Example: VLAN Rate Limit Hierarchical Policy for Interface Groups Configuration

[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]

JUNOSe 9.1.x Policy Management Configuration Guide > Creating Hierarchical Policies for Interface Groups > Example: VLAN Rate Limit Hierarchical Policy for Interface Groups Configuration
Example: VLAN Rate Limit Hierarchical Policy for Interface Groups Configuration

In this example, three users from a small business office are connected to an E-series router through the same VLAN interface. The contracted maximum for the business is 1 Mbps in the upstream direction. The downstream direction is served through QoS profiles and therefore is not shown here.

Figure 9 shows the following:

User user_pol1 is attached to the first user's IP interface and does not have a rate limit.

User user_pol2 is attached the second user's interface and has an individual rate limit of 300Kbps and preferred voice traffic at 64Kbps.

User user_pol3 is attached to the third user's interface and has some traffic marked with a low delay (Dsfield = 4), but there are no rate limitations applied.

Policer instance VLAN_RATE is shared across all three instances of EPG1 and limits the total upstream traffic from three users to 1 Mbps.

Figure 9: VLAN Rate-Limit Configuration
Create a rate limit to enforce the contracted maximum for the small business. Create an external parent group to hold this rate limit.
host1(config)#rate-limit-profile VLAN_RATE two-rate hierarchical
host1(config-rate-limit-profile)#committed-rate 1000000
host1(config-rate-limit-profile)#committed-action transmit final
host1(config-rate-limit-profile)#exit
host1(config)#parent-group EPG1
host1(config-parent-group)#rate-limit-profile VLAN_RATE
host1(config-parent-group)#exit
Verify the parent group configuration.
host1#show parent-group EPG1
                                  Parent Group Table
                                  ------ ----- ------
Parent Group EPG1
   Reference count: 0
   Rate limit profile: VLAN_RATE
Create a policy list to attach to user 1.
host1(config)#policy-parameter A hierarchical
host1(config-policy-parameter)#exit
host1(config)#ip policy-list USER_POL1
host1(config-policy-list)#classifier-group * external parent-group EPG1 

parameter A
host1(config-policy-list-classifier-group)#forward
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#exit
Verify the policy list configuration.
host1#show policy-list USER_POL1
                                  Policy Table
                                  ------ ----- 
IP Policy USER_POL1
   Administrative state: enable
   Reference count:      0
   Classifier control list: *, precedence 100, external parent-group EPG1 
parameter A
      forward
Create a policy list to attach to user 2. Also, create a rate limit to police voice traffic and another rate limit to police all traffic for user 2. Because voice traffic is preferred, it borrows the tokens unconditionally from all aggregate policers in the hierarchy.
host1(config)#rate-limit-profile VOICE_RATE two-rate hierarchical
host1(config-rate-limit-profile)#committed-rate 64000
host1(config-rate-limit-profile)#committed-action transmit unconditional
host1(config-rate-limit-profile)#exit
host1(config)#rate-limit-profile USER_RATE two-rate hierarchical
host1(config-rate-limit-profile)#committed-rate 300000
host1(config-rate-limit-profile)#committed-action transmit conditional
host1(config-rate-limit-profile)#exit
host1(config)#ip classifier-list VOICE_CLACL udp any any eq 10000
host1(config)#ip policy-list USER_POL2
host1(config-policy-list)#classifier-group VOICE_CLACL parent-group IPG1
host1(config-policy-list-classifier-group)#rate-limit-profile VOICE_RATE
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group * parent-group IPG1
host1(config-policy-list-classifier-group)#forward
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#parent-group IPG1 external parent-group EPG1 

parameter A
host1(config-policy-list-parent-group)#rate-limit-profile USER_RATE
host1(config-policy-list-parent-group)#exit
host1(config-policy-list)#exit
Verify the policy list configuration.
host1#show policy-list USER_POL1
                                  Policy Table
                                  ------ ----- 
IP Policy USER_POL2
   Administrative state: enable
   Reference count:      0
   Classifier control list: VOICE_CLACL, precedence 100, parent-group IPG1
      rate-limit-profile VOICE_RATE
   Classifier control list: *, precedence 100, parent-group IPG1
      forward
   Parent group: IPG1, external parent-group EPG1 parameter A
      rate-limit-profile USER_RATE
Create a policy list to attach to user 3 and mark Dsfield=4 traffic with a special traffic class.
host1(config)#ip classifier-list DSFIELD4_CLACL ip any any dsfield 4
host1(config)#ip policy-list USER_POL3
host1(config-policy-list)#classifier-group DSFIELD4_CLACL external parent-group 
EPG1 parameter A
host1(config-policy-list-classifier-group)#traffic-class LOW_DROP
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group * external parent-group EPG1 

parameter A
host1(config-policy-list-classifier-group)#forward
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#exit
The policies created earlier are attached statically to the user's corresponding entry interface in the E-series router. In this case, fast3/0.1 connects to user 1, fast3/0.2 connects to user 2, and fast3/0.3 connects to user 3.
Create the major interface.
host1(config)#interface fastEthernet 3/0
host1(config-interface)#encapsulation vlan
host1(config-interface)#exit
Create an interface for user 1, attach USER_POL1, and map parameter A to the VLAN interface stacked below the shared IP interface.
host1(config)#interface fastEthernet 3/0.1
host1(config-interface)#vlan id 1
host1(config-interface)#exit
host1(config)#interface ip 3/0.1.1
host1(config-interface)#ip policy-parameter hierarchical A vlan
host1(config-interface)#ip policy input USER_POL1 statistics enabled
host1(config-interface)#exit
Create the interface for user 2, attach USER_POL2, and map parameter A to the VLAN interface.
host1(config)#interface ip 3/0.1.2
host1(config-interface)#ip policy-parameter hierarchical A vlan
host1(config-interface)#ip policy input USER_POL2 statistics enabled
host1(config-interface)#exit
Create the interface for user 3, attach USER_POL3, and map parameter A to the VLAN interface.
host1(config)#interface ip 3/0.1.3
host1(config-interface)#ip policy-parameter hierarchical A vlan
host1(config-interface)#ip policy input USER_POL3 statistics enabled
host1(config-interface)#exit
For dynamic users, under each user's record in RADIUS, you can specify the ingress policy name. However, you can only specify the policy parameter through the profile.
host1(config)#profile PPPOE_PROF1
host1(config-profile)#ip policy-parameter hierarchical A vlan
host1(config-profile)#exit
host1(config)#interface fastEthernet 3/0.1
host1(config-interface)#vlan id 1
host1(config-interface)#encapsulation pppoe
host1(config-interface)#profile PPPOE_PROF1
host1(config-interface)#pppoe auto-configure
host1(config-interface)#exit

[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]