
Configuring Two-Color and Three-Color Policers to Control Traffic Rates


You can rate-limit traffic by configuring a policer and specifying it as an action modifier for a term in a firewall filter. By default, if you specify the same policer in multiple terms, Junos OS creates a separate policer instance for each term and applies rate limiting separately for each instance. For example, if you configure a policer to discard traffic that exceeds 1 Gbps and reference that policer in three different terms, each policer instance enforces a 1-Gbps limit. In this case, the total bandwidth allowed by the filter is 3 Gbps.

You can also configure a policer to be filter-specific, which means that Junos OS creates only one policer instance regardless of how many times the policer is referenced. When you do this, rate limiting is applied in aggregate, so if you configure a policer to discard traffic that exceeds 1 Gbps and reference that policer in three different terms, the total bandwidth allowed by the filter is 1 Gbps.

Note

You can include two-color policer actions on ingress firewall filters only. You can include three-color policer actions on ingress and egress filters.

Configuring Two-Color Policers

To configure a two-color policer:

  1. Specify the name of the policer, the bandwidth limit to control the traffic rate on an interface, and the maximum allowed burst size to control the amount of traffic bursting:
    [edit firewall]

    user@switch# set policer policer-name <filter-specific> if-exceeding bandwidth-limit bps burst-size-limit bytes

    The policer name can contain letters, numbers, and hyphens (-) and can have as many as 64 characters.

    The range for the bandwidth limit is 32000 (32k) through 102,300,000,000 (102300m) bps.

    To determine the value for the burst-size limit, multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur and divide the result by 8:

    maximum burst size = (interface bandwidth) × (allowable time for burst) / (8 bits/byte)

    The range for the burst-size limit is 1 through 2,147,450,880 bytes.

  2. Specify the policer action to discard or assign a loss priority to packets that exceed the rate limits:
    [edit firewall policer policer-name]

    user@switch# set then (discard | loss-priority low | loss-priority high)

Configuring Three-Color Policers

To configure a three-color policer:

  1. Specify the name of the policer and (optionally) whether to automatically discard packets with high loss priority (PLP):
    [edit firewall]

    user@switch# set three-color-policer policer-name

    user@switch# set three-color-policer policer-name action loss-priority high then discard
  2. Specify whether the three-color policer should be single-rate or two-rate and whether it should be color-aware or color-blind:
    [edit firewall three-color-policer policer-name]

    user@switch# set (single-rate | two-rate) (color-aware | color-blind)
  3. For single-rate three-color policers, configure the CIR, CBS, and EBS:
    [edit firewall three-color-policer policer-name single-rate]

    user@switch# set committed-information-rate bps

    user@switch# set committed-burst-size bytes

    user@switch# set excess-burst-size bytes
  4. For two-rate three-color policers, configure the CIR, CBS, PIR, and PBS:
    [edit firewall three-color-policer policer-name two-rate]

    user@switch# set committed-information-rate bps

    user@switch# set committed-burst-size bytes

    user@switch# set peak-information-rate bps

    user@switch# set peak-burst-size bytes
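
The following Python model is an added example, not Junos code or anything from this page; it shows what the parameters configured in the two procedures above do to a packet stream. The two-color policer is modelled as a single token bucket refilled at bandwidth-limit with depth burst-size-limit, the single-rate three-color policer as RFC 2697 (CIR, CBS, EBS) and the two-rate three-color policer as RFC 2698 (CIR, CBS, PIR, PBS); that Junos matches these RFC models exactly is an assumption. It also implements the burst-size formula and the bandwidth-limit and burst-size-limit ranges given in step 1 of the two-color procedure. The packet lists are constructed sample input.

```python
"""Token-bucket models of two-color, srTCM and trTCM policers (constructed
example; assumes Junos follows RFC 2697/2698).  Time in seconds, rates in
bits per second, sizes in bytes."""

BANDWIDTH_LIMIT_RANGE = (32_000, 102_300_000_000)  # bps, from the page
BURST_SIZE_RANGE = (1, 2_147_450_880)              # bytes, from the page


def check_bandwidth_limit(bps: int) -> int:
    """Reject a bandwidth-limit outside the range the page gives."""
    lo, hi = BANDWIDTH_LIMIT_RANGE
    if not lo <= bps <= hi:
        raise ValueError(f"bandwidth-limit {bps} outside {lo}..{hi} bps")
    return bps


def burst_size_bytes(interface_bps: int, burst_seconds: float) -> int:
    """Page formula: interface bandwidth x allowable burst time / 8 bits per byte,
    checked against the burst-size-limit range."""
    size = int(interface_bps * burst_seconds / 8)
    lo, hi = BURST_SIZE_RANGE
    if not lo <= size <= hi:
        raise ValueError(f"burst-size-limit {size} outside {lo}..{hi} bytes")
    return size


def two_color(bandwidth_bps, burst_bytes, packets):
    """Single token bucket: 'green' if the packet fits, else 'red' (the packet
    that gets the policer's discard / loss-priority action).
    packets: list of (time_s, size_bytes)."""
    tokens, last = burst_bytes, 0.0
    out = []
    for t, size in packets:
        tokens = min(burst_bytes, tokens + (t - last) * check_bandwidth_limit(bandwidth_bps) / 8)
        last = t
        if tokens >= size:
            tokens -= size
            out.append("green")
        else:
            out.append("red")
    return out


def srtcm(cir, cbs, ebs, packets, color_aware=False):
    """RFC 2697 single-rate three-color marker.  Tokens arrive at CIR, fill the
    C bucket (CBS) first and overflow into the E bucket (EBS).
    packets: list of (time_s, size_bytes, precolor); precolor is only
    consulted in color-aware mode."""
    tc, te, last = cbs, ebs, 0.0
    out = []
    for t, size, pre in packets:
        new = (t - last) * cir / 8
        last = t
        to_c = min(new, cbs - tc)
        tc += to_c
        te = min(ebs, te + (new - to_c))
        if (not color_aware or pre == "green") and tc >= size:
            tc -= size
            out.append("green")
        elif (not color_aware or pre != "red") and te >= size:
            te -= size
            out.append("yellow")
        else:
            out.append("red")          # exceeds CIR+EBS: the 'high PLP' traffic
    return out


def trtcm(cir, cbs, pir, pbs, packets, color_aware=False):
    """RFC 2698 two-rate three-color marker: the P bucket (PIR/PBS) and the
    C bucket (CIR/CBS) refill independently; a packet must fit P to avoid red
    and fit both to be green."""
    tc, tp, last = cbs, pbs, 0.0
    out = []
    for t, size, pre in packets:
        tc = min(cbs, tc + (t - last) * cir / 8)
        tp = min(pbs, tp + (t - last) * pir / 8)
        last = t
        if (color_aware and pre == "red") or tp < size:
            out.append("red")
        elif (color_aware and pre == "yellow") or tc < size:
            tp -= size
            out.append("yellow")
        else:
            tp -= size
            tc -= size
            out.append("green")
    return out


if __name__ == "__main__":
    # Constructed burst of four 1500-byte packets: three at t=0, one 1 ms later.
    burst = [(0.0, 1500), (0.0, 1500), (0.0, 1500), (0.001, 1500)]
    colored = [(t, s, "green") for t, s in burst]
    print("5 ms burst on 1 Gbps:", burst_size_bytes(1_000_000_000, 0.005), "bytes")
    print("two-color 8 Mbps/3000 B:", two_color(8_000_000, 3000, burst))
    print("srTCM 8 Mbps, CBS 2000, EBS 2000:", srtcm(8_000_000, 2000, 2000, colored))
    print("trTCM 8/16 Mbps, CBS 2000, PBS 3000:", trtcm(8_000_000, 2000, 16_000_000, 3000, colored))
```

Running it shows why the burst sizes matter as much as the rates: with the buckets full, the first packets of a burst are green regardless of the long-term rate, the E or P bucket absorbs a little more as yellow, and only what exceeds both is red. In color-aware mode a packet already marked yellow or red by an upstream policer can never be promoted, which is the behaviour to expect when the same traffic crosses several policing points.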

Specifying Policers in a Firewall Filter Configuration

To use a two-color policer, configure a filter term that includes the action policer:

[edit firewall family family-name]

user@switch# set filter filter-name term term-name then policer policer-name

For example, the following commands apply a two-color policer to all packets sent from 192.0.2.0/24.

[edit firewall family family-name]

user@switch# set filter limit-hosts term term1 from source-address 192.0.2.0/24

user@switch# set filter limit-hosts term term1 then policer policer1

To use a three-color policer, configure a filter term that includes the action three-color-policer:

[edit firewall family name]

user@switch# set filter name term name from match-condition

user@switch# set filter name term name then three-color-policer (single-rate | two-rate) name

For example, the following commands apply a single-rate three-color policer to all packets received or sent by interface ge-0/0/6 (depending on whether the filter is an ingress or egress filter).

[edit firewall family name]

user@switch# set filter srTCM term term-one from interface ge-0/0/6

user@switch# set filter srTCM term term-one then three-color-policer single-rate srTCM1-ca

You must specify whether the three-color policer is single-rate or two-rate, and this must match the policer itself. Otherwise, the configuration listing includes an error message indicating that the three-color policer you referenced in the filter does not exist.

Applying a Firewall Filter That Includes a Policer

A firewall filter that includes one or more policer action modifiers must be applied to a port, VLAN, or Layer 3 interface like any other filter. For information about applying firewall filters, see Configuring Firewall Filters.