Configuring Gigabit Ethernet Policers
Policers enable you to perform simple traffic policing on Gigabit Ethernet Interfaces without configuring a firewall filter. You can use this topic to configure an input priority map, an output priority map, and then apply the policy. Use this topic for information on how to configure a two-color policer and tri-color policer.
Capabilities of Gigabit Ethernet IQ PICs and Gigabit Ethernet PICs with SFPs
For Gigabit Ethernet IQ PICs and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router), you can configure granular per-VLAN class-of-service (CoS) capabilities and extensive instrumentation and diagnostics on a per-VLAN and per-MAC address basis.
VLAN rewrite, tagging, and deleting enables you to use VLAN address space to support more customers and services.
VPLS allows you to provide a point-to-multipoint LAN between a set of sites in a VPN. Ethernet IQ PICs and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router) are combined with VPLS to deliver metro Ethernet service.
For Gigabit Ethernet IQ2 and IQ2-E and 10-Gigabit Ethernet IQ2
and IQ2-E interfaces, you can apply Layer 2 policing to logical
interfaces in the egress or ingress direction. Layer 2 policers are
configured at the [edit firewall] hierarchy level. You
can also control the rate of traffic sent or received on an interface
by configuring a policer overhead at the [edit chassis fpc slot-number pic slot-number] hierarchy level.
Table 1 lists the capabilities of Gigabit Ethernet IQ PICs and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router).
Capability |
Gigabit Ethernet IQ (SFP) |
Gigabit Ethernet (SFP) |
|---|---|---|
| Layer 2 | ||
802.3ad link aggregation |
Yes |
Yes |
Maximum VLANs per port |
384 |
1023 |
Maximum transmission unit (MTU) size |
9192 |
9192 |
MAC learning |
Yes |
Yes |
MAC accounting |
Yes |
Yes |
MAC filtering |
Yes |
Yes |
Destinations per port |
960 |
960 |
Sources per port |
64 |
64 |
Hierarchical MAC policers |
Yes, premium and aggregate |
No, aggregate only |
Multiple TPID support and IP service for nonstandard TPIDs |
Yes |
Yes |
Multiple Ethernet encapsulations |
Yes |
Yes |
Dual VLAN tags |
Yes |
No |
VLAN rewrite |
Yes |
No |
| Layer 2 VPNs | ||
VLAN CCC |
Yes |
Yes |
Port-based CCC |
Yes |
Yes |
Extended VLAN CCC Virtual Metropolitan Area Network (VMAN) Tag Protocol |
Yes |
Yes |
| CoS | ||
PIC-based egress queues |
Yes |
Yes |
Queued VLANs |
Yes |
No |
VPLS |
Yes |
Yes |
For more information about configuring VPLS, see the Junos OS VPNs Library for Routing Devices.
You can also configure CoS on logical IQ interfaces. For more information, see the Junos OS Class of Service User Guide for Routing Devices.
See Also
Configuring Gigabit Ethernet Policers
- Overview
- Configuring a Policer
- Specifying an Input Priority Map
- Specifying an Output Priority Map
- Applying a Policer
- Configuring MAC Address Filtering
- Example: Configuring Gigabit Ethernet Policers
Overview
On Gigabit Ethernet IQ and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router), you can define rate limits for premium and aggregate traffic received on the interface. These policers allow you to perform simple traffic policing without configuring a firewall filter. First you configure the Ethernet policer profile, next you classify ingress and egress traffic, then you can apply the policer to a logical interface.
For Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router), the policer rates you configure can be different than the rates on the Packet Forward Engine. The difference results from Layer 2 overhead. The PIC accounts for this difference.
On MX Series routers with Gigabit Ethernet or Fast Ethernet PICs, the following considerations apply:
Interface counters do not count the 7-byte preamble and 1-byte frame delimiter in Ethernet frames.
In MAC statistics, the frame size includes MAC header and CRC before any VLAN rewrite/imposition rules are applied.
In traffic statistics, the frame size encompasses the L2 header without CRC after any VLAN rewrite/imposition rule.
For information on understanding Ethernet frame statistics, see the MX Series Layer 2 Configuration Guide.
Configuring a Policer
To configure an Ethernet policer profile, include the ethernet-policer-profile statement at the [edit interfaces interface-name gigether-options ethernet-switch-profile] hierarchy level:
[edit interfaces interface-name gigether-options ethernet-switch-profile] ethernet-policer-profile { policer cos-policer-name { aggregate { bandwidth-limit bps; burst-size-limit bytes; } premium { bandwidth-limit bps; burst-size-limit bytes; } } }
In the Ethernet policer profile, the aggregate-priority policer is mandatory; the premium-priority policer is optional.
