[j-nsp] police multiple family CCC interfaces with a single shared policer on M(or MX) series?

Martin T m4rtntns at gmail.com
Wed Dec 12 16:36:58 EST 2012


In addition, I tried to add filter "if-group-filter" to egress traffic
instead of ingress traffic like this:

[edit]
root@M20# show interfaces ge-1/1/0
vlan-tagging;
mtu 9000;
encapsulation vlan-ccc;
unit 534 {
    description CCC-test;
    encapsulation vlan-ccc;
    bandwidth 20m;
    vlan-id 534;
    family ccc {
        filter {
            output if-group-filter;
            group 10;
        }
    }
}
unit 541 {
    description CCC-test;
    encapsulation vlan-ccc;
    bandwidth 20m;
    vlan-id 541;
    family ccc {
        filter {
            output if-group-filter;
            group 10;
        }
    }
}
unit 653 {
    description CCC-test;
    encapsulation vlan-ccc;
    bandwidth 20m;
    vlan-id 653;
    family ccc {
        filter {
            output if-group-filter;
            group 10;
        }
    }
}

[edit]
root@M20# show firewall
policer bw-20Mbps {
    if-exceeding {
        bandwidth-limit 20m;
        burst-size-limit 512k;
    }
    then discard;
}
family ccc {
    filter if-group-filter {
        term if-group-term {
            from {
                interface-group 10;
            }
            then policer bw-20Mbps;
        }
    }
}

[edit]
root@M20#

..but such configuration broke the connectivity between the
"workstation1" and "workstation2". Any ideas how to police multiple
family ccc interfaces with one shared policer on M(or MX) series?



regards,
Martin


2012/12/12 Martin T <m4rtntns at gmail.com>:
> Hi,
>
> I have a setup where two Linux workstations are connected to each
> other via Juniper remote LSP circuit
> cross-connect(remote-interface-switch). Simplified setup looks like
> this:
>
> workstation1 <-> M20 <-> M10i <-> workstation2
>
>
> Both workstations have three sub-interfaces(VLAN interfaces).
> "workstation1" has following sub-interfaces:
>
> inet 10.10.1.2/24 brd 10.10.1.255 scope global eth0.534
> inet 10.10.2.2/24 brd 10.10.2.255 scope global eth0.541
> inet 10.10.3.2/24 brd 10.10.3.255 scope global eth0.653
>
> ..and "workstation2" has following sub-interfaces:
>
> inet 10.10.1.1/24 brd 10.10.1.255 scope global eth0.534
> inet 10.10.2.1/24 brd 10.10.2.255 scope global eth0.541
> inet 10.10.3.1/24 brd 10.10.3.255 scope global eth0.653
>
>
> Circuits between M20(9.4R3.5) and M10i(10.4R9.2) are up and I'm able
> to reach "workstation1" from "workstation2" and vice versa on all
> three VLAN's. Now I need to police those three circuits with a common
> 20Mbps policer. In other words all three family ccc interfaces both in
> M20 and M10i need to share same 20Mbps policer. First idea was to
> group three sub-interfaces in routers with "interface-set" and apply
> policer. Something like this:
>
> [edit firewall]
> root@M20# show
> policer bw-20Mbps {
>     if-exceeding {
>         bandwidth-limit 20m;
>         burst-size-limit 512k;
>     }
>     then discard;
> }
> interface-set if-set {
>     ge-1/1/0.534;
>     ge-1/1/0.541;
>     ge-1/1/0.653;
> }
> filter if-set-filter {
>     term 20Mbps-policer {
>         from {
>             interface-set if-set;
>         }
>         then policer bw-20Mbps;
>     }
> }
>
> [edit firewall]
> root@M20#
>
> While this works fine in case of inet family interfaces(I tested this
> and single policer is indeed shared between multiple sub-interfaces),
> it doesn't seem to work in case of family ccc interfaces- commit fails
> with "Referenced filter 'if-set-filter' is not defined" error while
> filter "if-set-filter" actually is defined under firewall
> configuration. As I understand, firewall filters for family ccc need
> to be configured under [edit firewall family ccc filter filter-name]
> hierarchy? Under [edit firewall family ccc filter filter-name] there
> is no "interface-set" match condition, but there is an
> "interface-group" match condition. So as a next step I put all those
> three interfaces to same "interface-group" number 10 and applied
> policer "bw-20Mbps" to the "interface-group":
>
> [edit]
> root@M20# show interfaces ge-1/1/0
> vlan-tagging;
> mtu 9000;
> encapsulation vlan-ccc;
> unit 534 {
>     description CCC-test;
>     encapsulation vlan-ccc;
>     bandwidth 20m;
>     vlan-id 534;
>     family ccc {
>         filter {
>             input if-group-filter;
>             group 10;
>         }
>     }
> }
> unit 541 {
>     description CCC-test;
>     encapsulation vlan-ccc;
>     bandwidth 20m;
>     vlan-id 541;
>     family ccc {
>         filter {
>             input if-group-filter;
>             group 10;
>         }
>     }
> }
> unit 653 {
>     description CCC-test;
>     encapsulation vlan-ccc;
>     bandwidth 20m;
>     vlan-id 653;
>     family ccc {
>         filter {
>             input if-group-filter;
>             group 10;
>         }
>     }
> }
>
> [edit]
> root@M20# show firewall
> policer bw-20Mbps {
>     if-exceeding {
>         bandwidth-limit 20m;
>         burst-size-limit 512k;
>     }
>     then discard;
> }
> family ccc {
>     filter if-group-filter {
>         term if-group-term {
>             from {
>                 interface-group 10;
>             }
>             then policer bw-20Mbps;
>         }
>     }
> }
>
> [edit]
> root@M20#
>
>
> Now if I start Iperf in bidirectional simultaneous mode in one of the
> workstations on all three interfaces at the same time, I get around
> 18Mbps on all three VLAN's while I was expecting to receive about
> 6.5Mbps. In other words ge-1/1/0.534, ge-1/1/0.541 and ge-1/1/0.653 do
> not share the bw-20Mbps policer. Am I doing this wrong? Or is it
> impossible to police multiple family ccc interfaces with one shared
> policer on M(or MX) series?
>
>
> regards,
> Martin
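
The throughput test described in the quoted message separates two cases: one policer instance shared by all three units, or one instance per unit. The following is an added example, not part of the original post and not Junos code; it models bw-20Mbps as an idealised token bucket and assumes each unit is offered 100 Mbit/s of 1500-byte packets with random gaps (iperf TCP will behave differently) and that 512k means 512000 bytes.

```python
import random

RATE_BPS = 20_000_000    # bandwidth-limit 20m
BURST_BYTES = 512_000    # burst-size-limit 512k (k taken as 1000: assumption)
UNITS = ("ge-1/1/0.534", "ge-1/1/0.541", "ge-1/1/0.653")

class TokenBucket:
    """Single-rate policer: a packet without enough tokens is discarded."""
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0        # refill rate in bytes per second
        self.burst = burst_bytes
        self.tokens = burst_bytes         # bucket starts full
        self.last = 0.0

    def conforms(self, now, size):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False

def simulate(shared, offered_bps=100e6, pkt=1500, duration=10.0, seed=1):
    """Return {unit: passed Mbit/s}; shared=True uses one bucket for all units."""
    rng = random.Random(seed)             # seeded so runs are repeatable
    mean_gap = pkt * 8 / offered_bps
    events = []
    for unit in UNITS:
        t = rng.expovariate(1 / mean_gap)
        while t < duration:
            events.append((t, unit))
            t += rng.expovariate(1 / mean_gap)
    events.sort()                         # merge the three flows by arrival time
    one = TokenBucket(RATE_BPS, BURST_BYTES)
    buckets = {u: one if shared else TokenBucket(RATE_BPS, BURST_BYTES)
               for u in UNITS}
    passed = dict.fromkeys(UNITS, 0)
    for now, unit in events:
        if buckets[unit].conforms(now, pkt):
            passed[unit] += pkt
    return {u: passed[u] * 8 / duration / 1e6 for u in UNITS}

if __name__ == "__main__":
    for label, shared in (("shared", True), ("per-unit", False)):
        rates = simulate(shared)
        print(label, {u: round(r, 1) for u, r in rates.items()},
              "total", round(sum(rates.values()), 1))
```

In this model a shared instance holds the sum across the three units near 20 Mbit/s, while per-unit instances let each unit reach about 20 Mbit/s on its own, so the aggregate rate is the figure to compare against the policer limit.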

