Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.

strange behavior firewall policer MX960

  • 1.  strange behavior firewall policer MX960

    Posted 29 days ago

    Hello. We have the following topology:

    When we apply this family inet filter to Point-1 and run a speedtest, we get 500Mb for the output, but only 280-300 Mb for the input. The same happens when we apply the family inet filter at Point-2; however, when we apply the family inet filter at Point-3 we get 500Mb for both output and input. What could the problem be?

    show configuration firewall family inet filter TEST
    interface-specific;
    term 1 {
        then {
            policer plcr-500m-TEST;
            accept;
        }
    }

    show configuration firewall policer plcr-500m-TEST
    filter-specific;
    if-exceeding {
        bandwidth-limit 500m;
        burst-size-limit 31250000;

    show configuration interfaces aex.x
    description "X";
    vlan-id X;
    family inet {
        filter {
            output TEST;

            input TEST;
        }
        policer {
            arp arp-policer;
        }
        address x.x.x.x.x/x;

    The link between the MX480 and MX960 consists of 1 xe interface in a bundle.

     show lacp interfaces aex
    Aggregated interface: aex
        LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
          xe-x/x/x       Actor   No    No   Yes   Yes  Yes  Yes   Fast     Active
          xe-x/x/x     Partner   No    No   Yes   Yes  Yes  Yes   Fast     Active
        LACP protocol:        Receive State  Transmit State    Mux State
          xe-x/x/x               Current     Fast periodic   Collecting distributing

    I see a difference in the max values of Win Size and Segment Length, but I don't understand why.

    For example: PCAP (on CE) for Point-3, this is 1 TCP flow

    For example: PCAP for Point-1, this is 1 TCP flow



    ------------------------------
    Dmitry Savolyuk
    ------------------------------