For aggregate and premium policers, you specify the bandwidth
limit in bits per second. You can specify the value as a complete
decimal number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000).
There is no absolute minimum value for bandwidth limit, but any value
below 61,040 bps will result in an effective rate of 30,520 bps. The
maximum bandwidth limit is 4.29 Gbps.
The maximum burst size controls the amount of traffic bursting allowed. To determine the burst-size limit, you can multiply the bandwidth of the interface on which you are applying the filter by the amount of time you allow a burst of traffic at that bandwidth to occur:
burst size = bandwidth x allowable time for burst traffic
If you do not know the interface bandwidth, you can multiply the maximum MTU of the traffic on the interface by 10 to obtain a value. For example, the burst size for an MTU of 4700 would be 47,000 bytes. The burst size should be at least 10 interface MTUs. The maximum value for the burst-size limit is 100 MB.
Specifying an Input Priority Map
An input priority map identifies ingress traffic with specified IEEE 802.1p priority values, and classifies that traffic as premium.
If you include a premium-priority policer, you can specify an
input priority map by including the ieee802.1 premium statement
at the [edit interfaces interface-name gigether-options ethernet-policer-profile input-priority-map] hierarchy level:
[edit interfaces interface-name gigether-options ethernet-policer-profile input-priority-map]
ieee802.1p premium [ values ];
The priority values can be from 0 through 7. The remaining traffic is classified as nonpremium (or aggregate). For a configuration example, see Example: Configuring Gigabit Ethernet Policers.
On IQ2 and IQ2-E interfaces and MX Series interfaces, when a VLAN tag is pushed, the inner VLAN IEEE 802.1p bits are copied to the IEEE bits of the VLAN or VLANs being pushed. If the original packet is untagged, the IEEE bits of the VLAN or VLANs being pushed are set to 0.
Specifying an Output Priority Map
An output priority map identifies egress traffic with specified queue classification and packet loss priority (PLP), and classifies that traffic as premium.
If you include a premium-priority policer, you can specify an
output priority map by including the classifier statement
at the [edit interfaces interface-name gigether-options ethernet-policer-profile output-priority-map] hierarchy level:
[edit interfaces interface-name gigether-options ethernet-policer-profile output-priority-map] classifier { premium { forwarding-class class-name { loss-priority (high | low); } } }
You can define a forwarding class, or you can use a predefined forwarding class. Table 2 shows the predefined forwarding classes and their associated queue assignments.
Forwarding Class Name |
Queue |
|---|---|
best-effort |
Queue 0 |
expedited-forwarding |
Queue 1 |
assured-forwarding |
Queue 2 |
network-control |
Queue 3 |
For more information about CoS forwarding classes, see the Junos OS Class of Service User Guide for Routing Devices. For a configuration example, see Example: Configuring Gigabit Ethernet Policers.
Applying a Policer
On all MX Series Router interfaces, Gigabit Ethernet IQ, IQ2, and IQ2-E PICs, and Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router), you can apply input and output policers that define rate limits for premium and aggregate traffic received on the logical interface. Aggregate policers are supported on Gigabit Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router).
These policers allow you to perform simple traffic policing without configuring a firewall filter.
To apply policers to specific source MAC addresses, include
the accept-source-mac statement:
accept-source-mac { mac-address mac-address { policer { input cos-policer-name; output cos-policer-name; } } }
You can include these statements at the following hierarchy levels:
[edit interfaces interface-name unit logical-unit-number ][edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]
You can specify the MAC address as nn:nn:nn:nn:nn:nn or nnnn.nnnn.nnnn, where n is a hexadecimal number.
You can configure up to 64 source addresses. To specify more than
one address, include multiple mac-address statements in
the logical interface configuration.
On untagged Gigabit Ethernet interfaces you should not
configure the source-address-filter statement at the [edit interfaces ge-fpc/pic/port gigether-options] hierarchy level
and the accept-source-mac statement at the [edit interfaces
ge-fpc/pic/port gigether-options unit logical-unit-number] hierarchy level simultaneously. If these statements are configured
for the same interfaces at the same time, an error message is displayed.
On tagged Gigabit Ethernet interfaces you should not configure
the source-address-filter statement at the [edit interfaces
ge-fpc/pic/port gigether-options] hierarchy level and the accept-source-mac statement at the [edit interfaces ge-fpc/pic/port gigether-options
unit logical-unit-number] hierarchy level
with an identical MAC address specified in both filters. If these
statements are configured for the same interfaces with an identical
MAC address specified, an error message is displayed.
