Re: [j-nsp] Aggregate policer config
Hello Matthew,

This looks like yet another sales guy craziness and the answer should have been no way. I'm wondering how your OPS folks are going to support this aggregate-fw-filter based policing. As in a couple of months no one is going to recall there are some PFE restrictions.

adam

-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Matthew Crocker
Sent: 07 April 2015 22:16
To: jnsp list
Subject: [j-nsp] Aggregate policer config

Hello,

A customer with two connections to my mx240. I want to police their total bandwidth to 800mbps. Right now I have a 800mbps policer but that gives them 800mbps on each circuit.

Customer Interface 1 is a VLAN on a 10G interface
Customer Interface 2 is a VLAN on a 1G interface

Each interface has its own /30 IP subnet with a BGP session on each customer IP

Customer buys X bandwidth we want to give them X bandwidth over a pair of circuits. If one circuit goes down the policer needs to be set to the X bandwidth they purchased.

Thanks

-Matt

--
Matthew S. Crocker
President
Crocker Communications, Inc.
PO BOX 710
Greenfield, MA 01302-0710
E: matt...@crocker.com
P: (413) 746-2760
F: (413) 746-3704
W: http://www.crocker.com

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Aggregate policer config
On 9 Apr 2015, at 10:22 am, Mark Tees markt...@gmail.com wrote:

> I would be curious to know if/how the aggregate behaviour works between different line cards/PFE.

I was wondering this too, so I did a bit of digging - Page 198 of Doug Hanks' MX Series book suggests it doesn't - quoting:

"The same filter can be applied to multiple interfaces at the same time. By default on MX Routers, these filters will sum (or aggregate) their counters and policing actions when those interfaces share a PFE."

I've only got MX80s here in the lab just now, which I think share a PFE for both FPC 0 and FPC1 - I can apply the same filter/policer to both a 10G and a 1G interface and get the aggregate bandwidth between interfaces to be dictated by the policer.

> Just to clarify here:
>
> set firewall policer POLICER-800M filter-specific
> set firewall policer POLICER-800M if-exceeding bandwidth-limit 800m
> set firewall policer POLICER-800M if-exceeding burst-size-limit 10m
> set firewall policer POLICER-800M then discard
>
> This should result in the policer/counter actions being created per the filter they are used in but still shared within that filter providing interface-specific is not used, right?

Yes, correct, however I suspect that the policer aggregate would again be per PFE.

So, back to the OP's question - you *should* be able to use a single filter, provided both your customer's links are on an MPC1 or MPC3E with 1G / 10G MICs.

If that's not the case, then stick with the per-interface 800M policer and just apply local-preference to your customer's routes as you import them to ensure their traffic is always preferred via the 10G link (while it's up), and use MED/metric to encourage them to use the 10G link for their outbound.

Cheers,

Ben
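
The scoping behaviour discussed in the message above, as an added Python illustration (not part of the thread and not Junos code): a simplified token-bucket model comparing one policer instance per interface with one instance shared through the filter. Interface names, PFE ids and offered loads are constructed; the one-instance-per-PFE rule is a modelling assumption taken from the book passage quoted above.

```python
# Added illustration: simplified token-bucket model of policer instance scope.
RATE_BPS = 800_000_000     # bandwidth-limit 800m (from the thread)
BURST_BYTES = 10_000_000   # burst-size-limit 10m (from the thread)
TICKS_PER_SEC = 1000       # simulation resolution (assumption)


class Policer:
    """Single-rate policer; out-of-profile bytes are discarded."""

    def __init__(self):
        self.tokens = float(BURST_BYTES)   # bucket starts full
        self.last = 0.0

    def offer(self, nbytes, now):
        # Refill for the time elapsed since this instance last saw traffic.
        refill = (now - self.last) * RATE_BPS / 8
        self.tokens = min(BURST_BYTES, self.tokens + refill)
        self.last = now
        passed = min(nbytes, self.tokens)
        self.tokens -= passed
        return passed


def forwarded_mbps(links, interface_specific, seconds=5):
    """links: {ifname: (pfe_id, offered_bps)}. Returns the customer's total Mbps.

    Model assumption: without interface-specific, one policer instance exists
    per PFE the filter is applied on; with it, one instance per interface.
    """
    instances, passed = {}, 0.0
    for step in range(1, seconds * TICKS_PER_SEC + 1):
        now = step / TICKS_PER_SEC
        for ifname, (pfe, offered_bps) in links.items():
            key = ifname if interface_specific else pfe
            policer = instances.setdefault(key, Policer())
            passed += policer.offer(offered_bps / 8 / TICKS_PER_SEC, now)
    return passed * 8 / seconds / 1e6


# Constructed scenario: interface names and PFE ids are hypothetical.
SAME_PFE = {"xe-0/0/0.100": (0, 900e6), "ge-0/1/0.100": (0, 900e6)}
SPLIT_PFE = {"xe-0/0/0.100": (0, 900e6), "ge-1/0/0.100": (1, 900e6)}

if __name__ == "__main__":
    print("interface-specific      :", round(forwarded_mbps(SAME_PFE, True)))
    print("shared filter, one PFE  :", round(forwarded_mbps(SAME_PFE, False)))
    print("shared filter, two PFEs :", round(forwarded_mbps(SPLIT_PFE, False)))
```

The totals land slightly above 800 and 1600 Mbps because each policer instance spends its 10m burst allowance once at the start of the 5-second run.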
Re: [j-nsp] Aggregate policer config
Err, I thought he had unlike-speeds for interfaces?

> Customer Interface 1 is a VLAN on a 10G interface
> Customer Interface 2 is a VLAN on a 1G interface

Unless he does active-passive 1+1, but dunno if JunOS supports unlike physical interface speeds. plus means direct physical connection, instead of out an aggregated/VLAN'ed interface into his Layer-2 transport/switching/fan-out network.

I suggested doing a firewall filter (non interface-specific) against the VLANs on egress, which calls a single (specific/dedicated) policer. May have to play with the knobs on the filter if it's on different PFEs.

- Ck.

On 08/04/2015, at 11:35 PM, Mark Tinka mark.ti...@seacom.mu wrote:

>> Peter,
>>
>> Would an aggregate interface assist in this? If it can be done in your logical scheme, the aggregate interface would provide a simple way to apply the entire X bandwidth no matter the pipes up.
>
> Juniper do support aggregate application of a normal policer, where the bandwidth is shared between all member links in the LAG. So yes, this is a viable option.
>
> Of course, it means the customer needs to support LACP, but on the bright side, you now only need one BGP session to the customer.
>
> The limitation with this is that if the customer has more than one router, it breaks the solution unless they can support MC-LAG.
Re: [j-nsp] Aggregate policer config
I would be curious to know if/how the aggregate behaviour works between different line cards/PFE.

Just to clarify here:

set firewall policer POLICER-800M filter-specific
set firewall policer POLICER-800M if-exceeding bandwidth-limit 800m
set firewall policer POLICER-800M if-exceeding burst-size-limit 10m
set firewall policer POLICER-800M then discard

This should result in the policer/counter actions being created per the filter they are used in but still shared within that filter providing interface-specific is not used, right?

On Thu, Apr 9, 2015 at 10:00 AM, Ben Dale bd...@comlinx.com.au wrote:

> Aggregate policing should be the default behaviour for a *filter*, as long as you don't apply the interface-specific knob. Create a dedicated filter for this customer and apply it to both interfaces.
>
> set firewall family any filter CUST-A-800M term POLICE-800M then policer POLICER-800M
> set firewall family any filter CUST-A-800M term POLICE-800M then accept
>
> Traffic over either interface will contribute to the filter counter. The policer itself can be generic/re-used by other filters as long as you *include* filter-specific.
>
> set firewall policer POLICER-800M filter-specific
> set firewall policer POLICER-800M if-exceeding bandwidth-limit 800m
> set firewall policer POLICER-800M if-exceeding burst-size-limit 10m
> set firewall policer POLICER-800M then discard
>
> Cheers,
>
> Ben
>
> On 8 Apr 2015, at 7:15 am, Matthew Crocker matt...@corp.crocker.com wrote:
>
>> Hello,
>>
>> A customer with two connections to my mx240. I want to police their total bandwidth to 800mbps. Right now I have a 800mbps policer but that gives them 800mbps on each circuit.
>>
>> Customer Interface 1 is a VLAN on a 10G interface
>> Customer Interface 2 is a VLAN on a 1G interface
>>
>> Each interface has its own /30 IP subnet with a BGP session on each customer IP
>>
>> Customer buys X bandwidth we want to give them X bandwidth over a pair of circuits. If one circuit goes down the policer needs to be set to the X bandwidth they purchased.
>>
>> Thanks
>>
>> -Matt
>>
>> --
>> Matthew S. Crocker
>> President
>> Crocker Communications, Inc.
>> PO BOX 710
>> Greenfield, MA 01302-0710
>> E: matt...@crocker.com
>> P: (413) 746-2760
>> F: (413) 746-3704
>> W: http://www.crocker.com

--
Regards,
Mark L. Tees
Re: [j-nsp] Aggregate policer config
Aggregate policing should be the default behaviour for a *filter*, as long as you don't apply the interface-specific knob. Create a dedicated filter for this customer and apply it to both interfaces.

set firewall family any filter CUST-A-800M term POLICE-800M then policer POLICER-800M
set firewall family any filter CUST-A-800M term POLICE-800M then accept

Traffic over either interface will contribute to the filter counter. The policer itself can be generic/re-used by other filters as long as you *include* filter-specific.

set firewall policer POLICER-800M filter-specific
set firewall policer POLICER-800M if-exceeding bandwidth-limit 800m
set firewall policer POLICER-800M if-exceeding burst-size-limit 10m
set firewall policer POLICER-800M then discard

Cheers,

Ben

On 8 Apr 2015, at 7:15 am, Matthew Crocker matt...@corp.crocker.com wrote:

> Hello,
>
> A customer with two connections to my mx240. I want to police their total bandwidth to 800mbps. Right now I have a 800mbps policer but that gives them 800mbps on each circuit.
>
> Customer Interface 1 is a VLAN on a 10G interface
> Customer Interface 2 is a VLAN on a 1G interface
>
> Each interface has its own /30 IP subnet with a BGP session on each customer IP
>
> Customer buys X bandwidth we want to give them X bandwidth over a pair of circuits. If one circuit goes down the policer needs to be set to the X bandwidth they purchased.
>
> Thanks
>
> -Matt
>
> --
> Matthew S. Crocker
> President
> Crocker Communications, Inc.
> PO BOX 710
> Greenfield, MA 01302-0710
> E: matt...@crocker.com
> P: (413) 746-2760
> F: (413) 746-3704
> W: http://www.crocker.com
Re: [j-nsp] Aggregate policer config
Peter,

Would an aggregate interface assist in this? If it can be done in your logical scheme, the aggregate interface would provide a simple way to apply the entire X bandwidth no matter the pipes up.

Thank you,

*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
levipeder...@mankatonetworks.net

On Wed, Apr 8, 2015 at 7:39 AM, Peter Ehiwe petereh...@gmail.com wrote:

> Have you considered writing an event script for this?
>
> On Tue, Apr 7, 2015 at 10:15 PM, Matthew Crocker matt...@corp.crocker.com wrote:
>
>> Hello,
>>
>> A customer with two connections to my mx240. I want to police their total bandwidth to 800mbps. Right now I have a 800mbps policer but that gives them 800mbps on each circuit.
>>
>> Customer Interface 1 is a VLAN on a 10G interface
>> Customer Interface 2 is a VLAN on a 1G interface
>>
>> Each interface has its own /30 IP subnet with a BGP session on each customer IP
>>
>> Customer buys X bandwidth we want to give them X bandwidth over a pair of circuits. If one circuit goes down the policer needs to be set to the X bandwidth they purchased.
>>
>> Thanks
>>
>> -Matt
>>
>> --
>> Matthew S. Crocker
>> President
>> Crocker Communications, Inc.
>> PO BOX 710
>> Greenfield, MA 01302-0710
>> E: matt...@crocker.com
>> P: (413) 746-2760
>> F: (413) 746-3704
>> W: http://www.crocker.com
Re: [j-nsp] Aggregate policer config
Have you considered writing an event script for this?

On Tue, Apr 7, 2015 at 10:15 PM, Matthew Crocker matt...@corp.crocker.com wrote:

> Hello,
>
> A customer with two connections to my mx240. I want to police their total bandwidth to 800mbps. Right now I have a 800mbps policer but that gives them 800mbps on each circuit.
>
> Customer Interface 1 is a VLAN on a 10G interface
> Customer Interface 2 is a VLAN on a 1G interface
>
> Each interface has its own /30 IP subnet with a BGP session on each customer IP
>
> Customer buys X bandwidth we want to give them X bandwidth over a pair of circuits. If one circuit goes down the policer needs to be set to the X bandwidth they purchased.
>
> Thanks
>
> -Matt
>
> --
> Matthew S. Crocker
> President
> Crocker Communications, Inc.
> PO BOX 710
> Greenfield, MA 01302-0710
> E: matt...@crocker.com
> P: (413) 746-2760
> F: (413) 746-3704
> W: http://www.crocker.com
Re: [j-nsp] Aggregate policer config
On 8/Apr/15 15:27, Levi Pederson wrote:

> Peter,
>
> Would an aggregate interface assist in this? If it can be done in your logical scheme, the aggregate interface would provide a simple way to apply the entire X bandwidth no matter the pipes up.

Juniper do support aggregate application of a normal policer, where the bandwidth is shared between all member links in the LAG. So yes, this is a viable option.

Of course, it means the customer needs to support LACP, but on the bright side, you now only need one BGP session to the customer.

The limitation with this is that if the customer has more than one router, it breaks the solution unless they can support MC-LAG.

Mark.
[j-nsp] Aggregate policer config
Hello,

A customer with two connections to my mx240. I want to police their total bandwidth to 800mbps. Right now I have a 800mbps policer but that gives them 800mbps on each circuit.

Customer Interface 1 is a VLAN on a 10G interface
Customer Interface 2 is a VLAN on a 1G interface

Each interface has its own /30 IP subnet with a BGP session on each customer IP

Customer buys X bandwidth we want to give them X bandwidth over a pair of circuits. If one circuit goes down the policer needs to be set to the X bandwidth they purchased.

Thanks

-Matt

--
Matthew S. Crocker
President
Crocker Communications, Inc.
PO BOX 710
Greenfield, MA 01302-0710
E: matt...@crocker.com
P: (413) 746-2760
F: (413) 746-3704
W: http://www.crocker.com