[j-nsp] Policer does not work in output direction on interface with service-set.
Yury Yaroshevsky
yk at donbass.net
Mon Dec 10 07:25:58 EST 2018
Hi, list.
I have MX480 with MS-MIC16G (Junos 15.1R6.7).
Now I am testing a config (see below) with a policer and NAT (over a service-set).
The policer in the output direction doesn't work. The customer is not limited in the output direction.
On input, the policer is working.
I checked that the policer is programmed on fpc:
> show interfaces xe-2/0/0.10692 extensive
Logical interface xe-2/0/0.10692 (Index 3328) (SNMP ifIndex 2658) (Generation 3323)
Description: xe-2/0/0.10692 DIPT Policer test; VLAN 1069/1069
Flags: Up SNMP-Traps 0x104000 VLAN-Tag [ 0x8100.1069 0x8100.1069 ]
Encapsulation: ENET2
Traffic statistics:
Input bytes : 35447169692
Output bytes : 691916183
Input packets: 24216879
Output packets: 1343654
Local statistics:
Input bytes : 3521317
Output bytes : 3757556
Input packets: 52804
Output packets: 21793
Transit statistics:
Input bytes : 35443648375 839616 bps
Output bytes : 688158627 40762856 bps
Input packets: 24164075 1995 pps
Output packets: 1321861 8855 pps
Protocol inet, MTU: 1500, Generation: 4511, Route table: 0
Flags: Sendbcast-pkt-to-re, User-MTU
Input Filters: FILTER_4M_IN
Output Filters: FILTER_4M_OUT
Addresses, Flags: Is-Preferred Is-Primary
Destination: 10.6.240.0/30, Local: 10.6.240.1, Broadcast: 10.6.240.3, Generation: 1272
Protocol multiservice, MTU: Unlimited, Generation: 3806, Route table: 0
Policer: Input: __default_arp_policer__
> start shell pfe network fpc2
NPC platform (1067Mhz MPC 8548 processor, 2048MB memory, 512KB flash)
NPC2(xxx vty)# show ifl 3328
Logical interface xe-2/0/0.10692 (Index 3328, Alias-Index 0 Peer-Index 0 ifl address 0x4f744cf8)
Channel Mode DISABLED (channel1 0 channel2 0)
Flags: (0x000000000010c000) Up SNMP-Traps
GEN Flags: (0x0028)
Addresses:
Media address: Family: Link (18), Chan: 2, Length: 48
(04:2d:04:2d:00:00:00:00:00:00:81:00:81:00:00:02:01:06:00:00:04:2d:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00)
IRB ifl BD index 65535
Reroute Ref: 0, Restore Ref: 0, LRID: 0
Residue Stats in: 0 out: 0
Protocols:
Protocol: Multiservice, MTU: 65535 bytes, TCP MSS 0 bytes, Flags: 0x0000000200000000, Route table: 0
Maximum labels: 0
Input filter: 0, Output filter: 0, Interface class: 0, Dialer Filter: 0
Input Simple Filter: 0, Output Simple Filter: 0
Input implicit filters: None
Output implicit filters: None
L2 Input policer: 0, L2 Output policer: 0
Input policer: 17000, Output policer: 0
RPF fail-filter: 0, Reroute Ref: 0, Restore Ref: 0
Protocol: IPv4, MTU: 1500 bytes, TCP MSS 0 bytes, Flags: 0x8000000200000800, Route table: 0
Maximum labels: 0
Input filter: 27, Output filter: 28, Interface class: 0, Dialer Filter: 0
Input Simple Filter: 0, Output Simple Filter: 0
Input implicit filters: None
Output implicit filters: None
L2 Input policer: 0, L2 Output policer: 0
Input policer: 0, Output policer: 0
RPF fail-filter: 0, Reroute Ref: 0, Restore Ref: 0
Service filters in: 23, 0, 0, 0, 0, 0, out: 24, 0, 0, 0, 0, 0, psf: 0
Address(0): 10.6.240.1 (0x00) [primary] [10.6.240.0/30]
Media:
Type: VLAN Tagged, Encapsulation: Ethernet (0x0000000E)
MTU: 1522 bytes, Flags: 0x0000
Dependencies:
Parent ifl index: 3328
Storm control:
BC: 0, UC: 0, Flags: 0x0
NPC2(xxx vty)# show filter index 27 program
Filter index = 27
Optimization flag: 0xf7
Filter notify host id = 0
Filter properties: None
Filter state = CONSISTENT
term 1
term priority 0
then
accept
policer template 4M
policer 4M-1
app_type 0
bandwidth-limit 4000000 bits/sec
burst-size-limit 512000 bytes
discard
NPC2(xxx vty)# show filter index 28 program
Filter index = 28
Optimization flag: 0xf7
Filter notify host id = 0
Filter properties: None
Filter state = CONSISTENT
term 1
term priority 0
then
accept
policer template 4M
policer 4M-1
app_type 0
bandwidth-limit 4000000 bits/sec
burst-size-limit 512000 bytes
discard
NPC2(rc1.m20.kmt vty)# show policer xe-2/0/0.10692 family inet
IFD xe-2/0/0
Input filter
Filter is not interface specific 27
Output filter
Filter is not interface specific 28
Questions:
1) Is this a bug that can be fixed by replacing Junos? Will this configuration work on 16.1R7?
2) If this is a feature (the policer does not work in the output direction with a service-set (NAT) attached to the interface), then how can I limit my customer?
See my configs below:
> show configuration interfaces xe-2/0/0.10692
description "xe-2/0/0.10692 Policer test; VLAN 1069/1069";
proxy-arp;
vlan-tags outer 1069 inner 1069;
family inet {
    mtu 1500;
    filter {
        input FILTER_4M_IN;
        output FILTER_4M_OUT;
    }
    service {
        input {
            service-set SS-NAT-01 service-filter REDIRECT-for-NAT-in-v4-test;
        }
        output {
            service-set SS-NAT-01 service-filter REDIRECT-for-NAT-out-v4-test;
        }
    }
    address 10.6.240.1/30;
}
> show configuration services service-set SS-NAT-01
stateful-firewall-rules FIREWALL-RULE-01;
nat-rules NAT-RULE-01;
interface-service {
    service-interface ms-2/2/0;
}
> show configuration services stateful-firewall rule FIREWALL-RULE-01
match-direction input-output;
term OTHER {
    then {
        accept;
    }
}
> show configuration firewall family inet service-filter REDIRECT-for-NAT-in-v4-test
term SERVICE {
    from {
        source-address {
            10.0.0.0/8;
        }
    }
    then service;
}
term SKIP {
    then skip;
}
> show configuration firewall family inet service-filter REDIRECT-for-NAT-out-v4-test
term SERVICE {
    from {
        destination-address {
            172.16.255.0/24;
        }
    }
    then service;
}
term SKIP {
    then skip;
}
> show configuration services nat
pool NAT-POOL-01 {
    address 172.16.255.0/24;
    port {
        automatic;
    }
}
rule NAT-RULE-01 {
    match-direction input;
    term T1 {
        from {
            source-address {
                10.6.0.0/16;
            }
        }
        then {
            translated {
                source-pool NAT-POOL-01;
                translation-type {
                    napt-44;
                }
                address-pooling paired;
            }
        }
    }
}
> show configuration firewall family inet filter FILTER_4M_IN
term 1 {
    then {
        policer 4M;
        accept;
    }
}
> show configuration firewall family inet filter FILTER_4M_OUT
term 1 {
    then {
        policer 4M;
        accept;
    }
}
> show configuration firewall policer 4M
if-exceeding {
    bandwidth-limit 4m;
    burst-size-limit 512k;
}
then discard;
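An added check, not part of the original post, for the PFE "show ifl" output quoted above: a small Python parser that reads the per-protocol filter, policer and service-filter indices and reports any family where one direction is programmed (non-zero index) and the other is not. The sample input is a constructed excerpt of the post's own output; the names parse_ifl and asymmetric are hypothetical helpers, and a zero index is taken to mean nothing is attached, as the output itself shows for the unfiltered family.

```python
import re

# Constructed excerpt of the "show ifl 3328" output quoted in the post,
# reduced to the lines this check reads.
SAMPLE_IFL = """\
Protocols:
Protocol: Multiservice, MTU: 65535 bytes, TCP MSS 0 bytes, Flags: 0x0000000200000000, Route table: 0
Input filter: 0, Output filter: 0, Interface class: 0, Dialer Filter: 0
Input policer: 17000, Output policer: 0
Protocol: IPv4, MTU: 1500 bytes, TCP MSS 0 bytes, Flags: 0x8000000200000800, Route table: 0
Input filter: 27, Output filter: 28, Interface class: 0, Dialer Filter: 0
Input policer: 0, Output policer: 0
Service filters in: 23, 0, 0, 0, 0, 0, out: 24, 0, 0, 0, 0, 0, psf: 0
"""

PROTO_RE = re.compile(r"^\s*Protocol:\s*([^,]+),")
ROW_RES = {
    "filter": re.compile(r"^\s*Input filter:\s*(\d+),\s*Output filter:\s*(\d+)"),
    "policer": re.compile(r"^\s*Input policer:\s*(\d+),\s*Output policer:\s*(\d+)"),
    # first slot of the input and output service-filter lists
    "service": re.compile(r"^\s*Service filters in:\s*(\d+).*?\bout:\s*(\d+)"),
}

def parse_ifl(text):
    """Map each protocol family to its (input, output) index pairs."""
    families, cur = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            cur = m.group(1).strip()
            families[cur] = {k: (0, 0) for k in ROW_RES}
            continue
        if cur is None:
            continue
        for key, rx in ROW_RES.items():
            m = rx.match(line)
            if m:
                families[cur][key] = (int(m.group(1)), int(m.group(2)))
    return families

def asymmetric(families, family):
    """Keys where exactly one direction is programmed (index 0 = nothing)."""
    return [k for k, (i, o) in families[family].items() if (i == 0) != (o == 0)]

if __name__ == "__main__":
    fams = parse_ifl(SAMPLE_IFL)
    for name, rows in fams.items():
        print(name, rows, "asymmetric:", asymmetric(fams, name))
```

Run against the post's output, it confirms that the inet family has a filter and a service filter in both directions, and that the only one-sided entry is the interface-level input policer on the multiservice family.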