Example: Configuring a Single-Rate Three-Color Policer on a Security Device
This example shows how to configure a single-rate three-color policer.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
A single-rate three-color policer meters a traffic flow against a bandwidth limit and burst-size limit for guaranteed traffic, plus a second burst-size limit for excess traffic. Traffic that conforms to the limits for guaranteed traffic is categorized as green, and nonconforming traffic falls into one of two categories:
Nonconforming traffic that does not exceed the burst size for excess traffic is categorized as yellow.
Nonconforming traffic that exceeds the burst size for excess traffic is categorized as red.
Each category is associated with an action. For green traffic, packets are implicitly set with a loss-priority value of low and then transmitted. For yellow traffic, packets are implicitly set with a loss-priority value of medium-high and then transmitted. For red traffic, packets are implicitly set with a loss-priority value of high and then transmitted. If the policer configuration includes the optional action statement (action loss-priority high then discard), then packets in a red flow are discarded instead.
You can apply a three-color policer to Layer 3 traffic as a firewall filter policer only. You reference the policer from a stateless firewall filter term, and then you apply the filter to the input or output of a logical interface at the protocol level.
Topology
In this example, you apply a color-aware, single-rate three-color policer to the input IPv4 traffic at the IRB interface. The IPv4 firewall filter term that references the policer does not apply any packet filtering; the filter is used only to apply the three-color policer to the interface.
You configure the policer to rate-limit traffic to a bandwidth limit of 40 Mbps and a burst-size limit of 100 KB for green traffic, but also allow an excess burst-size limit of 200 KB for yellow traffic. Only nonconforming traffic that exceeds the peak burst-size limit is categorized as red. In this example, you configure the three-color policer action loss-priority high then discard, which overrides the implicit marking of red traffic to a high loss priority.
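The metering and marking behavior described in the Overview and Topology sections, as an added simulation that is not part of the original page or of Junos: a Python model of a color-aware single-rate three-color marker using this example's limits (committed-information-rate 40m, committed-burst-size 100k, excess-burst-size 200k) and the loss-priority high then discard action. It assumes that m means 1,000,000 bit/s and k means 1,000 bytes, and that tokens overflowing the committed bucket refill the excess bucket, as in the standard srTCM algorithm.

```python
GREEN, YELLOW, RED = "green", "yellow", "red"

class SrTCM:
    """Single-rate three-color marker: one rate (CIR) feeding two buckets (CBS, EBS).
    Simulation only, not Junos code. Sizes are bytes, the rate is bit/s, time is seconds.
    Assumes the standard srTCM rule that committed-bucket overflow refills the excess bucket."""

    def __init__(self, cir_bps, cbs_bytes, ebs_bytes, color_aware=True, discard_red=False):
        self.cir_bps, self.cbs, self.ebs = cir_bps, cbs_bytes, ebs_bytes
        self.color_aware = color_aware
        self.discard_red = discard_red           # "action loss-priority high then discard"
        self.tc, self.te = float(cbs_bytes), float(ebs_bytes)  # both buckets start full
        self.last = 0.0                          # time of the last refill

    def _refill(self, now):
        # CIR/8 bytes per second flow into the committed bucket; overflow spills to excess.
        self.tc += (now - self.last) * self.cir_bps / 8
        self.last = now
        if self.tc > self.cbs:
            self.te = min(self.ebs, self.te + self.tc - self.cbs)
            self.tc = self.cbs

    def meter(self, size, now, precolor=GREEN):
        """Color assigned to a packet of `size` bytes arriving at time `now`.
        In color-aware mode a packet never receives a better color than it arrived with."""
        self._refill(now)
        if (not self.color_aware or precolor == GREEN) and self.tc >= size:
            self.tc -= size
            return GREEN
        if (not self.color_aware or precolor != RED) and self.te >= size:
            self.te -= size
            return YELLOW
        return RED

    def apply(self, size, now, precolor=GREEN):
        """(action, loss-priority) the policer applies, per the implicit marking rules."""
        color = self.meter(size, now, precolor)
        if color == GREEN:
            return "transmit", "low"
        if color == YELLOW:
            return "transmit", "medium-high"
        return ("discard" if self.discard_red else "transmit"), "high"

def example_policer():
    # srTCM1-ca from this page: 40m bit/s, 100k and 200k bytes (unit scaling assumed).
    return SrTCM(40_000_000, 100_000, 200_000, color_aware=True, discard_red=True)

if __name__ == "__main__":
    p = example_policer()
    # Constructed burst: 301 packets of 1000 bytes arriving at the same instant.
    colors = [p.meter(1000, 0.0) for _ in range(301)]
    print(colors.count(GREEN), colors.count(YELLOW), colors.count(RED))
```

The first 100 KB of a burst drains the committed bucket (green), the next 200 KB drains the excess bucket (yellow), and anything beyond is red and discarded; after 10 ms of silence the committed bucket has 50 KB back and green traffic resumes.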
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Configuring a Single-Rate Three-Color Policer
Step-by-Step Procedure
To configure a single-rate three-color policer:
1. Enable configuration of a three-color policer.

   [edit]
   user@host# edit firewall three-color-policer srTCM1-ca

2. Configure the color mode of the single-rate three-color policer.

   [edit firewall three-color-policer srTCM1-ca]
   user@host# set single-rate color-aware

3. Configure the single-rate guaranteed traffic limits.

   [edit firewall three-color-policer srTCM1-ca]
   user@host# set single-rate committed-information-rate 40m
   user@host# set single-rate committed-burst-size 100k

4. Configure the single-rate burst-size limit that is used to classify nonconforming traffic.

   [edit firewall three-color-policer srTCM1-ca]
   user@host# set single-rate excess-burst-size 200k

5. (Optional) Configure the action for nonconforming traffic.

   Note: For three-color policers, the only configurable action is to discard packets in a red traffic flow. In this example, packets in a red traffic flow have been implicitly marked with a high packet loss priority (PLP) level because the traffic flow exceeded the rate limit defined by the single rate (specified by the committed-information-rate 40m statement) and the larger burst-size limit (specified by the excess-burst-size 200k statement). Because the optional action statement is included, this example takes the more severe action of discarding packets in a red traffic flow.

   [edit firewall three-color-policer srTCM1-ca]
   user@host# set action loss-priority high then discard
Results
Confirm the configuration of the hierarchical policer by entering the show firewall configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
Applying the Filter to the Logical Interface
Step-by-Step Procedure
To apply the filter to the IRB interface:
1. Enable configuration of the IRB interface.

   [edit]
   user@host# edit interfaces irb unit 0 family inet

2. Configure an IP address.

   [edit interfaces irb unit 0 family inet]
   user@host# set address 10.20.130.1/24

3. Reference the filter as an input filter.

   [edit interfaces irb unit 0 family inet]
   user@host# set filter input filter-srtcm1ca-all
Results
Confirm the configuration of the interface by entering the show class-of-service and show interfaces configuration mode commands. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Displaying the Firewall Filters Applied to the IRB Interface
Purpose
Verify that the firewall filter is applied to the IRB interface.
Action
Use the show interfaces operational mode command for the logical interface ge-2/0/5.0, and specify detail mode. The Protocol inet section of the command output displays information for the IRB interface.
user@host> show interfaces irb detail
Physical interface irb (Index 105) (SNMP ifIndex 556) (Generation 170)
  Flags: Device-Down SNMP-Traps 0x4004000 Encapsulation: ENET2
  Traffic statistics:
   Input  bytes  :                    0
   Output bytes  :                    0
   Input  packets:                    0
   Output packets:                    0
  Local statistics:
   Input  bytes  :                    0
   Output bytes  :                    0
   Input  packets:                    0
   Output packets:                    0
  Transit statistics:
   Input  bytes  :                    0                    0 bps
   Output bytes  :                    0                    0 bps
   Input  packets:                    0                    0 pps
   Output packets:                    0                    0 pps
  Protocol inet, MTU: 1500, Generation: 242, Route table: 0
    Flags: Sendbcast-pkt-to-re
    Input Filters: filter-srtcm1ca-all
    Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
      Destination: 10.20.130/24, Local: 10.20.130.1, Broadcast: 10.20.130.255, Generation: 171
  Protocol multiservice, MTU: Unlimited, Generation: 243, Route table: 0
    Policer: Input: __default_arp_policer__
Meaning
The firewall filter is applied to the IRB interface as expected.