Applying Tricolor Marking Policers to Firewall Filters

To rate-limit traffic by applying a tricolor marking policer to a firewall filter, include the three-color-policer statement:

three-color-policer {
    (single-rate | two-rate) policer-name;
}

You can include this statement at the following hierarchy levels:

In the family statement, the protocol family can be any, ccc, inet, inet6, mpls, or vpls.

You must identify the referenced policer as a single-rate or two-rate policer, and this statement must match the configured TCM policer. Otherwise, an error message appears in the configuration listing.

For example, if you configure srTCM as a single-rate TCM policer and try to apply it as a two-rate policer, the following message appears:

[edit firewall]
user@host# show three-color-policer srTCM
single-rate {
    color-aware;
    . . .
}
user@host# show filter TESTER
term A {
    then {
        three-color-policer {
            ##
            ## Warning: Referenced two-rate policer does not exist
            ##
            two-rate srTCM;
        }
    }
}
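The matching rule above can be checked offline against a saved configuration before it is loaded. The following is an added example, not Juniper code: the function names parse, walk and check_tcm_references are hypothetical, the sample is constructed from the two policers on this page with their bodies shortened, and only the braced reference form shown on this page is handled.

```python
import re

RATES = ("single-rate", "two-rate")

def parse(text):
    """Parse curly-brace Junos config into nested (words, children) nodes."""
    text = re.sub(r"#.*", "", text)  # drop comments and '##' warning annotations
    root, stack, words = [], [], []
    cur = root
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            node = (words, [])
            cur.append(node)
            stack.append(cur)
            cur, words = node[1], []
        elif tok == "}":
            cur, words = stack.pop(), []
        elif tok == ";":
            cur.append((words, []))
            words = []
        else:
            words.append(tok)
    return root

def walk(nodes):
    """Yield every node in the tree, depth first."""
    for words, children in nodes:
        yield words, children
        yield from walk(children)

def check_tcm_references(text):
    """Return one message per filter reference whose rate type mismatches the policer."""
    nodes = list(walk(parse(text)))
    defined = {}  # policer name -> configured rate type
    for words, children in nodes:
        if len(words) == 2 and words[0] == "three-color-policer":
            defined[words[1]] = next(
                (c[0][0] for c in children if c[0] and c[0][0] in RATES), None)
    problems = []
    for words, children in nodes:
        if words == ["three-color-policer"]:  # reference inside a 'then' block
            for ref, _ in children:
                if len(ref) == 2 and ref[0] in RATES and defined.get(ref[1]) != ref[0]:
                    problems.append(
                        f"{ref[1]}: applied as {ref[0]}, configured as {defined.get(ref[1])}")
    return problems

# Constructed sample: policer bodies are shortened, names come from this page.
SAMPLE = """
firewall {
    three-color-policer srTCM { single-rate { color-aware; } }
    three-color-policer trtcm1-cb { two-rate { color-blind; } }
    filter TESTER { term A { then { three-color-policer { two-rate srTCM; } } } }
    filter fil { term default { then { three-color-policer { two-rate trtcm1-cb; } } } }
}
"""
```

Calling check_tcm_references(SAMPLE) reports the srTCM reference in filter TESTER and accepts the trtcm1-cb reference in filter fil.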

Example: Applying a Two-Rate Tricolor Marking Policer to a Firewall Filter

Apply the trtcm1-cb policer to a firewall filter:

firewall {
    three-color-policer trtcm1-cb {  # Configure the trtcm1-cb policer.
        two-rate {
            color-blind;
            committed-information-rate 1048576;
            committed-burst-size 65536;
            peak-information-rate 10485760;
            peak-burst-size 131072;
        }
    }
    filter fil {   # Configure the fil firewall filter, applying the trtcm1-cb policer.
        term default {
            then {
                three-color-policer {
                    two-rate trtcm1-cb;
                }
            }
        }
    }
}

For more information about applying policers to firewall filters, see the Junos Policy Framework Configuration Guide.