On 21/May/20 21:08, Bryan Holloway wrote:
> * Rate-limit at the Layer 2 switch for both customer ingress/egress,
In the past, we did this on the routers, as most switches only supported ingress policing and egress shaping, often with very tiny buffers. Recently, some switches do now support ingress and egress policing. Being able to do this as close to the customer as possible is always most effective, especially if you run LAGs between a switch and upstream router.
> * Rate-limit at the Layer 3 router upstream, i/e, or
This is how we used to do it, but it became problematic when you ran LAGs between switches and routers. However, between switches supporting ingress/egress policing, as well as moving away from switch-router LAGs to native 100Gbps trunks, you can now police on the router or switch without much concern. The choice of either is determined by the number of services customers buy on a single switch port.
> * Some combination thereof? E.g.: Rate-limit my traffic towards the customer closer to the core, and rate-limit ingress closer to the edge?
Where we run LAGs between routers and switches, we police on the switch. Where we run 100Gbps native trunks between switches and routers, we police on the router depending on the type of service, i.e., a Q-in-Q setup for a customer where different services being delivered on the same switch port have different policing requirements.
> I've done all three on some level in my travels, but in the past it's also been oftentimes vendor-centric which hindered a scalable or "templateable" solution. (Some things police in only one direction, or only well in one direction, etc.)
Yes, we've oscillated between different methods depending, particularly, on what (switch) vendor we used.
> In case someone is interested in a tangible example, imagine an Arista switch and an ASR9k router. :)
Arista do support ingress/egress policing (tested on the 7280R). The previous Juniper EX4550s we ran only shaped on egress, and that was problematic due to the small buffers they have. You should have a lot more flexibility on the ASR9000 router, except in cases where you need to police services delivered on a LAG.

Mark.
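To make the trade-off discussed above concrete (an ingress/egress policer versus an egress shaper on a box with small buffers), here is an added Python model; it is not part of the thread and not any vendor's implementation. The 10 Mbit/s contract, the 7500-byte burst and buffer sizes and the 20-packet burst are constructed values.

```python
from dataclasses import dataclass, field


@dataclass
class Policer:
    """Single-rate token bucket: `rate` in bytes/s, `burst` in bytes."""
    rate: float
    burst: float
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst  # bucket starts full

    def offer(self, t, size):
        # refill for the time elapsed since the previous packet, capped at burst
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return 0.0  # conforming: forwarded with no added delay
        return None     # exceeding: dropped on the spot


@dataclass
class Shaper:
    """FIFO drained at `rate`; `buffer_bytes` caps how much may be queued."""
    rate: float
    buffer_bytes: int
    queued: int = 0
    last: float = 0.0

    def offer(self, t, size):
        # the line could have drained this many bytes since the previous packet
        self.queued = max(0, self.queued - int((t - self.last) * self.rate))
        self.last = t
        if self.queued + size > self.buffer_bytes:
            return None  # buffer exhausted: tail drop
        self.queued += size
        return self.queued / self.rate  # seconds until this packet leaves the queue


def run(dev, arrivals):
    """Return (forwarded, dropped, max_added_delay_ms) for a list of (time, size)."""
    delays = [d for d in (dev.offer(t, s) for t, s in arrivals) if d is not None]
    return len(delays), len(arrivals) - len(delays), max(delays, default=0.0) * 1000


RATE = 10_000_000 / 8  # constructed 10 Mbit/s contract, in bytes/s
# constructed burst: 20 x 1500-byte packets arriving 50 us apart (240 Mbit/s line rate)
BURST = [(i * 50e-6, 1500) for i in range(20)]
```

Feeding BURST through Policer(RATE, 7500) and Shaper(RATE, 7500) both forward 5 of the 20 packets, but the small-buffer shaper adds about 5.8 ms of queueing delay to the packets it does pass; Shaper(RATE, 30000) forwards all 20 at the cost of roughly 23 ms of delay.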