[j-nsp] Aggregated policing question

Amarjeet Singh techie.logging at gmail.com
Sat Apr 18 07:54:30 EDT 2015


# If a policer is called in a FF, then even if that FF is applied to multiple
interfaces (as long as those interfaces share the same PFE) it creates only a
single instance.

# When a policer is called in a FF in different terms of that FF, it
creates a unique instance of the policer for each term.
To override this we can use the "filter-specific" knob; it creates a single
instance for that FF regardless of whether the policer is called in
different/multiple terms.

# If you need to rate-limit the combined traffic of multiple VLANs of a
physical interface, then use the "physical-interface" knob like I mentioned
in the earlier example.

Br, Amarjeet


On Thu, Apr 16, 2015 at 9:51 PM, Cydon Satyr <cydonsatyr at gmail.com> wrote:

> It works :)
> Thanks!
>
> Please, if you don't mind, just help me clear up this confusion - why does
> the documentation say that a filter using a policer will by default share one
> instance of that policer? When does this apply then?
> Also, will your physical-interface-filter share a policer instance if applied
> to different physical interfaces, for example 2/0/1.10 and 2/0/2.10? How to
> share among these when they have the same PFE?
>
> Thanks a lot again; you don't need to answer the above, I'm just a bit confused
> about what the documentation says.
>
> Regards!!
>
> On Wed, Apr 15, 2015 at 7:04 PM, Amarjeet Singh <techie.logging at gmail.com>
> wrote:
>
>> Hello Cydon - adding the "filter-specific" knob will not help if you want to
>>> police 2 x IFLs at an aggregate/combined rate.
>>>
>>
>> Use the "physical-interface" knob for the policer & filter if you want your IFLs
>> ge-1/0/0.10 & ge-1/0/0.20 not to exceed a rate of 256kbs.
>>
>> In your example
>>
>> policer 256K-srTC {
>> physical-interface-policer; ######
>>     if-exceeding {
>>          bandwidth-limit 256k;
>>          burst-size-limit 15k;
>>      }
>>     then discard;
>>  }
>>
>> filter agg-inet-policer-256K {
>> physical-interface-filter; #####
>>       term 10 {
>>          then {
>>              policer 256K-srTC;
>>          }
>>       }
>>     }
>>
>> Apply the above on input of both your IFLs and thank me later ;)
>>
>> Br, Amarjeet
>>
>>
>>>
>>>
>>>
>>>
>>> Date: Tue, 14 Apr 2015 19:42:29 +0200
>>> From: Cydon Satyr <cydonsatyr at gmail.com>
>>> To: Eduardo Schoedler <listas at esds.com.br>
>>> Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
>>> Subject: Re: [j-nsp] Aggregated policing question
>>> Message-ID:
>>>         <CAF0PUwdf6jBJ_zEXLiho16E6qLY2i909QpUT_+=
>>> QJYYZoL5yQg at mail.gmail.com>
>>> Content-Type: text/plain; charset=UTF-8
>>>
>>>
>>> Maybe somebody has another idea?
>>>
>>> Eduardo, thanks for the suggestion again.
>>>
>>> BR
>>>
>>> On Sun, Apr 12, 2015 at 8:28 PM, Cydon Satyr <cydonsatyr at gmail.com>
>>> wrote:
>>>
>>> > Doesn't help.
>>> >
>>> > Wouldn't that knob make it non-aggregate anyway?
>>> >
>>> > BR
>>> >
>>> > On Sun, Apr 12, 2015 at 8:17 PM, Eduardo Schoedler <listas at esds.com.br>
>>> > wrote:
>>> >
>>> >> Try set "filter-specific" in the policer.
>>> >>
>>> >> --
>>> >> Eduardo Schoedler
>>> >>
>>> >> On Sunday, April 12, 2015, Cydon Satyr <cydonsatyr at gmail.com>
>>> >> wrote:
>>> >>
>>> >>> Juniper documentation mentions that regular srTC policer applied in regular
>>> >>> firewall filter will be shared among all interfaces that use that filter
>>> >>> (if those interfaces share same PFE).
>>> >>>
>>> >>> So, the following configuration would mean that when applied to two inet
>>> >>> IFL on the same IFF, ingress traffic would be policed at total of 256K.
>>> >>>
>>> >>>
>>> >>> policer 256K-srTC {
>>> >>>     if-exceeding {
>>> >>>         bandwidth-limit 256k;
>>> >>>         burst-size-limit 15k;
>>> >>>     }
>>> >>>     then discard;
>>> >>> }
>>> >>>
>>> >>>   filter agg-inet-policer-256K {
>>> >>>       term 10 {
>>> >>>           then {
>>> >>>               policer 256K-srTC;
>>> >>>            }
>>> >>>       }
>>> >>>     }
>>> >>>
>>> >>> Except that it doesn't - if I apply this to say ge-1/0/0.10 and
>>> >>> ge-1/0/0.20, aggregate rate is 500k.
>>> >>>
>>> >>> Am I missing something here?
>>> >>>
>>> >>> BTW, this is on M320 if it makes a difference.
>>> >>>
>>> >>> BR
>>> >>> _______________________________________________
>>> >>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> >>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>> >>>
>>> >>
>>> >>
>>> >> --
>>> >> Eduardo Schoedler
>>> >>
>>> >>
>>> >
>>>
>>>
>>> -
>>
>>
>
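An added illustration, not part of the original thread and not Junos code: a simplified token-bucket model of the 256k / 15k policer from the thread, comparing one policer instance per IFL with a single instance shared by both IFLs of the physical interface. The names `Policer` and `aggregate_kbps`, the 1 Mbit/s offered load per IFL and the 500-byte packet size are assumptions chosen for the example.

```python
# Simplified single-rate token-bucket model (constructed; not the PFE's algorithm).
RATE_BPS = 256_000      # bandwidth-limit 256k (bits per second)
BURST_BYTES = 15_000    # burst-size-limit 15k (bytes)

class Policer:
    """One policer instance: a token bucket refilled at rate_bps."""
    def __init__(self, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
        self.rate_bytes = rate_bps / 8
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def admit(self, now, size):
        # Refill for the elapsed time, capped at the burst size.
        refill = (now - self.last) * self.rate_bytes
        self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False    # "then discard"

def aggregate_kbps(ifls, shared, seconds=60, offered_bps=1_000_000, pkt=500):
    """Offer offered_bps on every IFL; return the combined admitted kbit/s.

    shared=False: each IFL gets its own instance (the ~500k result in the thread).
    shared=True:  one instance for the whole physical interface
                  (the physical-interface-policer case).
    """
    one = Policer()
    instances = {ifl: (one if shared else Policer()) for ifl in ifls}
    interval = pkt * 8 / offered_bps          # packet spacing on each IFL
    passed = 0
    for i in range(round(seconds / interval)):
        now = i * interval
        for ifl in ifls:
            if instances[ifl].admit(now, pkt):
                passed += pkt
    return passed * 8 / seconds / 1000

IFLS = ["ge-1/0/0.10", "ge-1/0/0.20"]         # IFLs named in the thread

if __name__ == "__main__":
    print("per-IFL instances:", round(aggregate_kbps(IFLS, shared=False)), "kbit/s")
    print("shared instance:  ", round(aggregate_kbps(IFLS, shared=True)), "kbit/s")
```

The small excess over 256k in the model comes from the initial 15k-byte burst being spent within the 60-second window.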

