Juniper Networks – Rate-Limiting Policer on Aggregated Ethernet (AE) Bundle


I am facing a problem regarding a firewall policer on the Juniper MX platform. We have a bundle link (AE link) consisting of 2 x 10G links on which a P2P IP is configured with the customer for internet access. Now the customer wants to have a rate limit of 4 Mbps in both directions. Using the Juniper way of calculating burst size (i.e. 625K for a 10G link) simply won't work.

Can someone discuss and share the configuration on how to apply a rate limit (firewall policer) on an aggregated interface? I even went through the Juniper forum, but it seems like it was not concluded:

https://forums.juniper.net/t5/Routing/How-to-rate-limit-ipv4-and-ipv6-family-on-a-AE-bundle-logical/td-p/324098

The configurations are as follows:

USER@R1> show configuration interfaces ae17.888 
vlan-id 888;
family inet {
    policer {
        input pol-4m;
        output pol-4m;
    }
    address x.x.x.x/31;
}

USER@R1> show configuration firewall policer pol-4m 
if-exceeding {
    bandwidth-limit 4m;
    burst-size-limit 625k;
}
then discard;

USER@R1> show lacp interfaces ae17 
Aggregated interface: ae17
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      xe-7/0/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      xe-7/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      xe-7/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      xe-7/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State 
      xe-7/0/0                  Current   Fast periodic Collecting distributing
      xe-7/1/0                  Current   Fast periodic Collecting distributing

Thanks

Best Answer

JunOS will divide your policer into multiple policers for each physical interface in proportion to the percentage this interface has in the AE. In your example you have two interfaces, so each will get a policer for 50% of your configured rate. In summary, your policer will have the expected effect even when applied on an AE.

However, if you have your links on different PFEs, then you need to configure an additional option in the policer: shared-bandwidth-policer.

Try it like this:

set firewall policer pol-4m shared-bandwidth-policer

Juniper KB31589 explains this.

A standard policer restricts traffic at the configured rate per PFE. In the case of AE bundles spanning multiple FPCs, the overall rate for the subscriber could exceed the configured rate (depending on the number of PFEs involved). An example of this would be a policer with bandwidth-limit 40mbps and burst-size 40Kbytes configured on an AE interface that has member links ge-0/0/0 and ge-1/0/0. When the policer is applied to the AE interface, this will result in a total bandwidth of 80Mbps as policer is configured for two PFE's.

[...]

The purpose of the “Shared-bandwidth-policer” feature is to match the effective bandwidth/burst-size made available to an aggregate bundle by enhancing the implementation of the policer on the PFE. The implementation will statically carve up the bandwidth and burst size among the PFE-complex by a factor derived from number of member-links that belong to a given PFE-complex.

Please be aware that one linecard (FPC) can have multiple PFEs on it. So you may also need this knob when all ports are on the same linecard. It doesn't hurt to use it anyway.
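
The per-PFE behaviour described in the KB excerpt can be modelled as follows. This is an added example, not code from the answer or from Juniper. It goes beyond the single KB case by accepting any member-link-to-PFE mapping; the PFE labels, the placement assumed for ae17, and the strictly proportional split are assumptions made for illustration.

```python
from collections import Counter

# Junos suffixes: k = 1,000, m = 1,000,000, g = 1,000,000,000
UNITS = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_rate(text):
    """Convert a Junos-style value such as '4m' or '625k' to an integer."""
    text = text.strip().lower()
    if text[-1] in UNITS:
        return int(text[:-1]) * UNITS[text[-1]]
    return int(text)


def effective_policer(bandwidth, burst, link_to_pfe, shared):
    """Return ({pfe: (bandwidth_bps, burst_bytes)}, aggregate_bps).

    link_to_pfe maps each AE member link to a label for the PFE hosting it.
    The labels are hypothetical; the real placement depends on the line card.
    """
    bw, bs = parse_rate(bandwidth), parse_rate(burst)
    links_per_pfe = Counter(link_to_pfe.values())
    total_links = sum(links_per_pfe.values())
    per_pfe = {}
    for pfe, count in sorted(links_per_pfe.items()):
        if shared:
            # shared-bandwidth-policer: static carve-up by member-link count
            per_pfe[pfe] = (bw * count // total_links, bs * count // total_links)
        else:
            # standard policer: every PFE enforces the full configured values
            per_pfe[pfe] = (bw, bs)
    aggregate = sum(rate for rate, _ in per_pfe.values())
    return per_pfe, aggregate


# KB case: member links on two FPCs, hence two PFEs.
KB_LINKS = {"ge-0/0/0": "fpc0-pfe0", "ge-1/0/0": "fpc1-pfe0"}
# The question's bundle; placing the two links on separate PFEs is ASSUMED.
AE17_LINKS = {"xe-7/0/0": "fpc7-pfe0", "xe-7/1/0": "fpc7-pfe1"}

if __name__ == "__main__":
    cases = (("KB", KB_LINKS, "40m", "40k"), ("ae17", AE17_LINKS, "4m", "625k"))
    for name, links, bw, burst in cases:
        for shared in (False, True):
            per_pfe, total = effective_policer(bw, burst, links, shared)
            mode = "shared-bandwidth-policer" if shared else "standard"
            print(f"{name:5} {mode:25} aggregate={total} per-PFE={per_pfe}")
```

If both member links turn out to sit on one PFE, the standard and shared results are identical, which matches the remark that the knob does no harm.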
