-----Original Message-----
From: nznog-request(a)list.waikato.ac.nz [mailto:nznog-request(a)list.waikato.ac.nz]
Sent: Wednesday, 28 January 2009 11:07 a.m.
To: nznog(a)list.waikato.ac.nz
Subject: NZNOG Digest, Vol 73, Issue 24
Today's Topics:
1. Re: Juniper J2320, rate limit based on bgp community
(national/international) (Truman Boyes)
2. Re: Juniper J2320, rate limit based on bgp community
(national/international) (Barry Murphy)
3. Vendor reception at NZNOG - Open to all (Nathan Ward)
4. Re: Vendor reception at NZNOG - Open to all (Neil Gardner)
5. Re: Vendor reception at NZNOG - Open to all (Nathan Ward)
6. NZRR Route Registry Update (NZRR Database Notifications)
7. NZRR Route Registry Update (NZRR Database Notifications)
8. NZNOG IRC Channel (Mark Foster)
9. Re: NZNOG IRC Channel (Scott Howard)
10. NZNOG streams... (Neil Gardner)
----------------------------------------------------------------------
Message: 1
Date: Tue, 27 Jan 2009 11:56:25 +1100
From: Truman Boyes
Hi All..
To try and better explain what Barry is trying to do.. he's trying to traffic shape certain IP addresses on his network based on the BGP community a specific route is a member of..
Eg domestic traffic is a member of community 100 and international is 200
Eg 1.2.3.4 on his network communicating with a route dest in community 100 = 128k
Eg 1.2.3.4 on his network communicating with a route dest in community 200 = 64k
I do this on our Ciscos using BGP with ip-qos-map's and a service policy on the interface.. he's looking for the Juniper equivalent..
Any ideas?
Kind Regards,
Craig Spiers - Network Manager Solarix Limited DDI: +64 9 974 4753 | FAX: +64 9 523 8057 FAULTS: 0800 89 41 42 MOB: +64 21 857 183 | email: craig.spiers(a)staff.solarix.co.nz
-----Original Message-----
From: Barry Murphy [mailto:barry(a)unix.co.nz]
Sent: Thursday, 22 January 2009 3:42 p.m.
To: Nznog
Subject: [nznog] Juniper J2320,rate limit based on bgp community (national/international)
Hey Guys,
Hope this fits in with the AUP, however I'd hope so as not many forums show how to rate-limit based on national/international traffic as they don't bill accordingly, however in NZ this is standard practice so hoping someone with juniper knowledge can assist me here.
Basically I want to allow all traffic to/from national without rate-limit, then restrict international, for eg 128k.
icepick(a)NCCORE01# show firewall
policer 128k {
    if-exceeding {
        bandwidth-limit 128k;
        burst-size-limit 4500;
    }
    then discard;
}
filter 128k {
    term 1 {
        from {
            forwarding-class assured-forwarding;
        }
        then accept;
    }
    term 2 {
        from {
            forwarding-class best-effort;
        }
        then {
            policer 128k;
            accept;
        }
    }
}

icepick(a)NCCORE01# show policy-options policy-statement Orcon-Primary-In
term 1 {
    from community [ Orcon-Local Orcon-National Orcon-Peering Orcon-Telstra Orcon-Telecom ];
    then {
        local-preference 110;
        forwarding-class assured-forwarding;
        accept;
    }
}
term 2 {
    from {
        route-filter 0.0.0.0/0 upto /24;
    }
    then {
        local-preference 110;
        forwarding-class best-effort;
        accept;
    }
}
term 3 {
    from {
        route-filter 0.0.0.0/0 exact;
    }
    then {
        local-preference 120;
        accept;
    }
}
term 4 {
    then reject;
}

icepick(a)NCCORE01# show interfaces ge-0/0/1 unit 55
description "Test interface";
vlan-id 55;
family inet {
    filter {
        input 128k;
        output 128k;
    }
    address 113.21.x.x/29;
}
The problem I'm running into is all traffic is being rate-limited at 128k, rather than just the international. I was able to find one example located at http://archives.devshed.com/forums/networking-100/policer-based-on-community-2015343.html however this describes the use of destination-class where I only have forwarding-class so I'm not sure if this has been deprecated or renamed or not supported by J2320.
I understand this may be a question for JTAC, however I'd like to hear from users here in NZ that have managed to get this going with Junos. To keep the list sane, please reply offlist, if many people are interested I'll post the working solution after being tested for archive purposes.
Public holiday for Aucklanders next Monday, extra long weekend of beer, mmmmm
Thanks Barry
_______________________________________________
NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
------------------------------
Message: 2
Date: Tue, 27 Jan 2009 14:02:09 +1300
From: Barry Murphy
Hey there,
What you want is destination class policing / source class policing based on destination class usage (DCU). This allows you to have policing based on BGP communities instead of managing prefix lists. This is supported on J-series since 8.5R1.
Basically you want to:
1. apply BGP communities to routes learned from specific peers (international tag, domestic tag, etc).
2. write a policy that matches on tagged routes, and has an action of 'then destination-class INTERNATIONAL' etc...
3. apply the policy as an export policy to the forwarding-table.
4. configure accounting for destination-class-usage on interfaces that you wish to collect account for ...
5. configure a firewall filter that matches on destination-class and polices traffic to the correct rate.
I can unicast you some configs once I dig them up from back in the day.
DCU/DCP is a highly scalable way to provide differentiated accounting / policing for specific aggregate services. I have seen this deployed with 40+ regional zones.
Cheers, Truman Boyes
On 22/01/2009, at 2:21 PM, Craig Spiers wrote:
Hi All..
To try and better explain what Barry is trying to do.. he's trying to traffic shape certain IP addresses on his network based on the BGP community a specific route is a member of..
Eg domestic traffic is a member of community 100 and international is 200
Eg 1.2.3.4 on his network communicating with a route dest in community 100 = 128k
Eg 1.2.3.4 on his network communicating with a route dest in community 200 = 64k
I do this on our Ciscos using BGP with ip-qos-map's and a service policy on the interface.. he's looking for the Juniper equivalent..
Any ideas?
Kind Regards,
Craig Spiers - Network Manager Solarix Limited DDI: +64 9 974 4753 | FAX: +64 9 523 8057 FAULTS: 0800 89 41 42 MOB: +64 21 857 183 | email: craig.spiers(a)staff.solarix.co.nz
-----Original Message-----
From: Barry Murphy [mailto:barry(a)unix.co.nz]
Sent: Thursday, 22 January 2009 3:42 p.m.
To: Nznog
Subject: [nznog] Juniper J2320,rate limit based on bgp community (national/international)
Hey Guys,
Hope this fits in with the AUP, however I'd hope so as not many forums show how to rate-limit based on national/international traffic as they don't bill accordingly, however in NZ this is standard practice so hoping someone with juniper knowledge can assist me here.
Basically I want to allow all traffic to/from national without rate-limit, then restrict international, for eg 128k.
icepick(a)NCCORE01# show firewall
policer 128k {
    if-exceeding {
        bandwidth-limit 128k;
        burst-size-limit 4500;
    }
    then discard;
}
filter 128k {
    term 1 {
        from {
            forwarding-class assured-forwarding;
        }
        then accept;
    }
    term 2 {
        from {
            forwarding-class best-effort;
        }
        then {
            policer 128k;
            accept;
        }
    }
}

icepick(a)NCCORE01# show policy-options policy-statement Orcon-Primary-In
term 1 {
    from community [ Orcon-Local Orcon-National Orcon-Peering Orcon-Telstra Orcon-Telecom ];
    then {
        local-preference 110;
        forwarding-class assured-forwarding;
        accept;
    }
}
term 2 {
    from {
        route-filter 0.0.0.0/0 upto /24;
    }
    then {
        local-preference 110;
        forwarding-class best-effort;
        accept;
    }
}
term 3 {
    from {
        route-filter 0.0.0.0/0 exact;
    }
    then {
        local-preference 120;
        accept;
    }
}
term 4 {
    then reject;
}

icepick(a)NCCORE01# show interfaces ge-0/0/1 unit 55
description "Test interface";
vlan-id 55;
family inet {
    filter {
        input 128k;
        output 128k;
    }
    address 113.21.x.x/29;
}
The problem I'm running into is all traffic is being rate-limited at 128k, rather than just the international. I was able to find one example located at http://archives.devshed.com/forums/networking-100/policer-based-on-community-2015343.html however this describes the use of destination-class where I only have forwarding-class so I'm not sure if this has been deprecated or renamed or not supported by J2320.
I understand this may be a question for JTAC, however I'd like to hear from users here in NZ that have managed to get this going with Junos. To keep the list sane, please reply offlist, if many people are interested I'll post the working solution after being tested for archive purposes.
Public holiday for Aucklanders next Monday, extra long weekend of beer, mmmmm
Thanks Barry
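The five steps from Truman's reply, written out as Junos set commands. This is an added example, not configuration from the thread or from Juniper: the policy, filter, group and class names, the community value 64512:200 and the uplink ge-0/0/0 unit 0 are placeholders, and lines starting with # are annotations rather than commands. The policer values and ge-0/0/1 unit 55 are taken from Barry's posted configuration.

```junos
# Step 1: tag routes learned from the international peer (constructed community value).
set policy-options community INTERNATIONAL members 64512:200
set policy-options policy-statement TAG-INTERNATIONAL then community add INTERNATIONAL
set protocols bgp group UPSTREAM-INTERNATIONAL import TAG-INTERNATIONAL

# Step 2: map tagged routes to a destination class.
set policy-options policy-statement DCU-CLASSIFY term international from community INTERNATIONAL
set policy-options policy-statement DCU-CLASSIFY term international then destination-class INTERNATIONAL

# Step 3: export the classification policy to the forwarding table,
# so the class is attached to the route used for the packet lookup.
set routing-options forwarding-table export DCU-CLASSIFY

# Step 4: DCU accounting on the interface the customer traffic arrives on.
set interfaces ge-0/0/1 unit 55 family inet accounting destination-class-usage

# Step 5: police only the INTERNATIONAL class; everything else is accepted unpoliced.
set firewall policer 128k if-exceeding bandwidth-limit 128k
set firewall policer 128k if-exceeding burst-size-limit 4500
set firewall policer 128k then discard
set firewall filter POLICE-INTERNATIONAL term international from destination-class INTERNATIONAL
set firewall filter POLICE-INTERNATIONAL term international then policer 128k
set firewall filter POLICE-INTERNATIONAL term international then accept
set firewall filter POLICE-INTERNATIONAL term everything-else then accept

# The destination class is only known after the route lookup, so the filter
# is applied as an output filter (hypothetical uplink interface).
set interfaces ge-0/0/0 unit 0 family inet filter output POLICE-INTERNATIONAL
```

Unlike the forwarding-class match in the posted filter, the destination-class match depends on the route the packet is forwarded on, so national destinations fall through to the final accept term.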
------------------------------
Message: 3
Date: Tue, 27 Jan 2009 14:33:01 +1300
From: Nathan Ward
I've been politely waiting, and mid afternoon on the day before the conference seems like a reasonable time to ask again...
What's the deal with streaming of the conference talks / discussions / full and frank exchange of view sessions?
R2 are doing streaming, as per usual. I'm pretty sure we've said that
on the list already. This will be for the main conference, not the
tutorial days. So, Thurs+Fri.
We have microphones, plus microphones for anyone asking questions.
--
Nathan Ward
------------------------------
Message: 6
Date: Tue, 27 Jan 2009 16:08:54 +1300
From: NZRR Database Notifications
the DNS aliases us.undernet.org and eu.undernet.org are likely suspects if you don't know any other valid server addresses to try to connect to.
Or even the far more relevant nz.undernet.org :) (Sure, it's just a CNAME to "us", but that's not the point...) Scott