Hey there, What you want is destination class policing / source class policing based on destination class usage (DCU) This allows you to have policing based on BGP communities instead of managing prefix lists. This is supported on J-series since 8.5R1. Basically you want to: 1. apply bgp communities to routes learned from specific peers (international tag, domestic tag, etc). 2. write a policy that matches on tagged routes, and has an action of 'then destination-class INTERNATIONAL' etc... 3. apply the policy as as export policy to the forwarding-table. 4. configure accounting for destination-class-usage on interfaces that you wish to collect account for ... 5. configure a firewall filter that matches on destination-class and polices traffic to the correct rate. I can unicast you some configs once I dig them up from back in the day. DCU/DCP is a highly scalable way to provide differentiated accounting / policing for specific aggregate services. I have seen this deployed with 40+ regional zones. Cheers, Truman Boyes On 22/01/2009, at 2:21 PM, Craig Spiers wrote:
Hi All..
To try and better explain what barry is trying to do.. hes trying to traffic shape certain IP addresses on his network based on the BGP community a specific route is a member of..
Eg domestic traffic is a member of community 100 and international is 200
Eg 1.2.3.4 on his network communicating with a route dest in community 100 = 128k Eg 1.2.3.4 on his network communicating with a route dest in community 200 = 64k
I do this on our cisco's using BGP with ip-qos-map's and a service policy on the interface.. hes looking for the juniper equivalent..
Any ideas?
Kind Regards,
Craig Spiers - Network Manager Solarix Limited DDI: +64 9 974 4753 | FAX: +64 9 523 8057 FAULTS: 0800 89 41 42 MOB: +64 21 857 183 | email: craig.spiers(a)staff.solarix.co.nz The information contained in this email is privileged and confidential and intended for the addressee only. If you are not the intended recipient you are asked to respect that confidentiality and not disclose, copy or make
use of its contents. If received in error you are asked to destroy this email and contact the sender immediately.
-----Original Message----- From: Barry Murphy [mailto:barry(a)unix.co.nz] Sent: Thursday, 22 January 2009 3:42 p.m. To: Nznog Subject: [nznog] Juniper J2320,rate limit based on bgp community (national/international)
Hey Guys,
Hope this fits in with the AUP, however I'd hope so as not many forums show how to rate-limit based on national/international traffic as they don't bill accordingly, however in NZ this is standard practice so hoping someone with juniper knowledge can assist me here.
Basically I want to allow all traffic to/from national without rate-limit, then restrict international, for eg 128k.
icepick(a)NCCORE01# show firewall policer 128k { if-exceeding { bandwidth-limit 128k; burst-size-limit 4500; } then discard; } filter 128k { term 1 { from { forwarding-class assured-forwarding; } then accept; } term 2 { from { forwarding-class best-effort; } then { policer 128k; accept; } } }
icepick(a)NCCORE01# show policy-options policy-statement Orcon-Primary- In term 1 { from community [ Orcon-Local Orcon-National Orcon-Peering Orcon-Telstra Orcon-Telecom ]; then { local-preference 110; forwarding-class assured-forwarding; accept; } } term 2 { from { route-filter 0.0.0.0/0 upto /24; } then { local-preference 110; forwarding-class best-effort; accept; } } term 3 { from { route-filter 0.0.0.0/0 exact; } then { local-preference 120; accept; } } term 4 { then reject; }
icepick(a)NCCORE01# show interfaces ge-0/0/1 unit 55 description "Test interface"; vlan-id 55; family inet { filter { input 128k; output 128k; } address 113.21.x.x/29; }
The problem I'm running into is all traffic is being rate-limited at 128k, rather than just the international. I was able to find one example located at http://archives.devshed.com/forums/networking-100/policer-based-on-commu nity-2015343.html however this describes the use of destination-class where I only have forwarding-class so I'm not sure if this has been depreciated or renamed or not supported by J2320.
I understand this may be a question for JTAC, however I'd like to hear from users here in NZ that have managed to get this going with junos. To keep the list sane, please reply offlist, if many people are interested I'll post the working solution after being tested for archive purposes.
Public holiday for Aucklanders next monday, extra long weekend of beer, mmmmm
Thanks Barry
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog