On 1/9/19 6:14 AM, Niall Donaghy wrote:
> Hi Mike,
>
> I can give you a few hints:
>
>       DPCE will perform poorly, depending on how many policers you instantiate.
> (hint: 10K will kill it, and hint: policers will not be accurate).
>       MPCs will perform better but don't burden more than you need to... obviously the MPC generations vary in performance.
>       Your prefix-action config is spot-on.
>               - This instantiates 1 x policer per /32.
>               - If you change the subnet-prefix-length to 23, what you get is 1 x policer *shared* between x.x.x.1 and x.x.(x+1).1, x.x.x.2 and x.x.(x+1).2, etc.
>
> And a caution:
>
>       Your firewall filter config matches on 0/0.
>               - Uh oh! Won't this instantiate 2^32 policers? It's not flow-based, it's static instantiation.
>
> And recommendations:
>
>       Change matching terms to /24s instead of 0/0...
>       Yes - I believe this is sane, scalable to at least 20K IPs on MPC-3D-16XGE-SFPP.
>
> NB:
>
>       On every instantiation of the firewall filter referencing the prefix-action, you are going to have another full set of policers.
>
>       Eg: If you have 2 links, each a LAG comprised of 2 x members, then you'll have 4 x sets of policers (in your case, 40K).
>               - If these are all on the same FPC, that's not just poor redundancy, but probably too many policers. :)


Hello,

    Thank you for the response.

    Can I ask you - you stated the proposed filter config matches on 0/0
and thus would try (and die!) to create 2^32 individual policers, but
that's what I thought this did:


filter per-user {
    term max-per-user {
        from {
            source-address {
                0.0.0.0/0;
            }
            destination-prefix-list {
                my100mbps-endusers;
            }
        }
        then prefix-action per-user-100mbps;
    }
}

Are you saying that potentially I'm allowing the creation of individual
policers for each possible IPv4 address to every single one of my
destination-prefix-list members? All I am really trying to say is police
by destination address only. If you can suggest a modification here, I'd
appreciate it.


Thank you.
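As an added example (not part of the original thread, and not something either poster wrote or tested): the shape of a prefix-action that keys its policer on the destination /32 only, referenced from a filter term that matches a /24 destination-address rather than 0/0, which is the change the quoted reply recommends. The policer name, the bandwidth and burst figures, the prefix 192.0.2.0/24 and the term names are assumed placeholders. The destination-prefix-length and subnet-prefix-length statements are my reading of the Junos prefix-action syntax and should be checked against the documentation for your Junos release before use.

```junos
firewall {
    /* Assumed policer; figures are placeholders, not a recommendation */
    policer per-user-100mbps-policer {
        if-exceeding {
            bandwidth-limit 100m;
            burst-size-limit 1m;
        }
        then discard;
    }
    family inet {
        /* Key the policer set on the destination /32 within each matched /24.
           No source-prefix-length is given, so the source address is not part
           of the key; the term below matches destination only. */
        prefix-action per-user-100mbps {
            policer per-user-100mbps-policer;
            count;
            destination-prefix-length 32;
            subnet-prefix-length 24;
        }
        filter per-user {
            /* One term per customer /24 instead of a single 0/0 match.
               Assumed prefix 192.0.2.0/24 stands in for a real end-user block. */
            term max-per-user-192-0-2 {
                from {
                    destination-address {
                        192.0.2.0/24;
                    }
                }
                then prefix-action per-user-100mbps;
            }
            /* Filters end in an implicit discard; pass everything else through */
            term accept-rest {
                then accept;
            }
        }
    }
}
```

Each interface (or LAG member) the filter is applied to instantiates its own copy of the policer set, as the quoted reply's NB warns, so count terms times attachment points when sizing this against the line card.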




_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp