Example: Configuring Policing and Marking of Traffic Entering a VPLS Core

This example firewall filter allows a service provider to limit the aggregate broadcast traffic entering the virtual private LAN service (VPLS) core. The broadcast, unknown unicast, and non-IP multicast traffic received from one of the service provider’s customers on a logical interface has a policer applied. The service provider has also configured a two-rate, three-color policer to limit the customer’s IP multicast traffic. For more information on the configuration of policers, see the Junos OS Class of Service Configuration Guide .

The position of the router is shown in Figure 1.

Figure 1: Policing and Marking Traffic Entering a VPLS Core

• The policer for broadcast, unknown unicast, and non-IP multicast traffic. This example marks the loss priority as high if this type of traffic exceeds 50 Kbps.
• The two-rate, three-color policer for IP multicast traffic. This example configures a committed information rate (CIR) of 4 Mbps, a committed burst size of 256 Kbytes, a peak information rate of 4.1 Mbps, and a peak burst size of 256 Kbytes (the same as the CIR).
• The filter that applies the two policers to VPLS.
• The application of the filter to the customer interface configuration as an input filter.

Note: This example does not present exhaustive configuration listings for all routers in the figures. However, you can use this example with a broader configuration strategy to complete the MX Series router network Ethernet Operations, Administration, and Maintenance (OAM) configurations.

1. Configure policer bcast-unknown-unicast-non-ip-mcast-policer, a firewall policer to limit the aggregate broadcast, unknown unicast, and non-IP multicast to 50 kbps:

   [edit firewall]policer bcast-unknown-unicast-non-ip-mcast-policer {if-exceeding {bandwidth-limit 50k;burst-size-limit 150k;}then loss-priority high;}

2. Configure three-color-policer ip-multicast-traffic-policer, a three-color policer to limit the IP multicast traffic:

   [edit firewall]three-color-policer ip-multicast-traffic-policer {two-rate {color-blind;committed-information-rate 4m;committed-burst-size 256k;peak-information-rate 4100000;peak-burst-size 256k;}}

3. Configure customer-1, a firewall filter that uses the two policers to limit and mark customer traffic. The first term marks the IP multicast traffic based on the destination MAC address, and the second term polices the broadcast, unknown unicast, and non-IP multicast traffic:

   [edit firewall]family vpls {filter customer-1 {term t0 {from {destination-mac-address {01:00:5e:00:00:00/24;}}then {three-color-policer {two-rate ip-multicast-traffic-policer;}forwarding-class expedited-forwarding;}}term t1 {from {traffic-type [ broadcast unknown-unicast multicast ];}then policer bcast-unknown-unicast-non-ip-mcast-policer;}}}

4. Apply the firewall filter as an input filter to the customer interface at ge-2/1/0:

   [edit interfaces]ge-2/1/0 {vlan-tagging;encapsulation flexible-ethernet-services;unit 5 {encapsulation vlan-vpls;vlan-id 9;family vpls {filter {input customer-1;}}}}