[j-nsp] instance-specific filters for VPLS BUM/flood filtering
Christopher E. Brown
chris.brown at acsalaska.net
Fri Dec 21 20:57:05 EST 2012
Well, I just re-tested this in
10.4R9
10.4R10
10.4R11
10.4R12
11.4R6
On MX960 RE2000/MPC2 and MX80
In all cases, set to "network-services ip" or "network-services enhanced-ip" (with a
reboot between to actually switch) I always see a single filter and policer set shared
across multiple instances.
I just opened a case and cited the closed PR and bogus/unsolved.
On 11/14/2012 11:08 AM, Christopher E. Brown wrote:
>
> Except I am running network-services ip not enhanced-ip, and 10.4R10 now
> R11 (PR lists R9 as "fixed") and am seeing shared policers.
>
>
>
> On 11/14/12 8:19 AM, Addy Mathur wrote:
>> Folks:
>>
>> When Trio MPCs were released, original behavior pertaining to policer
>> behavior on VPLS instances was different from that observed on I-CHIP
>> DPCs (as has been uncovered in this thread). This was changed via
>> PR/674408, which should now be externally viewable. It changes the
>> default Trio MPC behavior to be more in line with I-CHIP DPC default.
>>
>> https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR674408
>>
>> Regards,
>> Addy.
>>
>> On Fri, Nov 9, 2012 at 2:57 PM, Christopher E. Brown
>> <chris.brown at acsalaska.net> wrote:
>>
>>
>> Please share case #, I have same complaints in discussion with our SE
>> and up that chain.
>>
>> Personally I think they need to add "instance-specific" as a keyword to
>> the policer to make them shared or not-shared by choice. 95% of the
>> time I need unshared, but can think of a few cases where shared should be
>> useful.
>>
>>
>> On 11/8/12 7:06 AM, Saku Ytti wrote:
>> >
>> >>> In my mind, the default is fine. It is consistent with normal behavior
>> >>> and there are times when a shared policer would be desired. The lack of
>> >>> an instance specific option though, that is stupid beyond belief,
>> >>> shocking surprise.
>> >>
>> >> To me the biggest problem is, you cannot know if instance policers are
>> >> shared or not, as it is version dependent.
>> >
>> > I opened JTAC case (I can unicast case# if you want to pass it to your
>> > account team).
>> >
>> > Query:
>> > ----
>> > Case A)
>> >
>> > # show firewall filter PROTECT-FROM_IP_OPTION
>> > term police-ip-options {
>> >     from {
>> >         ip-options any;
>> >     }
>> >     then {
>> >         policer POLICE-IP_OPTIONS;
>> >         count police-ip-options;
>> >     }
>> > }
>> > term accept-all {
>> >     then {
>> >         count accept-all;
>> >         accept;
>> >     }
>> > }
>> >
>> > # show firewall policer POLICE-IP_OPTIONS
>> > if-exceeding {
>> >     bandwidth-limit 3m;
>> >     burst-size-limit 3200000;
>> > }
>> > then discard;
>> >
>> > set routing-instances RED forwarding-options family inet filter PROTECT-FROM_IP_OPTION
>> > set routing-instances BLUE forwarding-options family inet filter PROTECT-FROM_IP_OPTION
>> >
>> > Will RED and BLUE share 3Mbps, or will each get own 3Mbps?
>> >
>> > Case B)
>> >
>> >> ...amily vpls filter PROTECT-UNKNOWN_UNICAST
>> > term unknown_unicast {
>> >     from {
>> >         traffic-type unknown-unicast;
>> >     }
>> >     then {
>> >         policer POLICE-UNKNOWN_UNICAST;
>> >         accept;
>> >     }
>> > }
>> > term accep {
>> >     then accept;
>> > }
>> >
>> >> show configuration firewall policer POLICE-UNKNOWN_UNICAST
>> > if-exceeding {
>> >     bandwidth-limit 42m;
>> >     burst-size-limit 100k;
>> > }
>> > then discard;
>> >
>> > set routing-instances GREEN forwarding-options family vpls filter input PROTECT-UNKNOWN_UNICAST
>> > set routing-instances YELLOW forwarding-options family vpls filter input PROTECT-UNKNOWN_UNICAST
>> >
>> > Will GREEN, YELLOW share 42Mbps or get own 42Mbps policers?
>> > ----
>> >
>> >
>> >
>> > JTAC response
>> > ----
>> > Query: If you configure same FW with policer to multiple instances,
>> > what is expected result? Should policer be shared or should it be
>> > dedicated per instances?
>> > JTAC: It will be dedicated per instance. In your example RED and BLUE
>> > will consume 3MB independently.
>> > ---
>> >
>> >
>> >
>> >
>> > But as per my own testing, I know IP-OPTIONS policer was shared in 10.4
>> > (which is what I want for IP options). And VPLS policer I want
>> > not-shared, as in 11.4.
>> >
>> >
>>
>>
>> --
>> ------------------------------------------------------------------------
>> Christopher E. Brown <chris.brown at acsalaska.net> desk (907) 550-8393
>> cell (907) 632-8492
>> IP Engineer - ACS
>> ------------------------------------------------------------------------
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>>
>
>
--
------------------------------------------------------------------------
Christopher E. Brown <chris.brown at acsalaska.net> desk (907) 550-8393
cell (907) 632-8492
IP Engineer - ACS
------------------------------------------------------------------------
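
The following is an added example, not part of the thread and not Juniper code: a token-bucket model of the Case B policer (bandwidth-limit 42m, burst-size-limit 100k) showing why the shared-versus-dedicated question matters for flood filtering. The frame size, the offered rates for GREEN and YELLOW, the reading of 100k as 100,000 bytes, and the rule that GREEN is processed first at equal timestamps are all assumptions made for the simulation.

```python
from dataclasses import dataclass, field

PKT = 1500  # bytes per frame (constructed)
# Constructed offered load, as microseconds between frames per instance:
# GREEN floods at 80 Mbps, YELLOW sends a well-behaved 12 Mbps.
OFFERED = {"GREEN": 150, "YELLOW": 1000}


@dataclass
class Policer:
    """Single-rate token bucket: rate in bits/s, burst in bytes."""
    rate_bps: int
    burst_bytes: int
    tokens: float = field(init=False)
    last_us: int = 0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)  # bucket starts full

    def conforms(self, now_us, size):
        # Refill for the elapsed time, capped at the burst size.
        refill = (now_us - self.last_us) * self.rate_bps / 8 / 1_000_000
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_us = now_us
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False  # "then discard"


def simulate(shared, offered=OFFERED, duration_us=1_000_000):
    """Return per-instance forwarded/dropped frame counts.

    shared=True  -> one policer instance serves every routing instance
    shared=False -> each routing instance gets its own policer
    """
    common = Policer(42_000_000, 100_000)
    policers = {n: common if shared else Policer(42_000_000, 100_000)
                for n in offered}
    # Merge both arrival streams; ties sort by name, so GREEN goes first.
    events = sorted((t, n) for n, step in offered.items()
                    for t in range(0, duration_us, step))
    stats = {n: {"forwarded": 0, "dropped": 0} for n in offered}
    for t, n in events:
        verdict = "forwarded" if policers[n].conforms(t, PKT) else "dropped"
        stats[n][verdict] += 1
    return stats


if __name__ == "__main__":
    for mode in (True, False):
        print("shared" if mode else "dedicated", simulate(mode))
```

With a shared policer the flooding instance drains the bucket and the quiet instance loses frames although it is far below 42 Mbps on its own; with dedicated policers only the flooding instance is policed.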