[j-nsp] Rate limiting v4 and v6 together
Chris Adams
cmadams at hiwaay.net
Thu Jun 2 14:05:45 EDT 2011

Once upon a time, Chris Adams <cmadams at hiwaay.net> said:
> I'm currently using interface, policer, and filter config like this to
> rate-limit ethernet interfaces to paid bandwidth on an M10i:

I got responses from several people along the same lines, but I figured
I'd summarize my solution for the archives. Thanks to all that
responded.

Everybody suggested putting the policer directly on the interface and
setting "logical-interface-policer" in the policer. The downside of
that is that I lose my nice SNMP counters for traffic passed by the
policer.

I did figure a way to still get stats, although they are per-family
(which will require configuring my monitoring system to add them
together):

interfaces {
    fe-1/0/1 {
        vlan-tagging;
        unit 148 {
            description "Some Customer";
            bandwidth 10m;
            vlan-id 148;
            family inet {
                filter {
                    input count;
                    output count;
                }
                policer {
                    input 10meg;
                    output 10meg;
                }
                address x.x.x.x/x;
            }
            family inet6 {
                filter {
                    input count6;
                    output count6;
                }
                policer {
                    input 10meg;
                    output 10meg;
                }
                address xx::x/x;
            }
        }
    }
}
firewall {
    policer 10meg {
        logical-interface-policer;
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 1250000;
        }
        then discard;
    }
    family inet6 {
        filter count6 {
            interface-specific;
            term other {
                then {
                    count rate;
                    accept;
                }
            }
        }
    }
    filter count {
        interface-specific;
        term other {
            then {
                count rate;
                accept;
            }
        }
    }
}

I can monitor the SNMP variables for the "count" and "count6" counter
"rate" and add them together to get the traffic that is actually
sent/received on the interface. Not quite as nice, but it should work.
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
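
Added example, not part of the original post: one way a monitoring system could add the per-family "count" and "count6" byte counters into a single rate and compare it with the 10m policer limit. The dictionary keys, the poll values and the 300-second interval are constructed for illustration; fetching the counters over SNMP is left out.

```python
# Added example: sum per-family filter byte counters into one interface rate.
# All sample values below are constructed, not taken from a real router.
from dataclasses import dataclass

POLICER_BPS = 10_000_000  # "bandwidth-limit 10m" from the policer above


@dataclass
class Poll:
    ts: float     # poll time in seconds
    octets: dict  # {(filter_name, direction): cumulative byte count}


def combined_bps(prev, curr, direction, filters=("count", "count6")):
    """Combined bits/s for one direction, or None if the sample is unusable."""
    elapsed = curr.ts - prev.ts
    if elapsed <= 0:
        return None
    total = 0
    for name in filters:
        key = (name, direction)
        if key not in prev.octets or key not in curr.octets:
            return None  # one family missing: do not report a partial sum
        delta = curr.octets[key] - prev.octets[key]
        if delta < 0:
            return None  # counter went backwards (cleared or filter reinstalled)
        total += delta
    return total * 8 / elapsed


def utilisation(bps, limit_bps=POLICER_BPS):
    """Fraction of the policed rate in use."""
    return bps / limit_bps


# Constructed polls, 300 seconds apart.
P1 = Poll(0, {("count", "in"): 1_000_000_000, ("count6", "in"): 50_000_000})
P2 = Poll(300, {("count", "in"): 1_225_000_000, ("count6", "in"): 125_000_000})
# Constructed poll where the inet6 counter was reset between samples.
P3 = Poll(600, {("count", "in"): 1_450_000_000, ("count6", "in"): 1_000})

if __name__ == "__main__":
    rate = combined_bps(P1, P2, "in")
    print(f"in: {rate:.0f} bit/s, {utilisation(rate):.0%} of policer limit")
    print("after reset:", combined_bps(P2, P3, "in"))
```

Returning None when either family's counter is missing or has gone backwards keeps a reset from showing up as a false traffic spike or a silently low total.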