On 1/9/19 6:14 AM, Niall Donaghy wrote:
> Hi Mike,
>
> I can give you a few hints:
>
> DPCE will perform poorly, depending on how many policers you instantiate.
> (hint: 10K will kill it, and hint: policers will not be accurate).
> MPCs will perform better but don't burden more than you need to... obviously
> the MPC generations vary in performance.
> Your prefix-action config is spot-on.
> - This instantiates 1 x policer per /32.
> - If you change the subnet-prefix-length to 23, what you get is 1 x policer
> *shared* between x.x.x.1 and x.x.(x+1).1, x.x.x.2 and x.x.(x+1).2, etc.
>
> And a caution:
>
> Your firewall filter config matches on 0/0.
> - Uh oh! Won't this instantiate 2^32 policers? It's not flow-based, it's
> static instantiation..
>
> And recommendations:
>
> Change matching terms to /24s instead of 0/0...
> Yes - I believe this is sane, scalable to at least 20K IPs on
> MPC-3D-16XGE-SFPP.
>
> NB:
>
> On every instantiation of the firewall filter referencing the prefix-action,
> you are going to have another full set of policers.
>
> Eg: If you have 2 links, each a LAG comprised of 2 x members, then you'll
> have 4 x sets of policers (in your case, 40K).
> - If these are all on the same FPC, that's not just poor redundancy, but
> probably too many policers. :)

Hello,

Thank you for the response. Can I ask you - you stated the proposed filter config matches on 0/0 and thus would (try and die!) to create 2^32 individual policers, but that's what I thought this did:

    filter per-user {
        term max-per-user {
            from {
                source-address {
                    0.0.0.0/0;
                }
                destination-prefix-list {
                    my100mbps-endusers;
                }
            }
            then prefix-action per-user-100mbps;
        }
    }

Are you saying that potentially I'm allowing the creation of individual policers for each possible ipv4 address to every single one of my destination-prefix-list members?

All I am really trying to say is police by destination address only. If you can suggest a modification here, I'd appreciate it.

Thank you.