Prefix-Specific Counting and Policing Overview


Separate Counting and Policing for Each IPv4 Address Range

Prefix-specific counting and policing enables you to configure an IPv4 firewall filter term that matches on a source or destination address and applies a single-rate two-color policer as the term action, but associates each matched packet with a specific counter and policer instance selected from the source or destination address in the packet header. In this way you implicitly create a separate counter or policer instance for a single address or for a group of addresses.

Prefix-specific counting and policing uses a prefix-specific action configuration that specifies the name of the policer you want to apply, whether prefix-specific counting is to be enabled, and a source or destination address prefix range.

The prefix range specifies between 1 and 16 sequential set bits of an IPv4 address mask. The length of the prefix range determines the size of the counter and policer set, which consists of as few as 2 or as many as 65,536 counter and policer instances. The position of the bits of the prefix range determines the indexing of filter-matched packets into the set of instances.

Note

A prefix-specific action is specific to a source or destination prefix range, but it is not specific to a particular source or destination address range, and it is not specific to a particular interface.

To apply a prefix-specific action to the traffic at an interface, you configure a firewall filter term that matches on source or destination addresses, and then you apply the firewall filter to the interface. The flow of filtered traffic is rate-limited using prefix-specific counter and policer instances that are selected per packet based on the source or destination address in the header of the filtered packet.

Prefix-Specific Action Configuration

To configure a prefix-specific action, you specify the following information:

  • Prefix-specific action name—Name that can be referenced as the action of an IPv4 standard firewall filter term that matches packets on source or destination addresses.

  • Policer name—Name of a single-rate two-color policer for which you want to implicitly create prefix-specific instances.

    Note

    For aggregated Ethernet interfaces, you can configure a prefix-specific action that references a logical interface policer (also called an aggregate policer). You can reference this type of prefix-specific action from an IPv4 standard firewall filter and then apply the filter at the aggregate level of the interface.

  • Counting option—Option to include if you want to enable prefix-specific counters.

  • Filter-specific option—Option to include if you want a single counter and policer set to be shared across all terms in the firewall filter. A prefix-specific action that operates in this way is said to operate in filter-specific mode. If you do not enable this option, the prefix-specific action operates in term-specific mode, meaning that a separate counter and policer set is created for each filter term that references the prefix-specific action.

  • Source address prefix length—Length of the address prefix, from 0 through 32, to be used with a packet matched on the source address.

  • Destination address prefix length—Length of the address prefix, from 0 through 32, to be used with a packet matched on the destination address.

  • Subnet prefix length—Length of the subnet prefix, from 0 through 32, to be used with a packet matched on either the source or destination address.

You must configure source and destination address prefix lengths to be from 1 to 16 bits longer than the subnet prefix length. If you configure source or destination address prefix lengths to be more than 16 bits beyond the configured subnet prefix length, an error occurs when you try to commit the configuration.

Counter and Policer Set Size and Indexing

The number of counter or policer instances implicitly created for a prefix-specific action is determined by the length of the address prefix and the length of the subnet prefix:

  • Size of Counter and Policer Set = 2^(source-or-destination-prefix-length - subnet-prefix-length)

Table 1 shows examples of counter and policer set size and indexing.

Table 1: Examples of Counter and Policer Set Size and Indexing

Example Prefix Lengths Specified  Calculation of Counter or Policer      Indexing of Instances
in the Prefix-Specific Action     Set Size
--------------------------------  -------------------------------------  ---------------------------
source-prefix-length = 32         Size = 2^(32 - 16) = 2^16 = 65,536     Instance 0:     x.x.0.0
subnet-prefix-length = 16         instances                              Instance 1:     x.x.0.1
                                  Note: This calculation shows the       Instance 65535: x.x.255.255
                                  largest counter or policer set size
                                  supported.

source-prefix-length = 32         Size = 2^(32 - 24) = 2^8 = 256         Instance 0:     x.x.x.0
subnet-prefix-length = 24         instances                              Instance 1:     x.x.x.1
                                                                         Instance 255:   x.x.x.255

source-prefix-length = 32         Size = 2^(32 - 25) = 2^7 = 128         Instance 0:     x.x.x.0
subnet-prefix-length = 25         instances                              Instance 1:     x.x.x.1
                                                                         Instance 127:   x.x.x.127

source-prefix-length = 24         Size = 2^(24 - 20) = 2^4 = 16          Instance 0:     x.x.0.x
subnet-prefix-length = 20         instances                              Instance 1:     x.x.1.x
                                                                         Instance 15:    x.x.15.x
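The set-size formula, the indexing rule, and the commit-time check that the address prefix length exceed the subnet prefix length by 1 to 16 bits, worked as an added Python model written for this page (it is not Junos code and not the vendor's implementation). It computes the set size for each row of Table 1, selects the instance for a packet from the bits of the prefix range, and attributes a constructed list of matched source addresses to counters. The function names and sample addresses are constructed for the example; the bit extraction is the direct reading of the page's description (the range covers the address bits between the subnet prefix and the address prefix) and is an assumption about the exact indexing, not a statement of how the forwarding hardware does it.

```python
"""Model of prefix-specific counter/policer set sizing and indexing (added example)."""
import ipaddress
from collections import Counter

MAX_PREFIX_RANGE_BITS = 16  # the page allows a prefix range of 1 through 16 set bits


def prefix_range_bits(address_prefix_length, subnet_prefix_length):
    """Return the number of bits in the prefix range, or raise ValueError.

    Mirrors the commit-time rule on the page: the source or destination
    prefix length must be 1 to 16 bits longer than the subnet prefix length.
    """
    for name, value in (("address prefix length", address_prefix_length),
                        ("subnet prefix length", subnet_prefix_length)):
        if not 0 <= value <= 32:
            raise ValueError(f"{name} must be 0 through 32, got {value}")
    range_bits = address_prefix_length - subnet_prefix_length
    if not 1 <= range_bits <= MAX_PREFIX_RANGE_BITS:
        raise ValueError(
            f"address prefix length must exceed subnet prefix length by "
            f"1 to {MAX_PREFIX_RANGE_BITS} bits, got {range_bits}")
    return range_bits


def is_committable(address_prefix_length, subnet_prefix_length):
    """True if the prefix lengths would pass the commit check, False otherwise."""
    try:
        prefix_range_bits(address_prefix_length, subnet_prefix_length)
    except ValueError:
        return False
    return True


def set_size(address_prefix_length, subnet_prefix_length):
    """Size of the counter and policer set = 2^(address-prefix-length - subnet-prefix-length)."""
    return 1 << prefix_range_bits(address_prefix_length, subnet_prefix_length)


def instance_index(address, address_prefix_length, subnet_prefix_length):
    """Select the instance for one packet from the bits of the prefix range.

    Assumed indexing: the range covers address bits (subnet_prefix_length,
    address_prefix_length] counted from the most significant bit. Drop the
    host bits below the address prefix, then keep the low range_bits.
    """
    range_bits = prefix_range_bits(address_prefix_length, subnet_prefix_length)
    addr = int(ipaddress.IPv4Address(address))
    return (addr >> (32 - address_prefix_length)) & ((1 << range_bits) - 1)


def count_by_instance(addresses, address_prefix_length, subnet_prefix_length):
    """Attribute matched packet addresses to prefix-specific counter instances."""
    counts = Counter()
    for address in addresses:
        counts[instance_index(address, address_prefix_length, subnet_prefix_length)] += 1
    return dict(counts)


# Constructed sample: four matched packets from one /20, indexed by a /24 source prefix.
SAMPLE_SOURCES = ["192.0.2.7", "192.0.2.200", "192.0.3.1", "192.0.15.9"]

if __name__ == "__main__":
    print(set_size(32, 16))  # 65536, first row of Table 1
    print(set_size(24, 20))  # 16, last row of Table 1
    print(count_by_instance(SAMPLE_SOURCES, 24, 20))  # {2: 2, 3: 1, 15: 1}
    print(is_committable(32, 15))  # False: 17-bit range exceeds the limit
```

The last row of Table 1 (source-prefix-length 24, subnet-prefix-length 20) is the interesting one for attribution: the two packets from 192.0.2.x share instance 2 regardless of their host octet, which is exactly the "group of addresses" behaviour the overview describes, while 192.0.15.9 lands in instance 15, the top of the 16-instance set.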