Configuring Policers
You can configure a new policer for each filter or term that requires policing. To configure term-specific policers, include the policer statement at the [edit firewall] hierarchy level:
The following sections describe the components of the policer statement and provide policer configuration examples:
Configuring Rate Limiting
To specify the rate limiting part of a policer, include an if-exceeding statement at the [edit firewall policer policer-name] hierarchy level:
You specify the bandwidth limit in bits per second (bps). You can specify the value as a complete decimal number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000). Any value below 61,040 bps results in an effective rate of 30,520 bps. In JUNOS Release 9.4 and later, the minimum bandwidth limit that you can configure is 8000 bps on M120, M320, and MX Series routers only. The minimum bandwidth limit that you can configure for all other platforms remains 32,000 bps. The maximum bandwidth limit is 40 gigabits per second (Gbps).
You can rate-limit traffic based upon port speed. This port speed can be specified by a bandwidth percentage in a policer. You must specify the percentage as a complete decimal number between 1 and 100.
Note: You cannot rate-limit based on bandwidth percentage for aggregate, tunnel, and software interfaces. The bandwidth percentage policer cannot be used for forwarding table filters. Bandwidth percentage policers can only be used for interface-specific filters.
The maximum burst size controls the amount of traffic bursting allowed. To determine the value for the burst-size limit, the preferred method is to multiply the bandwidth (expressed as bytes per second) of the interface on which you are applying the filter by the amount of time you allow a burst of traffic at that bandwidth to occur. We recommend that you use a value of 5 ms as the starting point for the allowable amount of time for a burst of traffic.
If you express the bandwidth as bits per second, use the following formula to calculate the burst size.
If you do not know the interface bandwidth, you can multiply the maximum transmission unit (MTU) of the traffic on the interface by 10 to obtain a value. For example, the burst size for an MTU of 4700 would be 47,000 bytes. The burst size should be at least 10 interface MTUs. The maximum value for the burst-size limit is 100 megabits per second (Mbps), or 12.5 megabytes per second (MBps).
For a sample filter configuration for rate limiting, see Examples: Configuring Policing.
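The sizing rules in this section, as an added example that is not part of the original documentation: it converts interface bandwidth and burst time to a burst size, enforces the 10 x MTU floor, checks the bandwidth limit against the stated minimum and maximum, and prints an if-exceeding stanza. The function names are hypothetical, bandwidth-limit and burst-size-limit are the Junos statement names (not shown in this section), and reading the 12.5 MB ceiling as 12,500,000 bytes is an assumption.

```python
# Added example: policer sizing from the limits stated in this section.
SUFFIX = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}
MAX_BANDWIDTH_BPS = 40 * SUFFIX["g"]   # stated maximum bandwidth limit
MIN_BANDWIDTH_BPS = 32_000             # stated minimum on most platforms
MIN_BANDWIDTH_BPS_9_4 = 8_000          # M120, M320 and MX Series, JUNOS 9.4 and later
MAX_BURST_BYTES = 12_500_000           # assumption: the stated 12.5 MB ceiling, in bytes


def parse_rate(text):
    """Turn '300k', '10m', '1g' or a plain decimal number into an integer."""
    text = text.strip().lower()
    if text and text[-1] in SUFFIX:
        return int(text[:-1]) * SUFFIX[text[-1]]
    return int(text)


def burst_size_bytes(interface_bps=None, burst_ms=5, mtu=None):
    """Interface bandwidth (as bytes/s) x burst time, never below 10 x MTU."""
    if interface_bps is None and mtu is None:
        raise ValueError("need the interface bandwidth or the MTU")
    burst = 0
    if interface_bps is not None:
        burst = interface_bps * burst_ms // 8000   # bits/s -> bytes/s, ms -> s
    if mtu is not None:
        burst = max(burst, 10 * mtu)
    if burst > MAX_BURST_BYTES:
        raise ValueError(f"burst size {burst} exceeds {MAX_BURST_BYTES} bytes")
    return burst


def render_if_exceeding(bandwidth_limit, burst_bytes, min_bps=MIN_BANDWIDTH_BPS):
    """Validate the bandwidth limit and return the if-exceeding stanza as text."""
    bps = parse_rate(bandwidth_limit)
    if not min_bps <= bps <= MAX_BANDWIDTH_BPS:
        raise ValueError(f"bandwidth limit {bps} bps outside {min_bps}..{MAX_BANDWIDTH_BPS}")
    return (
        "if-exceeding {\n"
        f"    bandwidth-limit {bandwidth_limit};\n"
        f"    burst-size-limit {burst_bytes};\n"
        "}"
    )


if __name__ == "__main__":
    # Constructed case: limit traffic to 10m on a 1 Gbps interface with MTU 1500.
    burst = burst_size_bytes(parse_rate("1g"), burst_ms=5, mtu=1500)
    print(render_if_exceeding("10m", burst))
```

A 5 ms burst on a 1 Gbps interface comes to 625,000 bytes, while on a 10 Mbps interface with a 1500-byte MTU the 10 x MTU floor (15,000 bytes) takes over from the computed 6250 bytes.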
Configuring Policer Actions
If a packet does not exceed its rate limits, it is processed further without being affected. If the packet exceeds its limits, it is handled in one of two ways, depending on what you specify:
- Discarded
- Marked for subsequent processing based on its loss priority and forwarding class
To configure a policer action, include the then statement at the [edit firewall policer policer-name] hierarchy level:
Policer actions include one or more of the following:
- discard—Discard a packet that exceeds the rate limits.
- forwarding-class class-name—Set the forwarding class to any class name that is already configured as a forwarding class.
- loss-priority level—Set the loss priority level to low, medium-low, medium-high, or high.

Note: The loss-priority action is supported only on MX Series routers; M120 and M320 routers; and M7i and M10i routers with the Enhanced CFEB (CFEB-E).
Example: Configuring a Policer Action
Discard any packet that exceeds a bandwidth of 300 kilobits per second (Kbps) and a burst-size limit of 500 kilobytes (KB):

