Configuring Policers to Control Traffic Rates (CLI Procedure)

 

You can configure policers to rate limit traffic on EX Series switches. After you configure a policer, you can include it in an ingress firewall filter configuration.

When you configure a firewall filter, you can specify a policer action for any term or terms within the filter. All traffic that matches a term that contains a policer action goes through the policer that the term references. Each policer that you configure includes an implicit counter. To get term-specific packet counts, you must configure a separate policer for each filter term that requires policing.

Note

On all EX Series switches except EX8200 switches, each policer that you configure includes an implicit counter. To ensure term-specific packet counts, configure a policer for each term in the filter that requires policing. For EX8200 switches, configure a policer and associate it with a global management counter using the counter option.

The following policer limits apply on a switch:

  • A maximum of 512 policers can be configured for port firewall filters.

  • A maximum of 512 policers can be configured for VLAN and Layer 3 firewall filters.

If the number of policers in the firewall filter configuration exceeds these limits, the switch returns the following message when you commit the configuration:

This topic includes these tasks:

Configuring Policers

To configure a policer:

  1. Specify the name of the policer:
    [edit firewall]

    user@switch# set policer policer-one

    The policer name can include letters, numbers, and hyphens (-) and can contain up to 64 characters.

  2. To make the policer act as a filter-specific policer, specify the filter-specific statement; otherwise, proceed to step 3:
    [edit firewall]

    user@switch# set policer policer-one filter-specific

    If you do not specify the filter-specific statement, the policer acts as a term-specific policer by default.

  3. Configure rate limiting for the policer:
    1. Specify the bandwidth limit in bits per second (bps) to control the traffic rate on an interface:
      [edit firewall policer policer-one]

      user@switch# set if-exceeding bandwidth-limit 300k

      The range for the bandwidth limit is 1k through 102.3g bps.

    2. Specify the burst-size limit (the maximum allowed burst size in bytes) to control the amount of traffic bursting:
      [edit firewall policer policer-one]

      user@switch# set if-exceeding burst-size-limit 500k

      To determine the value for the burst-size limit, multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur:

      burst size = (bandwidth) * (allowable time for burst traffic)

      The range for the burst-size limit is 1 through 2,147,450,880 bytes.

  4. Specify the policer action discard to discard packets that exceed the rate limits:
    [edit firewall policer]

    user@switch# set policer-one then discard

    Discard is the only supported policer action.

  5. On EX8200 switches, you must assign a global management counter to the policer to obtain policer statistics:
    [edit firewall policer]

    user@switch# set policer-one counter counter-id 0

    In this sample statement, the global management counter ID is 0. You can assign any number of policers to the global management counter. The policer statistics displayed for each counter are the collective statistics of all policers assigned to that counter.
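
The following Python helper is an added example, not part of the original procedure or of Juniper's tooling. It applies the burst-size formula from step 3, checks the name and range limits stated above, and returns the commands from steps 1 through 4 as entered at [edit firewall]. The function names, the millisecond burst parameter, the division by 8 to convert bits to bytes, and the decimal reading of the k and g suffixes are assumptions of this example.

```python
import re

# Limits quoted in the procedure above. Reading the k and g suffixes as decimal
# (10^3 and 10^9) is an assumption of this example.
BW_MIN_BPS, BW_MAX_BPS = 1_000, 102_300_000_000
BURST_MIN_BYTES, BURST_MAX_BYTES = 1, 2_147_450_880
NAME_RE = re.compile(r"[A-Za-z0-9-]{1,64}")  # letters, numbers, hyphens; up to 64 chars


def burst_size_bytes(interface_bps: int, burst_ms: int) -> int:
    """bandwidth * allowable burst time, converted from bits to bytes (assumed /8)."""
    return interface_bps * burst_ms // 8000  # ms -> s (/1000), bits -> bytes (/8)


def policer_commands(name, bandwidth_bps, interface_bps, burst_ms, filter_specific=False):
    """Validate the values and return the commands to enter at [edit firewall]."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid policer name: {name!r}")
    if not BW_MIN_BPS <= bandwidth_bps <= BW_MAX_BPS:
        raise ValueError(f"bandwidth-limit out of range: {bandwidth_bps} bps")
    burst = burst_size_bytes(interface_bps, burst_ms)
    if not BURST_MIN_BYTES <= burst <= BURST_MAX_BYTES:
        raise ValueError(f"burst-size-limit out of range: {burst} bytes")
    # Without filter-specific, the policer is term-specific by default.
    cmds = [f"set policer {name} filter-specific"] if filter_specific else []
    cmds += [
        f"set policer {name} if-exceeding bandwidth-limit {bandwidth_bps}",
        f"set policer {name} if-exceeding burst-size-limit {burst}",
        f"set policer {name} then discard",  # discard is the only supported action
    ]
    return cmds


if __name__ == "__main__":
    # Constructed input: 300 kbps limit, 1 Gbps interface, 5 ms burst allowance.
    for line in policer_commands("policer-one", 300_000, 1_000_000_000, 5):
        print(line)
```

Values are passed as plain integers (bits per second, milliseconds), and the burst size is emitted in bytes without a suffix.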

Specifying Policers in a Firewall Filter Configuration

To reference a policer for a single firewall filter, configure a filter term that includes the policer action:

[edit firewall family ethernet-switching]

user@switch# set filter limit-hosts term term-one from source-address 192.0.2.0/28

user@switch# set filter limit-hosts term term-one then policer policer-one

Applying a Firewall Filter That Is Configured with a Policer

A firewall filter that is configured with one or more policer actions, like any other firewall filter, must be applied to a port, VLAN, or Layer 3 interface. For information about applying firewall filters, see the sections on applying firewall filters in Configuring Firewall Filters (CLI Procedure).