Routing


best way to apply different bandwidth policers to outbound traffic on MX interface

  • 1.  best way to apply different bandwidth policers to outbound traffic on MX interface

    Posted 03-04-2019 06:23

    Hi All,

     

    Based on the attached diagram, I am trying to see how best I can give customers something like this:

    For traffic coming from the Google cache, I want to subject it to a 100mbps policer; other traffic I will limit with a 100mbps policer (using an output filter applied to the interface). In total, the customer will end up with 200mbps of traffic usage. Now, I want to give this extra Google traffic only when the link to Google is up (if the Google link is down and Google traffic is coming via upstream, I want to limit the customer to only 100mbps).

    Currently I am using a prefix-list as the match condition for the bandwidth filter, and it matches Google traffic whether the Google link is up or down, and it's congesting my upstream during link failure.

    Typical output filter applied to the customer interface:

     

    re0# show firewall family inet filter 35MB_NET_35MB_GOOGLE
    interface-specific;
    term GOOGLE-TRAFFIC {
        from {
            prefix-list {
                GOOGLE;
            }
        }
        then {
            policer 35MB-POLICER;
            accept;
        }
    }
    term OTHER-TRAFFIC {
        then {
            policer 35MB-POLICER;
            accept;
        }
    }
    
    
    re0# show interfaces ge-1/0/3.13
    
    family inet {
        filter {
           output 35MB_NET_35MB_GOOGLE;
        }
        address x.x.x.x/30;
    }
    

     

    Is there a different way I can match the Google traffic under the Google term? Something like marking the traffic on the ingress PE1 and using forwarding-class or DSCP bits in the filter term to identify Google traffic. Is this possible?

    At the PE where I am peering with Google directly, I am using "from interface" as the match condition in the filter term and it's working fine, but I can't do the same on the downstream PEs.



  • 2.  RE: best way to apply different bandwidth policers to outbound traffic on MX interface

    Posted 03-04-2019 21:37

    Hello,

    Are You peering with GGC as ASN11344 or ASN36040 or as any other ASN (I've seen AS65535 used as well)?

    Does GGC advertise anything to You when it is up? If yes do You see the same prefixes coming from AS15169 when GGC link is down? When GGC is down, the "googling" traffic is supposed to come from AS15169.

    So, You can use JUNOS SCU (Source Class Usage) feature to separately rate-limit traffic that comes from AS11344/36040/65535 etc and rate-limit traffic from AS15169 collectively with other customer traffic.

    JUNOS SCU

    https://www.juniper.net/documentation/en_US/junos/topics/example/source-class-usage-simple-solution.html

    You can use as-path or community match to assign the SCU to the prefixes.

    HTH

    Thx

    Alex

     



  • 3.  RE: best way to apply different bandwidth policers to outbound traffic on MX interface

    Posted 03-04-2019 22:06
    Hi Alex,

    I am peering with GGC ASN# 15169 via a direct PNI link. I am receiving prefixes from GGC over this link, and when the link goes down (BGP dies and the prefixes disappear too), my routers fall back to prefixes from upstream providers. It so happens that my upstreams are also connected to the same regional GGC and they announce the same prefixes to me with ASN# 15169.

    So in my network, Google prefixes appear with ASN# 15169 whether it's via the direct PNI link or the upstream links.

    Can I still consider SCU as an option?



  • 4.  RE: best way to apply different bandwidth policers to outbound traffic on MX interface

    Posted 03-04-2019 22:49

    Hello,

     


    @lish wrote:
    Hi Alex,

    Am peering with GGC ASN# 15169 via direct PNI link. I am receiving prefixes from GGC over this link and when the link goes down( bgp dies and prefixes disappear too). 

     

    Well, that's not the Google cache/GGC then but GOOG private peering. GGC is explained here https://support.google.com/interconnect/answer/9058809?hl=en and GGC BGP is explained here https://support.google.com/interconnect/answer/9058809?hl=en

     

    Please use correct terminology when posting, it helps a lot.

     

     


    @lish wrote:
    Hi Alex,



    Can still consider SCU as an option?


     

    Yes, You can if You construct an as-path regex to match on the as-path from the GOOG PNI, which should be

    set policy-options as-path GOOG_PNI "^15169{1,}$" ## where {1,} exists to account for prepending

    - and then another as-path regex that matches on Your upstream ASN && 15169, like below:

     

    set policy-options as-path GOOG_VIA_UPSTREAM "^65500{1,} (.*) 15169{1,}$"  ## (.*) exists to account for intermediate ASN between Your upstream & GOOG. 65500 is upstream ASN, substitute as necessary.

    - and finally construct a policy that matches on the above as-path regexes and assigns SCU to the prefixes that match.

    You only need to do it on the PE router where Your customer CE is attached, assuming this PE router gets the GOOG prefixes via iBGP from Your ASBR.

     

    HTH

    Thx

    Alex

     



  • 5.  RE: best way to apply different bandwidth policers to outbound traffic on MX interface

    Posted 03-05-2019 01:54

    @aarseniev wrote:

    Hello,

     

    Please use correct terminology when posting, it helps a lot.

     


    Sorry about that confusion. My bad.

    One more thing: once I set up the SCU and the prefixes are matched, to achieve my final goal I can reference the SCU in my filter term, right? Something like this:

     

    -re0# set term 1 from source-c?
    Possible completions:
    + source-class         Match source class
    + source-class-except  Do not match source class
    
    source-class here is referring to the SCU name?
    


  • 6.  RE: best way to apply different bandwidth policers to outbound traffic on MX interface
    Best Answer

    Posted 03-05-2019 03:05

    Hello,

     


    @lish wrote:

    one more thing, once i setup the SCU and prefixes are matched. to achieve my final goal, i can reference the SCU on my filter term right ?

     

    Yes, SCU can be referenced in output firewall filter 

    https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-stateless-match-conditions-address-classes.html

     

    When applying a SCU or DCU firewall filter to an interface, keep the following guidelines in mind:

    • Output interfaces—Class-based firewall filter match conditions work only for firewall filters that you apply to output interfaces. This is because the SCU and DCU are determined after route lookup occurs.

     

    HTH

    Thanks
    Alex
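
The configuration this thread arrives at (the as-path regexes from reply 4, the source-class match in an output filter from reply 6), put together in set format as an added example that is not part of any post or of Juniper's documentation. The policy, class, policer and filter names, the burst sizes and `<core-ifd>`/`<n>` are assumptions; it also assumes Google-sourced traffic enters the customer-facing PE as plain IPv4 on that core-facing interface.

```junos
## Added example, not from the thread. SCU-GOOG, GOOG-PNI, GOOG-UPSTREAM,
## 100M-GOOGLE, 100M-NET, CUST-OUT and <core-ifd>/<n> are placeholder names.

## as-path definitions exactly as posted in reply 4 (65500 = upstream ASN)
set policy-options as-path GOOG_PNI "^15169{1,}$"
set policy-options as-path GOOG_VIA_UPSTREAM "^65500{1,} (.*) 15169{1,}$"

## Assign a source class according to the AS path of the active route.
## When the PNI is down the active route changes, and so does the class.
set policy-options policy-statement SCU-GOOG term PNI from as-path GOOG_PNI
set policy-options policy-statement SCU-GOOG term PNI then source-class GOOG-PNI
set policy-options policy-statement SCU-GOOG term UPSTREAM from as-path GOOG_VIA_UPSTREAM
set policy-options policy-statement SCU-GOOG term UPSTREAM then source-class GOOG-UPSTREAM

## Classes are attached to routes as they are exported to the forwarding table
set routing-options forwarding-table export SCU-GOOG

## Source lookup where the traffic enters the PE; class match where it leaves
set interfaces <core-ifd> unit <n> family inet accounting source-class-usage input
set interfaces ge-1/0/3 unit 13 family inet accounting source-class-usage output

## Two separate policers (burst sizes are constructed sample values)
set firewall policer 100M-GOOGLE if-exceeding bandwidth-limit 100m
set firewall policer 100M-GOOGLE if-exceeding burst-size-limit 625k
set firewall policer 100M-GOOGLE then discard
set firewall policer 100M-NET if-exceeding bandwidth-limit 100m
set firewall policer 100M-NET if-exceeding burst-size-limit 625k
set firewall policer 100M-NET then discard

## Output filter: only traffic classed GOOG-PNI gets the extra 100 Mbps.
## GOOG-UPSTREAM is not referenced, so it shares 100M-NET with everything else.
set firewall family inet filter CUST-OUT interface-specific
set firewall family inet filter CUST-OUT term GOOGLE-TRAFFIC from source-class GOOG-PNI
set firewall family inet filter CUST-OUT term GOOGLE-TRAFFIC then policer 100M-GOOGLE
set firewall family inet filter CUST-OUT term GOOGLE-TRAFFIC then accept
set firewall family inet filter CUST-OUT term OTHER-TRAFFIC then policer 100M-NET
set firewall family inet filter CUST-OUT term OTHER-TRAFFIC then accept
set interfaces ge-1/0/3 unit 13 family inet filter output CUST-OUT
```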