[j-nsp] Aggregated policing question

Cydon Satyr cydonsatyr at gmail.com
Sat Apr 18 08:11:51 EDT 2015 

So having a single instance of policer does not mean the traffic will get
measured as aggregate trough the policer, it simply means counters will be
shown in one instance...
I think that part was confusing.

Thanks again

On Sat, Apr 18, 2015 at 1:54 PM, Amarjeet Singh <techie.logging at gmail.com>
wrote:

> # If policer is called in FF and even if that FF is applied to multiple
> interfaces (but those interfaces share same PFE then) it only creates
> single instance.
>
> # When policer is called in a FF and in different terms of that FF then it
> creates unique instance of policer for each term.
> To override it we can use knob "filter specific" it creates single
> instance for that FF regardless policer is called in different/multiple
> terms.
>
> # If needed to rate-limit the combined traffic of multiple VLANS of
> physical interface then use "physical-interface-knob" like i mentioned in
> earlier example.
>
> Br, Amarjeet
>
>
> On Thu, Apr 16, 2015 at 9:51 PM, Cydon Satyr <cydonsatyr at gmail.com> wrote:
>
>> It works :)
>> Thanks!
>>
>> Please, if you don't mind just helping me clear this confusion - why does
>> documentation says that filter using policer will by default share one
>> instance of that policer? When does this apply then?
>> Also will your physical-interface-filter share policer instance if
>> applied to different physical interfaces, for example 2/0/1.10 and
>> 2/0/2.10? How to share among these when they have same PFE?
>>
>> Thanks a lot again you don't need to answer above I'm just confused a bit
>> about what documentation says.
>>
>> Regards!!
>>
>> On Wed, Apr 15, 2015 at 7:04 PM, Amarjeet Singh <techie.logging at gmail.com
>> > wrote:
>>
>>> Hello Cydon - adding "filter-specific" knob will not help if you want to
>>>> police 2 x IFL's as aggregate/combines rate.
>>>>
>>>
>>> Use "physical-interface" knob for policer & Filter if you want your
>>> IFL's ge-1/0/0.10 & ge-1/0/0.20 don't exceed rate 256kbs.
>>>
>>> In your example
>>>
>>> policer 256K-srTC {
>>> physical-interface-policer ######
>>>     if-exceeding {
>>>          bandwidth-limit 256k;
>>>          burst-size-limit 15k;
>>>      }
>>>     then discard;
>>>  }
>>>
>>> filter agg-inet-policer-256K {
>>> physical-interface-filter; #####
>>>       term 10 {
>>>          then {
>>>              policer 256K-srTC;
>>>          }
>>>       }
>>>     }
>>>
>>> Apply above on input of your both IFL's and thanks me later ;)
>>>
>>> Br, Amarjeet
>>>
>>>
>>>>
>>>>
>>>>
>>>>
>>>> Date: Tue, 14 Apr 2015 19:42:29 +0200
>>>> From: Cydon Satyr <cydonsatyr at gmail.com>
>>>> To: Eduardo Schoedler <listas at esds.com.br>
>>>> Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
>>>> Subject: Re: [j-nsp] Aggregated policing question
>>>> Message-ID:
>>>>         <CAF0PUwdf6jBJ_zEXLiho16E6qLY2i909QpUT_+=
>>>> QJYYZoL5yQg at mail.gmail.com>
>>>> Content-Type: text/plain; charset=UTF-8
>>>>
>>>>
>>>> Maybe somebody has another idea?
>>>>
>>>> Eduardo, thanks for the suggestion again.
>>>>
>>>> BR
>>>>
>>>> On Sun, Apr 12, 2015 at 8:28 PM, Cydon Satyr <cydonsatyr at gmail.com>
>>>> wrote:
>>>>
>>>> > Doesn't help.
>>>> >
>>>> > Wouldn't that know make it non-aggregate anyway?
>>>> >
>>>> > BR
>>>> >
>>>> > On Sun, Apr 12, 2015 at 8:17 PM, Eduardo Schoedler <
>>>> listas at esds.com.br>
>>>> > wrote:
>>>> >
>>>> >> Try set "filter-specific" in the policer.
>>>> >>
>>>> >> --
>>>> >> Eduardo Schoedler
>>>> >>
>>>> >> Em domingo, 12 de abril de 2015, Cydon Satyr <cydonsatyr at gmail.com>
>>>> >> escreveu:
>>>> >>
>>>> >>> Juniper documentation mentions that regular srTC policer applied in
>>>> >>> regular
>>>> >>> firewall filter will be shared among all interfaces that use that
>>>> filter
>>>> >>> (if those interfaces share same PFE).
>>>> >>>
>>>> >>> So, the following configuration would mean that when applied to two
>>>> inet
>>>> >>> IFL on the same IFF, ingress traffic would be policed at total of
>>>> 256K.
>>>> >>>
>>>> >>>
>>>> >>> policer 256K-srTC {
>>>> >>>     if-exceeding {
>>>> >>>         bandwidth-limit 256k;
>>>> >>>         burst-size-limit 15k;
>>>> >>>     }
>>>> >>>     then discard;
>>>> >>> }
>>>> >>>
>>>> >>>   filter agg-inet-policer-256K {
>>>> >>>       term 10 {
>>>> >>>           then {
>>>> >>>               policer 256K-srTC;
>>>> >>>            }
>>>> >>>       }
>>>> >>>     }
>>>> >>>
>>>> >>> Except that it doesn't - if I apply this to say ge-1/0/0.10 and
>>>> >>> ge-1/0/0.20, aggregate rate is 500k.
>>>> >>>
>>>> >>> Am I missing something here?
>>>> >>>
>>>> >>> BTW, this is on M320 if it makes a difference.
>>>> >>>
>>>> >>> BR
>>>> >>> _______________________________________________
>>>> >>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>> >>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>> >>>
>>>> >>
>>>> >>
>>>> >> --
>>>> >> Eduardo Schoedler
>>>> >>
>>>> >>
>>>> >
>>>>
>>>>
>>>> -
>>>
>>>
>>
>

More information about the juniper-nsp mailing list