Configuring an Interface Policer Using Tricolor Marking Policing
You can configure a policer to limit traffic on an interface in the ingress or egress direction. Instead of policing each address family individually on an interface, you can aggregate policing with one policer. This single aggregated policer is known as the logical-interface policer. You can configure tricolor marking policing to limit the bandwidth through a logical interface.
To configure a policer on a logical interface using tricolor marking policing, include the action statement and the logical-interface-policer statement at the [edit firewall three-color-policer name] hierarchy level:

    [edit firewall]
    three-color-policer name {
        action {
            loss-priority high then discard;
        }
        logical-interface-policer;
        single-rate {
            (color-aware | color-blind);
            committed-information-rate bps;
            committed-burst-size bytes;
            excess-burst-size bytes;
        }
        two-rate {
            (color-aware | color-blind);
            committed-information-rate bps;
            committed-burst-size bytes;
            peak-information-rate bps;
            peak-burst-size bytes;
        }
    }

For detailed information about bandwidth policers on a logical interface, see Configuring an Aggregate Policer.
You can configure separate policing in the ingress and egress directions on the logical interface.
Example: Rate-Limiting Bandwidth Using Tricolor Marking Policing
Configure tricolor marking policing on a logical interface to rate-limit the bandwidth on the logical interface.
    [edit firewall]
    three-color-policer trtcm-1 {
        action {
            loss-priority high then discard;
        }
        logical-interface-policer;
        two-rate {
            color-blind;
            committed-information-rate 1500000;
            committed-burst-size 150k;
            peak-information-rate 3m;
            peak-burst-size 300k;
        }
    }
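To see what the trtcm-1 values do to offered traffic, the following added example (not part of the original page and not Junos code) models a color-blind two-rate three-color marker as described in RFC 2698. It assumes that k and m mean 10^3 and 10^6, and that red packets are the ones marked loss-priority high and therefore dropped by the action statement; the class and function names are hypothetical.

```python
from dataclasses import dataclass

# Values taken from the trtcm-1 example above.
# Assumption: "k" and "m" are decimal multipliers (10^3, 10^6).
CIR_BPS, CBS_BYTES = 1_500_000, 150_000
PIR_BPS, PBS_BYTES = 3_000_000, 300_000


@dataclass
class TrTCM:
    cir_bps: int
    cbs: int
    pir_bps: int
    pbs: int

    def __post_init__(self):
        self.tc = float(self.cbs)  # committed bucket starts full
        self.tp = float(self.pbs)  # peak bucket starts full
        self.last = 0.0

    def mark(self, now: float, size: int) -> str:
        """Color a packet of `size` bytes arriving at time `now` (seconds)."""
        elapsed = now - self.last
        self.last = now
        # Rates are configured in bits per second; buckets hold bytes.
        self.tc = min(self.cbs, self.tc + elapsed * self.cir_bps / 8)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir_bps / 8)
        if self.tp < size:
            return "red"      # above PIR/PBS: no tokens consumed
        self.tp -= size
        if self.tc < size:
            return "yellow"   # within PIR but above CIR/CBS
        self.tc -= size
        return "green"


def police(offered_bps: int, seconds: float, size: int = 1500) -> dict:
    """Offer constant-rate traffic; red is what 'then discard' would drop."""
    meter = TrTCM(CIR_BPS, CBS_BYTES, PIR_BPS, PBS_BYTES)
    counts = {"green": 0, "yellow": 0, "red": 0}
    interval = size * 8 / offered_bps
    for i in range(int(seconds / interval)):
        counts[meter.mark(i * interval, size)] += 1
    return counts


if __name__ == "__main__":
    for rate in (1_000_000, 2_500_000, 6_000_000):
        print(rate, police(rate, 10.0))
```

Traffic below the committed rate stays green, traffic between the committed and peak rates turns partly yellow once the committed burst is used up, and only traffic above the peak rate produces red packets.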