Hi Luca,

What I meant is that the input policing (applied on your LAN interface) is 
working per design, even if you see traffic rate on your LAN interface in the 
inbound direction higher than what you set. 

The rate you see (via show interface extensive, or monitor interface) is the 
rate BEFORE policing. If you set up graph for it, the graph most likely shows 
the rate before policing as well.

Unfortunately, I don't know how to check the rate AFTER policing.

I am sure your policer is dropping traffic, and you can see the number of drops 
via "show firewall". You may be able to work out roughly the rate of dropping 
based on the change in this number.

In reality, if customer traffic is mainly TCP then the effect of your policer 
dropping would most likely bring the inbound traffic (BEFORE policing) to the 
rate you set. But if their traffic is UDP, or of DoS nature, you will still see 
the incoming traffic rate higher than your policing rate. 


Regards,

Huan

On 28/01/2013, at 11:01 PM, Luca Salvatore <l...@ninefold.com> wrote:

> The firewall where this is configured has hundreds of customer interfaces on 
> them.
> I can't apply a policer to the WAN interface as that will police the entire 
> link (300Mb) down to a slow speed.  I need to police each customer to 40Mb on 
> their own interface.
> 
> As it's just the outbound policer that isn't working correctly, it does 
> police, but much higher than the 40Mb it is configured to run at.
> 
> 
> ________________________________
> From: Huan Pham [drie.huanp...@gmail.com]
> Sent: Saturday, 26 January 2013 1:50 PM
> To: Luca Salvatore
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] Burst size for policing
> 
> Hi Luca,
> 
> _I think_ the stats that show for inbound rate (65M-70M) on the interface 
> may be the one before you do policing. It may not be the rate after dropping. 
> On the other hand, traffic shown outbound is already subject to your outbound 
> policy.
> 
> Could you check the traffic that leaves the router (e.g. outbound to the 
> LAN)? If your router has only two interfaces (e.g. WAN and LAN, and you apply 
> the policing on the WAN interface), then the outbound rate on the other 
> interface (LAN interface) is the rate after your WAN inbound policing.
> 
> Cheers,
> 
> Huan
> 
> 
> 
> On Sat, Jan 26, 2013 at 8:20 AM, Luca Salvatore 
> <l...@ninefold.com<mailto:l...@ninefold.com>> wrote:
> Hi Guys,
> 
> Got some issues with my policing configuration on a SRX650.
> I have it configured to police inbound and outbound traffic to 40Mb.
> 
> The config to make this happen is:
> 
> configuration firewall policer police-customer | display set
> set firewall policer police-customer if-exceeding bandwidth-limit 39m
> set firewall policer police-customer if-exceeding burst-size-limit 1m
> set firewall policer police-customer then discard
> 
> So this works really well for outbound traffic - speed tests show that it 
> sits right on 40Mb.
> However for my inbound traffic I see that speeds get well above 40Mb - around 
> 65 to 70 actually.
> 
> The policer is applied to the customer's interface in both the inbound and 
> outbound direction.
> 
> I'm thinking the burst size could be too big perhaps?
> 
> Thanks.
> Luca.
> 
> 
> _______________________________________________
> juniper-nsp mailing list 
> juniper-nsp@puck.nether.net<mailto:juniper-nsp@puck.nether.net>
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
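The following is an added illustration, not code from the thread or from Juniper: a simulation of the single-rate policer the config above describes (bandwidth-limit refills a token bucket, burst-size-limit caps it, excess is discarded), fed with a constant-rate UDP-like stream, plus a helper that estimates the drop rate from two "show firewall" byte-counter samples. It assumes Junos interprets the "m" suffix as 10^6 for both knobs (bits/s for bandwidth-limit, bytes for burst-size-limit), and all traffic figures and counter values are constructed, not taken from the thread. The point it makes concrete is Huan's: the offered (pre-policing) rate stays at 70 Mb/s no matter what the policer does, while the passed rate settles just above 39 Mb/s, the difference showing up only as policer drops.

```python
from dataclasses import dataclass


@dataclass
class TokenBucketPolicer:
    """Single-rate, two-colour policer modelled on the Junos 'if-exceeding' knobs.

    bandwidth_limit_bps: sustained rate at which tokens (bytes) are added.
    burst_size_bytes:    bucket capacity; bounds how far a burst can exceed the rate.
    A packet is passed only if the bucket holds at least its size in tokens;
    otherwise it is discarded (the 'then discard' action).
    """
    bandwidth_limit_bps: int
    burst_size_bytes: int

    def __post_init__(self):
        self.tokens = float(self.burst_size_bytes)  # bucket starts full
        self.last_t = 0.0
        self.passed_bytes = 0
        self.dropped_bytes = 0
        self.dropped_packets = 0

    def offer(self, t, size):
        """Offer a packet of `size` bytes at time `t` seconds; return True if passed."""
        elapsed = t - self.last_t
        self.last_t = t
        refill = elapsed * self.bandwidth_limit_bps / 8.0  # bits/s -> bytes
        self.tokens = min(float(self.burst_size_bytes), self.tokens + refill)
        if size <= self.tokens:
            self.tokens -= size
            self.passed_bytes += size
            return True
        self.dropped_bytes += size
        self.dropped_packets += 1
        return False


def simulate(offered_bps, duration_s, pkt_bytes, policer):
    """Drive a constant-rate packet stream (no TCP back-off) through the policer.

    Returns the offered rate (what the interface counters show), the rate that
    actually got through, and what the policer discarded, all in Mb/s.
    """
    interval = pkt_bytes * 8.0 / offered_bps
    n = int(duration_s / interval)
    for i in range(n):
        policer.offer(i * interval, pkt_bytes)
    offered_bytes = n * pkt_bytes
    to_mbps = lambda b: b * 8.0 / duration_s / 1e6
    return {
        "offered_mbps": to_mbps(offered_bytes),
        "passed_mbps": to_mbps(policer.passed_bytes),
        "dropped_mbps": to_mbps(policer.dropped_bytes),
        "dropped_packets": policer.dropped_packets,
    }


def drop_rate_mbps(bytes_sample1, bytes_sample2, seconds_between):
    """Rough drop rate from two readings of a policer's byte counter
    (as shown by 'show firewall'), taken `seconds_between` seconds apart."""
    return (bytes_sample2 - bytes_sample1) * 8.0 / seconds_between / 1e6


def rate_after_policing_mbps(interface_in_mbps, bytes_sample1, bytes_sample2, seconds_between):
    """Interface inbound rate is pre-policing; subtract the drop rate to estimate
    what actually passed."""
    return interface_in_mbps - drop_rate_mbps(bytes_sample1, bytes_sample2, seconds_between)


if __name__ == "__main__":
    # Constructed scenario: 70 Mb/s of 1500-byte packets for 10 s into the
    # thread's policer (bandwidth-limit 39m, burst-size-limit 1m).
    result = simulate(70e6, 10.0, 1500, TokenBucketPolicer(39_000_000, 1_000_000))
    for k, v in result.items():
        print(f"{k:>16}: {v:.2f}" if isinstance(v, float) else f"{k:>16}: {v}")
    # Constructed counter readings 10 s apart: 37,750,000 bytes dropped.
    print(f"estimated drop rate: {drop_rate_mbps(0, 37_750_000, 10.0):.2f} Mb/s")
    print(f"estimated after policing: {rate_after_policing_mbps(70.0, 0, 37_750_000, 10.0):.2f} Mb/s")
```

Running it shows the interface-side number (offered) unchanged at about 70 Mb/s while the passed rate sits at roughly 39.8 Mb/s (39 Mb/s plus the one-off 1 MB burst spread over the interval); a TCP source would instead back off until its offered rate matched the passed rate, which is why outbound "looks right" on a speed test and inbound does not.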
