Switching

Hi,

I have a little problem with policer (rate limit) configuration.

There are interface VLAN that should be with PBR and rate limit.

When I'm creating firewall filter with PBR and policer in the same term and configuring interface VLAN for input filter, I have lost connectivity to the server in this VLAN.

I'm also tried to use only policer in the term, without PBR, same problem no connectivity to server. The PBR works properly in the same term, without the policer.

What I'm doing wrong?

Attached configuration (the IP's was changed)

root@NY1RT1e# show firewall family inet filter test
term test {
    from {
        source-address {
            2192.168.1.194/32;
        }
    }
    then {
        policer qos-test;
        routing-instance Outband-AMetro_PPlead-R900;
    }
}
term default {
    then accept;
}

root@NY1RT1e# show firewall policer qos-test
if-exceeding {
    bandwidth-limit 1m;
    burst-size-limit 1;
}
then discard;


root@NY1RT1e# show routing-instances
Outband-AMetro_PPlead-R900 {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.10.10.1;
        }
    }
}

root@NY1RT1e# show interfaces vlan.666
family inet {
    filter {
        input test;
    }
    address 192.168.1.193/29;
}

hi Maxo,

assuming PBR is fine, please look at your policer 'burst-size-limit 1'. The value is .. bit small to pass any packet.

See http://kb.juniper.net/InfoCenter/index?page=content&id=KB19813 for advice on setting burst size

For 1Mbps: 

1)  Burst = 1000000 * 0.00025 = 250 

      or maximum packet size [bits] = 1500 * 8 = 12k

2) 10*MTU = 10*1500 = 15k

I'm not sure what's the policer granularity and EX implementation, but would start with burst size not smaller than 15k

(and test).

jtb

Hi jtb,

Thank you. It works.

Sorry for stupid mistake.