[j-nsp] police multiple family CCC interfaces with a single shared policer on M(or MX) series?

Martin T m4rtntns at gmail.com
Tue Dec 11 19:49:04 EST 2012


Hi,

I have a setup where two Linux workstations are connected to each
other via a Juniper remote LSP circuit
cross-connect (remote-interface-switch). The simplified setup looks like
this:

workstation1 <-> M20 <-> M10i <-> workstation2


Both workstations have three sub-interfaces (VLAN interfaces).
"workstation1" has the following sub-interfaces:

inet 10.10.1.2/24 brd 10.10.1.255 scope global eth0.534
inet 10.10.2.2/24 brd 10.10.2.255 scope global eth0.541
inet 10.10.3.2/24 brd 10.10.3.255 scope global eth0.653

...and "workstation2" has the following sub-interfaces:

inet 10.10.1.1/24 brd 10.10.1.255 scope global eth0.534
inet 10.10.2.1/24 brd 10.10.2.255 scope global eth0.541
inet 10.10.3.1/24 brd 10.10.3.255 scope global eth0.653


Circuits between M20 (9.4R3.5) and M10i (10.4R9.2) are up and I'm able
to reach "workstation1" from "workstation2" and vice versa on all
three VLANs. Now I need to police those three circuits with a common
20Mbps policer. In other words, all three family ccc interfaces, both in
M20 and M10i, need to share the same 20Mbps policer. My first idea was to
group the three sub-interfaces in the routers with "interface-set" and apply
a policer. Something like this:

[edit firewall]
root@M20# show
policer bw-20Mbps {
    if-exceeding {
        bandwidth-limit 20m;
        burst-size-limit 512k;
    }
    then discard;
}
interface-set if-set {
    ge-1/1/0.534;
    ge-1/1/0.541;
    ge-1/1/0.653;
}
filter if-set-filter {
    term 20Mbps-policer {
        from {
            interface-set if-set;
        }
        then policer bw-20Mbps;
    }
}

[edit firewall]
root@M20#

While this works fine in the case of inet family interfaces (I tested this
and a single policer is indeed shared between multiple sub-interfaces),
it doesn't seem to work in the case of family ccc interfaces: the commit fails
with a "Referenced filter 'if-set-filter' is not defined" error, while the
filter "if-set-filter" actually is defined under the firewall
configuration. As I understand it, firewall filters for family ccc need
to be configured under the [edit firewall family ccc filter filter-name]
hierarchy? Under [edit firewall family ccc filter filter-name] there
is no "interface-set" match condition, but there is an
"interface-group" match condition. So as a next step I put all three
interfaces into the same "interface-group", number 10, and applied
policer "bw-20Mbps" to the "interface-group":

[edit]
root@M20# show interfaces ge-1/1/0
vlan-tagging;
mtu 9000;
encapsulation vlan-ccc;
unit 534 {
    description CCC-test;
    encapsulation vlan-ccc;
    bandwidth 20m;
    vlan-id 534;
    family ccc {
        filter {
            input if-group-filter;
            group 10;
        }
    }
}
unit 541 {
    description CCC-test;
    encapsulation vlan-ccc;
    bandwidth 20m;
    vlan-id 541;
    family ccc {
        filter {
            input if-group-filter;
            group 10;
        }
    }
}
unit 653 {
    description CCC-test;
    encapsulation vlan-ccc;
    bandwidth 20m;
    vlan-id 653;
    family ccc {
        filter {
            input if-group-filter;
            group 10;
        }
    }
}

[edit]
root@M20# show firewall
policer bw-20Mbps {
    if-exceeding {
        bandwidth-limit 20m;
        burst-size-limit 512k;
    }
    then discard;
}
family ccc {
    filter if-group-filter {
        term if-group-term {
            from {
                interface-group 10;
            }
            then policer bw-20Mbps;
        }
    }
}

[edit]
root@M20#


Now if I start Iperf in bidirectional simultaneous mode on one of the
workstations on all three interfaces at the same time, I get around
18Mbps on all three VLANs, while I was expecting to receive about
6.5Mbps. In other words, ge-1/1/0.534, ge-1/1/0.541 and ge-1/1/0.653 do
not share the bw-20Mbps policer. Am I doing this wrong? Or is it
impossible to police multiple family ccc interfaces with one shared
policer on M (or MX) series?


regards,
Martin


More information about the juniper-nsp mailing list