[j-nsp] rate limiting per-user prefix lists

Niall Donaghy niall.donaghy at geant.org
Tue Jan 15 05:19:18 EST 2019

Hi Mike,

What I've seen work is policing using address match on client (internal).
One filter applied in input direction, one filter applied in output direction.

So - you can make a filter like this, and apply in the direction(s) of 

filter per-user {
    term max-per-user {
        from {
            prefix-list {
        then prefix-action per-user-100mbps;


-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of 
mike+jnsp at willitsonline.com
Sent: 14 January 2019 17:59
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] rate limiting per-user prefix lists

On 1/9/19 6:14 AM, Niall Donaghy wrote:
> Hi Mike,
> I can give you a few hints:
> 	DPCE will perform poorly, depending on how many policers you instantiate.
> (hint: 10K will kill it, and hint: policers will not be accurate).
> 	MPCs will perform better but don't burden more than you need to...
> obviously the MPC generations vary in performance.
> 	Your prefix-action config is spot-on.
> 		- This instantiates 1 x policer per /32.
> 		- If you change the subnet-prefix-length to 23, what you get is 1 x
> policer
> *shared* between x.x.x.1 and x.x.(x+1).1, x.x.x.2 and x.x.(x+1).2, etc.
> And a caution:
> 	Your firewall filter config matches on 0/0.
> 		- Uh oh! Won't this instantiate 2^32 policers? It's not flow-based,
> it's static instantiation..
> And recommendations:
> 	Change matching terms to /24s instead of 0/0...
> 	Yes - I believe this is sane, scalable to at least 20K IPs on
> NB:
> 	On every instantiation of the firewall filter referencing the
> prefix-action, you are going to have another full set of policers.
> 	Eg: If you have 2 links, each a LAG comprised of 2 x members, then
> you'll have 4 x sets of policers (in your case, 40K).
> 		- If these are all on the same FPC, that's not just poor redundancy,
> but probably too many policers. :)


    Thank you for the response.

    Can I ask you - you stated the proposed filter config matches on 0/0 and 
thus would (try and die!) to create 2^32 individual policers, but thats what I 
thought this did:

filter per-user {
    term max-per-user {
        from {
            source-address {
            destination-prefix-list {
        then prefix-action per-user-100mbps;

Are you saying that potentially I'm allowing the creation of individual 
policers for each possible ipv4 address to every single one of my 
destination-prefix-list members? All I am really trying to say is police by 
destination address only. If you can suggest a modification here, I'd 
appreciate it.

Thank you.

juniper-nsp mailing list juniper-nsp at puck.nether.net 

More information about the juniper-nsp mailing list