[j-nsp] Multiple policers for interface/units
Dan Peachey
dan at illusionnetworks.com
Thu Jun 4 10:19:56 EDT 2015
On 2 June 2015 at 21:15, Chris Adams <cma at cmadams.net> wrote:
> I have used policers on units to limit the traffic for a particular
> VLAN, but now I have a need to limit the total traffic on an interface.
> I have a gigE link that is telco-limited to 500Mbps (but I need to
> police the link so I don't put more than 500M in), with several VLANs
> that each need to have their own rate.
>
> I haven't done that before; what's the best way to do that?
>
> This is on an MX960.
> --
> Chris Adams <cma at cmadams.net>
>
Hi Chris,

I've done aggregate policing before although not hierarchical, but I'll
have a go at suggesting what might work.

The aggregate policing can be achieved with a firewall filter and policer
combo and under the policer you need 'physical-interface-policer'. This
needs to be applied to all IFL's.

Then I think you can police each IFL with the 'policer' command. The output
policers should be evaluated after the firewall filters so in theory it
should work.

I haven't tested it but would be interested to know if you get it to work.

Config would look something like:
firewall {
    family inet {
        filter AGG_POLICE_500M {
            physical-interface-filter;
            term POLICE {
                then {
                    policer POLICER_AGG_500M;
                }
            }
        }
    }
    policer POLICER_AGG_500M {
        physical-interface-policer;
        if-exceeding {
            bandwidth-limit 500m;
            burst-size-limit 312500;
        }
        then discard;
    }
    policer POLICER_100M {
        if-exceeding {
            bandwidth-limit 100m;
            burst-size-limit 62500;
        }
        then discard;
    }
}
interfaces {
    ge-0/0/0 {
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
        unit 100 {
            vlan-id 100;
            family inet {
                filter {
                    output AGG_POLICE_500M;
                }
                policer {
                    output POLICER_100M;
                }
            }
        }
        unit 200 {
            vlan-id 200;
            family inet {
                filter {
                    output AGG_POLICE_500M;
                }
                policer {
                    output POLICER_100M;
                }
            }
        }
    }
}
Cheers,
Dan
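
Added example, not part of the post above and not Juniper tooling: a small Python lint for the two conditions the suggested config depends on, that the filter and the policer it calls are both physical-interface scoped, and that every unit on the interface has the filter applied on output. The sample is constructed from the post's config with a hypothetical unit 300 (using a documentation address) that lacks the filter; the function names are illustrative.

```python
import re

# Constructed sample: the post's config, trimmed, plus a unit 300 without the filter.
SAMPLE = """
firewall {
  family inet { filter AGG_POLICE_500M { physical-interface-filter;
    term POLICE { then { policer POLICER_AGG_500M; } } } }
  policer POLICER_AGG_500M { physical-interface-policer;
    if-exceeding { bandwidth-limit 500m; burst-size-limit 312500; } then discard; }
}
interfaces { ge-0/0/0 {
  unit 100 { vlan-id 100; family inet { filter { output AGG_POLICE_500M; } } }
  unit 200 { vlan-id 200; family inet { filter { output AGG_POLICE_500M; } } }
  unit 300 { vlan-id 300; family inet { address 192.0.2.1/24; } }
} }
"""

def parse_junos(text):
    """Parse curly-brace config into nested dicts; leaf statements map to None."""
    stack, words = [{}], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    return stack[0]

def is_aggregate(cfg, name, family="family inet"):
    """True if the filter and each policer its terms call are physical-interface scoped."""
    fw = cfg["firewall"]
    filt = fw[family][f"filter {name}"]
    called = [k.split()[1] for t, body in filt.items() if t.startswith("term ")
              for k in (body.get("then") or {}) if k.startswith("policer ")]
    return ("physical-interface-filter" in filt and bool(called) and
            all("physical-interface-policer" in fw[f"policer {p}"] for p in called))

def units_missing_filter(cfg, ifd, name, family="family inet"):
    """Units on ifd lacking `output name`; they are not counted against the aggregate."""
    return [key for key, unit in cfg["interfaces"][ifd].items()
            if key.startswith("unit ") and
            f"output {name}" not in ((unit.get(family) or {}).get("filter") or {})]
```

Run `units_missing_filter(parse_junos(SAMPLE), "ge-0/0/0", "AGG_POLICE_500M")` to list the units that still need the filter.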