Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Bandwidth Policers

 

Bandwidth Policer Overview

For a single-rate two-color policer only, you can specify the bandwidth limit as a percentage value from 1 through 100 instead of as an absolute number of bits per second. This type of two-color policer, called a bandwidth policer, rate-limits traffic to a bandwidth limit that is calculated as a percentage of either the physical interface media rate or the logical interface configured shaping rate.

Guidelines for Configuring a Bandwidth Policer

The following guidelines apply to configuring a bandwidth policer:

  • To specify a percentage bandwidth limit, you include the bandwidth-percent percentage statement in place of the bandwidth-limit bps statement.

  • By default, a bandwidth policer calculates the percentage bandwidth limit based on the physical interface port speed. To configure a bandwidth policer to calculate the percentage bandwidth limit based on the configured logical interface shaping rate instead, include the logical-bandwidth-policer statement at the [edit firewall policer policer-name] hierarchy level. This type of bandwidth policer is called a logical bandwidth policer.

    You can configure a logical interface shaping rate by including the shaping-rate bps statement at the [edit class-of-service interfaces interface interface-name unit logical-unit-number] hierarchy level. A logical interface shaping rate causes the specified amount of bandwidth to be allocated to the logical interface.

    Note

    If you configure a logical-bandwidth policer and then apply the policer to a logical interface that is not configured with a shaping rate, then the policer rate-limits traffic on that logical interface to calculate the percentage bandwidth limit based on the physical interface port speed, even if you include the logical-bandwidth-policer statement in the bandwidth policer configuration.

  • If you reference a bandwidth policer from a stateless firewall filter term, you must include the interface-specific statement in the firewall filter configuration.

Guidelines for Applying a Bandwidth Policer

The following guidelines pertain to applying a bandwidth policer to traffic:

  • You can use a bandwidth policer to rate-limit protocol-specific traffic (not family any) at the input or output of a logical interface.

  • You can apply a bandwidth policer directly to protocol-specific input or output traffic at a logical interface.

  • To send only selected packets to a bandwidth policer, you can reference the bandwidth policer from a stateless firewall filter term and then apply the filter to logical interface traffic for a specific protocol family.

    • To reference a logical bandwidth policer from a firewall filter, you must include the interface-specific statement in the firewall filter configuration.

    • You cannot use a bandwidth policer for forwarding-table filters.

  • You cannot apply a bandwidth policer to an aggregate interface, a tunnel interface, or a software interface.

Example: Configuring a Logical Bandwidth Policer

This example shows how to configure a logical bandwidth policer.

Requirements

Before you begin, make sure that you have two logical units available on a Gigabit Ethernet interface.

Overview

In this example, you configure a single-rate two-color policer that specifies the bandwidth limit as a percentage value rather than as an absolute number of bits per second. This type of policer is called a bandwidth policer. By default, a bandwidth policer enforces a bandwidth limit based on the line rate of the underlying physical interface. As an option, you can configure a bandwidth policer to enforce a bandwidth limit based on the configured shaping rate of the logical interface. To configure this type of bandwidth policer, called a logical bandwidth policer, you include the logical-bandwidth-policer statement in the policer configuration.

To configure a logical interface shaping rate, include the shaping-rate bps statement at the [edit class-of-service interfaces interface interface-name unit logical-unit-number] hierarchy level. This class-of-service (CoS) configuration statement causes the specified amount of bandwidth to be allocated to the logical interface.

Note

If you configure a policer bandwidth limit as a percentage but a shaping rate is not configured for the target logical interface, the policer bandwidth limit is calculated as a percentage of the physical interface media rate, even if you enable the logical-bandwidth policing feature.

To apply a logical bandwidth policer to a logical interface, you can apply the policer directly to the logical interface at the protocol family level or (if you only need to rate-limit filtered packets) you can reference the policer from a stateless firewall filter configured to operate in interface-specific mode.

Topology

In this example, you configure two logical interfaces on a single Gigabit Ethernet interface and configure a shaping rate on each logical interface. On logical interface ge-1/3/0.0, you allocate 4 Mbps of bandwidth. On logical interface ge-1/3/0.1, you allocate 2 Mbps of bandwidth.