If the remote Ethernet card is changed, the interface does not accept traffic from the new card because the new card has a different MAC address.
The MAC addresses you include in the configuration are entered
into the router’s MAC database. To view the router’s MAC
database, enter the show interfaces mac-database interface-name command:
user@host> show interfaces mac-database interface-name
In the input statement, list the name of one policer
template to be evaluated when packets are received on the interface.
In the output statement, list the name of one policer
template to be evaluated when packets are transmitted on the interface.
On IQ2 and IQ2-E PIC interfaces, the default value for maximum retention of entries in the MAC address table has changed, for cases in which the table is not full. The new holding time is 12 hours. The previous retention time of 3 minutes is still in effect when the table is full.
You can use the same policer one or more times.
If you apply both policers and firewall filters to an interface, input policers are evaluated before input firewall filters, and output policers are evaluated after output firewall filters.
Configuring MAC Address Filtering
You cannot explicitly define traffic with specific source MAC
addresses to be rejected; however, for Gigabit Ethernet IQ and Gigabit
Ethernet PICs with SFPs (except the 10-port Gigabit Ethernet PIC and
the built-in Gigabit Ethernet port on the M7i router), and for Gigabit
Ethernet DPCs on MX Series routers, you can block all incoming packets
that do not have a source address specified in the accept-source-mac statement. For more information about the accept-source-mac statement, see Applying a Policer.
To enable this blocking, include the source-filtering statement at the [edit interfaces interface-name gigether-options] hierarchy level:
[edit interfaces interface-name gigether-options] source-filtering;
For more information about the source-filtering statement,
see Configuring MAC Address Filtering for Ethernet Interfaces.
To accept traffic even though it does not have a source address
specified in the accept-source-mac statement, include the no-source-filtering statement at the [edit interfaces interface-name gigether-options] hierarchy level:
[edit interfaces interface-name gigether-options] no-source-filtering;
Example: Configuring Gigabit Ethernet Policers
Example
This example illustrates the following:
Configure interface
ge-6/0/0to treat priority values 2 and 3 as premium. On ingress, this means that IEEE 802.1p priority values2and3are treated as premium. On egress, it means traffic that is classified into queue 0 or 1 with PLP of low and queue 2 or 3 with PLP of high, is treated as premium.Define a policer that limits the premium bandwidth to 100 Mbps and burst size to 3 k, and the aggregate bandwidth to 200 Mbps and burst size to 3 k.
Specify that frames received from the MAC address
00:01:02:03:04:05and the VLAN ID600are subject to the policer on input and output. On input, this means frames received with the source MAC address00:01:02:03:04:05and the VLAN ID 600 are subject to the policer. On output, this means frames transmitted from the router with the destination MAC address00:01:02:03:04:05and the VLAN ID600are subject to the policer.
Example Configuration
[edit interfaces]
ge-6/0/0 {
gigether-options {
ether-switch-profile {
ether-policer-profile {
input-priority-map {
ieee-802.1p {
premium [ 2 3 ];
}
}
output-priority-map {
classifier {
premium {
forwarding-class best-effort {
loss-priority low;
}
forwarding-class expedited-forwarding {
loss-priority low;
}
forwarding-class assured-forwarding {
loss-priority high;
}
forwarding-class network-control {
loss-priority high;
}
}
}
}
policer policer-1 {
premium {
bandwidth-limit 100m;
burst-size-limit 3k;
}
aggregate {
bandwidth-limit 200m;
burst-size-limit 3k;
}
}
}
}
}
unit 0 {
accept-source-mac {
mac-address 00:01:02:03:04:05 {
policer {
input policer-1;
output policer-1;
}
}
}
}
}
Configuring Gigabit Ethernet Two-Color and Tricolor Policers
Overview
For Gigabit Ethernet and 10-Gigabit Ethernet IQ2 and IQ2-E interfaces on M Series and T Series routers, you can configure two-color and tricolor marking policers and apply them to logical interfaces to prevent traffic on the interface from consuming bandwidth inappropriately.
Networks police traffic by limiting the input or output transmission rate of a class of traffic on the basis of user-defined criteria. Policing traffic allows you to control the maximum rate of traffic sent or received on an interface and to partition a network into multiple priority levels or classes of service.
Policers require you to apply a burst size and bandwidth limit to the traffic flow, and set a consequence for packets that exceed these limits—usually a higher loss priority, so that packets exceeding the policer limits are discarded first.
