 9.77 Mbits/sec 0.150 ms 1180/51018 (2.3%)
> [ 4] 0.0-60.0 sec 1 datagrams received out-of-order
> [root@ ~]#
>
>
> What should this "filter-specific" do? According to documentation,
> "Filter-specific policers allow you to configure policers and counters
> for a specific filter name. If the filter-specific statement is not
> configured, then the policer defaults to a term-specific policer", but
> it's rather difficult to understand without examples..
>
> regards,
> martin
>
>
> 2011/4/4 Ben Dale <bdale at comlinx.com.au>:
>> Hi Martin,
>>
>> Your policer bandwidth (10Mbps) is being counted on both ingress and egress and will be stacking - try adding:
>>
>> set firewall policer bw-10Mbps filter-specific
>>
>> and you should see the loss go away.
>>
>> Cheers,
>>
>> Ben
>>
>> On 04/04/2011, at 7:41 PM, Martin T wrote:
>>
>>> I made a following setup:
>>>
>>> http://img690.imageshack.us/img690/3162/iperftest.png
>>>
>>> In a laptop, an Iperf server is listening like this: "iperf -s -u -fm".
>>> In a workstation, an Iperf client is executed like this: "iperf -c
>>> 192.168.2.1 -u -fm -t60 -d -b 10m". This will execute simultaneous
>>> 10Mbps UDP traffic flood between 192.168.1.1 and 192.168.2.1 for 1
>>> minute. Results are always like this:
>>>
>>> [root@ ~]# iperf -c 192.168.2.1 -u -fm -t60 -d -b 10m
>>> ------------------------------------------------------------
>>> Server listening on UDP port 5001
>>> Receiving 1470 byte datagrams
>>> UDP buffer size: 0.04 MByte (default)
>>> ------------------------------------------------------------
>>> ------------------------------------------------------------
>>> Client connecting to 192.168.2.1, UDP port 5001
>>> Sending 1470 byte datagrams
>>> UDP buffer size: 0.01 MByte (default)
>>> ------------------------------------------------------------
>>> [ 4] local 192.168.1.1 port 32284 connected with 192.168.2.1 port 5001
>>> [ 3] local 192.168.1.1 port 5001 connected with 192.168.2.1 port 52428
>>> [ ID] Interval Transfer Bandwidth
>>> [ 4] 0.0-60.0 sec 71.5 MBytes 10.0 Mbits/sec
>>> [ 4] Sent 51021 datagrams
>>> [ 4] Server Report:
>>> [ 4] 0.0-59.9 sec 69.8 MBytes 9.77 Mbits/sec 0.112 ms 1259/51020 (2.5%)
>>> [ 4] 0.0-59.9 sec 1 datagrams received out-of-order
>>> [ 3] 0.0-60.0 sec 69.8 MBytes 9.77 Mbits/sec 0.030 ms 1200/51021 (2.4%)
>>> [ 3] 0.0-60.0 sec 1 datagrams received out-of-order
>>> [root@ ~]#
>>>
>>> As you can see, there is a ~2.5% packet loss. This packet loss is due
>>> to the fact, that router "bw-10Mbps" policer drops small percentage of
>>> packages in "input" direction(I can check the amount of dropped
>>> packets with "show policer" command). For example if I increase the
>>> policer "bandwidth-limit" to "11m", there will be no packet loss.
>>>
>>> In both machines(192.168.1.1 and 192.168.2.1) Iperf sends packets with
>>> 1470 byte payload. In addition, there is a 8 byte UDP header and 20
>>> byte IPv4 header. So according to tcpdump the whole IPv4 packet is
>>> 1498 bytes:
>>>
>>>
>>> [root@ ~]# tcpdump -i fxp0 -c 4 -v
>>> tcpdump: listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
>>> 11:49:18.961405 IP (tos 0x0, ttl 63, id 44836, offset 0, flags [DF],
>>> proto UDP (17), length 1498)
>>> 192.168.2.1.52428 > 192.168.1.1.commplex-link: UDP, length 1470
>>> 11:49:18.961459 IP (tos 0x0, ttl 64, id 37052, offset 0, flags [none],
>>> proto UDP (17), length 1498)
>>> 192.168.1.1.32284 > 192.168.2.1.commplex-link: UDP, length 1470
>>> 11:49:18.961473 IP (tos 0x0, ttl 64, id 37053, offset 0, flags [none],
>>> proto UDP (17), length 1498)
>>> 192.168.1.1.32284 > 192.168.2.1.commplex-link: UDP, length 1470
>>> 11:49:18.961485 IP (tos 0x0, ttl 64, id 37054, offset 0, flags [none],
>>> proto UDP (17), length 1498)
>>> 192.168.1.1.32284 > 192.168.2.1.commplex-link: UDP, length 1470
>>> 4 packets captured
>>> 284 packets received by filter
>>> 0 packets dropped by kernel
>>> [root@ ~]#
>>>
>>> Whole frame size is 1512 bytes.
>>>
>>> Does JUNOS include UDP(or L3 header in general) header to this
>>> "bandwidth-limit 10m"? If it does, shouldn't there be 0.5% packet loss
>>> instead of 2.5%? Or if "bandwidth-limit 10m" includes IPv4 header as
>>> well, the packet loss for Iperf should be
>>>
>>> 1498 - 100%
>>> 28 - x%
>>>
>>> ..1.9% not ~2.5%. Are my calculations wrong or how does JUNOS policer
>>> "bandwidth-limit" calculate this 10m bits?
>>>
>>>
>>> regards,
>>> martin
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>
>>
>
More information about the juniper-nsp
mailing list