Switching

Hello,

I need some help. I want to limit bandwith in a LACP aggregate port ( this port has two ge interface). I thought used policiers for limit bandwith, but i read, policiers no working in aggregate interface (ae). Is this true?. I though configure something like this:

set firewall policer LB-policer logical-bandwidth-policer
set firewall policer LB-policer if-exceeding bandwidth-limit 200m
set firewall policer LB-policer if-exceeding burst-size-limit 125k
set firewall policer LB-policer then discard
set interfaces ae0 unit 0 family inet policer input LB-policer
set interfaces ae0 unit 0 family inet policer output LB-policer

If i can not cofigure policier, do someone know i could configure?

Thanks

There is no issue with applying policer (through firewall filiter) on ae. There are many other ways to rate limit traffic. You may apply shape-rate on logical interface under class of service configuration hierarchy . It may vary on different platform. You may also use virtual channel to apply rate limit traffice on logical interfaces.

Reference link

https://www.juniper.net/techpubs/en_US/junos12.1/topics/topic-map/policer-single-rate-two-color-bandwidth.html

****************First approach to apply policer through filiter************************

set firewall policer limit-1m if-exceeding bandwidth-limit 1m
set firewall policer limit-1m if-exceeding burst-size-limit 5m
set firewall policer limit-1m then discard
set firewall filter test-filter term 1 then policer limit-1m
set interfaces ae0 unit 0 family inet filter input test-filter

********************2nd approach to apply per unit scheduling through class of service ****************
set interfaces ae0 per-unit-scheduler
set class-of-service interfaces ae0 unit 0 shaping-rate 1m

Pleas mark this as accepted solution if it solves your problem

Kudos a good way of appreciation

Kashif Nawaz

JNCIP-Sec , JNCIS-Ent, JNCIS-Sec, JNCIA-Junos

hello route-champ,

Thanks for your answer. I configured:

firewall {
family ethernet-switching {
filter LIMITE-200M {
interface-specific;
term default {
then policer POLICER-200M;
}
}
}
policer POLICER-200M {
filter-specific;
if-exceeding {
bandwidth-limit 200m;
burst-size-limit 125k;
}
then discard;
}
}

interfaces {
ae1 {
description Q-in-Q_1003;
aggregated-ether-options {
lacp {
active;
}
}
unit 0 {
family ethernet-switching {
port-mode trunk;
filter {
input LIMITE-200M;
}
}
}
}
}

I tried set in the interface ae1 unit 0 "output LIMITE-200m" but the EX reject the command. Do you know why the device reject the command?. Do you know if my config configuration is going to work fine?, i have some dude

You mean set interfaces ae1 unit 0 family ethernet-switching filter output LIMITE-200m is giving a commit error or command is not acceptable. There should not be issue, but i have personal experience(with EX 4200 ) outtput filiter even if configured does not work, I have also read it somewhere .

Pleas mark this as accepted solution if it solves your problem

Kudos a good way of appreciation

Kashif Nawaz

JNCIP-Sec , JNCIS-Ent, JNCIS-Sec, JNCIA-Junos

command is not acceptable. I read in the link you gave me:

Guidelines for Applying a Bandwidth Policer

• You can use a bandwidth policer to rate-limit protocol-specific traffic (not family any) at the input or output of a logical interface.
• You can apply a bandwidth policer directly to protocol-specific input or output traffic at a logical interface.

• To send only selected packets to a bandwidth policer, you can reference the bandwidth policer from a stateless firewall filter term and then apply the filter to logical interface traffic for a specific protocol family.

  • To reference a logical bandwidth policer from a firewall filter, you must include the interface-specific statement in the firewall filter configuration.
  • You cannot use a bandwidth policer for forwarding-table filters.
• You cannot apply a bandwidth policer to an aggregate interface, a tunnel interface, or a software interface.

I dont understand the line i mark in color blue, probably this is the cause which the EX doesnt permit to configure the output policier.

Bandwidth policer configuration option are not consistent among different type of Junos based devices.  I have tested your configuration on EX 4200 with Junos 11.4 there is absolute no issue with configuration acceptance , then i tried to configure per-unit-scheduler on EX 4200 but option is not available (even for physical interface) i was totally astonished . But per-unit-scheduler option is available in branch SRX (tested on SRX 210) even for st0 and ae0.

******************************************************************************

here is my configuration and no issue at least during configuration acceptance , results for actual rate-limit not tested

root@test-switch# set unit 0 family ethernet-switching filter input ?
Possible completions:
  200M-policer      

******************************************************************************

Hence you have not applied any specific match condition in your firewall filiter, you may try to configure shaping-rate for ae1 under class of service configuration stanza. This technique might  fulfill your requirement 

set class-of-service interfaces ae1 shaping-rate ,

Pleas mark this as accepted solution if it solves your problem

Kudos a good way of appreciation

Kashif Nawaz

JNCIP-Sec , JNCIS-Ent, JNCIS-Sec, JNCIA-Junos