
Basic Single-Rate Two-Color Policers


Single-Rate Two-Color Policer Overview

Single-rate two color policing enforces a configured rate of traffic flow for a particular service level by applying implicit or configured actions to traffic that does not conform to the limits. When you apply a single-rate two-color policer to the input or output traffic at an interface, the policer meters the traffic flow to the rate limit defined by the following components:

  • Bandwidth limit—The average number of bits per second permitted for packets received or transmitted at the interface. You can specify the bandwidth limit as an absolute number of bits per second or as a percentage value from 1 through 100. If a percentage value is specified, the effective bandwidth limit is calculated as a percentage of either the physical interface media rate or the logical interface configured shaping rate.

  • Packets per second (pps) limit (MX Series with MPC only)–The average number of packets per second permitted for packets received or transmitted at the interface. You specify the pps limit as an absolute number of packets per second.

  • Burst-size limit—The maximum size permitted for bursts of data.

  • Packet burst limit–

For a traffic flow that conforms to the configured limits (categorized as green traffic), packets are implicitly marked with a packet loss priority (PLP) level of low and are allowed to pass through the interface unrestricted.

For a traffic flow that exceeds the configured limits (categorized as red traffic), packets are handled according to the traffic-policing actions configured for the policer. The action might be to discard the packet, or the action might be to re-mark the packet with a specified forwarding class, a specified PLP, or both, and then transmit the packet.

To rate-limit Layer 3 traffic, you can apply a two-color policer in the following ways:

  • Directly to a logical interface, at a specific protocol level.

  • As the action of a standard stateless firewall filter that is applied to a logical interface, at a specific protocol level.

To rate-limit Layer 2 traffic, you can apply a two-color policer as a logical interface policer only. You cannot apply a two-color policer to Layer 2 traffic through a firewall filter.

Example: Limiting Inbound Traffic at Your Network Border by Configuring an Ingress Single-Rate Two-Color Policer

This example shows how to configure an ingress single-rate two-color policer to rate-limit incoming traffic. The policer enforces the class-of-service (CoS) strategy for in-contract and out-of-contract traffic. You can apply a single-rate two-color policer to incoming packets, outgoing packets, or both; this example applies the policer as an input (ingress) policer. The goal of this topic is to introduce policing with an example that shows traffic policing in action.

Policers use a concept known as a token bucket to allocate system resources based on the parameters defined for the policer. A thorough explanation of the token bucket concept and its underlying algorithms is beyond the scope of this document. For more information about traffic policing, and CoS in general, refer to QOS-Enabled Networks—Tools and Foundations by Miguel Barreiros and Peter Lundqvist. This book is available at many online booksellers and at www.juniper.net/books.

Requirements

To verify this procedure, this example uses a traffic generator. The traffic generator can be hardware-based or it can be software running on a server or host machine.

The functionality in this procedure is widely supported on devices that run Junos OS. The example shown here was tested and verified on MX Series routers running Junos OS Release 10.4.

Overview

Single-rate two-color policing enforces a configured rate of traffic flow for a particular service level by applying implicit or configured actions to traffic that does not conform to the limits. When you apply a single-rate two-color policer to the input or output traffic at an interface, the policer meters the traffic flow to the rate limit defined by the following components:

  • Bandwidth limit—The average number of bits per second permitted for packets received or transmitted at the interface. You can specify the bandwidth limit as an absolute number of bits per second or as a percentage value from 1 through 100. If a percentage value is specified, the effective bandwidth limit is calculated as a percentage of either the physical interface media rate or the logical interface configured shaping rate.

  • Burst-size limit—The maximum size permitted for bursts of data. Burst sizes are measured in bytes. We recommend two formulas for calculating burst size:

    Burst size = bandwidth x allowable time for burst traffic / 8

    Or

    Burst size = interface mtu x 10

    For information about configuring the burst size, see Determining Proper Burst Size for Traffic Policers.

    Note

    There is a finite buffer space for an interface. In general, the estimated total buffer depth for an interface is about 125 ms.

For a traffic flow that conforms to the configured limits (categorized as green traffic), packets are implicitly marked with a packet loss priority (PLP) level of low and are allowed to pass through the interface unrestricted.

For a traffic flow that exceeds the configured limits (categorized as red traffic), packets are handled according to the traffic-policing actions configured for the policer. This example discards packets that exceed the 700-Mbps bandwidth limit or the 15,000-byte (15 KB) burst-size limit.

To rate-limit Layer 3 traffic, you can apply a two-color policer in the following ways:

  • Directly to a logical interface, at a specific protocol level.

  • As the action of a standard stateless firewall filter that is applied to a logical interface, at a specific protocol level. This is the technique used in this example.

To rate-limit Layer 2 traffic, you can apply a two-color policer as a logical interface policer only. You cannot apply a two-color policer to Layer 2 traffic through a firewall filter.

Caution

You can configure either bandwidth-limit or bandwidth-percent within a policer, but not both; the two statements are mutually exclusive. You cannot configure a policer to use bandwidth-percent on aggregate, tunnel, or software interfaces.

In this example, Device Host1 is a traffic generator emulating a web server. Devices R1 and R2 are owned by a service provider. The web server is accessed by users on Device Host2, so Device Host1 sends traffic with a TCP source port of 80 (HTTP) to those users. A single-rate two-color policer is configured and applied to the interface on Device R1 that connects to Device Host1. The policer enforces the contractual bandwidth agreed between the owner of the web server and the service provider that owns Device R1 for the web traffic that flows over the link connecting Device Host1 to Device R1.

In accordance with that agreement, the policer limits the HTTP port 80 traffic originating from Device Host1 to 700 Mbps (70 percent of the Gigabit Ethernet link between Device Host1 and Device R1), with an allowable burst size of 10 times the interface MTU (15,000 bytes for a 1500-byte MTU).

Note

In a real-world scenario you would probably also rate limit traffic for a variety of other ports such as FTP, SFTP, SSH, TELNET, SMTP, IMAP, and POP3 because they are often included as additional services with web hosting services.

Note

You need to leave some additional bandwidth available that is not rate limited for network control protocols such as routing protocols, DNS, and any other protocols required to keep network connectivity operational. This is why the firewall filter has a final accept condition on it.

Topology

This example uses the topology in Figure 1.

Figure 1: Single-Rate Two-Color Policer Scenario

Figure 2 shows the policing behavior.

Figure 2: Traffic Limiting in a Single-Rate Two-Color Policer Scenario

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Device R1

Device R2

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Device R1:

  1. Configure the device interfaces.
  2. Apply the firewall filter to interface ge-2/0/5 as an input filter.
  3. Configure the policer to rate-limit HTTP traffic (TCP port 80) to a bandwidth of 700 Mbps with a burst size of 15,000 bytes (15 KB).
  4. Configure the policer to discard packets in the red traffic flow.
  5. Configure the two match conditions of the firewall filter term to select all TCP traffic on port 80 (HTTP).
  6. Configure the firewall action to rate-limit HTTP TCP traffic using the policer.
  7. At the end of the firewall filter, configure a default action that accepts all other traffic.

    Otherwise, all traffic that arrives on the interface and is not explicitly accepted by the firewall is discarded.

  8. Configure OSPF.
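The following set-style configuration for Device R1 is an added example that walks through the eight steps above; it is not the page's own CLI Quick Configuration (which is absent here). Interface ge-2/0/5, the 700-Mbps / 15,000-byte policer values, the TCP port 80 match, the discard action, the final accept term, and OSPF come from the page. The policer name police-http-700m, the filter name limit-http, the ge-2/0/6 uplink toward R2, all IPv4 addresses, and the OSPF area are assumptions made for illustration.

```junos
## Device R1 (added example). Names, addresses and the ge-2/0/6 uplink are
## assumptions; ge-2/0/5 and the policer values come from the page text.

## Step 1: interfaces. ge-2/0/5 faces Host1 (the emulated web server).
set interfaces ge-2/0/5 description "to Host1 (web server / traffic generator)"
set interfaces ge-2/0/5 unit 0 family inet address 10.0.15.1/24
set interfaces ge-2/0/6 description "to R2"
set interfaces ge-2/0/6 unit 0 family inet address 10.0.12.1/30

## Step 2: apply the filter to ge-2/0/5 in the input direction.
set interfaces ge-2/0/5 unit 0 family inet filter input limit-http

## Steps 3-4: single-rate two-color policer, 700 Mbps with a 15,000-byte
## burst; traffic over either limit is red and is discarded.
set firewall policer police-http-700m if-exceeding bandwidth-limit 700m
set firewall policer police-http-700m if-exceeding burst-size-limit 15k
set firewall policer police-http-700m then discard

## Steps 5-6: match TCP port 80 (source or destination) and hand the
## matching packets to the policer; green packets are accepted implicitly.
set firewall filter limit-http term http from protocol tcp
set firewall filter limit-http term http from port 80
set firewall filter limit-http term http then policer police-http-700m
set firewall filter limit-http term http then count http-policed

## Step 7: explicit final accept. Without it the implicit discard at the end
## of the filter would drop OSPF, DNS and everything else that is not HTTP.
set firewall filter limit-http term everything-else then accept

## Step 8: OSPF toward R2 (area assumed); the host-facing link is passive.
set protocols ospf area 0.0.0.0 interface ge-2/0/6.0
set protocols ospf area 0.0.0.0 interface ge-2/0/5.0 passive
```

The lines beginning with ## are annotations; strip them before pasting into the CLI. For the hping test described under Verification, replace the two if-exceeding lines with bandwidth-limit 8k and burst-size-limit 1500 so that the reduced limits produce discards from a small test flow.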

Step-by-Step Procedure

To configure Device R2:

  1. Configure the device interfaces.
  2. Configure OSPF.

Results

From configuration mode, confirm your configuration by entering the show interfaces, show firewall, and show protocols ospf commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring Device R1, enter commit from configuration mode.

If you are done configuring Device R2, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Clearing the Counters

Purpose

Confirm that the firewall counters are cleared.

Action

On Device R1, run the clear firewall all command to reset the firewall counters to 0.

user@R1> clear firewall all

Sending TCP Traffic into the Network and Monitoring the Discards

Purpose

Make sure that the traffic of interest that is sent is rate-limited on the input interface (ge-2/0/5).

Action

  1. Use a traffic generator to send 10 TCP packets with a source port of 80.

    The -s flag sets the source port. The -k flag causes the source port to remain steady at 80 instead of incrementing. The -c flag sets the number of packets to 10. The -d flag sets the packet size.

    The destination IP address of 172.16.80.1 belongs to Device Host2, which is connected to Device R2. The user on Device Host2 has requested a webpage from Device Host1 (the web server emulated by the traffic generator on Device Host1). The packets being rate-limited are sent from Device Host1 in response to the request from Device Host2.

    Note

    In this example the policer values are reduced to a bandwidth limit of 8 Kbps and a burst-size limit of 1500 bytes so that some packets are dropped during this test.

    [root@host]# hping 172.16.80.1 -c 10 -s 80 -k -d 300
  2. On Device R1, check the firewall counters by using the show firewall command.

    user@R1> show firewall

Meaning

The show firewall output on Device R1 shows that 4 of the 10 packets were discarded. Those packets exceeded the 8-Kbps bandwidth limit and the 1500-byte burst allowance, so the policer classified them as red (out-of-contract HTTP port 80) traffic and applied the discard action; the remaining 6 packets were green (in-contract) traffic and were forwarded.

See also

  • Junos OS Routing Protocols and Policies Configuration Guide for Security Devices

Example: Configuring Interface and Firewall Filter Policers at the Same Interface

This example shows how to configure three single-rate two-color policers and apply the policers to the IPv4 input traffic at the same single-tag virtual LAN (VLAN) logical interface.

Requirements

No special configuration beyond device initialization is required before configuring this example.

Overview

In this example, you configure three single-rate two-color policers and apply the policers to the IPv4 input traffic at the same single-tag VLAN logical interface. Two policers are applied to the interface through a firewall filter, and one policer is applied directly to the interface.

You configure one policer, named p-all-1m-5k-discard, to rate-limit traffic to 1 Mbps with a burst size of 5000 bytes. You apply this policer directly to IPv4 input traffic at the logical interface. When you apply a policer directly to protocol-specific traffic at a logical interface, the policer is said to be applied as an interface policer.

You configure the other two policers to allow burst sizes of 500 KB, and you apply these policers to IPv4 input traffic at the logical interface by using an IPv4 standard stateless firewall filter. When you apply a policer to protocol-specific traffic at a logical interface through a firewall filter action, the policer is said to be applied as a firewall-filter policer.

  • You configure the policer named p-icmp-500k-500k-discard to rate-limit traffic to 500 Kbps with a burst size of 500 KB (500,000 bytes) by discarding packets that do not conform to these limits. You configure one of the firewall filter terms to apply this policer to Internet Control Message Protocol (ICMP) packets.

  • You configure the policer named p-ftp-10p-500k-discard to rate-limit traffic to 10 percent of the interface bandwidth with a burst size of 500 KB (500,000 bytes) by discarding packets that do not conform to these limits. You configure another firewall-filter term to apply this policer to File Transfer Protocol (FTP) packets.

A policer that you configure with a bandwidth limit expressed as a percentage value (rather than as an absolute bandwidth value) is called a bandwidth policer. Only single-rate two-color policers can be configured with a percentage bandwidth specification. By default, a bandwidth policer rate-limits traffic to the specified percentage of the line rate of the physical interface underlying the target logical interface.

Topology

You configure the target logical interface as a single-tag VLAN logical interface on a Fast Ethernet interface operating at 100 Mbps. This means that the policer you configure with the 10-percent bandwidth-limit (the policer that you apply to FTP packets) rate-limits the FTP traffic on this interface to 10 Mbps.

Note

In this example, you do not configure the bandwidth policer as a logical-bandwidth policer. Therefore, the percentage is based on the physical media rate rather than on the configured shaping rate of the logical interface.

The firewall filter that references two of the policers must be configured as an interface-specific filter, because the policer used to rate-limit FTP packets specifies its bandwidth limit as a percentage value. If this firewall filter were applied to multiple interfaces instead of just the Fast Ethernet interface in this example, a separate policer instance and counter set would be created for each interface to which the filter is applied.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

CLI Quick Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

Configuring the Single-Tag VLAN Logical Interface

Step-by-Step Procedure

To configure the single-tag VLAN logical interface:

  1. Enable configuration of the Fast Ethernet interface.

  2. Enable single-tag VLAN framing.

  3. Bind VLAN IDs to the logical interfaces.

  4. Configure IPv4 on the single-tag VLAN logical interfaces.

Results

Confirm the configuration of the VLAN by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Configuring the Three Policers

Step-by-Step Procedure

To configure the three policers:

  1. Enable configuration of a two-color policer that discards packets that do not conform to a bandwidth of 1 Mbps and a burst size of 5000 bytes.

    Note

    You apply this policer directly to all IPv4 input traffic at the single-tag VLAN logical interface, so the packets will not be filtered before being subjected to rate limiting.

  2. Configure the first policer.

  3. Enable configuration of a two-color policer that discards packets that do not conform to a bandwidth specified as “10 percent” and a burst size of 500,000 bytes.

    You apply this policer only to the FTP traffic at the single-tag VLAN logical interface.

    You apply this policer as the action of an IPv4 firewall filter term that matches TCP packets on the FTP ports.

  4. Configure policing limits and actions.

    Because the bandwidth limit is specified as a percentage, the firewall filter that references this policer must be configured as an interface-specific filter.

    Note

    If you wanted this policer to rate-limit to 10 percent of the logical interface configured shaping rate (rather than to 10 percent of the physical interface media rate), you would need to include the logical-bandwidth-policer statement at the [edit firewall policer p-ftp-10p-500k-discard] hierarchy level. This type of policer is called a logical-bandwidth policer.

  5. Enable configuration of the IPv4 firewall filter policer for ICMP packets.

  6. Configure policing limits and actions.

Results

Confirm the configuration of the policers by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Configuring the IPv4 Firewall Filter

Step-by-Step Procedure

To configure the IPv4 firewall filter:

  1. Enable configuration of the IPv4 firewall filter.

  2. Configure the firewall filter as interface-specific.

    The firewall filter must be interface-specific because one of the policers referenced is configured with a bandwidth limit expressed as a percentage value.
  3. Enable configuration of a filter term to rate-limit FTP packets.

    FTP uses TCP port 21 (ftp) for the control connection and TCP port 20 (ftp-data) for active-mode data transfers. Passive-mode data connections are negotiated on ephemeral ports, so a term that matches only these two ports does not police them.
  4. Configure the filter term to match FTP packets.

  5. Enable configuration of a filter term to rate-limit ICMP packets.

  6. Configure the filter term for ICMP packets.

  7. Configure a filter term to accept all other packets without policing.

Results

Confirm the configuration of the firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Applying the Interface Policer and Firewall Filter Policers to the Logical Interface

Step-by-Step Procedure

To apply the three policers to the VLAN:

  1. Enable configuration of IPv4 on the logical interface.

  2. Apply the firewall filter policers to the interface.

  3. Apply the interface policer to the interface.

    Input packets at fe-0/1/1.1 are evaluated against the interface policer before they are evaluated against the firewall filter policers. For more information, see Order of Policer and Firewall Filter Operations.
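The following set-style configuration is an added example that carries the four procedures of this section (VLAN interface, three policers, filter, application) through as one working whole; it is not the page's own CLI Quick Configuration. The policer names, the filter name filter-ipv4-with-limits, the term names t-ftp and t-icmp, interface fe-0/1/1.1 and the policer values come from the page. The VLAN IDs, the IPv4 addresses and the use of unit 0 as the second single-tag logical interface are assumptions made for illustration.

```junos
## Three-policer example (added). VLAN IDs and addresses are assumptions;
## policer, filter and term names and all limits come from the page text.

## Single-tag VLAN logical interfaces on a 100-Mbps Fast Ethernet port.
set interfaces fe-0/1/1 vlan-tagging
set interfaces fe-0/1/1 unit 0 vlan-id 100
set interfaces fe-0/1/1 unit 0 family inet address 10.10.10.1/30
set interfaces fe-0/1/1 unit 1 vlan-id 101
set interfaces fe-0/1/1 unit 1 family inet address 10.10.11.1/30

## Interface policer: 1 Mbps, 5000-byte burst, applied to all IPv4 input.
set firewall policer p-all-1m-5k-discard if-exceeding bandwidth-limit 1m
set firewall policer p-all-1m-5k-discard if-exceeding burst-size-limit 5k
set firewall policer p-all-1m-5k-discard then discard

## Bandwidth policer: 10 percent of the physical line rate (10 Mbps on this
## port). Add "logical-bandwidth-policer" here only if the percentage should
## instead apply to the logical interface shaping rate.
set firewall policer p-ftp-10p-500k-discard if-exceeding bandwidth-percent 10
set firewall policer p-ftp-10p-500k-discard if-exceeding burst-size-limit 500k
set firewall policer p-ftp-10p-500k-discard then discard

## ICMP policer: 500 Kbps with a 500,000-byte burst.
set firewall policer p-icmp-500k-500k-discard if-exceeding bandwidth-limit 500k
set firewall policer p-icmp-500k-500k-discard if-exceeding burst-size-limit 500k
set firewall policer p-icmp-500k-500k-discard then discard

## Interface-specific filter: required because p-ftp-10p-500k-discard uses
## bandwidth-percent. Each interface the filter is applied to gets its own
## policer instances and counters (names suffixed with the interface).
set firewall family inet filter filter-ipv4-with-limits interface-specific
set firewall family inet filter filter-ipv4-with-limits term t-ftp from protocol tcp
set firewall family inet filter filter-ipv4-with-limits term t-ftp from port [ ftp ftp-data ]
set firewall family inet filter filter-ipv4-with-limits term t-ftp then policer p-ftp-10p-500k-discard
set firewall family inet filter filter-ipv4-with-limits term t-icmp from protocol icmp
set firewall family inet filter filter-ipv4-with-limits term t-icmp then policer p-icmp-500k-500k-discard
## Final accept: without it the implicit discard drops all non-FTP, non-ICMP traffic.
set firewall family inet filter filter-ipv4-with-limits term t-everything-else then accept

## Apply both to IPv4 input on fe-0/1/1.1. The interface policer runs first,
## then the filter and its two policers.
set interfaces fe-0/1/1 unit 1 family inet policer input p-all-1m-5k-discard
set interfaces fe-0/1/1 unit 1 family inet filter input filter-ipv4-with-limits
```

The lines beginning with ## are annotations; strip them before pasting into the CLI. After commit, show policer and show firewall display the per-interface instance names (for example p-all-1m-5k-discard-fe-0/1/1.1-inet-i and filter-ipv4-with-limits-fe-0/1/1.1-i) that the Verification section queries.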

Results

Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Displaying Policers Applied Directly to the Logical Interface

Purpose

Verify that the interface policer is evaluated when packets are received on the logical interface.

Action

Use the show interfaces policers operational mode command for logical interface fe-0/1/1.1. In the command output, the Proto column and the Input Policer column show that the policer p-all-1m-5k-discard is evaluated when IPv4 packets are received on the logical interface.

user@host> show interfaces policers fe-0/1/1.1

In this example, the interface policer is applied to logical interface traffic in the input direction only.

Displaying Statistics for the Policer Applied Directly to the Logical Interface

Purpose

Verify the number of packets evaluated by the interface policer.

Action

Use the show policer operational mode command and optionally specify the name of the policer. The command output displays the number of packets evaluated by each configured policer (or the specified policer), in each direction.

user@host> show policer p-all-1m-5k-discard-fe-0/1/1.1-inet-i

Displaying the Policers and Firewall Filters Applied to an Interface

Purpose

Verify that the firewall filter filter-ipv4-with-limits is applied to the IPv4 input traffic at logical interface fe-0/1/1.1.

Action

Use the show interfaces statistics operational mode command for logical interface fe-0/1/1.1, and include the detail option. Under the Protocol inet section of the command output, the Input Filters and Policer lines display the names of the filter and policer applied to the logical interface in the input direction.

user@host> show interfaces statistics fe-0/1/1.1 detail

In this example, the two firewall filter policers are applied to logical interface traffic in the input direction only.

Displaying Statistics for the Firewall Filter Policers

Purpose

Verify the number of packets evaluated by the firewall filter policers.

Action

Use the show firewall operational mode command for the filter you applied to the logical interface.

user@host> show firewall filter filter-ipv4-with-limits-fe-0/1/1.1-i

The command output displays the names of the policers (p-ftp-10p-500k-discard and p-icmp-500k-500k-discard), combined with the names of the filter terms (t-ftp and t-icmp, respectively) under which the policer action is specified. The policer-specific output lines count only the packets that the policer found out of specification (out-of-spec) and discarded, not all packets that matched the filter term and were evaluated by the policer.