[j-nsp] Juniper "firewall policer" inner workings

sthaug at nethelp.no sthaug at nethelp.no
Mon Apr 4 09:53:08 EDT 2011


> > the question is, what does JUNOS "bandwidth-limit 10m" count into this
> > "10m". Only the application payload? L4 header as well? Or even the
> > IP header? If I send UDP traffic with 10Mbps and router policer
> > "bandwidth-limit 10m" drops ~2.5% of this traffic, then I don't find
> > this normal..
> 
> IIRC, the policer is applied to everything at Layer 3 and below, hence its
> application at 'family inet'.  I agree with Gabriel, a small amount of
> packet loss would be expected in this scenario, in your case I would deem it
> to be fairly negligible.

Expecting the throughput to be *exactly* 10 Mbps is somewhat optimistic,
but it sounds like this is what the user wants/expects. I agree that the 
observed difference (9.77 Mbps vs 10 Mbps) is negligible.

It might also be an idea to measure using different values of burst size.
I personally find the Juniper manuals to be somewhat lacking here...

Steinar Haug, Nethelp consulting, sthaug at nethelp.no


