[j-nsp] instance-specific filters for VPLS BUM/flood filtering

Saku Ytti saku at ytti.fi
Thu Nov 8 11:06:06 EST 2012 

> > In my mind, the default is fine.  It is consistent with normal behavior
> > and there are times when a shared policer would be desired.  The lack of
> > a instance specific option though, that is stupid beyond belief,
> > shocking surprise.
> 
> To me the biggest problem is, you cannot know if instance policers are
> shared or not, as it is version dependent.

I opened JTAC case (I can unicast case# if you want to pass it to your
account team).

Query:
----
Case A)

# show firewall filter PROTECT-FROM_IP_OPTION 

term police-ip-options {

    from {

        ip-options any;

    }

    then {

        policer POLICE-IP_OPTIONS;

        count police-ip-options;

    }

}

term accept-all {

    then {

        count accept-all;

        accept;

    }

}



# show firewall policer POLICE-IP_OPTIONS 

if-exceeding {

    bandwidth-limit 3m;

    burst-size-limit 3200000;

}

then discard;



set routing-instances RED forwarding-options family inet filter  PROTECT-FROM_IP_OPTION

set routing-instances BLUE forwarding-options family inet filter  PROTECT-FROM_IP_OPTION



Will RED and BLUE share 3Mbps, or will each get own 3Mbps?





Case B)



> ...amily vpls filter PROTECT-UNKNOWN_UNICAST                
            

term unknown_unicast {

    from {

        traffic-type unknown-unicast;

    }

    then {

        policer POLICE-UNKNOWN_UNICAST;

        accept;

    }

}

term accep {

    then accept;

}



> show configuration firewall policer POLICE-UNKNOWN_UNICAST 

if-exceeding {

    bandwidth-limit 42m;

    burst-size-limit 100k;

}

then discard;



set routing-instances GREEN forwarding-options family vpls filter input 
PROTECT-UNKNOWN_UNICAST

set routing-instances YELLOW forwarding-options family vpls filter input 
PROTECT-UNKNOWN_UNICAST



Will GREEN, YELLOW share 42Mbps or get own 42Mbps policers?
----



JTAC response
----
Query: If you configure same FW with policer to multiple instances, what is expected result? Should policer be shared or should it be dedicated per instances?
JTAC: It will be dedicated per instance. In your example RED and BLUE will consume 3MB independently.
---




But as per my own testing, I know IP-OPTIONS policer was shared in 10.4 (which
is what I want for IP options). And VPLS policer I want not-shared, as in 11.4.


-- 
  ++ytti

More information about the juniper-nsp mailing list