

Apply Policers

Policers allow you to perform simple traffic policing on specific interfaces or Layer 2 VPNs without configuring a firewall filter. To apply policers, include the policer statement when configuring the logical interface at the [edit interfaces interface-name unit logical-unit-number family (ccc | inet | tcc)] hierarchy level:

[edit interfaces]
interface-name {
    unit logical-unit-number {
        family (ccc | inet | tcc) {
            policer {
                arp policer-template-name;
                input policer-template-name;
                output policer-template-name;
            }
        }
    }
}


To use policing on a CCC or TCC interface, you must include the family (ccc | tcc) statement at the [edit interfaces interface-name unit logical-unit-number family inet] hierarchy level.

In the arp statement, list the name of one policer template to be evaluated when Address Resolution Protocol (ARP) packets are received on the interface. By default, an ARP policer is installed that is shared among all the Ethernet interfaces on which you have configured the family inet statement. If you want more stringent or lenient policing of ARP packets, you can configure an interface-specific policer and apply it to the interface. You configure an ARP policer just as you would configure any other policer, at the [edit firewall policer] hierarchy level. If you apply this policer to an interface, the default ARP packet policer is overridden. If you delete this policer, the default policer takes effect again.

In the input statement, list the name of one policer template to be evaluated when packets are received on the interface.

In the output statement, list the name of one policer template to be evaluated when packets are transmitted on the interface.

You can configure a different policer on each protocol family under an interface. For each protocol family, you can configure only one input policer and only one output policer. You can use the same policer one or more times. On M-series routers, you can apply a single policer to multiple interfaces so that it polices the total traffic arriving on those interfaces. This does not work the same way on T-series platforms, because on those platforms the interfaces can reside on different Packet Forwarding Engines (PFEs).

If you apply both policers and firewall filters to an interface, policers are evaluated closest to the wire: Input policers are evaluated before input firewall filters, and output policers are evaluated after output firewall filters.

If you apply the policer to the interface lo0, it is applied to packets received or transmitted by the Routing Engine.
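
The following configuration is an added example, not taken from the original guide. It defines an interface-specific ARP policer and a policer for Routing Engine traffic at the [edit firewall policer] hierarchy level, then applies them as described above. The policer names, rate limits, interface name, and addresses are constructed for illustration.

```junos
firewall {
    /* Interface-specific ARP policer (constructed name and limits). */
    policer arp-strict {
        if-exceeding {
            bandwidth-limit 100k;
            burst-size-limit 15k;
        }
        then discard;
    }
    /* Policer for packets received by the Routing Engine (constructed). */
    policer re-limit {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 625k;
        }
        then discard;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                policer {
                    /* Overrides the shared default ARP policer on this unit. */
                    arp arp-strict;
                }
                address 192.0.2.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                policer {
                    /* Evaluated before any input firewall filter on lo0. */
                    input re-limit;
                }
                address 192.0.2.254/32;
            }
        }
    }
}
```

Deleting the arp statement from the ge-0/0/0 unit returns that interface to the shared default ARP policer. Because the lo0 input policer counts all traffic received by the Routing Engine, size its limits with routing protocol and management traffic in mind.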

For more information about policers, see the JUNOS Internet Software Configuration Guide: Policy Framework.

