[j-nsp] rate limiting per-user prefix lists
Niall Donaghy
niall.donaghy at geant.org
Tue Jan 15 05:19:18 EST 2019
Hi Mike,
What I've seen work is policing using address match on client (internal).
One filter applied in input direction, one filter applied in output direction.
So - you can make a filter like this, and apply in the direction(s) of
interest:
filter per-user {
    term max-per-user {
        from {
            prefix-list {
                my100mbps-endusers;
            }
        }
        then prefix-action per-user-100mbps;
    }
}
Br,
Niall
-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
mike+jnsp at willitsonline.com
Sent: 14 January 2019 17:59
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] rate limiting per-user prefix lists
On 1/9/19 6:14 AM, Niall Donaghy wrote:
> Hi Mike,
>
> I can give you a few hints:
>
> DPCE will perform poorly, depending on how many policers you instantiate.
> (hint: 10K will kill it, and hint: policers will not be accurate).
> MPCs will perform better but don't burden more than you need to...
> obviously the MPC generations vary in performance.
> Your prefix-action config is spot-on.
> - This instantiates 1 x policer per /32.
> - If you change the subnet-prefix-length to 23, what you get is 1 x policer
> *shared* between x.x.x.1 and x.x.(x+1).1, x.x.x.2 and x.x.(x+1).2, etc.
>
> And a caution:
>
> Your firewall filter config matches on 0/0.
> - Uh oh! Won't this instantiate 2^32 policers? It's not flow-based,
> it's static instantiation.
>
> And recommendations:
>
> Change matching terms to /24s instead of 0/0...
> Yes - I believe this is sane, scalable to at least 20K IPs on
> MPC-3D-16XGE-SFPP.
>
> NB:
>
> On every instantiation of the firewall filter referencing the
> prefix-action, you are going to have another full set of policers.
>
> Eg: If you have 2 links, each a LAG comprised of 2 x members, then
> you'll have 4 x sets of policers (in your case, 40K).
> - If these are all on the same FPC, that's not just poor redundancy,
> but probably too many policers. :)
Hello,
Thank you for the response.
Can I ask you - you stated the proposed filter config matches on 0/0 and
thus would (try and die!) to create 2^32 individual policers, but that's what I
thought this did:
filter per-user {
    term max-per-user {
        from {
            source-address {
                0.0.0.0/0;
            }
            destination-prefix-list {
                my100mbps-endusers;
            }
        }
        then prefix-action per-user-100mbps;
    }
}
Are you saying that potentially I'm allowing the creation of individual
policers for each possible IPv4 address to every single one of my
destination-prefix-list members? All I am really trying to say is police by
destination address only. If you can suggest a modification here, I'd
appreciate it.
Thank you.
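An added model of the policer arithmetic the thread argues about (example code written for this page, not from either poster or from Juniper). It assumes the indexing rule as Junos documents prefix-action: a policer is selected by the address bits between subnet-prefix-length and destination-prefix-length, so a term that matches a prefix shorter than subnet-prefix-length makes addresses share a policer, and every interface or LAG member the filter is applied to gets its own full set. All addresses and counts are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: Junos prefix-action indexing, modelled here, not a vendor API.
# Policers are static (instantiated at commit), not created per flow.


def policer_count(subnet_prefix_length: int, prefix_length: int) -> int:
    """Policers one prefix-action instantiates, per use of the filter."""
    if not 0 <= subnet_prefix_length <= prefix_length <= 32:
        raise ValueError("need 0 <= subnet-prefix-length <= prefix-length <= 32")
    return 1 << (prefix_length - subnet_prefix_length)


def policer_index(address: str, subnet_prefix_length: int, prefix_length: int) -> int:
    """Policer an address lands on: its bits beyond subnet-prefix-length,
    up to prefix-length. Addresses agreeing on those bits share a policer."""
    width = prefix_length - subnet_prefix_length
    value = int(ipaddress.IPv4Address(address)) >> (32 - prefix_length)
    return value & ((1 << width) - 1)


def sharing_map(matched_prefix: str, subnet_prefix_length: int, prefix_length: int) -> dict:
    """Group every host a term matches by policer index. A group longer than
    one means those hosts are policed together, which happens when the term
    matches a prefix shorter than subnet-prefix-length."""
    groups = defaultdict(list)
    for host in ipaddress.IPv4Network(matched_prefix):
        idx = policer_index(str(host), subnet_prefix_length, prefix_length)
        groups[idx].append(str(host))
    return dict(groups)


def total_policers(per_set: int, filter_instances: int) -> int:
    """Each interface or LAG member the filter is applied to carries a full set."""
    return per_set * filter_instances


if __name__ == "__main__":
    # /24 term, subnet-prefix-length 24, destination-prefix-length 32: one policer per /32.
    per_host = sharing_map("192.0.2.0/24", 24, 32)
    print(len(per_host), "policers, largest group", max(map(len, per_host.values())))
    # Same prefix-action but the term matches a /23: 192.0.2.1 and 192.0.3.1 share index 1.
    print(sharing_map("192.0.2.0/23", 24, 32)[1])
    # Two links, each a LAG of two members, 10K policers per set.
    print(total_policers(10_000, 4))
```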
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp