prefix-specific policers with multiple match conditions
Hi,

An advanced question on prefix-specific policers.

The example documentation is rather terse about the case of multiple match
conditions. That is (example from the docs):

firewall {
    policer 1Mbps-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 63k;
        }
    }
    family inet {
        prefix-action per-source-policer {
            policer 1Mbps-policer;
            subnet-prefix-length 24;
            source-prefix-length 32;
        }
    }
    filter limit-all-hosts {
        term one {
            from {
                source-address {
                    10.10.10.0/24;
                }
            }
            then prefix-action per-source-policer;
        }
    }
}

gives 256 policers. But now replace the last with:

filter limit-all-hosts {
    term one {
        from {
            source-address {
                10.10.10.0/24;
                10.20.30.0/24;
            }
        }
        then prefix-action per-source-policer;
    }
}

, and you still have 256 policers and counters, each of them having
{10.10.10.0, 10.10.30.0},{10.10.10.1, 10.10.30.1}, etc.

Needless to say, this seems like a completely useless "feature". It would
be much more desirable to have 256+256 policers and counters, with no
overlap.

Is there a way to achieve this effect, "continuing from one match
condition to another without overlapping"?

What I'd like to achieve is like:

source-address {
    1.1/16;
    2.2/16;
}

and:

    subnet-prefix-length 16;
    source-prefix-length 24;

that is, be able to monitor how much each /24 (or some other address
block) in our network is eating capacity, and possibly to police it to a
lower rate. This, too, will create an overlap though.

Or would a dirty hack here be using "subnet-prefix-length 15" (to generate
2*256 policers/counters) -- even though the match conditions are not
consecutive -- work?

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
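A small model of the indexing behaviour described in the question, added here as an example (it is not from the original post and not Juniper's own code). It assumes that the source-address bits between subnet-prefix-length and source-prefix-length select the policer, which is consistent with host .1 of both /24s landing in the same policer; it also generalises the /15 idea into a check for arbitrary prefixes, showing that it only separates prefixes that differ in the extra bit.

```python
"""Model of how a Junos prefix-action maps source addresses to policers.

Indexing rule assumed from the behaviour reported in the thread (hosts .1
of two /24s in one term share policer 1), not taken from Juniper
documentation: the source-address bits between subnet-prefix-length and
source-prefix-length select one of 2**(source_len - subnet_len) policers.
"""
import ipaddress


def policer_index(addr, subnet_len, source_len):
    """Index of the policer/counter that a source address selects."""
    a = int(ipaddress.IPv4Address(addr))
    width = source_len - subnet_len
    return (a >> (32 - source_len)) & ((1 << width) - 1)


def index_range(prefix, subnet_len, source_len):
    """(lowest, highest) policer index used by hosts of one match prefix."""
    net = ipaddress.IPv4Network(prefix)
    return (policer_index(net.network_address, subnet_len, source_len),
            policer_index(net.broadcast_address, subnet_len, source_len))


def shared_policers(prefixes, subnet_len, source_len):
    """Pairs of match prefixes in one term whose hosts would share policers."""
    ranges = [(p, index_range(p, subnet_len, source_len)) for p in prefixes]
    clashes = []
    for i, (p1, (lo1, hi1)) in enumerate(ranges):
        for p2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:   # index ranges intersect
                clashes.append((p1, p2))
    return clashes


if __name__ == "__main__":
    # The overlap from the question: both /24s index the same 256 policers.
    print(policer_index("10.10.10.1", 24, 32), policer_index("10.20.30.1", 24, 32))
    print(shared_policers(["10.10.10.0/24", "10.20.30.0/24"], 24, 32))
    # The /15 idea: 1.1/16 and 2.2/16 differ in bit 15 and get disjoint
    # halves (256 policers each), but 1.1/16 and 2.3/16 would collide.
    print(index_range("1.1.0.0/16", 15, 24), index_range("2.2.0.0/16", 15, 24))
    print(shared_policers(["1.1.0.0/16", "2.2.0.0/16"], 15, 24))
    print(shared_policers(["1.1.0.0/16", "2.3.0.0/16"], 15, 24))
```

Separate prefix-actions per term, as in the reply below in this thread, give each term its own index space instead, so no bit trick is needed.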

prefix-specific policers with multiple match conditions
Hello Pekka,

I am not sure if you already received a response on this or not. The way
I would do this is to create two PSA's:

scapshaw@homer# show firewall
policer 1M-policer {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 63k;
    }
    then discard;
}
policer 1m-policer2 {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 63k;
    }
    then discard;
}
family inet {
    prefix-action host-policer {
        policer 1M-policer;
        count;
        filter-specific;
        subnet-prefix-length 24;
        source-prefix-length 32;
    }
    prefix-action host-policer2 {
        policer 1m-policer2;
        count;
        filter-specific;
        subnet-prefix-length 24;
        source-prefix-length 32;
    }
}
filter fair-bw {
    term a {
        from {
            source-address {
                10.10.10.0/24;
            }
        }
        then prefix-action host-policer;
    }
    term b {
        from {
            source-address {
                10.20.30.0/24;
            }
        }
        then prefix-action host-policer2;
    }
    term c {
        then accept;
    }
}

[edit]

Thanks
Sean


On Wed, 7 May 2003, Pekka Savola wrote:

> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>