Configuring a Policer for a Firewall Filter

You can configure policers to rate limit traffic on a device. After you configure a policer, you can include it in an ingress firewall filter configuration.

When you configure a firewall filter, you can specify a policer action for any term or terms within the filter. All traffic that matches a term that contains a policer action goes through the policer that the term references. Each policer that you configure includes an implicit counter. To get term-specific packet counts, you must configure a new policer for each filter term that requires policing.

The following policer limits apply on the switch:

  1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure a policer.
  2. In the configuration tree, expand Firewall.
  3. Perform the configuration tasks as described in Table 29.

Note: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 29: Configuring a Policer for a Firewall Filter

Task: Create the policer for expedited forwarding, and give the policer a name—for example, ef-policer.

Action:

  Select Policer and click Add new entry.

  In the Policer name box, type ef-policer.

Task: Set the burst limit for the policer—for example, 2k. Set the bandwidth limit or percentage for the bandwidth allowed for this type of traffic—for example, use a bandwidth percent of 10.

Action:

  1. Select If exceeding.
  2. In the Burst Size Limit box, type a limit for the burst size allowed—for example, 2k.
  3. Select Bandwidth Limit, select bandwidth-limit.
  4. In the box, type 10.
  5. Click OK.

Task: Enter the loss priority for packets exceeding the limits established by the policer—for example, high.

Action:

  1. Select Then.
  2. In the Comment field, enter high.
  3. Click OK.
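
The values from Table 29 written as Junos CLI configuration, with an ingress filter whose terms each reference their own policer so that each term has its own counter. This is an added example, not part of the original page; the filter name, the second policer (af-policer) and its limits, the DSCP match conditions and the interface are assumptions chosen for illustration.

```junos
firewall {
    /* Policer from Table 29: 10 percent bandwidth, 2k burst, excess marked loss-priority high */
    policer ef-policer {
        if-exceeding {
            bandwidth-percent 10;
            burst-size-limit 2k;
        }
        then loss-priority high;
    }
    /* Assumed second policer: a separate policer gives the second term its own implicit counter */
    policer af-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        /* Assumed filter name */
        filter ingress-limit {
            /* Assumed here: a percentage-based policer takes its rate from the interface the filter is bound to */
            interface-specific;
            term ef-traffic {
                from {
                    dscp ef;
                }
                then policer ef-policer;
            }
            term af-traffic {
                from {
                    dscp af11;
                }
                then policer af-policer;
            }
            /* Without a final accept term, unmatched traffic hits the implicit discard */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    /* Assumed interface; the filter is applied in the input (ingress) direction */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input ingress-limit;
                }
            }
        }
    }
}
```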