
Configuring Gigabit Ethernet Policers


Policers enable you to perform simple traffic policing on Gigabit Ethernet interfaces without configuring a firewall filter. This topic explains how to configure an input priority map and an output priority map, and then how to apply the policer to a logical interface. It also describes how to configure two-color and tricolor marking policers.

Capabilities of Gigabit Ethernet IQ PICs and Gigabit Ethernet PICs with SFPs

For Gigabit Ethernet IQ PICs and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router), you can configure granular per-VLAN class-of-service (CoS) capabilities and extensive instrumentation and diagnostics on a per-VLAN and per-MAC address basis.

VLAN rewrite, tagging, and deleting enable you to use the VLAN address space to support more customers and services.

VPLS allows you to provide a point-to-multipoint LAN between a set of sites in a VPN. Gigabit Ethernet IQ PICs and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router) are combined with VPLS to deliver metro Ethernet service.

For Gigabit Ethernet IQ2 and IQ2-E and 10-Gigabit Ethernet IQ2 and IQ2-E interfaces, you can apply Layer 2 policing to logical interfaces in the egress or ingress direction. Layer 2 policers are configured at the [edit firewall] hierarchy level. You can also control the rate of traffic sent or received on an interface by configuring a policer overhead at the [edit chassis fpc slot-number pic slot-number] hierarchy level.

Table 1 lists the capabilities of Gigabit Ethernet IQ PICs and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router).

Table 1: Capabilities of Gigabit Ethernet IQ and Gigabit Ethernet with SFPs

| Capability                                                              | Gigabit Ethernet IQ (SFP)  | Gigabit Ethernet (SFP) |
|-------------------------------------------------------------------------|----------------------------|------------------------|
| Layer 2                                                                 |                            |                        |
| 802.3ad link aggregation                                                | Yes                        | Yes                    |
| Maximum VLANs per port                                                  | 384                        | 1023                   |
| Maximum transmission unit (MTU) size                                    | 9192                       | 9192                   |
| MAC learning                                                            | Yes                        | Yes                    |
| MAC accounting                                                          | Yes                        | Yes                    |
| MAC filtering                                                           | Yes                        | Yes                    |
| Destinations per port                                                   | 960                        | 960                    |
| Sources per port                                                        | 64                         | 64                     |
| Hierarchical MAC policers                                               | Yes, premium and aggregate | No, aggregate only     |
| Multiple TPID support and IP service for nonstandard TPIDs              | Yes                        | Yes                    |
| Multiple Ethernet encapsulations                                        | Yes                        | Yes                    |
| Dual VLAN tags                                                          | Yes                        | No                     |
| VLAN rewrite                                                            | Yes                        | No                     |
| Layer 2 VPNs                                                            |                            |                        |
| VLAN CCC                                                                | Yes                        | Yes                    |
| Port-based CCC                                                          | Yes                        | Yes                    |
| Extended VLAN CCC Virtual Metropolitan Area Network (VMAN) Tag Protocol | Yes                        | Yes                    |
| CoS                                                                     |                            |                        |
| PIC-based egress queues                                                 | Yes                        | Yes                    |
| Queued VLANs                                                            | Yes                        | No                     |
| VPLS                                                                    | Yes                        | Yes                    |

For more information about configuring VPLS, see the Junos OS VPNs Library for Routing Devices.

You can also configure CoS on logical IQ interfaces. For more information, see the Class of Service Feature Guide (Routers and EX9200 Switches).

Configuring Gigabit Ethernet Policers

Overview

On Gigabit Ethernet IQ and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router), you can define rate limits for premium and aggregate traffic received on the interface. These policers allow you to perform simple traffic policing without configuring a firewall filter. First you configure the Ethernet policer profile, next you classify ingress and egress traffic, then you can apply the policer to a logical interface.

For Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router), the policer rates you configure can differ from the rates observed on the Packet Forwarding Engine. The difference results from Layer 2 overhead, and the PIC accounts for it.

Note

On MX Series routers with Gigabit Ethernet or Fast Ethernet PICs, the following considerations apply:

  • Interface counters do not count the 7-byte preamble and 1-byte frame delimiter in Ethernet frames.

  • In MAC statistics, the frame size includes MAC header and CRC before any VLAN rewrite/imposition rules are applied.

  • In traffic statistics, the frame size encompasses the L2 header without CRC after any VLAN rewrite/imposition rule.

For information on understanding Ethernet frame statistics, see the MX Series Layer 2 Configuration Guide.

Configuring a Policer

To configure an Ethernet policer profile, include the ethernet-policer-profile statement at the [edit interfaces interface-name gigether-options ethernet-switch-profile] hierarchy level:

In the Ethernet policer profile, the aggregate-priority policer is mandatory; the premium-priority policer is optional.

For aggregate and premium policers, you specify the bandwidth limit in bits per second. You can specify the value as a complete decimal number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000). There is no absolute minimum value for the bandwidth limit, but any value below 61,040 bps results in an effective rate of 30,520 bps. The maximum bandwidth limit is 4.29 Gbps.

The maximum burst size controls the amount of traffic bursting allowed. To determine the burst-size limit, you can multiply the bandwidth of the interface on which you are applying the filter by the amount of time you allow a burst of traffic at that bandwidth to occur:

If you do not know the interface bandwidth, you can multiply the maximum MTU of the traffic on the interface by 10 to obtain a value. For example, the burst size for an MTU of 4700 would be 47,000 bytes. The burst size should be at least 10 interface MTUs. The maximum value for the burst-size limit is 100 MB.

Specifying an Input Priority Map

An input priority map identifies ingress traffic with specified IEEE 802.1p priority values, and classifies that traffic as premium.

If you include a premium-priority policer, you can specify an input priority map by including the ieee802.1p premium statement at the [edit interfaces interface-name gigether-options ethernet-policer-profile input-priority-map] hierarchy level:

The priority values can be from 0 through 7. The remaining traffic is classified as nonpremium (or aggregate). For a configuration example, see Example: Configuring Gigabit Ethernet Policers.

Note

On IQ2 and IQ2-E interfaces and MX Series interfaces, when a VLAN tag is pushed, the inner VLAN IEEE 802.1p bits are copied to the IEEE bits of the VLAN or VLANs being pushed. If the original packet is untagged, the IEEE bits of the VLAN or VLANs being pushed are set to 0.

Specifying an Output Priority Map

An output priority map identifies egress traffic with specified queue classification and packet loss priority (PLP), and classifies that traffic as premium.

If you include a premium-priority policer, you can specify an output priority map by including the classifier statement at the [edit interfaces interface-name gigether-options ethernet-policer-profile output-priority-map] hierarchy level:

You can define a forwarding class, or you can use a predefined forwarding class. Table 2 shows the predefined forwarding classes and their associated queue assignments.

Table 2: Default Forwarding Classes

| Forwarding Class Name | Queue   |
|-----------------------|---------|
| best-effort           | Queue 0 |
| expedited-forwarding  | Queue 1 |
| assured-forwarding    | Queue 2 |
| network-control       | Queue 3 |

For more information about CoS forwarding classes, see the Class of Service Feature Guide (Routers and EX9200 Switches). For a configuration example, see Example: Configuring Gigabit Ethernet Policers.

Applying a Policer

On all MX Series Router interfaces, Gigabit Ethernet IQ, IQ2, and IQ2-E PICs, and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router), you can apply input and output policers that define rate limits for premium and aggregate traffic received on the logical interface. Aggregate policers are supported on Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router).

These policers allow you to perform simple traffic policing without configuring a firewall filter.

To apply policers to specific source MAC addresses, include the accept-source-mac statement:

You can include these statements at the following hierarchy levels:

  • [edit interfaces interface-name unit logical-unit-number]

  • [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

You can specify the MAC address as nn:nn:nn:nn:nn:nn or nnnn.nnnn.nnnn, where n is a hexadecimal number. You can configure up to 64 source addresses. To specify more than one address, include multiple mac-address statements in the logical interface configuration.

Note

On untagged Gigabit Ethernet interfaces you should not configure the source-address-filter statement at the [edit interfaces ge-fpc/pic/port gigether-options] hierarchy level and the accept-source-mac statement at the [edit interfaces ge-fpc/pic/port gigether-options unit logical-unit-number] hierarchy level simultaneously. If these statements are configured for the same interfaces at the same time, an error message is displayed.

On tagged Gigabit Ethernet interfaces you should not configure the source-address-filter statement at the [edit interfaces ge-fpc/pic/port gigether-options] hierarchy level and the accept-source-mac statement at the [edit interfaces ge-fpc/pic/port gigether-options unit logical-unit-number] hierarchy level with an identical MAC address specified in both filters. If these statements are configured for the same interfaces with an identical MAC address specified, an error message is displayed.

Note

If the remote Ethernet card is changed, the interface does not accept traffic from the new card because the new card has a different MAC address.

The MAC addresses you include in the configuration are entered into the router’s MAC database. To view the router’s MAC database, enter the show interfaces mac-database interface-name command:

In the input statement, list the name of one policer template to be evaluated when packets are received on the interface.

In the output statement, list the name of one policer template to be evaluated when packets are transmitted on the interface.

Note

On IQ2 and IQ2-E PIC interfaces, the default value for maximum retention of entries in the MAC address table has changed, for cases in which the table is not full. The new holding time is 12 hours. The previous retention time of 3 minutes is still in effect when the table is full.

You can use the same policer one or more times.

If you apply both policers and firewall filters to an interface, input policers are evaluated before input firewall filters, and output policers are evaluated after output firewall filters.

Configuring MAC Address Filtering

You cannot explicitly define traffic with specific source MAC addresses to be rejected; however, for Gigabit Ethernet IQ and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router), and for Gigabit Ethernet DPCs on MX Series routers, you can block all incoming packets that do not have a source address specified in the accept-source-mac statement. For more information about the accept-source-mac statement, see Applying a Policer.

To enable this blocking, include the source-filtering statement at the [edit interfaces interface-name gigether-options] hierarchy level:

For more information about the source-filtering statement, see Configuring MAC Address Filtering for Ethernet Interfaces.

To accept traffic even though it does not have a source address specified in the accept-source-mac statement, include the no-source-filtering statement at the [edit interfaces interface-name gigether-options] hierarchy level:

Example: Configuring Gigabit Ethernet Policers

Example

This example illustrates the following:

  • Configure interface ge-6/0/0 to treat priority values 2 and 3 as premium. On ingress, this means that IEEE 802.1p priority values 2 and 3 are treated as premium. On egress, it means that traffic classified into queue 0 or 1 with a PLP of low, or into queue 2 or 3 with a PLP of high, is treated as premium.

  • Define a policer that limits the premium bandwidth to 100 Mbps and burst size to 3 k, and the aggregate bandwidth to 200 Mbps and burst size to 3 k.

  • Specify that frames received from the MAC address 00:01:02:03:04:05 and the VLAN ID 600 are subject to the policer on input and output. On input, this means frames received with the source MAC address 00:01:02:03:04:05 and the VLAN ID 600 are subject to the policer. On output, this means frames transmitted from the router with the destination MAC address 00:01:02:03:04:05 and the VLAN ID 600 are subject to the policer.

Example Configuration
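The following configuration is an added illustration of the three bullets above, not the page's own example listing. The interface name, VLAN ID, MAC address and rates come from the description; the policer name cos-policer-name and logical unit 0 are assumptions, and the egress premium classes are expressed through the predefined forwarding classes of Table 2 (queues 0 and 1 at loss priority low, queues 2 and 3 at loss priority high).

```junos
interfaces {
    ge-6/0/0 {
        vlan-tagging;
        gigether-options {
            ethernet-switch-profile {
                ethernet-policer-profile {
                    /* Ingress: 802.1p values 2 and 3 are premium */
                    input-priority-map {
                        ieee802.1p premium [ 2 3 ];
                    }
                    /* Egress: queue 0/1 at PLP low and queue 2/3 at PLP high are premium */
                    output-priority-map {
                        classifier {
                            premium {
                                forwarding-class best-effort {
                                    loss-priority low;
                                }
                                forwarding-class expedited-forwarding {
                                    loss-priority low;
                                }
                                forwarding-class assured-forwarding {
                                    loss-priority high;
                                }
                                forwarding-class network-control {
                                    loss-priority high;
                                }
                            }
                        }
                    }
                    /* Policer name is an assumption; aggregate is mandatory, premium optional */
                    policer cos-policer-name {
                        aggregate {
                            bandwidth-limit 200m;
                            burst-size-limit 3k;
                        }
                        premium {
                            bandwidth-limit 100m;
                            burst-size-limit 3k;
                        }
                    }
                }
            }
        }
        unit 0 {
            vlan-id 600;
            accept-source-mac {
                mac-address 00:01:02:03:04:05 {
                    policer {
                        input cos-policer-name;
                        output cos-policer-name;
                    }
                }
            }
        }
    }
}
```

Because accept-source-mac is configured, only frames from the listed source MAC address are accepted on unit 0 once source-filtering is enabled on the physical interface; verify the entry with show interfaces mac-database ge-6/0/0.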

Configuring Gigabit Ethernet Two-Color and Tricolor Policers

Overview

For Gigabit Ethernet and 10-Gigabit Ethernet IQ2 and IQ2-E interfaces on M Series and T Series routers, you can configure two-color and tricolor marking policers and apply them to logical interfaces to prevent traffic on the interface from consuming bandwidth inappropriately.

Networks police traffic by limiting the input or output transmission rate of a class of traffic on the basis of user-defined criteria. Policing traffic allows you to control the maximum rate of traffic sent or received on an interface and to partition a network into multiple priority levels or classes of service.

Policers require you to apply a burst size and bandwidth limit to the traffic flow, and set a consequence for packets that exceed these limits—usually a higher loss priority, so that packets exceeding the policer limits are discarded first.

Juniper Networks router architectures support three types of policer:

  • Two-color policer—A two-color policer (or “policer” when used without qualification) meters the traffic stream and classifies packets into two categories of packet loss priority (PLP) according to a configured bandwidth and burst-size limit. You can mark packets that exceed the bandwidth and burst-size limit in some way, or simply discard them. A policer is most useful for metering traffic at the port (physical interface) level.

  • Single-rate tricolor marking (single-rate TCM)—A single-rate tricolor marking policer is defined in RFC 2697, A Single Rate Three Color Marker, as part of an assured forwarding per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured committed information rate (CIR), committed burst size (CBS), and excess burst size (EBS).

    Starting in Junos OS Release 13.1, traffic is classified into three categories: Green, Red, and Yellow. The following list describes the categories:

    • Green—Burst size of the packets that arrive is less than the sum of the configured CIR and CBS.

    • Red—Burst size of the packets that arrive is greater than the sum of the configured CIR and EBS.

    • Yellow—Burst size of the packets that arrive is greater than the CBS but less than the EBS.

    Single-rate TCM is most useful when a service is structured according to packet length and not peak arrival rate.

  • Two-rate Tricolor Marking (two-rate TCM)—This type of policer is defined in RFC 2698, A Two Rate Three Color Marker, as part of an assured forwarding per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured CIR and peak information rate (PIR), along with their associated burst sizes, the CBS and EBS.

    Traffic is classified into the following three categories:

    • Green—Burst size of the packets that arrive is less than the sum of the configured CIR and CBS.

    • Red—Burst size of the packets that arrive is greater than the sum of the configured PIR and EBS.

    • Yellow—Traffic does not belong to either the green or the red category.

    Two-rate TCM is most useful when a service is structured according to arrival rates and not necessarily packet length.

Note

Unlike policing (described in Configuring Gigabit Ethernet Policers), configuring two-color policers and tricolor marking policers requires that you configure a firewall filter.

Configuring a Policer

Two-color and tricolor marking policers are configured at the [edit firewall] hierarchy level.

A tricolor marking policer polices traffic on the basis of metering rates, including the CIR, the PIR, their associated burst sizes, and any policing actions configured for the traffic.

To configure tricolor policer marking, include the three-color-policer statement with options at the [edit firewall] hierarchy level:

For more information about configuring tricolor policer markings, see the Routing Policies, Firewall Filters, and Traffic Policers Feature Guide and the Class of Service Feature Guide (Routers and EX9200 Switches).

Applying a Policer

Apply a two-color policer or tricolor policer to a logical interface to prevent traffic on the interface from consuming bandwidth inappropriately. To apply two-color or tricolor policers, include the layer2-policer statement:

You can include these statements at the following hierarchy levels:

  • [edit interfaces interface-name unit logical-unit-number]

  • [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

Use the input-policer statement to apply a two-color policer to packets received on a logical interface, and the input-three-color statement to apply a tricolor policer. Use the output-policer statement to apply a two-color policer to packets transmitted on a logical interface, and the output-three-color statement to apply a tricolor policer. The specified policers must be configured at the [edit firewall] hierarchy level. For each logical interface, you can configure either a three-color policer or a two-color policer in the input and output directions; you cannot configure both a three-color policer and a two-color policer on the same interface.

Example: Configuring and Applying a Policer

Configure tricolor policers and apply them to an interface:

Configure a two-color policer and apply it to an interface:
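The following configuration is an added illustration for both examples named above, not a listing from the original page. The policer names, interface ge-2/0/0, VLAN IDs and all rate and burst values are assumptions; the single-rate and two-rate tricolor policers follow the CIR/CBS/EBS and CIR/PIR parameters described in the Overview, and the two-color and tricolor policers are applied to different logical units because one unit cannot carry both kinds.

```junos
firewall {
    three-color-policer srtcm-premium {
        logical-interface-policer;
        single-rate {
            color-blind;
            committed-information-rate 10m;
            committed-burst-size 60k;
            excess-burst-size 100k;
        }
        action {
            loss-priority high then discard;
        }
    }
    three-color-policer trtcm-aggregate {
        logical-interface-policer;
        two-rate {
            color-blind;
            committed-information-rate 10m;
            committed-burst-size 60k;
            peak-information-rate 20m;
            peak-burst-size 100k;
        }
        action {
            loss-priority high then discard;
        }
    }
    policer two-color-aggregate {
        logical-interface-policer;
        if-exceeding {
            bandwidth-limit 20m;
            burst-size-limit 100k;
        }
        then discard;
    }
}
interfaces {
    ge-2/0/0 {
        vlan-tagging;
        /* unit 0 uses tricolor policers; unit 1 uses a two-color policer */
        unit 0 {
            vlan-id 100;
            layer2-policer {
                input-three-color srtcm-premium;
                output-three-color trtcm-aggregate;
            }
        }
        unit 1 {
            vlan-id 101;
            layer2-policer {
                input-policer two-color-aggregate;
                output-policer two-color-aggregate;
            }
        }
    }
}
```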

Release History Table

| Release | Description                                                                                        |
|---------|----------------------------------------------------------------------------------------------------|
| 13.1    | Starting in Junos OS Release 13.1, traffic is classified into three categories: Green, Red, and Yellow. |