[j-nsp] instance-specific filters for VPLS BUM/flood filtering

Saku Ytti saku at ytti.fi
Tue Nov 6 08:25:31 EST 2012


On (2012-11-06 13:43 +0100), Sebastian Wiesinger wrote:

> Just to be sure, could you try to use the "interface-specific" keyword
> for your filter?

You should have tried that, it won't commit. It was the first thing I tried
when testing VPLS.

> I wonder if someone can clear this up. I think shared filters are more
> intuitive and in line with how "normal" interface filters work. But
> then I would need that "instance-specific" knob.

Agreed. I was surprised by my results, in fact so surprised I started to
doubt myself, so I just retested. nqe2 is sending traffic to nqe1, nqe1
is not sending anything, so traffic is unidirectional.

I have the same FW filter attached to both VPLS instances:
policer POLICE-UNKNOWN_UNICAST {
    if-exceeding {
        bandwidth-limit 10m;
        burst-size-limit 100k;
    }
    then discard;
}

Here is what I'm seeing: http://ip.fi/uu10m.png

After issuing
[edit firewall policer POLICE-UNKNOWN_UNICAST]
ytti@nqe1-re0.dk# set if-exceeding bandwidth-limit 42m

Here is what I'm seeing: http://ip.fi/uu42m.png

> At the moment I only see the "solution" to have individual flood
> filters for every VPLS instance which makes large-scale deployment
> complicated (I wanted to apply a standard filter in an apply-group).

Yes.

-- 
  ++ytti

