Juniper Dynamic Subscriber Management – Traffic Policing

juniperjuniper-junospolicing

I've managed to get QinQ subscriber management working. Now I want to shape / police both VLAN connections. As a test I have configured this:

DYNINTF-STACKED-KANTOOR-TEST {
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-interface-unit" {
                proxy-arp restricted;
                vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                filter {
                    input "$junos-input-filter";
                    output "$junos-output-filter";
                }
                family inet {
                    unnumbered-address lo0.0 preferred-source-address 10.110.110.1;
                }
            }
        }
    }

}

The filter:

show firewall filter 17Mb 
term test {
    then policer 17Mb-policer;
}

And at last, the policer:

policer 17Mb-policer {
    if-exceeding {
        bandwidth-limit 17m;
        burst-size-limit 1m;
    }
    then discard;
}

If I for example configure police-17M on both input and output filter hierarchy in the dynamic profile then it works fine:

IPv4 Input Filter Name: police-17M-ge-1/1/4.1073936801-in
IPv4 Output Filter Name: police-17M-ge-1/1/4.1073936801-out

But this is not the way it should be..

UPDATE

This is what I now receive on the Juniper:

Apr  7 12:16:58.908497 radius-access-accept: Ingress-Policy-Name (Juniper-ERX-VSA) received: police-17M
Apr  7 12:16:58.908552 radius-access-accept: Egress-Policy-Name (Juniper-ERX-VSA) received: police-17M

However, showing this subscriber in extensive mode, I don't see it being applied to the dynamic interface. Any idea why?

Best Answer

So you need two dynamic profiles. A VLAN and an IP profile. The VLAN profile is for creating dynamic profiles and the IP profile is for applying filters to them.

Notice the use of $junos-underlhing-interface-unit which is basically the dynamically created unit by the VLAN profile.

VLAN profile:

DYNINTF-VLAN-DHCP-INET-KPN {
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-interface-unit" {
                proxy-arp restricted;
                vlan-id "$junos-vlan-id";
                family inet {
                    unnumbered-address lo0.0 preferred-source-address 10.110.110.1;
                }
            }
        }
    }
 }

IP profile:

 DYNSUB-IP-PROFILE-KPN {
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-underlying-interface-unit" {
                family inet {
                    filter {
                        input "$junos-input-filter";
                        output "$junos-output-filter";
                    }
                }
            }
        }
    }
}

In my situation, i have two VLAN profiles. One for single and one for stacked VLAN customers. The IP profile is configured under the DHCP group for the whole interface while only the stacked VLAN profiles should use them. If anyone got an idea for this, I'm happy to hear you out :-)

Related Solutions

Routing – Isolating Juniper Management Plane

This can easily turn into a debate, sure you could do management in different logical-system, but what are the perceived gains? You're still going to need to protect the main instance just the same.
In my opinion you gain nothing but you add complexity, which means added risk of downtime.

It would be different matter on SUP2T or Nexus7k with CMP, where you truly have separate out-of-band interface available.

My recommendation would be to optimize for least complexity, do on-band ssh management via normal main instance and have RS232 (alas, necessary evil) as back-up out-of-band.

If you go through this route, it'll work, there will be some inconveniences like copying software, but you can cope with it, with 'set cli logical-system MGMT'

You need two solution, one for normal day-to-day work, and another for OOB, when system or network is broken. OOB is easy, you need RS232, as RS232 is only solution you can use, to try to reboot box when junos is not running or unresponsive (set system debugger-on-break).
For your main day-to-day work, it's more debatable, you have three options:

use on-band (same routes as production INET)
use routing-instance (you'll get routing separation, but use same copy of RPD, but I guess you're using FXP0, which is not supported here)
use logical-system, another copy of RPD is ran just for MGMT

You mentioned need to have symmetric route. I assume from this, that you want to use FXP0 for MGMT and you have another competing route for return traffic, which you need, as NMS server network is used for something else than just NMS, which is bit worrying.
In my opinion FXP0 is simply not needed, as it's not OOB (like CMP is) you cannot even protect FXP0 port via FW filter, as it's not HW interface.

But if we assume that you want to keep using FXP0 then you indeed pretty-much MUST put it in logical-system, even if you didn't have competing route for NMS, you'd still need to put FXP0 in logical-system, otherwise you expose your NMS network to attacks from the on-band, which you cannot protect, as you cannot put HW FW filter in the FXP0 interface.

Cisco – Traffic Policing

I would use vlan-based policing which works better on these switches. This is an example matching a speed value of 48Mb

mls qos
!
interface GigabitEthernet1/0/2
 switchport access vlan 500
 switchport mode access
 mls qos vlan-based
!
class-map match-all CUSTOMER_1
 match input-interface  GigabitEthernet1/0/2
!
policy-map VLAN500_POLICE
 class CUSTOMER_1
  police 48000000 18000000 exceed-action drop
!
policy-map VLAN500_PARENT
 class class-default
  set dscp default
  service-policy VLAN500_POLICE
!
interface Vlan500
 service-policy input VLAN500_PARENT

Under the parent policy you have to 'set' something in order for it to work. This could be anything so in this example I'm simply setting the dscp to 0

Best Answer

Related Solutions

Routing – Isolating Juniper Management Plane

Cisco – Traffic Policing

Related Topic