Physical Interface Policer Overview
Physical interface policers enable you to configure a single aggregate policer that can be shared across all the protocol families and logical interfaces configured on a physical interface. This single policer is referenced in one or more firewall filters, and the filters, which are defined for a specific protocol family, are then applied to one or more logical interfaces configured on the physical interface. As a result, a single physical interface policer can apply to multiple routing instances because that policer includes all the logical interfaces and protocol families configured on the physical interface even if they belong to different instances. This feature is useful when you want to perform aggregate policing for different protocol families and different logical interfaces on the same physical interface. For example, a provider edge (PE) router has numerous logical interfaces, each corresponding to a different customer, configured on the same link to a customer edge (CE) device. A customer wants to apply rate limits aggregately on a single physical interface for certain types of traffic. A single aggregate policer for the physical interface would include all the logical interfaces configured and apply to all the routing instances to which those interfaces belong.
Physical interface policing is defined within a firewall filter for each protocol family. The supported protocol families include ipv4, ipv6, vpls, mpls, and circuit cross-connect (ccc). The physical interface policer is also applied an action to each firewall filter term that references the policer. That firewall filter is then applied on a logical interface as an output or input filter.
The following limitations apply:
- You cannot apply a firewall filter that references a physical interface policer to logical interfaces that do not belong to the physical interface for which the policer has been defined.
- You cannot define a firewall filter as both a physical interface filter and as a logical interface filter using the interface-specific statement.
- You cannot define a firewall filter configured with family any as a physical interface filter. A physical interface firewall filter must be defined for a specific protocol family.
- A firewall filer that is defined as physical interface filter must reference a physical interface policer. The filter cannot reference policer configured with the interface-specific statement.
