[j-nsp] Service Provider Shaping vs Policing

James Jun james at towardex.com
Wed Apr 19 12:53:25 EDT 2017


On Wed, Apr 19, 2017 at 11:55:37AM -0400, Shamen Snyder wrote:
> I'm curious as to what other Juniper service providers are doing for
> their internet customers. I assume most probably shape or police at the
> customer CPE or as close as they can to it.
> 
> We are currently in a position where we terminate internet customers in
> the POP that we purchase bulk transit in several collocations around the
> United States. Then carry customer internet traffic back to the IP
> termination via our MPLS network.

We have a similar setup; we backhaul customers to the IP POP via our MPLS transport network in the
metro.

We set up 10GE NNI interfaces between IP and transport network and configure shaping on the NNI
to subscriber line speed for that EVC.  Likewise, for the customer's upload direction, shaping is
performed in the opposite direction.

On the customer facing PE, we police the ingress on the customer port (so that will be the customer's
upload bandwidth) to prevent admitting more traffic than what the shaper would eventually
allow at the point of NNI interconnection.

Since their upload bandwidth is shaped at the interconnect site, the ingress policer at the
customer facing PE does not get violated in normal cases, unless the customer has a compromised
host sending a large burst of uncontrolled fire-and-forget traffic (e.g. DoS).

> 
> Shaping is broken when configured on a LAG (see KB22921). Which
> depending on how many interfaces you have in a LAG a customer would need
> that many flows to see all of their bandwidth. So I assume most
> providers are using policing instead.

We never use LAG for NNI interfaces, precisely because queueing and policing get complicated.
Each NNI is an independent 10GE interface as we hand off from IP to transport network, and each
EVC backhauling a customer never exceeds 3 Gbps subscriber speed.

If the customer needs to be a 10G port to the IP network (regardless of whether burstable or
full-rate 10G), we put them on optical transport and deliver the service via an unprotected
10G wave.  This will change, of course, with the ongoing deployment of 100G interfaces.

We don't do any complex QoS or classifications for internet traffic uses -- after all, if we
had a choice, we would rather put layer-3 routers at every customer facing site, but alas that
is not very cost effective right now.  We just police & queue (no classification) to enforce
traffic contract and prevent over-admittance of traffic onto the metro transport network.

HTH,
James

