Apply Policers

Policers allow you to perform simple traffic policing on specific interfaces or Layer 2 VPNs without configuring a firewall filter. To apply policers, include the policer statement:

policer { 

    arp policer-template-name;

    input policer-template-name;

    output policer-template-name;

}

You can configure these statements at the following hierarchy levels:

• [edit interfaces interface-name unit logical-unit-number family family]
• [edit logical-routers logical-router-name interfaces interface-name unit logical-unit-number family family]

In the family statement, the protocol family can be ccc, inet, tcc, or vpls.

In the arp statement, list the name of one policer template to be evaluated when Address Resolution Protocol (ARP) packets are received on the interface. By default, an ARP policer is installed that is shared among all the Ethernet interfaces on which you have configured the family inet statement. If you want more stringent or lenient policing of ARP packets, you can configure an interface-specific policer and apply it to the interface. You configure an ARP policer just as you would configure any other policer, at the [edit firewall policer] hierarchy level. If you apply this policer to an interface, the default ARP packet policer is overridden. If you delete this policer, the default policer takes effect again.

In the input statement, list the name of one policer template to be evaluated when packets are received on the interface.

In the output statement, list the name of one policer template to be evaluated when packets are transmitted on the interface.

To use policing on a CCC or TCC interface, you must configure the CCC or TCC protocol family.

You can configure a different policer on each protocol family on an interface, with one input policer and one output policer for each family. When you apply policers, you can configure the family ccc, inet, tcc, or vpls only, and one Address Resolution Protocol (ARP) policer for the family inet protocol only. Each time a policer is referenced, a separate copy of the policer is installed on the PFE for that interface.

If you apply both policers and firewall filters to an interface, input policers are evaluated before input firewall filters, and output policers are evaluated after output firewall filters.

If you apply the policer to the interface lo0, it is applied to packets received or transmitted by the Routing Engine.

For more information about policers, see the JUNOS Internet Software Configuration Guide: Policy Framework.