[j-nsp] Juniper "firewall policer" inner workings

Stefan Fouant sfouant at shortestpathfirst.net
Mon Apr 4 09:39:11 EDT 2011


> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Martin T
> Sent: Monday, April 04, 2011 8:48 AM
> To: Gabriel Blanchard
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Juniper "firewall policer" inner workings
> 
> Gabriel,
> the question is, what does JUNOS "bandwidth-limit 10m" count into this
> "10m". Only the application payload? L4 header as well? Or even the
> IP header? If I send UDP traffic with 10Mbps and router policer
> "bandwidth-limit 10m" drops ~2.5% of this traffic, then I don't find
> this normal..

IIRC, the policer is applied to everything at Layer 3 and below, hence its
application at 'family inet'. I agree with Gabriel, a small amount of
packet loss would be expected in this scenario; in your case I would deem it
to be fairly negligible.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB4C956EC