Juniper Networks router architectures support three types of policer:
Two-color policer—A two-color policer (or “policer” when used without qualification) meters the traffic stream and classifies packets into two categories of packet loss priority (PLP) according to a configured bandwidth and burst-size limit. You can mark packets that exceed the bandwidth and burst-size limit in some way, or simply discard them. A policer is most useful for metering traffic at the port (physical interface) level.
Single-rate tricolor marking (single-rate TCM)—A single-rate tricolor marking policer is defined in RFC 2697, A Single Rate Three Color Marker, as part of an assured forwarding per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured committed information rate (CIR), committed burst size (CBS), and excess burst size (EBS).
Starting in Junos OS Release 13.1, traffic is classified into three categories: Green, Red, and Yellow. Following list describes the categories:
Green—Burst size of the packets that arrive is less than the sum of the configured CIR and CBS.
Red—Burst size of the packets that arrive is greater than the sum of the configured CIR and EBS.
Yellow—Burst size of the packets that arrive is greater than the CBS but less than the EBS.
Single-rate TCM is most useful when a service is structured according to packet length and not peak arrival rate.
Two-rate Tricolor Marking (two-rate TCM)—This type of policer is defined in RFC 2698, A Two Rate Three Color Marker, as part of an assured forwarding per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured CIR and peak information rate (PIR), along with their associated burst sizes, the CBS and EBS.
Traffic is classified into the following three categories:
Green—Burst size of the packets that arrive is less than the sum of the configured CIR and CBS.
Red—Burst size of the packets that arrive is greater than the sum of the configured PIR and EBS.
Yellow—Traffic does not belong to either the green or the red category.
Two-rate TCM is most useful when a service is structured according to arrival rates and not necessarily packet length.
Unlike policing (described in Configuring Gigabit Ethernet Policers), configuring two-color policers and tricolor marking policers requires that you configure a firewall filter.
Configuring a Policer
Two-color and tricolor marking policers are configured at the [edit firewall] hierarchy level.
A tricolor marking policer polices traffic on the basis of metering rates, including the CIR, the PIR, their associated burst sizes, and any policing actions configured for the traffic.
To configure tricolor policer marking, include the three-color-policer statement with options at the [edit firewall] hierarchy
level:
[edit firewall]
three-color-policer name {
action {
loss-priority high {
then discard;
}
}
single-rate {
(color-aware | color-blind);
committed-information-rate bps;
committed-burst-size bytes;
excess-burst-size bytes;
}
two-rate {
(color-aware | color-blind);
committed-information-rate bps;
committed-burst-size bytes;
peak-information-rate bps;
peak-burst-size bytes;
}
}
For more information about configuring tricolor policer markings, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide and the Junos OS Class of Service User Guide for Routing Devices.
Applying a Policer
Apply a two-color policer or tricolor policer to a logical interface
to prevent traffic on the interface from consuming bandwidth inappropriately.
To apply two-color or tricolor policers, include the layer2-policer statement:
layer2-policer { input-policer policer-name; input-three-color policer-name; output-policer policer-name; policer-name; }
You can include these statements at the following hierarchy levels:
[edit interfaces interface-name unit logical-unit-number][edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]
Use the input-policer statement to apply a two-color
policer to received packets on a logical interface and the input-three-color statement to apply a tricolor policer. Use the output-policer statement to apply a two-color policer to transmitted packets on
a logical interface and the output-three-color statement
to apply a tricolor policer. The specified policers must be configured
at the [edit firewall] hierarchy level. For each interface,
you can configure a three-color policer or two-color input policer
or output policers—you cannot configure both a three-color policer
and a two-color policer.
Example: Configuring and Applying a Policer
Configure tricolor policers and apply them to an interface:
[edit firewall]
three-color-policer three-color-policer-color-blind {
logical-interface-policer;
two-rate {
color-blind;
committed-information-rate 1500000;
committed-burst-size 150;
peak-information-rate 3;
peak-burst-size 300;
}
}
three-color-policer three-color-policer-color-aware {
logical-interface-policer;
two-rate {
color-aware;
committed-information-rate 1500000;
committed-burst-size 150;
peak-information-rate 3;
peak-burst-size 300;
}
}
[edit interfaces ge-1/1/0]
unit 1 {
layer2-policer {
input-three-color three-color-policer-color-blind;
output-three-color three-color-policer-color-aware;
}
}
Configure a two-color policer and apply it to an interface:
[edit firewall]
policer two-color-policer {
logical-interface-policer;
if-exceeding {
bandwidth-percent 90;
burst-size-limit 300;
}
then loss-priority-high;
}
[edit interfaces ge-1/1/0]
unit 2 {
layer2-policer {
input-policer two-color-policer;
output-policer two-color-policer;
}
}
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.