[j-nsp] Juniper "firewall policer" inner workings

Martin T m4rtntns at gmail.com
Mon Apr 4 11:38:24 EDT 2011


Ben,
thanks for this "filter-specific" explanation!


Gabriel, Stefan, Chuck, Sthaug:

Packet loss, which Iperf reports, boils down to how the
"bandwidth-limit" and "burst-size-limit" work. As Stefan mentioned,
it would be logical that everything below IP header is counted into
this "10m" as policer is under family inet. If so, the packet loss
should be 8 bytes per packet because the UDP datagrams Iperf sends out
are as follows (checked this with tcpdump):

Iperf sends packets with a 1470-byte payload. In addition, there is an
8-byte UDP header and a 20-byte IPv4 header. So according to tcpdump the
whole IPv4 packet is 1498 bytes.

However, if 51020 UDP datagrams were sent during the test, it would do
(51021*8)/(1024*1024)=0.40MB lost data, but according to Iperf, the
difference between the sent and received data is 1.7MB.

However, when increasing the "burst-size-limit", the packet loss decreases.

PS I don't mind this packet loss, it's just interesting to find out,
how the "bandwidth-limit" and "burst-size-limit" internally work on
Juniper platform :)


regards,
martin


2011/4/4  <sthaug at nethelp.no>:
>> > the question is, what does JUNOS "bandwidth-limit 10m" count into this
>> > "10m". Only the application payload? L4 header as well? Or even the
>> > IP header? If I send UDP traffic with 10Mbps and router policer
>> > "bandwidth-limit 10m" drops ~2.5% of this traffic, then I don't find
>> > this normal..
>>
>> IIRC, the policer is applied to everything at Layer 3 and below, hence its
>> application at 'family inet'.  I agree with Gabriel, a small amount of
>> packet loss would be expected in this scenario, in your case I would deem it
>> to be fairly negligible.
>
> Expecting the throughput to be *exactly* 10 Mbps is somewhat optimistic,
> but it sounds like this is what the user wants/expects. I agree that the
> observed difference (9.77 Mbps vs 10 Mbps) is negligible.
>
> It might also be an idea to measure using different values of burst size.
> I personally find the Juniper manuals to be somewhat lacking here...
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>
>
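
An added illustration, not part of the original thread and not Juniper's implementation: a textbook single-rate token-bucket policer run over the Iperf stream described above (51020 datagrams, 1470-byte payload, 1498-byte IPv4 packets), showing how the counted bytes and the burst size change the drop count. The burst sizes, the full bucket at start, the even packet pacing and the assumption that Iperf paces 10 Mbps of payload are all constructed for the example.

```python
from fractions import Fraction

def policer_drops(n_packets, counted_bytes, interval_s, rate_bps, burst_bytes):
    """Count drops of a textbook single-rate token-bucket policer.

    counted_bytes is what the policer charges per packet; interval_s is the
    spacing between evenly paced packets. Fractions keep the arithmetic exact.
    """
    refill = Fraction(rate_bps, 8) * interval_s   # byte credit earned per interval
    tokens = Fraction(burst_bytes)                # assumption: bucket starts full
    dropped = 0
    for i in range(n_packets):
        if i:                                     # credit accrues between packets,
            tokens = min(Fraction(burst_bytes), tokens + refill)  # capped at burst
        if tokens >= counted_bytes:
            tokens -= counted_bytes               # in profile: forward and charge
        else:
            dropped += 1                          # out of profile: discard
    return dropped

# Figures from the thread
PAYLOAD = 1470            # Iperf UDP payload, bytes
IP_PACKET = 1498          # payload + 8-byte UDP header + 20-byte IPv4 header
DATAGRAMS = 51020
RATE_BPS = 10_000_000     # "bandwidth-limit 10m"

# Assumptions (not stated in the thread)
OFFERED_BPS = 10_000_000  # Iperf's 10 Mbps is taken to count payload only
INTERVAL = Fraction(PAYLOAD * 8, OFFERED_BPS)     # seconds between datagrams

def loss_report(burst_bytes, counted_bytes=IP_PACKET):
    """Return (dropped datagrams, loss in percent) for one burst size."""
    drops = policer_drops(DATAGRAMS, counted_bytes, INTERVAL, RATE_BPS, burst_bytes)
    return drops, round(100 * drops / DATAGRAMS, 2)

if __name__ == "__main__":
    for burst in (15_000, 625_000):               # constructed burst sizes, bytes
        drops, pct = loss_report(burst)
        print(f"burst {burst:>7} B: {drops} dropped ({pct}%)")
    # Same stream if only the payload were charged against the 10m:
    print("payload-only counting:", loss_report(15_000, counted_bytes=PAYLOAD))
```

In this model the steady-state loss comes from the 28 header bytes charged per packet beyond the paced payload rate, and a larger burst only absorbs a fixed number of bytes once, so its effect shrinks as the test gets longer.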


