
    Example: Configuring Interface and Firewall Filter Policers at the Same Interface

    This example shows how to configure three single-rate two-color policers and apply the policers to the IPv4 input traffic at the same single-tag virtual LAN (VLAN) logical interface.

    Requirements

    No special configuration beyond device initialization is required before configuring this example.

    Overview

    In this example, you configure three single-rate two-color policers and apply the policers to the IPv4 input traffic at the same single-tag VLAN logical interface. Two policers are applied to the interface through a firewall filter, and one policer is applied directly to the interface.

    You configure one policer, named p-all-1m-5k-discard, to rate-limit traffic to 1 Mbps with a burst size of 5000 bytes. You apply this policer directly to IPv4 input traffic at the logical interface. When you apply a policer directly to protocol-specific traffic at a logical interface, the policer is said to be applied as an interface policer.

    You configure the other two policers to allow burst sizes of 500 KB, and you apply these policers to IPv4 input traffic at the logical interface by using an IPv4 standard stateless firewall filter. When you apply a policer to protocol-specific traffic at a logical interface through a firewall filter action, the policer is said to be applied as a firewall-filter policer.

    • You configure the policer named p-icmp-500k-500k-discard to rate-limit traffic to 500 Kbps with a burst size of 500 KB by discarding packets that do not conform to these limits. You configure one of the firewall filter terms to apply this policer to Internet Control Message Protocol (ICMP) packets.
    • You configure the policer named p-ftp-10p-500k-discard to rate-limit traffic to a 10 percent bandwidth with a burst size of 500 KB by discarding packets that do not conform to these limits. You configure another firewall-filter term to apply this policer to File Transfer Protocol (FTP) packets.

    A policer that you configure with a bandwidth limit expressed as a percentage value (rather than as an absolute bandwidth value) is called a bandwidth policer. Only single-rate two-color policers can be configured with a percentage bandwidth specification. By default, a bandwidth policer rate-limits traffic to the specified percentage of the line rate of the physical interface underlying the target logical interface.

    Topology

    You configure the target logical interface as a single-tag VLAN logical interface on a Fast Ethernet interface operating at 100 Mbps. This means that the policer you configure with the 10-percent bandwidth-limit (the policer that you apply to FTP packets) rate-limits the FTP traffic on this interface to 10 Mbps.

    Note: In this example, you do not configure the bandwidth policer as a logical-bandwidth policer. Therefore, the percentage is based on the physical media rate rather than on the configured shaping rate of the logical interface.

    The firewall filter that you configure to reference two of the policers must be configured as an interface-specific filter. Because the policer that is used to rate-limit FTP packets specifies the bandwidth limit as a percentage value, the firewall filter that references this policer must be configured as an interface-specific filter. Thus, if this firewall filter were to be applied to multiple interfaces instead of just the Fast Ethernet interface in this example, unique policers and counters would be created for each interface to which the filter is applied.

    Configuration

    The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

    To configure this example, perform the following tasks:

    CLI Quick Configuration

    To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

    set interfaces fe-0/1/1 vlan-tagging
    set interfaces fe-0/1/1 unit 0 vlan-id 100
    set interfaces fe-0/1/1 unit 0 family inet address 10.20.15.1/24
    set interfaces fe-0/1/1 unit 1 vlan-id 101
    set interfaces fe-0/1/1 unit 1 family inet address 10.20.240.1/24
    set firewall policer p-all-1m-5k-discard if-exceeding bandwidth-limit 1m
    set firewall policer p-all-1m-5k-discard if-exceeding burst-size-limit 5k
    set firewall policer p-all-1m-5k-discard then discard
    set firewall policer p-ftp-10p-500k-discard if-exceeding bandwidth-percent 10
    set firewall policer p-ftp-10p-500k-discard if-exceeding burst-size-limit 500k
    set firewall policer p-ftp-10p-500k-discard then discard
    set firewall policer p-icmp-500k-500k-discard if-exceeding bandwidth-limit 500k
    set firewall policer p-icmp-500k-500k-discard if-exceeding burst-size-limit 500k
    set firewall policer p-icmp-500k-500k-discard then discard
    set firewall family inet filter filter-ipv4-with-limits interface-specific
    set firewall family inet filter filter-ipv4-with-limits term t-ftp from protocol tcp
    set firewall family inet filter filter-ipv4-with-limits term t-ftp from port ftp
    set firewall family inet filter filter-ipv4-with-limits term t-ftp from port ftp-data
    set firewall family inet filter filter-ipv4-with-limits term t-ftp then policer p-ftp-10p-500k-discard
    set firewall family inet filter filter-ipv4-with-limits term t-icmp from protocol icmp
    set firewall family inet filter filter-ipv4-with-limits term t-icmp then policer p-icmp-500k-500k-discard
    set firewall family inet filter filter-ipv4-with-limits term catch-all then accept
    set interfaces fe-0/1/1 unit 1 family inet filter input filter-ipv4-with-limits
    set interfaces fe-0/1/1 unit 1 family inet policer input p-all-1m-5k-discard

    Configuring the Single-Tag VLAN Logical Interface

    Step-by-Step Procedure

    To configure the single-tag VLAN logical interface:

    1. Enable configuration of the Fast Ethernet interface.

      [edit]
      user@host# edit interfaces fe-0/1/1
    2. Enable single-tag VLAN framing.

      [edit interfaces fe-0/1/1]
      user@host# set vlan-tagging
    3. Bind VLAN IDs to the logical interfaces.

      [edit interfaces fe-0/1/1]
      user@host# set unit 0 vlan-id 100
      user@host# set unit 1 vlan-id 101
    4. Configure IPv4 on the single-tag VLAN logical interfaces.

      [edit interfaces fe-0/1/1]
      user@host# set unit 0 family inet address 10.20.15.1/24
      user@host# set unit 1 family inet address 10.20.240.1/24

    Results

    Confirm the configuration of the VLAN by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

    [edit]
    user@host# show interfaces
    fe-0/1/1 {
        vlan-tagging;
        unit 0 {
            vlan-id 100;
            family inet {
                address 10.20.15.1/24;
            }
        }
        unit 1 {
            vlan-id 101;
            family inet {
                address 10.20.240.1/24;
            }
        }
    }

    Configuring the Three Policers

    Step-by-Step Procedure

    To configure the three policers:

    1. Enable configuration of a two-color policer that discards packets that do not conform to a bandwidth of 1 Mbps and a burst size of 5000 bytes.

      Note: You apply this policer directly to all IPv4 input traffic at the single-tag VLAN logical interface, so the packets will not be filtered before being subjected to rate limiting.

      [edit]
      user@host# edit firewall policer p-all-1m-5k-discard
    2. Configure the first policer.

      [edit firewall policer p-all-1m-5k-discard]
      user@host# set if-exceeding bandwidth-limit 1m
      user@host# set if-exceeding burst-size-limit 5k
      user@host# set then discard
    3. Enable configuration of a two-color policer that discards packets that do not conform to a bandwidth specified as “10 percent” and a burst size of 500,000 bytes.

      You apply this policer only to the FTP traffic at the single-tag VLAN logical interface, as the action of an IPv4 firewall filter term that matches FTP packets carried over TCP.

      [edit firewall policer p-all-1m-5k-discard]
      user@host# up
      [edit]
      user@host# edit firewall policer p-ftp-10p-500k-discard
    4. Configure policing limits and actions.

      [edit firewall policer p-ftp-10p-500k-discard]
      user@host# set if-exceeding bandwidth-percent 10
      user@host# set if-exceeding burst-size-limit 500k
      user@host# set then discard
      Because the bandwidth limit is specified as a percentage, the firewall filter that references this policer must be configured as an interface-specific filter.

      Note: If you wanted this policer to rate-limit to 10 percent of the configured shaping rate of the logical interface (rather than to 10 percent of the physical interface media rate), you would need to include the logical-bandwidth-policer statement at the [edit firewall policer p-ftp-10p-500k-discard] hierarchy level. This type of policer is called a logical-bandwidth policer.

    5. Enable configuration of the IPv4 firewall filter policer for ICMP packets.

      [edit firewall policer p-ftp-10p-500k-discard]
      user@host# up
      [edit]
      user@host# edit firewall policer p-icmp-500k-500k-discard
    6. Configure policing limits and actions.

      [edit firewall policer p-icmp-500k-500k-discard]
      user@host# set if-exceeding bandwidth-limit 500k
      user@host# set if-exceeding burst-size-limit 500k
      user@host# set then discard

    Results

    Confirm the configuration of the policers by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

    [edit]
    user@host# show firewall
    policer p-all-1m-5k-discard {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 5k;
        }
        then discard;
    }
    policer p-ftp-10p-500k-discard {
        if-exceeding {
            bandwidth-percent 10;
            burst-size-limit 500k;
        }
        then discard;
    }
    policer p-icmp-500k-500k-discard {
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 500k;
        }
        then discard;
    }

    Configuring the IPv4 Firewall Filter

    Step-by-Step Procedure

    To configure the IPv4 firewall filter:

    1. Enable configuration of the IPv4 firewall filter.

      [edit]
      user@host# edit firewall family inet filter filter-ipv4-with-limits
    2. Configure the firewall filter as interface-specific.

      [edit firewall family inet filter filter-ipv4-with-limits]
      user@host# set interface-specific
      The firewall filter must be interface-specific because one of the policers referenced is configured with a bandwidth limit expressed as a percentage value.
    3. Enable configuration of a filter term to rate-limit FTP packets.

      [edit firewall family inet filter filter-ipv4-with-limits]
      user@host# edit term t-ftp
      [edit firewall family inet filter filter-ipv4-with-limits term t-ftp]
      user@host# set from protocol tcp
      user@host# set from port [ ftp ftp-data ]
      The port name ftp matches TCP port 21 (the FTP control connection) and ftp-data matches TCP port 20 (the FTP data connection); the term matches either port as source or destination.
    4. Configure the filter term to match FTP packets.

      [edit firewall family inet filter filter-ipv4-with-limits term t-ftp]
      user@host# set then policer p-ftp-10p-500k-discard
    5. Enable configuration of a filter term to rate-limit ICMP packets.

      [edit firewall family inet filter filter-ipv4-with-limits term t-ftp]
      user@host# up
      [edit firewall family inet filter filter-ipv4-with-limits]
      user@host# edit term t-icmp
    6. Configure the filter term for ICMP packets.

      [edit firewall family inet filter filter-ipv4-with-limits term t-icmp]
      user@host# set from protocol icmp
      user@host# set then policer p-icmp-500k-500k-discard
    7. Configure a filter term to accept all other packets without policing.

      [edit firewall family inet filter filter-ipv4-with-limits term t-icmp]
      user@host# up
      [edit firewall family inet filter filter-ipv4-with-limits]
      user@host# set term catch-all then accept

    Results

    Confirm the configuration of the firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

    [edit]
    user@host# show firewall
    family inet {
        filter filter-ipv4-with-limits {
            interface-specific;
            term t-ftp {
                from {
                    protocol tcp;
                    port [ ftp ftp-data ];
                }
                then policer p-ftp-10p-500k-discard;
            }
            term t-icmp {
                from {
                    protocol icmp;
                }
                then policer p-icmp-500k-500k-discard;
            }
            term catch-all {
                then accept;
            }
        }
    }
    policer p-all-1m-5k-discard {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 5k;
        }
        then discard;
    }
    policer p-ftp-10p-500k-discard {
        if-exceeding {
            bandwidth-percent 10;
            burst-size-limit 500k;
        }
        then discard;
    }
    policer p-icmp-500k-500k-discard {
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 500k;
        }
        then discard;
    }

    Applying the Interface Policer and Firewall Filter Policers to the Logical Interface

    Step-by-Step Procedure

    To apply the three policers to the VLAN:

    1. Enable configuration of IPv4 on the logical interface.

      [edit]
      user@host# edit interfaces fe-0/1/1 unit 1 family inet
    2. Apply the firewall filter policers to the interface.

      [edit interfaces fe-0/1/1 unit 1 family inet]
      user@host# set filter input filter-ipv4-with-limits
    3. Apply the interface policer to the interface.

      [edit interfaces fe-0/1/1 unit 1 family inet]
      user@host# set policer input p-all-1m-5k-discard
      Input packets at fe-0/1/1.1 are evaluated against the interface policer before they are evaluated against the firewall filter policers. For more information, see Order of Policer and Firewall Filter Operations.

    Results

    Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

    [edit]
    user@host# show interfaces
    fe-0/1/1 {
        vlan-tagging;
        unit 0 {
            vlan-id 100;
            family inet {
                address 10.20.15.1/24;
            }
        }
        unit 1 {
            vlan-id 101;
            family inet {
                filter {
                    input filter-ipv4-with-limits;
                }
                policer {
                    input p-all-1m-5k-discard;
                }
                address 10.20.240.1/24;
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.
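    As an added illustration (not code from the page or from Junos), the following Python models the three policers above as token buckets, resolves bandwidth-percent 10 against the 100 Mbps physical rate of the Fast Ethernet interface, and evaluates them in the order the page states: the interface policer first, then the policer of the matching filter-ipv4-with-limits term. It assumes the classic token-bucket model (Junos hardware rounds limits and may differ in detail), and the traffic it consumes is constructed.

```python
# Added example, not Junos code: the page's policers as token buckets, in the page's order.
from dataclasses import dataclass, field
from fractions import Fraction

LINE_RATE_BPS = 100_000_000  # Fast Ethernet under fe-0/1/1, as in the page topology

def junos_num(v: str) -> int:
    """'1m' -> 1_000_000, '500k' -> 500_000, '5k' -> 5_000 (Junos k/m/g suffixes)."""
    scale = {"k": 10**3, "m": 10**6, "g": 10**9}
    return int(v[:-1]) * scale[v[-1]] if v[-1] in scale else int(v)

@dataclass
class Policer:
    name: str
    bandwidth_bps: int  # bandwidth-limit, or bandwidth-percent of LINE_RATE_BPS
    burst_bytes: int    # burst-size-limit: token bucket depth, in bytes
    tokens: Fraction = field(init=False)
    last_us: int = 0
    out_of_spec: int = 0  # the count that 'show policer' / 'show firewall' report

    def __post_init__(self):
        self.tokens = Fraction(self.burst_bytes)  # bucket starts full

    def conforms(self, t_us: int, size: int) -> bool:
        """Refill at bandwidth_bps since the last packet; True if the packet fits."""
        refill = Fraction((t_us - self.last_us) * self.bandwidth_bps, 8_000_000)
        self.tokens = min(Fraction(self.burst_bytes), self.tokens + refill)
        self.last_us = t_us
        if self.tokens >= size:
            self.tokens -= size
            return True
        self.out_of_spec += 1  # 'then discard'
        return False

def build_policers() -> dict:
    """The page's three policers; bandwidth-percent 10 resolves against the physical rate."""
    return {p.name: p for p in (
        Policer("p-all-1m-5k-discard", junos_num("1m"), junos_num("5k")),
        Policer("p-ftp-10p-500k-discard", LINE_RATE_BPS * 10 // 100, junos_num("500k")),
        Policer("p-icmp-500k-500k-discard", junos_num("500k"), junos_num("500k")))}

def term_policer(pkt: dict):  # filter-ipv4-with-limits: t-ftp, t-icmp, catch-all accept
    if pkt["proto"] == "tcp" and {pkt["sport"], pkt["dport"]} & {20, 21}:
        return "p-ftp-10p-500k-discard"
    return "p-icmp-500k-500k-discard" if pkt["proto"] == "icmp" else None

def run(packets):  # -> ({policer name: out-of-spec packets}, packets forwarded)
    pol, forwarded = build_policers(), 0
    for pkt in packets:
        if not pol["p-all-1m-5k-discard"].conforms(pkt["t_us"], pkt["size"]):
            continue  # the interface policer discards before the filter is consulted
        name = term_policer(pkt)
        if name and not pol[name].conforms(pkt["t_us"], pkt["size"]):
            continue
        forwarded += 1
    return {n: p.out_of_spec for n, p in pol.items()}, forwarded

# Constructed traffic: 1 s of ICMP at 2 Mbps (100-byte packets every 400 us), above both policers it meets.
ICMP_FLOOD = [{"t_us": i * 400, "size": 100, "proto": "icmp", "sport": 0, "dport": 0} for i in range(2500)]
```

    Running run(ICMP_FLOOD) shows the 1 Mbps interface policer discarding 1201 of the 2500 packets while the ICMP policer, whose 500 KB burst absorbs the whole first second of excess, discards none; the Packets column you read with show policer and show firewall is exactly this out-of-spec count.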

    Verification

    Confirm that the configuration is working properly.

    Displaying Policers Applied Directly to the Logical Interface

    Purpose

    Verify that the interface policer is evaluated when packets are received on the logical interface.

    Action

    Use the show interfaces policers operational mode command for logical interface fe-0/1/1.1. In the command output, the Proto and Input Policer columns show that the policer p-all-1m-5k-discard is evaluated when IPv4 (inet) packets are received on the logical interface.

    user@host> show interfaces policers fe-0/1/1.1
    Interface       Admin Link Proto Input Policer         Output Policer
    fe-0/1/1.1      up    up        
                               inet  p-all-1m-5k-discard-fe-0/1/1.1-inet-i

    In this example, the interface policer is applied to logical interface traffic in the input direction only.

    Displaying Statistics for the Policer Applied Directly to the Logical Interface

    Purpose

    Verify the number of packets evaluated by the interface policer.

    Action

    Use the show policer operational mode command and optionally specify the name of the policer. The command output displays the number of packets evaluated by each configured policer (or the specified policer), in each direction.

    user@host> show policer p-all-1m-5k-discard-fe-0/1/1.1-inet-i
    Policers:
    Name                                                Bytes              Packets
    p-all-1m-5k-discard-fe-0/1/1.1-inet-i                 200                    5

    Displaying the Policers and Firewall Filters Applied to an Interface

    Purpose

    Verify that the firewall filter filter-ipv4-with-limits is applied to the IPv4 input traffic at logical interface fe-0/1/1.1.

    Action

    Use the show interfaces statistics operational mode command for logical interface fe-0/1/1.1, and include the detail option. Under the Protocol inet section of the command output, the Input Filters and Policer lines display the names of the filter and the policer applied to the logical interface in the input direction.

    user@host> show interfaces statistics fe-0/1/1.1 detail
      Logical interface fe-0/1/1.1 (Index 83) (SNMP ifIndex 545) (Generation 153)
        Flags: SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.100 ]  Encapsulation: ENET2
        Traffic statistics:
         Input  bytes  :                    0
         Output bytes  :                   46
         Input  packets:                    0
         Output packets:                    1
        Local statistics:
         Input  bytes  :                    0
         Output bytes  :                   46
         Input  packets:                    0
         Output packets:                    1
        Transit statistics:
         Input  bytes  :                    0                    0 bps
         Output bytes  :                    0                    0 bps
         Input  packets:                    0                    0 pps
         Output packets:                    0                    0 pps
        Protocol inet, MTU: 1500, Generation: 176, Route table: 0
          Flags: Sendbcast-pkt-to-re
          Input Filters: filter-ipv4-with-limits-fe-0/1/1.1-i
          Policer: Input: p-all-1m-5k-discard-fe-0/1/1.1-inet-i
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: 10.20.130/24, Local: 10.20.130.1, Broadcast: 10.20.130.255,
            Generation: 169

    In this example, the two firewall filter policers are applied to logical interface traffic in the input direction only.

    Displaying Statistics for the Firewall Filter Policers

    Purpose

    Verify the number of packets evaluated by the firewall filter policers.

    Action

    Use the show firewall operational mode command for the filter you applied to the logical interface.

    user@host> show firewall filter filter-ipv4-with-limits-fe-0/1/1.1-i
    Filter: filter-ipv4-with-limits-fe-0/1/1.1-i
    Policers:
    Name                                                Bytes              Packets
    p-ftp-10p-500k-discard-t-ftp-fe-0/1/1.1-i               0                    0
    p-icmp-500k-500k-discard-t-icmp-fe-0/1/1.1-i            0                    0

    The command output displays the names of the policers (p-ftp-10p-500k-discard and p-icmp-500k-500k-discard) combined with the names of the filter terms (t-ftp and t-icmp, respectively) under which the policer action is specified. The Bytes and Packets columns for each policer count only the out-of-specification (out-of-spec) packets, that is, the packets the policer discarded, not all packets that matched the filter term and were evaluated by the policer.

    Published: 2013-02-11