[j-nsp] Tower top switch/router recommendation..
Peter Kranz
pkranz at unwiredltd.com
Wed Mar 23 18:31:08 EDT 2011
Hi Will,
If I undertand correctly, this version handles a CIR with a certain
burst-size in terms of bits.. But doesn't handle the need to allow ongoing
bursts above 'bandwidth-limit' if the resources are available.. That
unfortunately is the gist of the problem that makes it more difficult to
solve..
Peter Kranz
www.UnwiredLtd.com
Desk: 510-868-1614 x100
Mobile: 510-207-0000
pkranz at unwiredltd.com
-----Original Message-----
From: OBrien, Will [mailto:ObrienH at missouri.edu]
Sent: Wednesday, March 23, 2011 3:26 PM
To: Peter Kranz
Cc: Pavel Lunin; juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Tower top switch/router recommendation..
I create my policers per subnet for convenience. You can do them per IP by
simply using /32 but if each customer has a dedicated cider block, it'll be
pretty straight forward.
Here's how I do it:
on an interface, (this is from a MX, but similar context on a srx)
unit 201 {
family inet {
filter {
input InboundPolicer;
output Outbound Policer;
}
address blahblah;
}
Then...
firewall family inet filter InboundPolicer term CustomerX {
from {
address {
192.168.10.0/24;
}
}
then prefix-action limitCustomer10Mbit; }
Then...
firewall family inet prefix-action imitCustomer10Mbit policer 10MbitPolicer;
subnet-prefix-length 24; destination-prefix-length 32;
## this says from the /24, limit based on traffic to a particular /32. I
use this to limit bandwidth to each user on my campus. Adjust as needed. /24
would consider the entire block.
Then:
firewall policer
limitCustomer10Mbit{
if-exceeding {
bandwidth-limit 10000000;
burst-size-limit 1250000; //There's a complex formula for this, but
it works out to about 1/8th of the bandwith you want.
}
then discard;
Got it?
Starting with this, I'd take a look at the example QoS configs and combine
the two to create some filters for your needs.
I'm not terribly familiar with J series, but they will likely do this as the
older M series would. (MX does it without even trying hard) and I think it's
doable with the SRX, but I'd build a lab version first and try it.
Will
On Mar 23, 2011, at 4:52 PM, Peter Kranz wrote:
> Hi Pavel,
>
> Each customer is on a separate non-overlapping subnet,
> but NOT on a different VLAN generally.. So filtering at the subnet
> level is easy.. does this change your response at all?
>
>
>
> Peter Kranz
> www.UnwiredLtd.com <http://www.unwiredltd.com/>
> Desk: 510-868-1614 x100
> Mobile: 510-207-0000
> <mailto:pkranz at unwiredltd.com> pkranz at unwiredltd.com
>
> From: Pavel Lunin [mailto:plunin at senetsy.ru]
> Sent: Wednesday, March 23, 2011 2:43 PM
> To: Peter Kranz
> Cc: Doug Hanks; juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Tower top switch/router recommendation..
>
>
>
>
>
> Seems like filters+policers allows you to specify
> bandwidth-limit and burst-size..
>
> I.e. if you had a pool of 10 mbps.. you could carve it into individual
> customer chunks at their... But no way to allow the customer to burst
> above that bandwidth-limit to some specified higher BW, only allowed
> to specify burst in terms of burst-size..
>
> I need a way to ensure a customer gets their CIR at all times, and if
> adequate extra BW available, they can burst to a higher (but limited
> to a specified MIR) bandwidth..
>
>
>
> Peter, what you talk about looks like a policer/shaper per VLAN. If I
> didn't miss something, of course.
>
> EX series won't help you since it only supports policers for incoming
> (not
> outgoing) traffic and only 8 queues (and consequently 8 different
> shaper
> instances) per physical port. Of course you can try to do policing on
> ingress, but you'll need to write and maintain a hell of filters to
> distinguish the customers. This means you need to know something other
> than a VLAN to demux them: e. g. their IPs, but this means you have to
> know it, customers can't use overlapping space, etc. Not flexible at
> all and too much of manual work.
>
> So in order to do what you want, some sort of aggregation router is
> needed, which would support either policers or shapers per outgoing
> vlan. In case of <1Gbps. well, maybe the higher J-series or SRX650 in
> packet mode (or even together with the stateful stuff, why not).
>
> Than you can configure something like this:
> http://books.google.com/books?id=EGi0zUwhB4QC
> <http://books.google.com/books?id=EGi0zUwhB4QC&lpg=PA256&ots=672B7l6d7
> V&dq=j
> unos%20policer%20out-of-profile&hl=ru&pg=PA256#v=onepage&q&f=false>
> &lpg=PA256&ots=672B7l6d7V&dq=junos%20policer%20out-of-profile&hl=ru&pg
> =PA256
> #v=onepage&q&f=false
>
> Nothing personal about the book name :)
>
> Two policers, first is for higher bw (say, 10M), which drops exceeding
> traffic, than, if it didn't, the next one (say, 5M), which somehow
> lowers the packets' priority: sets the fw-class, which is than mapped
> to an appropriate low-priority queue, sets the loss-priority, marks
> them as out-of-profile (AFAIR only supported on J/SRX but it's
> actually more or less the same as mapping to a class, which is bound
> to a lower-priority que,) or something else.
>
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list