[j-nsp] police multiple family CCC interfaces with a single shared policer on M(or MX) series?
Martin T
m4rtntns at gmail.com
Tue Dec 11 19:49:04 EST 2012
Hi,
I have a setup where two Linux workstations are connected to each
other via a Juniper remote LSP circuit
cross-connect (remote-interface-switch). The simplified setup looks like
this:
workstation1 <-> M20 <-> M10i <-> workstation2
Both workstations have three sub-interfaces (VLAN interfaces).
"workstation1" has the following sub-interfaces:
inet 10.10.1.2/24 brd 10.10.1.255 scope global eth0.534
inet 10.10.2.2/24 brd 10.10.2.255 scope global eth0.541
inet 10.10.3.2/24 brd 10.10.3.255 scope global eth0.653
..and "workstation2" has the following sub-interfaces:
inet 10.10.1.1/24 brd 10.10.1.255 scope global eth0.534
inet 10.10.2.1/24 brd 10.10.2.255 scope global eth0.541
inet 10.10.3.1/24 brd 10.10.3.255 scope global eth0.653
Circuits between the M20 (9.4R3.5) and the M10i (10.4R9.2) are up and I'm able
to reach "workstation1" from "workstation2" and vice versa on all
three VLANs. Now I need to police those three circuits with a common
20 Mbps policer. In other words, all three family ccc interfaces, both in the
M20 and the M10i, need to share the same 20 Mbps policer. My first idea was to
group the three sub-interfaces in the routers with an "interface-set" and apply the
policer. Something like this:
[edit firewall]
root at M20# show
policer bw-20Mbps {
    if-exceeding {
        bandwidth-limit 20m;
        burst-size-limit 512k;
    }
    then discard;
}
interface-set if-set {
    ge-1/1/0.534;
    ge-1/1/0.541;
    ge-1/1/0.653;
}
filter if-set-filter {
    term 20Mbps-policer {
        from {
            interface-set if-set;
        }
        then policer bw-20Mbps;
    }
}
[edit firewall]
root at M20#
While this works fine in the case of inet family interfaces (I tested this,
and a single policer is indeed shared between multiple sub-interfaces),
it doesn't seem to work in the case of family ccc interfaces: the commit fails
with a "Referenced filter 'if-set-filter' is not defined" error, while
filter "if-set-filter" actually is defined under the firewall
configuration. As I understand it, firewall filters for family ccc need
to be configured under the [edit firewall family ccc filter filter-name]
hierarchy? Under [edit firewall family ccc filter filter-name] there
is no "interface-set" match condition, but there is an
"interface-group" match condition. So as a next step I put all
three interfaces into the same "interface-group" number 10 and applied
policer "bw-20Mbps" to the "interface-group":
[edit]
root at M20# show interfaces ge-1/1/0
vlan-tagging;
mtu 9000;
encapsulation vlan-ccc;
unit 534 {
    description CCC-test;
    encapsulation vlan-ccc;
    bandwidth 20m;
    vlan-id 534;
    family ccc {
        filter {
            input if-group-filter;
            group 10;
        }
    }
}
unit 541 {
    description CCC-test;
    encapsulation vlan-ccc;
    bandwidth 20m;
    vlan-id 541;
    family ccc {
        filter {
            input if-group-filter;
            group 10;
        }
    }
}
unit 653 {
    description CCC-test;
    encapsulation vlan-ccc;
    bandwidth 20m;
    vlan-id 653;
    family ccc {
        filter {
            input if-group-filter;
            group 10;
        }
    }
}
[edit]
root at M20# show firewall
policer bw-20Mbps {
    if-exceeding {
        bandwidth-limit 20m;
        burst-size-limit 512k;
    }
    then discard;
}
family ccc {
    filter if-group-filter {
        term if-group-term {
            from {
                interface-group 10;
            }
            then policer bw-20Mbps;
        }
    }
}
[edit]
root at M20#
Now if I start iperf in bidirectional simultaneous mode on one of the
workstations on all three interfaces at the same time, I get around
18 Mbps on all three VLANs, while I was expecting to receive about
6.5 Mbps. In other words, ge-1/1/0.534, ge-1/1/0.541 and ge-1/1/0.653 do
not share the bw-20Mbps policer. Am I doing this wrong? Or is it
impossible to police multiple family ccc interfaces with one shared
policer on M (or MX) series?
regards,
Martin
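The difference Martin is measuring (three flows at ~18 Mbps each versus ~6.5 Mbps each) is exactly the difference between three sub-interfaces bound to one policer instance and three sub-interfaces each getting their own instance of the same policer definition. The simulation below is an added example, not code from the post or from Juniper: it models a generic single-rate token bucket driven by the two parameters the config uses (bandwidth-limit 20m, burst-size-limit 512k) and feeds it three constructed 20 Mbps flows. It is an assumption that the platform's policer behaves like this textbook model; the point is only to show what "shared" versus "per-interface" should look like in an iperf run.

```python
"""
Token-bucket policer model: one shared instance versus one instance per interface.

Added illustration, not from the original post or from Juniper. It assumes the
generic single-rate token bucket that bandwidth-limit/burst-size-limit describe;
the offered loads used below are constructed, not measured.
"""
import random


class TokenBucket:
    """Single-rate policer: tokens refill at rate_bps, capped at burst_bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes_per_s = rate_bps / 8.0
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)  # bucket starts full

    def refill(self, dt):
        self.tokens = min(self.burst_bytes, self.tokens + self.rate_bytes_per_s * dt)

    def admit(self, size):
        """Forward the packet if enough tokens remain, otherwise discard it."""
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def policed_rates(offered_mbps, shared, rate_bps=20_000_000, burst_bytes=512_000,
                  duration=10.0, dt=0.001, pkt_bytes=1500, seed=0):
    """Return the forwarded rate of each flow in Mbps after policing.

    offered_mbps: offered load per flow (one flow per sub-interface), constructed.
    shared=True : all sub-interfaces are bound to the same policer instance.
    shared=False: each sub-interface gets its own instance with identical parameters.
    """
    n = len(offered_mbps)
    if shared:
        single = TokenBucket(rate_bps, burst_bytes)
        policers = [single] * n            # the same object referenced n times
        distinct = [single]
    else:
        policers = [TokenBucket(rate_bps, burst_bytes) for _ in range(n)]
        distinct = policers

    rng = random.Random(seed)              # randomise arrival order within a tick
    credit = [0.0] * n                     # bytes each flow has ready to send
    forwarded = [0] * n
    for _ in range(round(duration / dt)):
        for p in distinct:
            p.refill(dt)
        # Each flow emits the packets its offered load allows this tick; the
        # flows are interleaved in random order so none is systematically favoured.
        queue = []
        for i, mbps in enumerate(offered_mbps):
            credit[i] += mbps * 1e6 / 8.0 * dt
            while credit[i] >= pkt_bytes:
                credit[i] -= pkt_bytes
                queue.append(i)
        rng.shuffle(queue)
        for i in queue:
            if policers[i].admit(pkt_bytes):
                forwarded[i] += pkt_bytes
    return [round(b * 8 / duration / 1e6, 2) for b in forwarded]


if __name__ == "__main__":
    load = [20, 20, 20]  # constructed: iperf saturating each VLAN at 20 Mbps
    print("shared policer :", policed_rates(load, shared=True))
    print("per-interface  :", policed_rates(load, shared=False))
```

With one shared instance the three flows together get the 20 Mbps rate plus a one-off 512 KB burst, so each lands near 6.8 Mbps over a 10 s run; with one instance per sub-interface every flow is individually allowed 20 Mbps and nothing is discarded, which is the shape of the ~18 Mbps per VLAN that the post reports. The policer definition is identical in both cases; only the binding differs.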