You also configure a logical bandwidth policer with a bandwidth limit of 50 percent and a maximum burst size of 125,000 bytes, and then you apply the policer to input and output traffic at the logical units configured on ge-1/3/0.0. For logical interface ge-1/3/0.0, the policer rate-limits to a bandwidth limit of 2 Mbps (50 percent of the 4 Mbps shaping rate configured for the logical interface). For logical interface ge-1/3/0.1, the policer rate-limits traffic to a bandwidth limit of 1 Mbps (50 percent of the 2 Mbps shaping rate configured for the logical interface).

If no shaping rate is configured for a target logical interface, the policer rate-limits to a bandwidth limit calculated as 50 percent of the physical interface media rate. For example, if you apply a 50 percent bandwidth policer to input or output traffic at a Gigabit Ethernet logical interface without rate shaping, the policer applies a bandwidth limit of 500 Mbps (50 percent of 1000 Mbps).

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

CLI Quick Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

Configuring the Logical Interfaces

Step-by-Step Procedure

To configure the logical interfaces:

  1. Enable configuration of the physical interface.

  2. Configure the first logical interface.

  3. Configure the second logical interface.

Results

Confirm the configuration of the interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Configuring Traffic Rate-Shaping by Specifying the Amount of Bandwidth to be Allocated to the Logical Interface

Step-by-Step Procedure

To configure rate shaping by specifying the bandwidth to be allocated to the logical interface:

  1. Enable CoS configuration on the physical interface.

  2. Configure rate shaping for the logical interfaces.

    These statements allocate 4 Mbps of bandwidth to logical unit ge-1/3/0.0 and 2 Mbps of bandwidth to logical unit ge-1/3/0.1.

Results

Confirm the configuration of the rate shaping by entering the show class-of-service configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Configuring the Logical Bandwidth Policer

Step-by-Step Procedure

To configure the logical bandwidth policer:

  1. Enable configuration of a single-rate two-color policer.

  2. Configure the policer as a logical-bandwidth policer.

    This applies the rate-limiting to logical interfaces.
  3. Configure the policer traffic limits and actions.

Results

Confirm the configuration of the policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Applying the Logical Bandwidth Policers to the Logical Interfaces

Step-by-Step Procedure

To configure the logical bandwidth policers to the logical interfaces:

  1. Enable configuration of the interface.

  2. Apply the logical bandwidth policer to the first logical interface.

  3. Apply the policing to the second logical interface.

Results

Confirm the configuration of the interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Displaying Traffic Statistics and Policers for the Logical Interface

Purpose

Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.

Action

Use the show interfaces operational mode command for logical interfaces ge-1/3/0.0 and ge-1/3/0.1, and include the detail or extensive option. The command output section for Traffic statistics lists the number of bytes and packets received and transmitted on the logical interface, and the Protocol inet section contains a Policer field that lists the policer LB-policer as an input or output policer as follows:

  • Input: LB-policer-ge-1/3/0.0-inet-i

  • Output: LB-policer-ge-1/3/0.0-inet-o

In this example, the policer is applied to logical interface traffic in both the input and output directions.

user@host> show interfaces ge-1/3/0.0 detail
user@host> show interfaces ge-1/3/0.1 detail

Displaying Statistics for the Policer

Purpose

Verify the number of packets evaluated by the policer.

Action

Use the show policer operational mode command and optionally specify the name of the policer. The command output displays the number of packets evaluated by each configured policer (or the specified policer), in each direction. For the policer LB-policer, the input and output policer names are displayed as follows:

  • LB-policer-ge-1/3/0.0-inet-i

  • LB-policer-ge-1/3/0.0-inet-o

  • LB-policer-ge-1/3/0.1-inet-i

  • LB-policer-ge-1/3/0.1-inet-o

The -inet-i suffix denotes a policer applied to logical interface input traffic, while the -inet-o suffix denotes a policer applied to logical interface output traffic. In this example, the policer is applied to both input and output traffic on logical interface ge-1/3/0.0 and logical interface ge-1/3/0.1.

user@host> show policer