[Contents] [Prev] [Next] [Index] [Report an Error]

Policing and Marking Traffic Entering a VPLS Core

This example firewall filter allows a service provider to limit the aggregate broadcast traffic entering the virtual private LAN service (VPLS) core. The broadcast, unknown unicast, and non-IP multicast traffic received from one of the service provider's customers on a logical interface has a policer applied. The service provider has also configured a two-rate, three-color policer to limit the customer's IP multicast traffic. For more information on the configuration of policers, see the JUNOS Class of Service Configuration Guide.

The position of the router is shown in Figure 17.

Figure 17: Policing and Marking Traffic Entering a VPLS Core

Image g016834.gif

There are four major parts to the configuration:

The policer for broadcast, unknown unicast, and non-IP multicast traffic. This example marks the loss priority as high if this type of traffic exceeds 50 Kbps.
The two-rate, three-color policer for IP multicast traffic. This example configures a committed information rate (CIR) of 4 Mbps, a committed burst size of 256 Kbytes, a peak information rate of 4.1 Mbps, and a peak burst size of 256 Kbytes (the same as the CIR).
The filter that applies the two policers to VPLS.
The application of the filter to the customer interface configuration as an input filter.

Firewall Policer

This policer is used to limit the aggregate broadcast, unknown unicast, and non-IP multicast to 50 kbps:



[edit firewall]
policer bcast-unknown-unicast-non-ip-mcast-policer {


if-exceeding {
bandwidth-limit 50k;
burst-size-limit 150k;
}


then loss-priority high;
}

Three-Color Policer

This policer is used to limit the IP multicast traffic:



[edit firewall]
three-color-policer ip-multicast-traffic-policer {


two-rate {
color-blind;
committed-information-rate 4m;
committed-burst-size 256k;
peak-information-rate 4100000;
peak-burst-size 256k;
}


}

Firewall Filter

This uses the two policers to limit and mark customer traffic. The first term marks the IP mulitcast traffic based on destination MAC address, and the second term polices the broadcast, unknown unicast, and non-IP multicast traffic:



[edit firewall]
family vpls {


filter customer-1 {


term t0 {


from {


destination-mac-address {
01:00:5e:00:00:00/24;
}


}




then {


three-color-policer {
two-rate ip-multicast-traffic-policer;
}


forwarding-class expedited-forwarding;
}


}




term t1 {


from {
traffic-type [ broadcast unknown-unicast multicast ];
}


then policer bcast-unknown-unicast-non-ip-mcast-policer;
}


}


}

Apply Filter to Customer Interface

Apply filter as an input filter to ge-2/1/0:



[edit]
interfaces {


ge-2/1/0 {
vlan-tagging;
encapsulation flexible-ethernet-services;


unit 5 {
encapsulation vlan-vpls;
vlan-id 9;


family vpls {


filter {
input customer-1;
}


}


}


}


}

[Contents] [Prev] [Next] [Index] [Report an Error]