I am facing problem regarding firewall policier on Juniper MX platform. We have bundle link (AE Link) consisting of 2 x 10G links on which P2P IP is configured with customer for internet access. Now the customer want to have rate limit of 4 Mbps in both direction. Using Juniper way of calculating burst size (i.e 625K for 10G link) wont simply work.
Can someone discuss and share the configuration on how to apply rate limit (firewall policier) on aggregated interface? I even went through Juniper forum but it seems like it was not concluded
The configurations are as under :-
USER@R1> show configuration interfaces ae17.888
vlan-id 888;
family inet {
policer {
input pol-4m;
output pol-4m;
}
address x.x.x.x/31;
USER@R1> show configuration firewall policer pol-4m
if-exceeding {
bandwidth-limit 4m;
burst-size-limit 625k;
}
then discard;
}
USER@R1> show lacp interfaces ae17
Aggregated interface: ae17
LACP state: Role Exp Def Dist Col Syn Aggr Timeout Activity
xe-7/0/0 Actor No No Yes Yes Yes Yes Fast Active
xe-7/0/0 Partner No No Yes Yes Yes Yes Fast Active
xe-7/1/0 Actor No No Yes Yes Yes Yes Fast Active
xe-7/1/0 Partner No No Yes Yes Yes Yes Fast Active
LACP protocol: Receive State Transmit State Mux State
xe-7/0/0 Current Fast periodic Collecting distributing
xe-7/1/0 Current Fast periodic Collecting distributing
Thanks
Best Answer
JunOS will divide your policer into multiple policers for each physical interface in proportion to the percentage this interface has in the AE. In your example you have two interfaces so each will get a policer for 50% of your configured rate. In summary your policer will have the expected effect even when applied on an AE.
However if you have your links on different PFEs then you need to configure an additional option in the policer:
shared-bandwidth-policer
Try it like this:
Juniper KB31589 explains this.
Please be aware that one linecard (FPC) can have multiple PFEs on it. So you may also need this knob when all ports are on the same linecard. It doesn't hurt to use it anyway.