Mailing List Archive

Policer Statistics (fwd)
Does someone have any findings for the following?

Thanks.
Cheeyong


---------- Forwarded message ----------
Date: Wed, 29 Jan 2003 01:13:48 +0800 (Singapore Standard Time)
From: Tay Chee Yong <tcy@pacific.net.sg>
To: juniper-nsp@puck.nether.net
Subject: Policer Statistics

Hi all,

I was wondering if Juniper running JUNOS 5.3 has a way of displaying a policer's
conformed/exceeded packets/bytes, as per a Cisco's rate-limit/service policy
show output.

Seems that the output results of the policer only shows the number of packets
being discarded (as per the policer's action - discard)

Policer: at-0/3/0.10-in-policer
at-0/3/0.10-in-policer
0 packets

Is there a way to display more information such as number of
conformed/exceeded packets/bytes for real-time debugging using the monitor
command?

I believe the common practice of using the policer is within the [edit firewall
filter] hierarchy, however, we are still unable to determine how well the
policer is functioning. From the show results, we are only able to see the hits
on the filter.

Will the later release of JUNOS allow us to view more details about the policer
that is applied on the filter, or interface?

Any comments are appreciated.

Many Thanks.

Regards,
Cheeyong
Policer Statistics (fwd)
Hi CheeYong,

In the following example:

    [edit firewall]
    filter limit-ftp {
        policer p1 {
            if-exceeding {
                bandwidth-limit 400k;
                burst-size-limit 20k;
            }
            then {
                discard;
            }
        }

When you do 'show firewall' you will see a
counter "limit-ftp". This counter is associated
with this policer and is counting the packets dropped/discarded.

        term t-ftp {
            from {
                source-address 1.2.3/24;
                protocol tcp;
                destination-port ftp;
            }
            then {
                policer limit-ftp;
                accept;
                count count-ftp;    <== packets that passed the policer
            }
        }
    }

This counter will count the packets that passed the policer.
In the then clause, the policer is applied first. After
this, if the packet did not get discarded, it will go
on to the next action, which is count.

Thanks,

Bob O'Hara

Systems Engineer/Northeast Region
Juniper Networks

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
Policer Statistics (fwd)
Hi Robert,

Thanks for your reply.

From our configuration, the count comes before the policer statement. Even if I
type policer statement before the count statement, the config will still display
the count statement before the policer statement, as shown below.

    policer icmp-cap {
        if-exceeding {
            bandwidth-limit 2m;
            burst-size-limit 16k;
        }
        then discard;
    }

    term icmp-anti-flooding {
        from {
            protocol icmp;
        }
        then {
            count icmp-anti-flooding;
            policer icmp-cap;
            sample;
            accept;
        }
    }

So does the above config mean that JUNOS will count the packets matching the
filter, then apply the policer?

Regards,
Cheeyong


Policer Statistics (fwd)
Cheeyong..

The counter that is defined in the 'then' statement counts *all* packets.
The counter that is associated with the policer when you execute the
'show firewall' command - shows the packets and bits that were policed.
You have to do a diff between the two different counters.

Bob O'Hara
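
The counter diff described in the reply above, worked through as an added example (not part of the original thread and not Juniper's code): it takes two snapshots of counter output and derives matched, discarded and passed packets for the interval. The snapshot text is constructed, and its layout and the filter name example-filter are assumptions; the counter and policer names are the ones from the thread.

```python
import re

# Constructed snapshots laid out like `show firewall` counter output. The layout
# (section headers, column order) is an assumption; adapt it to your release.
SNAP_T0 = """\
Filter: example-filter
Counters:
Name                         Bytes    Packets
icmp-anti-flooding          840000      10000
Policers:
Name                                  Packets
icmp-cap                                 1500
"""
# Second constructed snapshot, taken later: same layout, larger values.
SNAP_T1 = SNAP_T0.replace("840000", "1344000").replace("10000", "16000").replace("1500", "3900")

def parse_show_firewall(text):
    """Return {'counters': {name: packets}, 'policers': {name: packets}}."""
    out = {"counters": {}, "policers": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.lower() in ("counters:", "policers:"):
            section = line.lower().rstrip(":")
            continue
        # name, optional bytes column, packets column (always the last number)
        m = re.match(r"^(\S+)\s+(?:\d+\s+)?(\d+)$", line)
        if section and m:
            out[section][m.group(1)] = int(m.group(2))
    return out

def policer_report(before, after, counter, policer):
    """Packets matched by the term, discarded by the policer, and passed."""
    b, a = parse_show_firewall(before), parse_show_firewall(after)
    matched = a["counters"][counter] - b["counters"][counter]
    dropped = a["policers"][policer] - b["policers"][policer]
    if matched < 0 or dropped < 0:
        raise ValueError("counters went backwards (cleared or wrapped)")
    if dropped > matched:
        raise ValueError("term counter is not counting all matched packets")
    passed = matched - dropped
    drop_pct = round(100.0 * dropped / matched, 1) if matched else 0.0
    return {"matched": matched, "dropped": dropped, "passed": passed, "drop_pct": drop_pct}

if __name__ == "__main__":
    print(policer_report(SNAP_T0, SNAP_T1, "icmp-anti-flooding", "icmp-cap"))
```
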

