Two-Color and Three-Color Policers at Layer 2

Two-Color Policing at Layer 2 Overview

Guidelines for Configuring Two-Color Policing of Layer 2 Traffic

The following guidelines apply to two-color policing of Layer 2 traffic:

  • You can apply a two-color policer to ingress or egress Layer 2 traffic at a logical interface hosted on a Gigabit Ethernet interface (ge-) or a 10-Gigabit Ethernet interface (xe-) only.

  • A single logical interface supports Layer 2 policing in both directions.

  • You can apply a two-color policer to Layer 2 traffic as a logical interface policer only. You cannot apply a two-color policer to Layer 2 traffic as a stateless firewall filter action.

  • You can apply a two-color policer to Layer 2 traffic by referencing the policer in the interface configuration at the logical unit level, and not at the protocol level.

For information about configuring three-color policing of Layer 2 traffic, see Three-Color Policing at Layer 2 Overview.

Statement Hierarchy for Configuring a Two-Color Policer for Layer 2 Traffic

To enable a single-rate two-color policer to rate-limit Layer 2 traffic, include the logical-interface-policer statement in the policer configuration.

You can include the configuration at the following hierarchy levels:

  • [edit]

  • [edit logical-systems logical-system-name]

Statement Hierarchy for Applying a Two-Color Policer to Layer 2 Traffic

To apply a logical interface policer to Layer 2 traffic, include the layer2-policer input-policer policer-name statement or the layer2-policer output-policer policer-name statement for a supported logical interface. Use the input-policer or output-policer statements to apply a two-color policer at Layer 2.

You can include the configuration at the following hierarchy levels:

  • [edit]

  • [edit logical-systems logical-system-name]

Three-Color Policing at Layer 2 Overview

Guidelines for Configuring Three-Color Policing of Layer 2 Traffic

The following guidelines apply to three-color policing of Layer 2 traffic:

  • You can apply a three-color policer to Layer 2 traffic at a logical interface hosted on a Gigabit Ethernet interface (ge-) or a 10-Gigabit Ethernet interface (xe-) only.

  • A single logical interface supports Layer 2 policing in both directions.

  • You can apply a three-color policer to Layer 2 traffic as a logical interface policer only. You cannot apply a two-color policer to Layer 2 traffic as a stateless firewall filter action.

  • You can apply a three-color policer to Layer 2 traffic by referencing the policer in the interface configuration at the logical unit level, and not at the protocol level.

  • You can apply a color-aware three-color policer to Layer 2 traffic in the egress direction only, but you can apply a color-blind three-color policer to Layer 2 traffic in either direction.

For information about configuring two-color policing of Layer 2 traffic, see Two-Color Policing at Layer 2 Overview.

Statement Hierarchy for Configuring a Three-Color Policer for Layer 2 Traffic

To enable a single-rate or two-rate three-color policer to rate-limit Layer 2 traffic, include the logical-interface-policer statement in the three-color-policer configuration.

You can include the configuration at the following hierarchy levels:

  • [edit]

  • [edit logical-systems logical-system-name]

Statement Hierarchy for Applying a Three-Color Policer to Layer 2 Traffic

To apply a logical interface policer to Layer 2 traffic, include the layer2-policer statement for a supported logical interface at the logical unit level. Use the input-three-color policer-name statement or output-three-color policer-name statement to specify the direction of the traffic to be policed.

You can include the configuration at the following hierarchy levels:

  • [edit]

  • [edit logical-systems logical-system-name]

Example: Configuring a Three-Color Logical Interface (Aggregate) Policer

This example shows how to configure a two-rate three-color color-blind policer as a logical interface (aggregate) policer and apply the policer directly to Layer 2 input traffic at a supported logical interface.

Requirements

Before you begin, make sure that the logical interface to which you apply the three-color logical interface policer is hosted on a Gigabit Ethernet interface (ge-) or a 10-Gigabit Ethernet interface (xe-) on an MX Series router.

Overview

A two-rate three-color policer meters a traffic flow against a bandwidth limit and burst-size limit for guaranteed traffic, plus a second set of bandwidth and burst-size limits for peak traffic. Traffic that conforms to the limits for guaranteed traffic is categorized as green, and nonconforming traffic falls into one of two categories:

  • Nonconforming traffic that does not exceed the bandwidth and burst-size limits for peak traffic is categorized as yellow.

  • Nonconforming traffic that exceeds the bandwidth and burst-size limits for peak traffic is categorized as red.

A logical interface policer defines traffic rate-limiting rules that you can apply to multiple protocol families on the same logical interface without creating multiple instances of the policer.

Note:

You apply a logical interface policer directly to a logical interface at the logical unit level, and not by referencing the policer in a stateless firewall filter and then applying the filter to the logical interface at the protocol family level.

Topology

In this example, you configure the two-rate three-color policer trTCM2-cb as a color-blind logical interface policer and apply the policer to incoming Layer 2 traffic on logical interface ge-1/3/1.0.

Note:

When using a three-color policer to rate-limit Layer 2 traffic, color-aware policing can be applied to egress traffic only.

The policer defines guaranteed traffic rate limits such that traffic that conforms to the bandwidth limit of 40 Mbps with a 100 KB allowance for traffic bursting (based on the token-bucket formula) is categorized as green. As with any policed traffic, the packets in a green flow are implicitly set to a low loss priority and then transmitted.

Nonconforming traffic that falls within the peak traffic limits of a 60 Mbps bandwidth limit and a 200 KB allowance for traffic bursting (based on the token-bucket formula) is categorized as yellow. The packets in a yellow traffic flow are implicitly set to a medium-high loss priority and then transmitted.

Nonconforming traffic that exceeds the peak traffic limits is categorized as red. The packets in a red traffic flow are implicitly set to a high loss priority. In this example, the optional policer action for red traffic (loss-priority high then discard) is configured, so packets in a red traffic flow are discarded instead of transmitted.
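The following model is an added example, not part of the original documentation or Junos code. It meters constructed traffic against the limits above (40 Mbps / 100 KB committed, 60 Mbps / 200 KB peak) to show how many packets land in each color. It assumes the color-blind two-rate algorithm of RFC 2698 and decimal k/m units; the names TrTCM, page_policer and run_stream are hypothetical.

```python
from collections import Counter

MICRO = 1_000_000  # buckets are kept in micro-bytes so all arithmetic stays integer


class TrTCM:
    """Color-blind two-rate three-color meter (RFC 2698 algorithm, assumed here)."""

    def __init__(self, cir_bps, cbs_bytes, pir_bps, pbs_bytes):
        self.cir = cir_bps // 8            # committed rate, bytes per second
        self.pir = pir_bps // 8            # peak rate, bytes per second
        self.cbs = cbs_bytes * MICRO       # committed burst size
        self.pbs = pbs_bytes * MICRO       # peak burst size
        self.tc, self.tp = self.cbs, self.pbs   # both buckets start full
        self.last_us = 0

    def meter(self, now_us, size_bytes):
        # Refill both buckets: bytes/s * microseconds = micro-bytes, capped at burst size.
        dt = now_us - self.last_us
        self.last_us = now_us
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.tp = min(self.pbs, self.tp + self.pir * dt)
        cost = size_bytes * MICRO
        if self.tp < cost:
            return "red"        # exceeds peak limits; discarded in the page's example
        self.tp -= cost
        if self.tc < cost:
            return "yellow"     # within peak limits only; medium-high loss priority
        self.tc -= cost
        return "green"          # within committed limits; low loss priority


def page_policer():
    # Limits quoted in the Topology section; 100 KB taken as 100,000 bytes (assumption).
    return TrTCM(40_000_000, 100_000, 60_000_000, 200_000)


def run_stream(policer, rate_bps, packets, size_bytes=1500):
    """Constructed input: fixed-size packets evenly spaced at rate_bps.
    rate_bps=0 models one back-to-back burst arriving at the same instant."""
    gap_us = size_bytes * 8 * MICRO // rate_bps if rate_bps else 0
    return Counter(policer.meter(i * gap_us, size_bytes) for i in range(packets))


if __name__ == "__main__":
    print("200-packet burst:", dict(run_stream(page_policer(), 0, 200)))
    print("50 Mbps steady  :", dict(run_stream(page_policer(), 50_000_000, 1000)))
    print("80 Mbps steady  :", dict(run_stream(page_policer(), 80_000_000, 2000)))
```

In the 50 Mbps run no packet is red: once the committed bucket drains, every fifth packet is yellow, which matches the 10 Mbps excess over the 40 Mbps committed rate.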

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

CLI Quick Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

Configuring the Logical Interfaces

Step-by-Step Procedure

To configure the logical interfaces:

  1. Enable configuration of the interface.

  2. Configure single tagging.

  3. Configure logical interface ge-1/3/1.0.

  4. Configure logical interface ge-1/3/1.0.

Results

Confirm the configuration of the logical interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Configuring the Two-Rate Three-Color Policer as a Logical Interface Policer

Step-by-Step Procedure

To configure the two-rate three-color policer as a logical interface policer:

  1. Enable configuration of a three-color policer.

  2. Specify that the policer is a logical interface (aggregate) policer.

    A logical interface policer rate-limits traffic based on a percentage of the media rate of the physical interface underlying the logical interface to which the policer is applied, and the policer is applied directly to the interface rather than referenced by a firewall filter.

  3. Specify that the policer is two-rate and color-blind.

    A color-aware three-color policer takes into account any coloring markings that might have been set for a packet by another traffic policer configured at a previous network node, and any preexisting color markings are used in determining the appropriate policing action for the packet.

    Because you are applying this three-color policer to input at Layer 2, you must configure the policer to be color-blind.

  4. Specify the policer traffic limits used to classify a green traffic flow.

  5. Specify the additional policer traffic limits used to classify a yellow or red traffic flow.

  6. (Optional) Specify the configured policer action for packets in a red traffic flow.

    In color-aware mode, the three-color policer configured action can increase the packet loss priority (PLP) level of a packet, but never decrease it. For example, if a color-aware three-color policer meters a packet with a medium PLP marking, it can raise the PLP level to high, but cannot reduce the PLP level to low.

Results

Confirm the configuration of the three-color policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Applying the Three-Color Policer to the Layer 2 Input at the Logical Interface

Step-by-Step Procedure

To apply the three-color policer to the Layer 2 input at the logical interface:

  1. Enable application of Layer 2 logical interface policers.

  2. Apply the three-color logical interface policer to a logical interface input.

Results

Confirm the configuration of the logical interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Displaying Traffic Statistics and Policers for the Logical Interface

Purpose

Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.

Action

Use the show interfaces operational mode command for logical interface ge-1/3/1.0, and include the detail or extensive option. The command output section for Traffic statistics lists the number of bytes and packets received and transmitted on the logical interface, and the Protocol inet section contains a Policer field that would list the policer trTCM2-cb as an input or output policer as follows:

  • Input: trTCM2-cb-ge-1/3/1.0-log_int-i

  • Output: trTCM2-cb-ge-1/3/1.0-log_int-o

The log_int-i suffix denotes a logical interface policer applied to input traffic, while the log_int-o suffix denotes a logical interface policer applied to output traffic. In this example, the logical interface policer is applied in the input direction only.

Displaying Statistics for the Policer

Purpose

Verify the number of packets evaluated by the policer.

Action

Use the show policer operational mode command and optionally specify the name of the policer. The command output displays the number of packets evaluated by each configured policer (or the specified policer), in each direction. For the policer trTCM2-cb, the input and output policer names are displayed as follows:

  • trTCM2-cb-ge-1/3/1.0-log_int-i

  • trTCM2-cb-ge-1/3/1.0-log_int-o

The log_int-i suffix denotes a logical interface policer applied to input traffic, while the log_int-o suffix denotes a logical interface policer applied to output traffic. In this example, the logical interface policer is applied to input traffic only.