Hi,

I have a setup where two Linux workstations are connected to each other via a Juniper remote LSP circuit cross-connect (remote-interface-switch). The simplified setup looks like this:
    workstation1 <-> M20 <-> M10i <-> workstation2

Both workstations have three sub-interfaces (VLAN interfaces). "workstation1" has the following sub-interfaces:

    inet 10.10.1.2/24 brd 10.10.1.255 scope global eth0.534
    inet 10.10.2.2/24 brd 10.10.2.255 scope global eth0.541
    inet 10.10.3.2/24 brd 10.10.3.255 scope global eth0.653

..and "workstation2" has the following sub-interfaces:

    inet 10.10.1.1/24 brd 10.10.1.255 scope global eth0.534
    inet 10.10.2.1/24 brd 10.10.2.255 scope global eth0.541
    inet 10.10.3.1/24 brd 10.10.3.255 scope global eth0.653

Circuits between the M20 (9.4R3.5) and the M10i (10.4R9.2) are up and I'm able to reach "workstation1" from "workstation2" and vice versa on all three VLANs. Now I need to police those three circuits with a common 20Mbps policer. In other words, all three family ccc interfaces, both in the M20 and the M10i, need to share the same 20Mbps policer. My first idea was to group the three sub-interfaces in the routers with "interface-set" and apply the policer. Something like this:

    [edit firewall]
    root@M20# show
    policer bw-20Mbps {
        if-exceeding {
            bandwidth-limit 20m;
            burst-size-limit 512k;
        }
        then discard;
    }
    interface-set if-set {
        ge-1/1/0.534;
        ge-1/1/0.541;
        ge-1/1/0.653;
    }
    filter if-set-filter {
        term 20Mbps-policer {
            from {
                interface-set if-set;
            }
            then policer bw-20Mbps;
        }
    }

    [edit firewall]
    root@M20#

While this works fine in the case of family inet interfaces (I tested this, and a single policer is indeed shared between multiple sub-interfaces), it doesn't seem to work in the case of family ccc interfaces: commit fails with a "Referenced filter 'if-set-filter' is not defined" error, while filter "if-set-filter" actually is defined under the firewall configuration. As I understand it, firewall filters for family ccc need to be configured under the [edit firewall family ccc filter filter-name] hierarchy? Under [edit firewall family ccc filter filter-name] there is no "interface-set" match condition, but there is an "interface-group" match condition.
So as a next step I put all three interfaces into the same "interface-group", number 10, and applied policer "bw-20Mbps" to the "interface-group":

    [edit]
    root@M20# show interfaces ge-1/1/0
    vlan-tagging;
    mtu 9000;
    encapsulation vlan-ccc;
    unit 534 {
        description CCC-test;
        encapsulation vlan-ccc;
        bandwidth 20m;
        vlan-id 534;
        family ccc {
            filter {
                input if-group-filter;
                group 10;
            }
        }
    }
    unit 541 {
        description CCC-test;
        encapsulation vlan-ccc;
        bandwidth 20m;
        vlan-id 541;
        family ccc {
            filter {
                input if-group-filter;
                group 10;
            }
        }
    }
    unit 653 {
        description CCC-test;
        encapsulation vlan-ccc;
        bandwidth 20m;
        vlan-id 653;
        family ccc {
            filter {
                input if-group-filter;
                group 10;
            }
        }
    }

    [edit]
    root@M20# show firewall
    policer bw-20Mbps {
        if-exceeding {
            bandwidth-limit 20m;
            burst-size-limit 512k;
        }
        then discard;
    }
    family ccc {
        filter if-group-filter {
            term if-group-term {
                from {
                    interface-group 10;
                }
                then policer bw-20Mbps;
            }
        }
    }

    [edit]
    root@M20#

Now if I start iperf in bidirectional simultaneous mode on one of the workstations on all three interfaces at the same time, I get around 18Mbps on all three VLANs, while I was expecting to receive about 6.5Mbps. In other words, ge-1/1/0.534, ge-1/1/0.541 and ge-1/1/0.653 do not share the bw-20Mbps policer. Am I doing this wrong? Or is it impossible to police multiple family ccc interfaces with one shared policer on M (or MX) series?

regards,
Martin

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
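Editor's added example, not part of Martin's post and not a verified answer to it. A policer referenced from a filter that is applied on several logical units is normally instantiated once per unit, which matches the symptom above (each VLAN gets its own 20Mbps). The Junos mechanism for one policer instance covering every logical unit on a single physical port is a physical interface policer: the policer carries the physical-interface-policer statement and the filter that references it carries physical-interface-filter. This fragment assumes the platform and release support those statements for family ccc, which is not verified here for the M20 on 9.4 or the M10i on 10.4; the policer name bw-20Mbps-phy and filter name ccc-phy-filter are illustrative. Since all three units sit on ge-1/1/0 in the post, one such policer on that port would cover all of them; the M10i side would need the same configuration on its own port.

```junos
/* Added example, not from the post. Assumes physical-interface-policer and
   physical-interface-filter are supported for family ccc on this platform
   and release (unverified for M20 9.4R3.5 and M10i 10.4R9.2). */
[edit firewall]
policer bw-20Mbps-phy {
    /* one policer instance per physical port, shared by every unit on it */
    physical-interface-policer;
    if-exceeding {
        bandwidth-limit 20m;
        burst-size-limit 512k;
    }
    then discard;
}
family ccc {
    filter ccc-phy-filter {
        /* required on any filter that references a physical-interface policer */
        physical-interface-filter;
        term police-all {
            /* no from clause: every packet on the unit hits the shared policer */
            then policer bw-20Mbps-phy;
        }
    }
}

/* the same filter is applied to each CCC unit of the port */
[edit interfaces ge-1/1/0]
unit 534 {
    family ccc {
        filter {
            input ccc-phy-filter;
        }
    }
}
unit 541 {
    family ccc {
        filter {
            input ccc-phy-filter;
        }
    }
}
unit 653 {
    family ccc {
        filter {
            input ccc-phy-filter;
        }
    }
}
```

Two checks worth doing before trusting the result: confirm the commit accepts the physical-interface-policer and physical-interface-filter statements on the platform at all (if they are not supported for this family or hardware the commit check will say so), and then look at `show firewall` while the three iperf streams run; with a shared policer there should be a single bw-20Mbps-phy counter on ge-1/1/0 climbing for all three VLANs combined, whereas the per-unit behaviour seen with interface-group shows up as one policer counter per logical unit.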