Re: [j-nsp] Time-of-day based traffic conditioning

2012-01-11 Thread Phil Shafer
Dale Shaw writes:
> Does anyone know of a way to enforce traffic policing or shaping based on
> time of day?

Beginning in 11.3, config groups have a conditional application
mechanism, so they are only applied on certain products/models or
at certain time of day ranges.

I'll admit I've never used it, but it's a generic mechanism built
into configuration groups to handle time-of-day-based configuration:

[edit]
cli# show groups tod
when {
    time 02:00 to 03:00;
}
system {
    host-name in-the-maint-window;
}

Annoyingly, I can find no documentation on it, but it's not hidden.
Google(junos configuration groups when) is not helpful.  A snippet
of internal documentation is appended.  If I find more, I'll post it.

I know it uses our getdate() common function, so 2am == 02:00.

Thanks,
 Phil


--
2.3.5 TIME

This identifies when this particular config-group needs to be applied on the
router. It takes start time and optional end time as values. If end time is
specified, the applied config-group will be removed at the specified end time.
This will happen every day at the specified time. If start time is relative
time, e.g., 11am, and end time is not specified, end time will be taken as EOD.
If start is absolute time, the applied configuration will remain, unless the
config-group start time is modified.

The syntax for specifying the time:

time start-time [to end-time];

The time format is -mm-dd.hh:mm (type time).
(Relative has just hh:mm, if 12 hours clock is used, it is needed to specify
am/pm.)

Example:

groups {
    my-group-1 {
        // Config-group statements
        when {
            time 11:00 to 15:00;
        }
    }
}

The config-group 'my-group-1' config statements will be applied at 11 AM and
will be removed at 3 PM daily.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Time-of-day based traffic conditioning

2012-01-11 Thread Doug Hanks
That's pretty cool.  Looks like there's some additional knobs as well.

{master}[edit]
jnpr@R1-RE0# set groups dhanks when time 8am to 5pm

{master}[edit]
jnpr@R1-RE0# set groups dhanks when routing-engine re0

{master}[edit]
jnpr@R1-RE0# set groups dhanks snmp community dhanks authorization read-only

{master}[edit]
jnpr@R1-RE0# set apply-groups dhanks

{master}[edit]
jnpr@R1-RE0# show snmp

{master}[edit]
jnpr@R1-RE0# show snmp | display inheritance
##
## 'dhanks' was inherited from group 'dhanks'
##
community dhanks {
    ##
    ## 'read-only' was inherited from group 'dhanks'
    ##
    authorization read-only;
}

{master}[edit]
jnpr@R1-RE0# show snmp | display inheritance when time 6pm

{master}[edit]
jnpr@R1-RE0#



Thank you,

-- 
Doug Hanks - JNCIE-ENT #213,  JNCIE-SP #875
Sr. Systems Engineer
Juniper Networks
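
Added example, not part of either post above: the conditional group Phil describes and Doug exercises, applied to the original question of policing one application's traffic during business hours. The group name, interface, source address, policer rate and the 08:00 to 17:00 window are placeholders, and it assumes a routed (family inet) interface on a release that has `when` (11.3 or later, per Phil).

```junos
/* Added example: all names, addresses and rates are placeholders. */
groups {
    snapmirror-business-hours {
        when {
            time 08:00 to 17:00;
        }
        interfaces {
            ge-0/0/0 {
                unit 0 {
                    family inet {
                        filter {
                            input limit-snapmirror;
                        }
                    }
                }
            }
        }
    }
}
apply-groups snapmirror-business-hours;
firewall {
    policer snapmirror-10m {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 625k;
        }
        then discard;
    }
    family inet {
        filter limit-snapmirror {
            term snapmirror {
                from {
                    source-address {
                        192.0.2.10/32;
                    }
                }
                then {
                    policer snapmirror-10m;
                    accept;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
```

The `| display inheritance when time 6pm` form from Doug's session, run against `show interfaces ge-0/0/0`, previews what is inherited outside the window. The window follows the router's own clock, so it is only as reliable as the device's time source.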






Re: [j-nsp] Time-of-day based traffic conditioning

2012-01-09 Thread Misha Gzirishvili
Hi there, on SRX/J series you can use schedulers and apply schedulers to
security policies.
On EX there are stateless filters, and I do not know if they support such a
thing.
Regards,
Misha
On Jan 10, 2012 6:30 AM, Dale Shaw dale.shaw+j-...@gmail.com wrote:

> Hi all,
>
> Does anyone know of a way to enforce traffic policing or shaping based on
> time of day?
>
> Platforms available to us: EX-series (EX4200 predominantly), J-series
> (J2320/J6350) and SRX-series (SRX240, SRX650, SRX3K, SRX5K).
>
> I'm looking for a way -- preferably a built-in way (avoiding scripts if
> possible) -- to limit a particular application's throughput during business
> hours.
>
> The application is NetApp SnapMirror. I suspect a far better option would
> be to control transmission rates at the source but I'd like to investigate
> JUNOS-based controls as well.
>
> cheers,
> Dale


Re: [j-nsp] Time-of-day based traffic conditioning

2012-01-09 Thread Dale Shaw
Hi Misha,

On Tue, Jan 10, 2012 at 4:05 PM, Misha Gzirishvili
misha.gzirishv...@gmail.com wrote:

> Hi there, on SRX/J series you can use schedulers and apply schedulers to
> security policies.
> On EX there are stateless filters and do not know if they support such thing.
> Regards,
> Misha

Yes, but the actions available within a security policy (count, deny,
log, permit, reject) do not seem to include anything that can trigger
a policer or any other kind of traffic conditioner.

Similarly, stateless filters don't seem to include any hooks back into
the time-of-day scheduler definitions.

cheers,
Dale


Re: [j-nsp] Time-of-day based traffic conditioning

2012-01-09 Thread Artur Makutunowicz
On Tuesday 10 of January 2012 13:28:11 Dale Shaw wrote:

> I'm looking for a way -- preferably a built-in way (avoiding scripts if
> possible) -- to limit a particular application's throughput during business
> hours.

It seems there's no built-in mechanism. If you really need it, you can use
a SLAX script:
http://www.juniper.net/us/en/community/junos/script-automation/library/configuration/cs-time-based-filters/

Artur


Re: [j-nsp] Time-of-day based traffic conditioning

2012-01-09 Thread Ben Dale
Okay, it's ugly, but:

Write a policy on the SRX that is attached to a scheduler.  

Make the then action of the policy permit application-services idp.

Write an IDP policy that has a then action to re-write DSCP markings for this 
traffic.

Write a CoS policy on your EXs to police traffic matching that DSCP value - 
I've never been able to re-write AND police on those values in the SRX on one 
flow.

Just remember - schedulers only enable and disable policies, so make sure you 
permit the traffic in a fall-through policy.  Ideally you'd put the 
business-hours policy at the top and attach it to the IDP rule/scheduler, 
then have a policy below it for the out-of-hours.

Cheers,

Ben
