[j-nsp] Juniper "firewall policer" inner workings

Stefan Fouant sfouant at shortestpathfirst.net
Mon Apr 4 11:42:28 EDT 2011


> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Martin T
> Sent: Monday, April 04, 2011 11:38 AM
> To: sthaug at nethelp.no
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Juniper "firewall policer" inner workings
> 
> Packet loss, which Iperf reports, boils down to how the
> "bandwidth-limit" and "burst-size-limit" works. As Stefan mentioned,
> it would be logical that everything below IP header is counted into
> this "10m" as policer is under family inet. If so, the packet loss
> should be 8 bytes per packet because the UDP datagrams Iperf sends out
> are as follows (checked this with tcpdump):

Actually, what I'm saying is that it also includes the IP Header as well, so
it should be 28 Bytes per packet.

> Iperf sends packets with 1470 byte payload. In addition, there is an 8
> byte UDP header and 20 byte IPv4 header. So according to tcpdump the
> whole IPv4 packet is 1498 bytes.
> 
> However, if 51020 UDP datagrams were sent during the test, it would do
> (51021*8)/(1024*1024)=0.40MB lost data, but according to Iperf, the
> dividing between the sent and received data is 1.7MB.

See above.

> However, when increasing the "burst-size-limit", the packet loss
> decreases..

This doesn't surprise me, you've given a larger buffer to smooth things
out...

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB4C956EC
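
The accounting discussed in this message, as an added example that is not part of the original post and is not Junos code: a single-rate token-bucket model that charges each datagram either the full 1498-byte IPv4 packet or only the 1478 bytes below the IP header, for several burst sizes. Assumptions: the policer behaves as a token bucket that starts full, Iperf paces the 1470-byte payload evenly at 10 Mbit/s (which yields 51020 datagrams in 60 seconds), and the burst sizes are constructed values.

```python
# Added illustration: single-rate token-bucket model, not Junos source code.
IP_HDR, UDP_HDR, PAYLOAD = 20, 8, 1470       # byte counts quoted in the thread
L3_SIZE = IP_HDR + UDP_HDR + PAYLOAD          # 1498-byte IPv4 packet


def police(n_packets, offered_bps, limit_bps, burst_bytes, counted=L3_SIZE):
    """Return how many packets the bucket drops.

    Assumptions: the sender paces PAYLOAD bytes evenly at offered_bps, the
    bucket starts full, and each packet costs `counted` bytes of credit.
    """
    interval = PAYLOAD * 8 / offered_bps      # seconds between datagrams
    refill = limit_bps / 8                    # credit earned, bytes per second
    tokens, dropped = float(burst_bytes), 0
    for i in range(n_packets):
        if i:                                 # credit earned since last packet
            tokens = min(burst_bytes, tokens + interval * refill)
        if tokens >= counted:
            tokens -= counted                 # conforming packet: spend credit
        else:
            dropped += 1                      # out of credit: discard
    return dropped


def lost_payload_mb(dropped):
    """Payload bytes lost, in the 1024*1024 units used in the thread."""
    return dropped * PAYLOAD / (1024 * 1024)


if __name__ == "__main__":
    n, rate = 51020, 10e6                     # datagram count and "10m" limit
    for burst in (15_000, 150_000, 1_500_000):    # constructed burst sizes
        for label, size in (("IP header counted", L3_SIZE),
                            ("IP header not counted", UDP_HDR + PAYLOAD)):
            d = police(n, rate, rate, burst, counted=size)
            print(f"burst={burst:>9} {label:<22} dropped={d:>4} "
                  f"loss={d / n:.2%} lost={lost_payload_mb(d):.2f}MB")
```

In this model the initial bucket credit absorbs the per-packet overhead until it runs out, so a larger burst size lowers the loss measured over a fixed-length test even when the sender is perfectly paced.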



