Configuring Tricolor Marking

For T Series routers and M320 routers with Enhanced II Flexible PIC Concentrators (FPCs), you can configure single-rate or two-rate tricolor marking (TCM).

TCM extends the functionality of class-of-service (CoS) traffic policing by providing three levels of drop priority instead of two. This allows you to provision more enhanced service-level agreements (SLAs) across the Differentiated Services (DiffServ) domain by defining tricolor marking policers, and three levels of packet loss priority (PLP) for classifiers, rewrite rules, random early detection (RED) drop profiles, and firewall filters.

The color of a packet, as used or set by a tricolor marking policer, corresponds to the packet’s drop precedence (loss priority or PLP). Packets with high PLP are marked red, packets with medium PLP are marked yellow, and packets with low PLP are marked green.

The following sections describe tricolor marking policers:

Configuring Tricolor Marking Policers

A tricolor marking policer polices traffic on the basis of metering, including the committed information rate (CIR), the peak information rate (PIR), and their associated burst sizes.

To configure a tricolor marking policer, include the three-color-policer statement at the [edit firewall] hierarchy level:

[edit firewall]
three-color-policer name {
    single-rate {
        (color-aware | color-blind);
        committed-information-rate bps;
        committed-burst-size bytes;
        excess-burst-size bytes;
    }
    two-rate {
        (color-aware | color-blind);
        committed-information-rate bps;
        committed-burst-size bytes;
        peak-information-rate bps;
        peak-burst-size bytes;
    }
}

When you configure this type of policer, you can set up to three loss priorities: low, medium-high, and high.

Note: To configure a policer that marks packets so that they have medium-low loss priority, you must configure a policer at the [edit firewall policer policer-name] hierarchy level.

For example:

[edit firewall]
policer 4PLP {
    if-exceeding {
        bandwidth-limit 40k;
        burst-size-limit 4k;
    }
    then loss-priority medium-low;
}

Apply this policer at one or both of the following hierarchy levels:

  • [edit firewall family family filter filter-name term rule-name then policer policer-name]
  • [edit interfaces interface-name unit logical-unit-number family family filter]

Specify the single-rate statement to configure marking based on CIR. If a packet exceeds the CIR in a single-rate policer, it is evaluated by the CBS. Specify the committed-burst-size option value to configure the maximum number of bytes allowed for incoming packets to burst above the CIR, but still be marked green. Specify the excess-burst-size option value to configure the maximum number of bytes allowed for incoming packets to burst above the CIR, but be marked red.

Specify the two-rate statement to configure marking based on CIR and PIR. If a packet exceeds the CIR in a two-rate policer, it is evaluated by the PIR. Specify the committed-information-rate option value to configure the guaranteed bandwidth under normal line conditions, and the rate up to which packets are marked green. Specify the committed-burst-size option value to configure the maximum number of bytes allowed for incoming packets to burst above the CIR, but still be marked green.

Specify the peak-information-rate option value to configure the maximum achievable rate. Packets that exceed the CIR, but are below the PIR, are marked yellow. Packets that exceed the PIR are marked red. Specify the peak-burst-size option value to configure the maximum number of bytes allowed for incoming packets to burst above the PIR, but still be marked yellow.

For both the single-rate statement and the two-rate statement, specify the color-aware option value to configure metering by preclassification. Metering can increase a PLP, but cannot decrease it. Specify the color-blind option value to ignore any preclassification.

For more information about tricolor marking, see the JUNOS Class of Service Configuration Guide.

Example: Configuring a Tricolor Marking Policer

Configure a tricolor policer:

[edit firewall]
three-color-policer trtcm1 {
    two-rate {
        color-blind;
        committed-information-rate 1048576;
        committed-burst-size 65536;
        peak-information-rate 10485760;
        peak-burst-size 131072;
    }
}

Apply the tricolor policer to a firewall filter:

[edit firewall]
filter fil {
    term default {
        then {
            three-color-policer {
                two-rate trtcm1;
            }
        }
    }
}
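
To see how the two-rate meter colors traffic with the trtcm1 values above, the following added example (not from the original documentation or from Junos) simulates a two-rate meter in Python. It assumes the token-bucket algorithm of RFC 2698; the class, function and constant names are hypothetical, and the offered traffic is constructed constant-rate input.

```python
# Added illustration: two-rate tricolor meter modelled on RFC 2698.
# Assumption: this is a reference model, not the router's implementation.
# Rates are in bits per second, burst sizes in bytes, as in the policer config.
GREEN, YELLOW, RED = "green", "yellow", "red"   # low, medium-high, high PLP


class TwoRateMeter:
    def __init__(self, cir, cbs, pir, pbs, color_aware=False):
        self.cir, self.pir = cir / 8, pir / 8        # convert to bytes/second
        self.cbs, self.pbs = cbs, pbs
        self.color_aware = color_aware
        self.tc, self.tp = float(cbs), float(pbs)    # both buckets start full
        self.last = 0.0

    def mark(self, now, size, pre=GREEN):
        """Color a packet of `size` bytes arriving at time `now` (seconds)."""
        dt, self.last = now - self.last, now
        # Refill each bucket at its own rate, capped at its burst size.
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.tp = min(self.pbs, self.tp + self.pir * dt)
        if not self.color_aware:
            pre = GREEN                       # color-blind: ignore preclassification
        if pre == RED or self.tp < size:      # exceeds PIR and its burst allowance
            return RED
        self.tp -= size
        if pre == YELLOW or self.tc < size:   # exceeds CIR, still within PIR
            return YELLOW                     # color-aware never lowers a PLP
        self.tc -= size
        return GREEN


def run(meter, rate_bps, seconds, size=1500, pre=GREEN):
    """Offer constant-rate traffic (constructed input) and count the colors."""
    counts = {GREEN: 0, YELLOW: 0, RED: 0}
    gap = size * 8 / rate_bps                 # seconds between packets
    for i in range(int(seconds / gap)):
        counts[meter.mark(i * gap, size, pre)] += 1
    return counts


# Values taken from the trtcm1 example policer.
TRTCM1 = dict(cir=1048576, cbs=65536, pir=10485760, pbs=131072)

if __name__ == "__main__":
    for rate in (1_000_000, 5_000_000, 20_000_000):
        print(rate, run(TwoRateMeter(**TRTCM1), rate, 10))
    aware = TwoRateMeter(color_aware=True, **TRTCM1)
    print("color-aware, pre-marked yellow:", run(aware, 1_000_000, 10, pre=YELLOW))
```

Traffic offered below the CIR stays green, traffic between CIR and PIR splits into green and yellow, and only traffic above the PIR produces red packets, which is the portion a logical-interface policer with `loss-priority high then discard` would drop.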

Configuring Interface Policers Using Tricolor Marking Policing

You can configure a policer to limit traffic on an interface in the ingress or egress direction. Instead of policing each address family individually on an interface, you can aggregate policing with one policer. This single aggregated policer is known as the logical-interface policer. You can configure tricolor marking policing to limit the bandwidth through a logical interface.

To configure a policer on a logical interface using tricolor marking policing, include the action statement and the logical-interface-policer statement at the [edit firewall three-color-policer name] hierarchy level:

[edit firewall]
three-color-policer policer-name {
    action {
        loss-priority high then discard;
    }
    logical-interface-policer;
    single-rate {
        (color-aware | color-blind);
        committed-information-rate bps;
        committed-burst-size bytes;
        excess-burst-size bytes;
    }
    two-rate {
        (color-aware | color-blind);
        committed-information-rate bps;
        committed-burst-size bytes;
        peak-information-rate bps;
        peak-burst-size bytes;
    }
}

For detailed information about bandwidth policers on a logical interface, see Configuring Aggregate Policers.

You can configure separate policing for the ingress and egress directions on the logical interface.

Example: Rate-Limiting Bandwidth Using Tricolor Marking Policing

Configure tricolor marking policing on a logical interface to rate-limit its bandwidth:

[edit firewall]
three-color-policer trtcm-1 {
    action {
        loss-priority high then discard;
    }
    logical-interface-policer;
    two-rate {
        color-blind;
        committed-information-rate 1500000;
        committed-burst-size 150k;
        peak-information-rate 3m;
        peak-burst-size 300k;
    }
}