Examples: Configuring Policing

The following example shows a complete filter configuration containing a policer. It limits all FTP traffic from a given source to certain rate limits. Traffic exceeding the limits is discarded, and the remaining traffic is accepted and counted.

[edit]
firewall {
    policer policer-1 {
        if-exceeding {
            bandwidth-limit 400k;
            burst-size-limit 100k;
        }
        then {
            discard;
        }
    }
    term tcp-ftp {
        from {
            source-address 10.2.3/24;
            protocol tcp;
            destination-port ftp;
        }
        then {
            policer policer-1;
            accept;
            count count-ftp;
        }
    }
}

The following example shows a complete filter configuration containing two policers, and includes the next term action. Policer policer-1 limits all traffic from a given source to one set of rate limits and sets the forwarding class of traffic that exceeds them; the next term action then passes the traffic on to term-2, where policer policer-2 applies a second set of rate limits. Traffic exceeding the second set of limits is discarded; the remaining traffic is accepted.

[edit]
firewall {
    policer policer-1 {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 100k;
        }
        then {
            forwarding-class 0;
        }
    }
    policer policer-2 {
        if-exceeding {
            bandwidth-limit 100m;
            burst-size-limit 100k;
        }
        then {
            discard;
        }
    }
    filter f {
        term term-1 {
            then {
                policer policer-1;
                next term;
            }
        }
        term term-2 {
            then {
                policer policer-2;
                accept;
            }
        }
    }
}

The following example limits all FTP traffic from a given source to certain rate limits, but defines the policer outside the filter, thereby creating a template that can be referenced by more than one filter or more than one term within a filter. Traffic exceeding the limits is discarded, and the remaining traffic is accepted and counted.

[edit]
firewall {
    policer policer-1 {
        if-exceeding {
            bandwidth-limit 400k;
            burst-size-limit 100k;
        }
        then {
            discard;
        }
    }
    filter limit-ftp {
        term tcp-ftp {
            from {
                source-address 10.2.3/24;
                protocol tcp;
                destination-port ftp;
            }
            then {
                policer policer-1;
                accept;
                count count-ftp;
            }
        }
    }
}

The following example shows a filter intended to thwart denial-of-service (DoS) SYN attacks. SYN packets from a trusted address are logged and accepted without limit; all other TCP initial packets are counted and passed through the syn-recvd policer, which discards those that exceed its rate, and the filter is applied as input on lo0 so that it governs traffic destined for the Routing Engine:

[edit]
firewall {
    policer syn-recvd {
        if-exceeding {
            bandwidth-limit 40k;
            burst-size-limit 15000;
        }
        then discard;
    }
    filter syn-attack {
        term allow-syn {
            from {
                source-address {
                    192.168.12.50/32;    # trusted addresses
                }
            }
            then {
                log;
                accept;
            }
        }
        term limit-syn {
            from {
                protocol tcp;
                tcp-initial;
            }
            then {
                count limit-syn;
                policer syn-recvd;
                accept;
            }
        }
        term default {
            then accept;
        }
    }
}
[edit]    # apply filter to lo0 to control traffic to the Routing Engine
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input syn-attack;
                }
                address 172.16.4.53/32;
            }
        }
    }
}
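As an added illustration (not Juniper's code and not part of the original page), the following Python model shows what the syn-recvd policer above does to a burst of SYN packets. It assumes the single-rate two-color token-bucket semantics that Junos documents for policers: bandwidth-limit 40k is the refill rate in bits per second, burst-size-limit 15000 is the bucket depth in bytes, and a packet conforms only if the bucket holds at least its length; the traffic is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Policer:
    """Token-bucket model of a Junos policer (assumed semantics, see lead-in)."""
    bandwidth_limit_bps: int          # "bandwidth-limit 40k"     -> 40000 bits per second
    burst_size_bytes: int             # "burst-size-limit 15000"  -> 15000 bytes of depth
    tokens: float = field(default=0.0, init=False)   # bytes available right now
    last_us: int = field(default=0, init=False)      # arrival time of the previous packet

    def __post_init__(self):
        self.tokens = float(self.burst_size_bytes)   # the bucket starts full

    def offer(self, t_us: int, length: int) -> bool:
        """Return True if a packet of `length` bytes arriving at t_us microseconds conforms."""
        # Refill at bandwidth_limit/8 bytes per second, never beyond the bucket depth.
        refill = (t_us - self.last_us) * self.bandwidth_limit_bps / 8_000_000
        self.tokens = min(float(self.burst_size_bytes), self.tokens + refill)
        self.last_us = t_us
        if self.tokens >= length:
            self.tokens -= length     # in profile: the term's own actions run (count, accept)
            return True
        return False                  # out of profile: the policer's "then discard" applies


def police(policer: Policer, packets) -> tuple:
    """Feed (time_us, length_bytes) packets through the policer; return (accepted, discarded)."""
    accepted = discarded = 0
    for t_us, length in packets:
        if policer.offer(t_us, length):
            accepted += 1
        else:
            discarded += 1
    return accepted, discarded


def syn_flood_demo() -> tuple:
    """Constructed traffic: 500 SYNs of 60 bytes 1 ms apart (480 kbit/s, twelve times the
    limit), then a single SYN 2.5 s after the flood ends.  The bucket lets roughly the first
    burst-size-limit worth of SYNs through at line rate, then admits one every 12 ms
    (5 bytes refilled per ms against 60-byte packets), and the lone later SYN passes because
    the bucket has refilled in the meantime."""
    syn_recvd = Policer(bandwidth_limit_bps=40_000, burst_size_bytes=15_000)
    flood = [(i * 1_000, 60) for i in range(500)]
    accepted, discarded = police(syn_recvd, flood)
    late_syn_ok = syn_recvd.offer(3_000_000, 60)
    return accepted, discarded, late_syn_ok
```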

The following example uses one filter to do the following: