Related Documentation
- QFX Series
- Understanding Color-Blind Mode for Single-Rate Tricolor Marking
- Understanding Color-Blind Mode for Two-Rate Tricolor Marking
- Understanding Color-Aware Mode for Single-Rate Tricolor Marking
- Understanding Color-Aware Mode for Two-Rate Tricolor Marking
- Configuring Two-Color and Three-Color Policers to Control Traffic Rates
Overview of Policers
A switch polices traffic by limiting the input or output transmission rate of a class of traffic according to user-defined criteria. Policing (or rate-limiting) traffic allows you to control the maximum rate of traffic sent or received on an interface and to provide multiple priority levels or classes of service.
Policer Overview
You use policers to apply limits to traffic flow and set consequences for packets that exceed these limits—usually applying a higher loss priority—so that if packets encounter downstream congestion, they can be discarded first. Policers apply only to unicast packets.
Policers provide two functions: metering and marking. A policer meters (measures) each packet against traffic rates and burst sizes that you configure. It then passes the packet and the metering result to the marker, which assigns a packet loss priority that corresponds to the metering result. Figure 1 illustrates this process.
Figure 1: Flow of Tricolor Marking Policer Operation

After you name and configure a policer, you use it by specifying it as an action in one or more firewall filters.
Policer Types
A switch supports three types of policers:
- Single-rate two-color marker—A two-color policer (or “policer” when used without qualification) meters the traffic stream and classifies packets into two categories of packet loss priority (PLP) according to a configured bandwidth and burst-size limit. You can mark packets that exceed the bandwidth and burst-size limit with a specified PLP or simply discard them.
You can specify this type of policer in an ingress or egress firewall.

Note: A two-color policer is most useful for metering traffic at the port (physical interface) level.
- Single-rate three-color marker—This type of policer is defined in RFC 2697, A Single Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on one rate—the configured committed information rate (CIR) as well as the committed burst size (CBS) and the excess burst size (EBS). The CIR specifies the average rate at which bits are admitted to the switch. The CBS specifies the usual burst size in bytes and the EBS specifies the maximum burst size in bytes. The EBS must be greater than or equal to the CBS, and neither can be 0.
You can specify this type of policer in an ingress or egress firewall.

Note: A single-rate three-color marker (TCM) is most useful when a service is structured according to packet length and not peak arrival rate.
- Two-rate three-color marker—This type of policer is defined in RFC 2698, A Two Rate Three Color Marker, as part of an assured forwarding per-hop-behavior classification system for a Differentiated Services environment. This type of policer meters traffic based on two rates—the CIR and peak information rate (PIR) along with their associated burst sizes, the CBS and peak burst size (PBS). The PIR specifies the maximum rate at which bits are admitted to the network and must be greater than or equal to the CIR.
You can specify this type of policer in an ingress or egress firewall.

Note: A two-rate three-color policer is most useful when a service is structured according to arrival rates and not necessarily packet length.
See Table 1 for information about how metering results are applied for each of these policer types.
Policer Actions
Policer actions are implicit or explicit and vary by policer type. Implicit means that Junos OS assigns the loss priority automatically. Table 1 describes the policer actions.
Table 1: Policer Actions
| Policer | Marking | Implicit Action | Configurable Action |
|---|---|---|---|
| Single-rate two-color | Green (conforming) | Assign low loss priority | None |
| | Red (nonconforming) | None | Discard |
| Single-rate three-color | Green (conforming) | Assign low loss priority | None |
| | Yellow (above the CIR and CBS) | Assign medium-high loss priority | None |
| | Red (above the EBS) | Assign high loss priority | Discard |
| Two-rate three-color | Green (conforming) | Assign low loss priority | None |
| | Yellow (above the CIR and CBS) | Assign medium-high loss priority | None |
| | Red (above the PIR and PBS) | Assign high loss priority | Discard |

Note: If you specify a policer in an egress firewall filter, the only supported action is discard.
Policer Colors
Single-rate and two-rate three-color policers can operate in two modes:
- Color-blind—In color-blind mode, the three-color policer assumes that all packets examined have not been previously marked or metered. In other words, the three-color policer is “blind” to any previous coloring a packet might have had.
- Color-aware—In color-aware mode, the three-color policer assumes that all packets examined have been previously marked or metered. In other words, the three-color policer is “aware” of the previous coloring a packet might have had. In color-aware mode, the three-color policer can increase the PLP of a packet but cannot decrease it. For example, if a color-aware three-color policer meters a packet with a medium PLP marking, it can raise the PLP level to high but cannot reduce the PLP level to low.
Suggested Naming Convention for Policers
We recommend that you use the naming convention policertypeTCM#-color type when configuring three-color policers and policer# when configuring two-color policers. TCM stands for three-color marker. Because policers can be numerous and must be applied correctly to work, a simple naming convention makes it easier to apply the policers properly. For example, the first single-rate, color-aware three-color policer configured would be named srTCM1-ca. The second two-rate, color-blind three-color policer configured would be named trTCM2-cb. The elements of this naming convention are explained below:
- sr (single-rate)
- tr (two-rate)
- TCM (tricolor marking)
- 1 or 2 (number of marker)
- ca (color-aware)
- cb (color-blind)
Policer Counters
Each policer that you configure includes an implicit counter that counts the number of packets that exceed the rate limits that are specified for the policer. If you use the same policer in multiple terms—either within the same filter or in different filters—the implicit counter counts all the packets that are policed in all of these terms. If you want to obtain separate packet counts for each term, use these options:
- Configure a unique policer for each term.
- Configure only one policer, but use a unique, explicit counter in each term.
Policer Algorithms
Policing uses the token-bucket algorithm, which enforces a limit on average bandwidth while allowing bursts up to a specified maximum value. It offers more flexibility than the leaky bucket algorithm in allowing a certain amount of bursty traffic before it starts discarding packets.
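The token-bucket metering described above, together with the single-rate three-color marker and its color-blind and color-aware modes, can be traced with a small simulation. This is an added example following the RFC 2697 algorithm, not Junos OS code; the class name SrTCM, the helper run, and the rate, burst and packet values are assumptions chosen for illustration.

```python
# Added example: RFC 2697 single-rate three-color marker (srTCM) meter.
GREEN, YELLOW, RED = "green", "yellow", "red"


class SrTCM:
    def __init__(self, cir_bps, cbs, ebs, color_aware=False):
        # Constraint stated on the page: EBS >= CBS and neither can be 0.
        if cbs <= 0 or ebs < cbs:
            raise ValueError("need 0 < CBS <= EBS")
        self.rate = cir_bps / 8            # token fill rate, bytes per second
        self.cbs, self.ebs = cbs, ebs
        self.tc, self.te = cbs, ebs        # both buckets start full
        self.color_aware = color_aware
        self.last = 0.0

    def _refill(self, now):
        tokens = (now - self.last) * self.rate
        self.last = now
        to_c = min(tokens, self.cbs - self.tc)   # committed bucket fills first
        self.tc += to_c
        self.te = min(self.ebs, self.te + tokens - to_c)  # overflow goes to E

    def meter(self, now, size, pre_color=GREEN):
        self._refill(now)
        if not self.color_aware:
            pre_color = GREEN              # color-blind: ignore prior marking
        if pre_color == GREEN and self.tc >= size:
            self.tc -= size
            return GREEN
        if pre_color in (GREEN, YELLOW) and self.te >= size:
            self.te -= size
            return YELLOW
        return RED                         # no tokens left, or arrived red


def run(policer, packets):
    return [policer.meter(t, size, color) for t, size, color in packets]


# Constructed sample: (arrival time in s, size in bytes, color set upstream).
PACKETS = [(0.0, 1000, YELLOW), (0.0, 1000, GREEN), (0.0, 1000, RED),
           (0.0, 1000, GREEN), (0.0, 1000, YELLOW)]

if __name__ == "__main__":
    # CIR 8000 bps = 1000 bytes/s, CBS 1500 bytes, EBS 3000 bytes (assumed values).
    print("color-blind:", run(SrTCM(8000, 1500, 3000), PACKETS))
    print("color-aware:", run(SrTCM(8000, 1500, 3000, color_aware=True), PACKETS))
```

In the color-blind run the third packet, which arrived red, is re-marked yellow because excess tokens are available; in the color-aware run it stays red, and the first packet stays yellow even though the committed bucket is full.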
How Many Policers are Supported?
You can configure and commit the following numbers of policers on QFX3500 and QFX3600 devices when they are operating as standalone switches:
- Two-color policers used in ingress firewall filters: 768
- Three-color policers used in ingress firewall filters: 768
- Two-color policers used in egress firewall filters: 510
- Three-color policers used in egress firewall filters: 255

