[j-nsp] instance-specific filters for VPLS BUM/flood filtering

Christopher E. Brown chris.brown at acsalaska.net
Fri Nov 9 14:57:11 EST 2012


Please share case #, I have the same complaints in discussion with our SE
and up that chain.

Personally I think they need to add "instance-specific" as a keyword to
the policer to make them shared or not-shared by choice.  95% of the
time I need unshared, but can think of a few cases where shared would be
useful.


On 11/8/12 7:06 AM, Saku Ytti wrote:
> 
>>> In my mind, the default is fine.  It is consistent with normal behavior
>>> and there are times when a shared policer would be desired.  The lack of
>>> an instance-specific option though, that is stupid beyond belief,
>>> shocking surprise.
>>
>> To me the biggest problem is, you cannot know if instance policers are
>> shared or not, as it is version dependent.
> 
> I opened JTAC case (I can unicast case# if you want to pass it to your
> account team).
> 
> Query:
> ----
> Case A)
> 
> # show firewall filter PROTECT-FROM_IP_OPTION 
> term police-ip-options {
>     from {
>         ip-options any;
>     }
>     then {
>         policer POLICE-IP_OPTIONS;
>         count police-ip-options;
>     }
> }
> term accept-all {
>     then {
>         count accept-all;
>         accept;
>     }
> }
> 
> # show firewall policer POLICE-IP_OPTIONS 
> if-exceeding {
>     bandwidth-limit 3m;
>     burst-size-limit 3200000;
> }
> then discard;
> 
> set routing-instances RED forwarding-options family inet filter  PROTECT-FROM_IP_OPTION
> set routing-instances BLUE forwarding-options family inet filter  PROTECT-FROM_IP_OPTION
> 
> Will RED and BLUE share 3Mbps, or will each get own 3Mbps?
> 
> Case B)
> 
>> ...amily vpls filter PROTECT-UNKNOWN_UNICAST
> term unknown_unicast {
>     from {
>         traffic-type unknown-unicast;
>     }
>     then {
>         policer POLICE-UNKNOWN_UNICAST;
>         accept;
>     }
> }
> term accep {
>     then accept;
> }
> 
>> show configuration firewall policer POLICE-UNKNOWN_UNICAST 
> if-exceeding {
>     bandwidth-limit 42m;
>     burst-size-limit 100k;
> }
> then discard;
> 
> set routing-instances GREEN forwarding-options family vpls filter input PROTECT-UNKNOWN_UNICAST
> set routing-instances YELLOW forwarding-options family vpls filter input PROTECT-UNKNOWN_UNICAST
> 
> Will GREEN, YELLOW share 42Mbps or get own 42Mbps policers?
> ----
> 
> 
> 
> JTAC response
> ----
> Query: If you configure same FW with policer to multiple instances, what is expected result? Should policer be shared or should it be dedicated per instances?
> JTAC: It will be dedicated per instance. In your example RED and BLUE will consume 3MB independently.
> ---
> 
> 
> 
> 
> But as per my own testing, I know IP-OPTIONS policer was shared in 10.4 (which
> is what I want for IP options). And VPLS policer I want not-shared, as in 11.4.
> 
> 


-- 
------------------------------------------------------------------------
Christopher E. Brown   <chris.brown at acsalaska.net>   desk (907) 550-8393
                                                     cell (907) 632-8492
IP Engineer - ACS
------------------------------------------------------------------------
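
An audit sketch for the situation discussed in this thread, added here as an example and not code from either poster or from Juniper: it scans set-format configuration for policers reachable from more than one routing instance through a forwarding-options filter, which are the ones whose shared or per-instance behaviour has to be tested on the running release. The set-format lines are constructed from the thread's cases A and B; the ORANGE instance, SOLO filter and POLICE-SOLO policer are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's cases A and B in "set" format, plus one hypothetical single-use filter.
SAMPLE_CONFIG = """\
set firewall filter PROTECT-FROM_IP_OPTION term police-ip-options from ip-options any
set firewall filter PROTECT-FROM_IP_OPTION term police-ip-options then policer POLICE-IP_OPTIONS
set firewall filter PROTECT-FROM_IP_OPTION term accept-all then accept
set firewall family vpls filter PROTECT-UNKNOWN_UNICAST term unknown_unicast then policer POLICE-UNKNOWN_UNICAST
set firewall family vpls filter SOLO term t1 then policer POLICE-SOLO
set routing-instances RED forwarding-options family inet filter  PROTECT-FROM_IP_OPTION
set routing-instances BLUE forwarding-options family inet filter  PROTECT-FROM_IP_OPTION
set routing-instances GREEN forwarding-options family vpls filter input PROTECT-UNKNOWN_UNICAST
set routing-instances YELLOW forwarding-options family vpls filter input PROTECT-UNKNOWN_UNICAST
set routing-instances ORANGE forwarding-options family vpls filter input SOLO
"""

POLICER_RE = re.compile(
    r"^set firewall (?:family (\S+) )?filter (\S+) term \S+ then policer (\S+)")
ATTACH_RE = re.compile(
    r"^set routing-instances (\S+) forwarding-options family (\S+) "
    r"filter (?:(?:input|output) )?(\S+)")

def policers_spanning_instances(config_text):
    """Return {policer: sorted instance names} for policers reachable from
    more than one routing instance via a forwarding-options filter."""
    filter_policers = defaultdict(set)   # (family, filter) -> policers it references
    filter_instances = defaultdict(set)  # (family, filter) -> instances applying it
    for line in config_text.splitlines():
        line = " ".join(line.split())    # collapse repeated spaces, as seen in the thread
        m = POLICER_RE.match(line)
        if m:  # "firewall filter X" without a family is treated as family inet
            filter_policers[(m.group(1) or "inet", m.group(2))].add(m.group(3))
            continue
        m = ATTACH_RE.match(line)
        if m:
            filter_instances[(m.group(2), m.group(3))].add(m.group(1))
    reach = defaultdict(set)
    for key, policers in filter_policers.items():
        for policer in policers:
            reach[policer] |= filter_instances.get(key, set())
    return {p: sorted(i) for p, i in reach.items() if len(i) > 1}

if __name__ == "__main__":
    for policer, instances in sorted(policers_spanning_instances(SAMPLE_CONFIG).items()):
        print(f"{policer}: applied in {', '.join(instances)}; verify shared vs per-instance")
```
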

