Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Configure Single-rate three-color policer on EX4200

    Posted 01-14-2014 06:32

    Dear all.

     

    I have a topology like this:

     

    Laptop--------------<LAN-NETWORK>-----------ge-0/0/12---<EX4200>-----------<ge-0/0/10>--------Server <10.15.242.172>

    I'm testing a single-rate three-color policer configuration:

    -------------

    set firewall three-color-policer TEST-THREE-POLICER action loss-priority high then discard
    set firewall three-color-policer TEST-THREE-POLICER single-rate color-blind
    set firewall three-color-policer TEST-THREE-POLICER single-rate committed-information-rate 1500
    set firewall three-color-policer TEST-THREE-POLICER single-rate committed-burst-size 20k
    set firewall three-color-policer TEST-THREE-POLICER single-rate excess-burst-size 20k

    -----------

    set firewall family ethernet-switching filter PHANLOAI term 1A from protocol icmp
    set firewall family ethernet-switching filter PHANLOAI term 1A then three-color-policer single-rate TEST-THREE-POLICER
    set firewall family ethernet-switching filter PHANLOAI term 2A then accept

     

    And then I apply this firewall filter to the ge-0/0/12 interface:

    set interfaces ge-0/0/12 unit 0 family ethernet-switching filter input PHANLOAI

    From my laptop I ping 10.15.242.172 continuously; here is the result:

     

    Pinging 10.15.242.172 with 1000 bytes of data:
    Reply from 10.15.242.172: bytes=1000 time=70ms TTL=126
    Reply from 10.15.242.172: bytes=1000 time=30ms TTL=126
    Reply from 10.15.242.172: bytes=1000 time=52ms TTL=126
    Reply from 10.15.242.172: bytes=1000 time=44ms TTL=126
    Reply from 10.15.242.172: bytes=1000 time=29ms TTL=126
    Reply from 10.15.242.172: bytes=1000 time=34ms TTL=126
    Reply from 10.15.242.172: bytes=1000 time=29ms TTL=126
    Reply from 10.15.242.172: bytes=1000 time=48ms TTL=126
    Reply from 10.15.242.172: bytes=1000 time=31ms TTL=126
    Reply from 10.15.242.172: bytes=1000 time=84ms TTL=126
    Request timed out.
    Reply from 10.15.242.172: bytes=1000 time=31ms TTL=126
    Request timed out.
    Request timed out.
    Reply from 10.15.242.172: bytes=1000 time=33ms TTL=126
    Request timed out.
    Reply from 10.15.242.172: bytes=1000 time=38ms TTL=126
    Request timed out.
    Request timed out.
    Request timed out.
    Reply from 10.15.242.172: bytes=1000 time=31ms TTL=126
    Request timed out.
    Request timed out.
    Reply from 10.15.242.172: bytes=1000 time=29ms TTL=126
    Request timed out.
    Reply from 10.15.242.172: bytes=1000 time=30ms TTL=126
    Request timed out.
    Request timed out.
    Reply from 10.15.242.172: bytes=1000 time=31ms TTL=126
    Request timed out.
    Reply from 10.15.242.172: bytes=1000 time=97ms TTL=126
    Request timed out.
    Request timed out.
    Reply from 10.15.242.172: bytes=1000 time=30ms TTL=126
    Request timed out.
    Reply from 10.15.242.172: bytes=1000 time=34ms TTL=126
    Request timed out.
    Request timed out.
    Reply from 10.15.242.172: bytes=1000 time=31ms TTL=126
    Request timed out.
    Reply from 10.15.242.172: bytes=1000 time=57ms TTL=126
    Request timed out.
    Request timed out.
    Reply from 10.15.242.172: bytes=1000 time=29ms TTL=126
    Request timed out.
    Reply from 10.15.242.172: bytes=1000 time=60ms TTL=126
    Request timed out.
    Request timed out.
    Reply from 10.15.242.172: bytes=1000 time=93ms TTL=126

    -----------

    Can somebody help me explain it? I think the root cause is these parameters: committed-burst-size 20k and excess-burst-size 20k. But I really don't understand what they mean and how they affect the ping result.

     

     



  • 2.  RE: Configure Single-rate three-color policer on EX4200

    Posted 01-14-2014 19:45

    Can anybody help me? It's quite hard to understand three-color marking on Junos.



  • 3.  RE: Configure Single-rate three-color policer on EX4200

    Posted 01-15-2014 08:48

    Traffic that does not exceed either the committed-information-rate (1500) or the committed-burst-size 20k is green traffic and is implicitly allowed. Traffic that exceeds the committed-burst-size 20k but not the excess-burst-size 20K is yellow: it is marked with medium-high loss priority and then transmitted. Packets that exceed the excess-burst-size 20k are marked red (action loss-priority high and then dropped).

     

    1st Issue: All traffic initiated from your laptop will be marked yellow because it will definitely cross the 1500 limit; remember the default packet size for Ethernet (1538 bytes including preamble, inter-frame gap and delimiter).

    2nd Issue: committed-burst-size 20k and excess-burst-size 20K are the same value, which is not technically correct, because all traffic exceeding CBS 20K will be marked yellow and at the same time it will also increase EBS and be marked red and subject to the drop action.

    3rd Issue: Is the traffic really exceeding 20k? Don't think that only ICMP traffic is passing through the interface. Try the command monitor traffic interface ge-0/0/X; you will see traffic for many protocols, e.g. ARP, LLDP if enabled, spanning-tree BPDUs etc. Now you just need to confirm that all this traffic is exceeding 20K: use show interface ge-0/0/x extensive | match "Traffic statistics". This will give you an idea of the traffic statistics for further analysis.

     



  • 4.  RE: Configure Single-rate three-color policer on EX4200

    Posted 01-16-2014 22:20

    @Route-Champ wrote:

    Traffic that does not exceed either the committed-information-rate (1500) or the committed-burst-size 20k is green traffic and is implicitly allowed. Traffic that exceeds the committed-burst-size 20k but not the excess-burst-size 20K is yellow: it is marked with medium-high loss priority and then transmitted. Packets that exceed the excess-burst-size 20k are marked red (action loss-priority high and then dropped).

     

    1st Issue: All traffic initiated from your laptop will be marked yellow because it will definitely cross the 1500 limit; remember the default packet size for Ethernet (1538 bytes including preamble, inter-frame gap and delimiter).

    2nd Issue: committed-burst-size 20k and excess-burst-size 20K are the same value, which is not technically correct, because all traffic exceeding CBS 20K will be marked yellow and at the same time it will also increase EBS and be marked red and subject to the drop action.

    3rd Issue: Is the traffic really exceeding 20k? Don't think that only ICMP traffic is passing through the interface. Try the command monitor traffic interface ge-0/0/X; you will see traffic for many protocols, e.g. ARP, LLDP if enabled, spanning-tree BPDUs etc. Now you just need to confirm that all this traffic is exceeding 20K: use show interface ge-0/0/x extensive | match "Traffic statistics". This will give you an idea of the traffic statistics for further analysis.

     


    Hi Route-Champ

     

    I reconfigured some parameters on TEST-THREE-COLOR like this:

     

    set firewall three-color-policer TEST-THREE-COLOR action loss-priority high then discard
    set firewall three-color-policer TEST-THREE-COLOR single-rate committed-information-rate 15k
    set firewall three-color-policer TEST-THREE-COLOR single-rate committed-burst-size 20k
    set firewall three-color-policer TEST-THREE-COLOR single-rate excess-burst-size 50k

    set firewall family ethernet-switching filter PHANLOAI term 1A from protocol icmp
    set firewall family ethernet-switching filter PHANLOAI term 1A then log
    set firewall family ethernet-switching filter PHANLOAI term 1A then count PING
    set firewall family ethernet-switching filter PHANLOAI term 1A then three-color-policer single-rate TEST-THREE-COLOR

    And here is the ping result:

    Reply from 10.15.242.172: bytes=1400 time=2ms TTL=126
    Reply from 10.15.242.172: bytes=1400 time=2ms TTL=126
    Reply from 10.15.242.172: bytes=1400 time=2ms TTL=126
    Reply from 10.15.242.172: bytes=1400 time=2ms TTL=126
    Request timed out.
    Reply from 10.15.242.172: bytes=1400 time=2ms TTL=125
    Request timed out.
    Reply from 10.15.242.172: bytes=1400 time=2ms TTL=125
    Reply from 10.15.242.172: bytes=1400 time=2ms TTL=125

    I added another term for the other traffic:

    set firewall family ethernet-switching filter PHANLOAI term 3A then accept
    set firewall family ethernet-switching filter PHANLOAI term 3A then log
    set firewall family ethernet-switching filter PHANLOAI term 3A then count OTHER

    So the ping result is OK, with nothing being dropped. Would you please help me explain it? And committed-burst-size 20k: from your explanation, I understand this is the total size of all packets that have been allowed to transmit (all packets that are marked green), and if this number is larger than 20K, traffic will be marked yellow. Is that right?

     



  • 5.  RE: Configure Single-rate three-color policer on EX4200
    Best Answer

    Posted 01-17-2014 10:44

    It may be that you have applied this filter on multiple physical interfaces, or on a single physical interface having multiple logical interfaces. This causes the creation of a single instance of the firewall filter (including the policer) for all interfaces or sub-interfaces under consideration. Change your firewall filter to interface-specific (set firewall family ethernet-switching filter "name" interface-specific). This will create a separate instance of the filter for each interface, and you can verify this. Before applying the interface-specific command, just run the "show firewall all" command from operational mode. You will see two counters, the first named "PING" and the second named with the policer name. After configuring the filter as interface-specific, run the "show firewall all" command again. You will see that 2 counters have been created for each sub-interface: one counter with the name "PING" suffixed with the sub-interface name, and a second counter with the policer name suffixed with the sub-interface name. You can also verify the number of hits on each counter. PING counter hits mean the number of packets that passed through the firewall filter, and policer-name counter hits mean the number of packets subject to the policer action. This will confirm whether or not your traffic is being dropped by the policer.

    Moreover, make your policer color-aware by including the command color-aware in the policer hierarchy.


    Link for policer configuration:

    http://www.juniper.net/techpubs/en_US/junos13.2/topics/topic-map/policer-single-rate-three-color.html

    Link for interface-specific filter and counter view:

    http://www.juniper.net/techpubs/en_US/junos13.2/topics/example/firewall-filter-option-interface-specific-instances-example.html
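The following is an added, runnable illustration of the mechanics discussed in posts 1, 3 and 4 (what committed-burst-size and excess-burst-size actually do to a stream of pings) and of the shared-instance point in post 5. It is example code written for this thread, not Juniper's implementation and not code from any of the posts. It models the two-bucket single-rate three-color marker of RFC 2697, which is the algorithm Junos documents for `three-color-policer ... single-rate`, using the Junos units: committed-information-rate in bits per second, committed-burst-size and excess-burst-size in bytes. The model is idealized and its inputs are constructed: it treats the ping payload size as the packet size (headers ignored), assumes one echo request per second in the request direction only, and the second port name ge-0/0/13 is an assumption. With the post 1 values (1500 bps refills only 187.5 bytes per second) the C bucket runs dry after about two dozen 1000-byte requests, the E bucket after another twenty or so, and from then on only the occasional request finds enough tokens to be green while the rest are red, which is exactly what `action loss-priority high then discard` drops. With the post 4 values (15 kbps refills 1875 bytes per second, more than one 1400-byte request per second) the C bucket never empties.

```python
"""Single-rate three-color marker (RFC 2697): the two-bucket algorithm behind a Junos
`three-color-policer ... single-rate`.  Added example for this thread, not Juniper code.
Units follow the Junos knobs: committed-information-rate in bits per second,
committed-burst-size and excess-burst-size in bytes."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SrTCM:
    cir_bps: int                 # committed-information-rate (bits/s): refill rate of both buckets
    cbs: int                     # committed-burst-size (bytes): depth of the C bucket
    ebs: int                     # excess-burst-size (bytes): depth of the E bucket
    color_aware: bool = False    # Junos `color-aware`; the default is color-blind
    tc: float = field(init=False, default=0.0)             # tokens currently in C
    te: float = field(init=False, default=0.0)             # tokens currently in E
    last: Optional[float] = field(init=False, default=None)

    def __post_init__(self) -> None:
        self.tc, self.te = float(self.cbs), float(self.ebs)   # both buckets start full

    def _refill(self, now: float) -> None:
        """Credit CIR/8 bytes per elapsed second: C fills first, overflow spills into E."""
        if self.last is None:
            self.last = now
        tokens = (now - self.last) * self.cir_bps / 8.0
        self.last = now
        to_c = min(tokens, self.cbs - self.tc)
        self.tc += to_c
        self.te = min(float(self.ebs), self.te + tokens - to_c)

    def color(self, now: float, size: int, incoming: str = "green") -> str:
        """Color one packet of `size` bytes arriving at `now` seconds.

        green  -> Junos loss-priority low (forwarded)
        yellow -> loss-priority medium-high (forwarded)
        red    -> loss-priority high (discarded by the thread's
                  `action loss-priority high then discard`)
        `incoming` is consulted only when color_aware is set: a pre-colored
        packet can be demoted but never promoted.
        """
        self._refill(now)
        if self.color_aware and incoming == "red":
            return "red"
        if self.tc >= size and not (self.color_aware and incoming == "yellow"):
            self.tc -= size
            return "green"
        if self.te >= size:
            self.te -= size
            return "yellow"
        return "red"                                   # red packets consume no tokens


def simulate(policer: SrTCM, size: int, interval: float, count: int) -> list[str]:
    """One `size`-byte packet every `interval` seconds through one policer instance."""
    return [policer.color(i * interval, size) for i in range(count)]


def summarize(colors: list[str]) -> dict[str, int]:
    c = Counter(colors)
    return {k: c.get(k, 0) for k in ("green", "yellow", "red")}


def shared_vs_interface_specific(seconds: int = 120) -> tuple[dict[str, int], dict[str, int]]:
    """Two access ports (ge-0/0/12 from the thread, ge-0/0/13 assumed) each sending one
    1400-byte echo request per second with the post 4 policer values.  A filter without
    `interface-specific` gives both ports ONE policer instance, so they drain the same
    buckets; with `interface-specific` each port gets its own instance."""
    ports = ("ge-0/0/12", "ge-0/0/13")
    params = dict(cir_bps=15_000, cbs=20_000, ebs=50_000)
    shared = SrTCM(**params)
    shared_colors = [shared.color(t, 1400) for t in range(seconds) for _ in ports]
    per_port = {p: SrTCM(**params) for p in ports}
    specific_colors = [per_port[p].color(t, 1400) for t in range(seconds) for p in ports]
    return summarize(shared_colors), summarize(specific_colors)


if __name__ == "__main__":
    # Post 1: CIR 1500 bps, CBS 20k, EBS 20k, 1000-byte requests, one per second
    print("post 1 values :", summarize(simulate(SrTCM(1500, 20_000, 20_000), 1000, 1.0, 60)))
    # Post 4: CIR 15k, CBS 20k, EBS 50k, 1400-byte requests, one per second
    print("post 4 values :", summarize(simulate(SrTCM(15_000, 20_000, 50_000), 1400, 1.0, 60)))
    print("shared/specific:", shared_vs_interface_specific())
```

Two further points this makes visible. First, burst size is not "the total of everything ever allowed"; it is the depth of a bucket that refills continuously at CIR, so a flow that sends less than CIR on average never exhausts it no matter how long it runs. Second, a Junos firewall filter ends in an implicit discard, so until term 3A in post 4 accepted the non-ICMP traffic, anything the ICMP term did not match (ARP included) was dropped regardless of the policer; the per-term `count` actions and the interface-specific counters from post 5 are the way to tell the two causes apart on the box.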