Emm... it is just me being an idiot then :-) Thanks guys! -Simon
On Wed, Jul 2, 2008 at 8:08 PM, Stefan Fouant <[EMAIL PROTECTED]> wrote: > Yes Harry you are correct... The default behavior for interface > policers is indeed shared amongst all interfaces which have the > policer applied. This was discussed in a book called 'JUNOS Enterprise > Routing'... Ever heard of it? ;) > > > > On 7/2/08, Harry Reynolds <[EMAIL PROTECTED]> wrote: >> I believe the default behavior is a shared policer unless a filter is >> flagged as being interface-specific. >> >> Tested on M40: >> >> >> <<< no filter or term specific >> >> [edit firewall] >> [EMAIL PROTECTED] show >> policer test { >> if-exceeding { >> bandwidth-limit 1m; >> burst-size-limit 1500; >> } >> then discard; >> } >> filter test { >> term 1 { >> then policer test; >> } >> term 2 { >> then accept; >> } >> } >> >> <<< same filter applied to multiple interfaces >> >> [edit firewall] >> [EMAIL PROTECTED] top show interfaces >> so-1/2/2 { >> unit 0 { >> family inet { >> filter { >> output test; >> } >> address 10.1.0.2/24; >> } >> } >> } >> so-1/2/3 { >> unit 0 { >> family inet { >> filter { >> output test; >> } >> address 192.168.1.1/24; >> } >> } >> } >> >> >> <<< On the SCB there is a single policer instance >> >> >> SCB(vpn02 vty)# show filter >> Filters: >> Index Dir Cnt Text Bss Name >> ----- ------ ------ ------ ------ -------- >> 1 96 0 20 0 __default_bpdu_filter__ >> 2 48 0 4 20 test >> 65279 48 0 4 0 __auto_policer_template__ >> 65280 96 0 16 0 __auto_policer_template_1__ >> 65281 144 0 24 0 __auto_policer_template_2__ >> 65282 192 0 32 0 __auto_policer_template_3__ >> 65283 240 0 40 0 __auto_policer_template_4__ >> >> >> SCB(vpn02 vty)# show filter index 2 pro >> Filters: >> Index Dir Cnt Text Bss Name >> ----- ------ ------ ------ ------ -------- >> 2 48 0 4 20 test >> >> Firewall program version 2 magic fed2beef >> Name: "test" Protocol: ip >> Hash: cfa11b5c171e8e96dd036a8e260b5768 >> Action directory: 1 entry (48 bytes) >> Policer directory: 1 entry (176 bytes) >> Text: 1 instruction word (4 bytes) >> BSS: 5 next hop words (20 bytes) >> Action directory: 1 entry (48 bytes) >> 0: accept policer 0 >> -> 0: >> Policer directory: 1 entry (176 bytes) >> 0: Policer name "test-1": 1 reference <<<< 1 reference >> Bandwidth Limit: 125000 bytes/sec. >> Burst Size: 1500 bytes. >> discard >> Program instructions: 1 word >> >> 0: terminate -> action index 0 >> >> <<< Change filter to interface-specific >> >> [edit firewall] >> [EMAIL PROTECTED] set filter test interface-specific >> >> [edit firewall] >> [EMAIL PROTECTED] commit >> commit complete >> >> >> <<< back on scb there are now two policers instances: >> >> >> SCB(vpn02 vty)# show filter >> Filters: >> Index Dir Cnt Text Bss Name >> ----- ------ ------ ------ ------ -------- >> 1 96 0 20 0 __default_bpdu_filter__ >> 3 48 0 4 20 test-so-1/2/2.0-o <<<< >> 4 48 0 4 20 test-so-1/2/3.0-o <<<<< >> 65279 48 0 4 0 __auto_policer_template__ >> 65280 96 0 16 0 __auto_policer_template_1__ >> 65281 144 0 24 0 __auto_policer_template_2__ >> 65282 192 0 32 0 __auto_policer_template_3__ >> 65283 240 0 40 0 __auto_policer_template_4__ >> >> >> SCB(vpn02 vty)# show filter inde 3 pro >> Filters: >> Index Dir Cnt Text Bss Name >> ----- ------ ------ ------ ------ -------- >> 3 48 0 4 20 test-so-1/2/2.0-o >> >> Firewall program version 2 magic fed2beef >> Name: "test-so-1/2/2.0-o" Protocol: ip Flags: 0x01 >> Hash: 5f72b272c23e8bfb61d6a59495cb0780 >> Action directory: 1 entry (48 bytes) >> Policer directory: 1 entry (176 bytes) >> Text: 1 instruction word (4 bytes) >> BSS: 5 next hop words (20 bytes) >> Action directory: 1 entry (48 bytes) >> 0: accept policer 0 >> -> 0: >> Policer directory: 1 entry (176 bytes) >> 0: Policer name "test-1-so-1/2/2.0-o": 1 reference >> Bandwidth Limit: 125000 bytes/sec. >> Burst Size: 1500 bytes. >> discard >> Program instructions: 1 word >> >> 0: terminate -> action index 0 >> >> SCB(vpn02 vty)# show filter inde 4 pro >> Filters: >> Index Dir Cnt Text Bss Name >> ----- ------ ------ ------ ------ -------- >> 4 48 0 4 20 test-so-1/2/3.0-o >> >> Firewall program version 2 magic fed2beef >> Name: "test-so-1/2/3.0-o" Protocol: ip Flags: 0x01 >> Hash: 5f72b272c23e8bfb61d6a59495cb0780 >> Action directory: 1 entry (48 bytes) >> Policer directory: 1 entry (176 bytes) >> Text: 1 instruction word (4 bytes) >> BSS: 5 next hop words (20 bytes) >> Action directory: 1 entry (48 bytes) >> 0: accept policer 0 >> -> 0: >> Policer directory: 1 entry (176 bytes) >> 0: Policer name "test-1-so-1/2/3.0-o": 1 reference >> Bandwidth Limit: 125000 bytes/sec. >> Burst Size: 1500 bytes. >> discard >> Program instructions: 1 word >> >> 0: terminate -> action index 0 >> >> SCB(vpn02 vty)# >> >> HTHs >> >> >>> -----Original Message----- >>> From: [EMAIL PROTECTED] >>> [mailto:[EMAIL PROTECTED] On Behalf Of CHEN Xu >>> Sent: Wednesday, July 02, 2008 4:13 PM >>> To: juniper-nsp@puck.nether.net >>> Subject: [j-nsp] aggregated policing >>> >>> Hi guys, >>> >>> I am wondering whether it is doable on Juniper to police the >>> aggregation of a set of interfaces. >>> >>> For example, I have two interfaces, each of them has a >>> capacity cap of 100K. However, I want to put a further cap, >>> saying the sum of the two interfaces should not go over 150K. >>> Is this doable? >>> >>> I found an statement of interface-set, which can specify a >>> set of interfaces, and then set a police policy. But I >>> suspect that this will apply the same policy to each >>> individual interface within that set, but not on the aggregated level. >>> >>> Thanks. >>> -Simon >>> _______________________________________________ >>> juniper-nsp mailing list juniper-nsp@puck.nether.net >>> https://puck.nether.net/mailman/listinfo/juniper-nsp >>> >> _______________________________________________ >> juniper-nsp mailing list juniper-nsp@puck.nether.net >> https://puck.nether.net/mailman/listinfo/juniper-nsp >> > > -- > Sent from Gmail for mobile | mobile.google.com > > Stefan Fouant > Principal Network Engineer > NeuStar, Inc. - http://www.neustar.biz > GPG Key ID: 0xB5E3803D > _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp