Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Two-Color and Three-Color Logical Interface Policers

Logical Interface (Aggregate) Policer Overview

A logical interface policer—also called an aggregate policer—is a two-color or three-color policer that defines traffic rate limiting that you can apply to input or output traffic for multiple protocol families on the same logical interface without creating multiple instances of the policer.

To configure a single-rate two-color logical interface policer, include the logical-interface-policer statement at one of the following hierarchy levels:

To configure a single-rate or two-rate three-color logical interface policer, include the logical-interface-policer statement at one of the following hierarchy levels:

Note:

A three-color policer can be applied to Layer 2 traffic as a logical interface policer only. You cannot apply a three-color policer to Layer 2 traffic as a physical interface policer (through a firewall filter).

You apply a logical interface policer to Layer 3 traffic directly to the interface configuration at the logical unit level (to rate-limit all traffic types, regardless of the protocol family) or at the protocol family level (to rate-limit traffic of a specific protocol family). It is OK to reference a logical interface policer from a stateless firewall filter term and then apply the filter to a logical interface.

You can apply a logical interface policer to unicast traffic only. For information about configuring a stateless firewall filter for flooded traffic, see “Applying Forwarding Table Filters” in the “Traffic Sampling, Forwarding, and Monitoring” section of the Routing Policies, Firewall Filters, and Traffic Policers User Guide.

To display a logical interface policer on a particular interface, issue the show interfaces policers operational mode command.

Example: Configuring a Two-Color Logical Interface (Aggregate) Policer

This example shows how to configure a single-rate two-color policer as a logical interface policer and apply it to incoming IPv4 traffic on a logical interface.

Requirements

Before you begin, make sure that the logical interface to which you apply the two-color logical interface policer is hosted on a Gigabit Ethernet interface (ge-) or a 10-Gigabit Ethernet interface (xe-).

Overview

In this example, you configure the single-rate two-color policer policer_IFL as a logical interface policer and apply it to incoming IPv4 traffic at logical interface ge-1/3/1.0.

Topology

If the input IPv4 traffic on the physical interface ge-1/3/1 exceeds the bandwidth limit equal to 90 percent of the media rate with a 300 KB burst-size limit, then the logical interface policer policer_IFL rate-limits the input IPv4 traffic on the logical interface ge-1/3/1.0. Configure the policer to mark nonconforming traffic by setting packet loss priority (PLP) levels to high and classifying packets as best-effort.

As the incoming IPv4 traffic rate on the physical interface slows and conforms to the configured limits, Junos OS stops marking the incoming IPv4 packets at the logical interface.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

CLI Quick Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

Configuring the Logical Interfaces

Step-by-Step Procedure

To configure the logical interfaces:

  1. Enable configuration of the interface.

  2. Configure single tagging.

  3. Configure logical interface ge-1/3/1.0.

  4. Configure logical interface ge-1/3/1.0.

Results

Confirm the configuration of the logical interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Configuring the Single-Rate Two-Color Policer as a Logical Interface Policer

Step-by-Step Procedure

To configure a single-rate two-color policer as a logical interface policer:

  1. Enable configuration of a single-rate two-color policer.

  2. Specify that the policer is a logical interface (aggregate) policer.

    A logical interface policer rate-limits traffic based on a percentage of the media rate of the physical interface underlying the logical interface to which the policer is applied. The policer is applied directly to the interface rather than referenced by a firewall filter.

  3. Specify the policer traffic limits.

    • Specify the bandwidth limit.

      • To specify the bandwidth limit as an absolute rate, from 8,000 bits per second through 50,000,000,000 bits per second, include the bandwidth-limit bps statement.

      • To specify the bandwidth limit as a percentage of the physical port speed on the interface, include the bandwidth-percent percent statement.

      In this example, the CLI commands and output are based on a bandwidth limit specified as a percentage rather than as an absolute rate.

    • Specify the burst-size limit, from 1,500 bytes through 100,000,000,000 bytes, which is the maximum packet size to be permitted for bursts of data that exceed the specified bandwidth limit.

  4. Specify the policer actions to be taken on traffic that exceeds the configured rate limits.

    • To discard the packet, include the discard statement.

    • To set the loss-priority value of the packet, include the loss-priority (low | medium-low | medium-high | high) statement.

    • To classify the packet to a forwarding class, include the forwarding-class (forwarding-class | assured-forwarding | best-effort | expedited-forwarding | network-control) statement.

    In this example, the CLI commands and output are based on both setting the packet loss priority level and classifying the packet.

Results

Confirm the configuration of the policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Applying the Logical Interface Policer to Input IPv4 Traffic at a Logical Interface

Step-by-Step Procedure

To apply the two-color logical interface policer to input IPv4 traffic a logical interface:

  1. Enable configuration of the logical interface.

  2. Apply the policer to all traffic types or to a specific traffic type on the logical interface.

    • To apply the policer to all traffic types, regardless of the protocol family, include the policer (input | output) policer-name statement at the [edit interfaces interface-name unit number] hierarchy level.

    • To apply the policer to traffic of a specific protocol family, include the policer (input | output) policer-name statement at the [edit interfaces interface-name unit unit-number family family-name] hierarchy level.

    To apply the logical interface policer to incoming packets, use the policer input policer-name statement. To apply the logical interface policer to outgoing packets, use the policer output policer-name statement.

    In this example, the CLI commands and output are based on rate-limiting the IPv4 input traffic at logical interface ge-1/3/1.0.

Results

Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Displaying Traffic Statistics and Policers for the Logical Interface

Purpose

Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.

Action

Use the show interfaces operational mode command for logical interface ge-1/3/1.0, and include the detail or extensive option. The command output section for Traffic statistics lists the number of bytes and packets received and transmitted on the logical interface. The Protocol inet subsection contains a Policer field that would list the policer policer_IFL as an input or output logical interface policer as follows:

  • Input: policer_IFL-ge-1/3/1.0-log_int-i

  • Output: policer_IFL-ge-1/3/1.0-log_int-o

The log_int-i suffix denotes a logical interface policer applied to input traffic, while the log_int-o suffix denotes a logical interface policer applied to output traffic. In this example, the logical interface policer is applied to input traffic only.

Displaying Statistics for the Policer

Purpose

Verify the number of packets evaluated by the policer.

Action

Use the show policer operational mode command and optionally specify the name of the policer. The command output displays the number of packets evaluated by each configured policer (or the specified policer), in each direction. For the policer policer_IFL, the input and output policer names are displayed as follows:

  • policer_IFL-ge-1/3/1.0-log_int-i

  • policer_IFL-ge-1/3/1.0-log_int-o

The log_int-i suffix denotes a logical interface policer applied to input traffic, while the log_int-o suffix denotes a logical interface policer applied to output traffic. In this example, the logical interface policer is applied to input traffic only.

Example: Configuring a Three-Color Logical Interface (Aggregate) Policer

This example shows how to configure a two-rate three-color color-blind policer as a logical interface (aggregate) policer and apply the policer directly to Layer 2 input traffic at a supported logical interface.

Requirements

Before you begin, make sure that the logical interface to which you apply the three-color logical interface policer is hosted on a Gigabit Ethernet interface (ge-) or a 10-Gigabit Ethernet interface (xe-) on an MX Series router.

Overview

A two-rate three-color policer meters a traffic flow against a bandwidth limit and burst-size limit for guaranteed traffic, plus a second set of bandwidth and burst-size limits for peak traffic. Traffic that conforms to the limits for guaranteed traffic is categorized as green, and nonconforming traffic falls into one of two categories:

  • Nonconforming traffic that does not exceed the bandwidth and burst-size limits for peak traffic is categorized as yellow.

  • Nonconforming traffic that exceeds the bandwidth and burst-size limits for peak traffic is categorized as red.

A logical interface policer defines traffic rate-limiting rules that you can apply to multiple protocol families on the same logical interface without creating multiple instances of the policer.

Note:

You apply a logical interface policer directly to a logical interface at the logical unit level, and not by referencing the policer in a stateless firewall filter and then applying the filter to the logical interface at the protocol family level.

Topology

In this example, you configure the two-rate three-color policer trTCM2-cb as a color-blind logical interface policer and apply the policer to incoming Layer 2 traffic on logical interface ge-1/3/1.0.

Note:

When using a three-color policer to rate-limit Layer 2 traffic, color-aware policing can be applied to egress traffic only.

The policer defines guaranteed traffic rate limits such that traffic that conforms to the bandwidth limit of 40 Mbps with a 100 KB allowance for traffic bursting (based on the token-bucket formula) is categorized as green. As with any policed traffic, the packets in a green flow are implicitly set to a low loss priority and then transmitted.

Nonconforming traffic that falls within the peak traffic limits of a 60 Mbps bandwidth limit and a 200 KB allowance for traffic bursting (based on the token-bucket formula) is categorized as yellow. The packets in a yellow traffic flow are implicitly set to a medium-high loss priority and then transmitted.

Nonconforming traffic that exceeds the peak traffic limits are categorized as red. The packets in a red traffic flow are implicitly set to a high loss priority. In this example, the optional policer action for red traffic (loss-priority high then discard) is configured, so packets in a red traffic flow are discarded instead of transmitted.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

CLI Quick Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

Configuring the Logical Interfaces

Step-by-Step Procedure

To configure the logical interfaces:

  1. Enable configuration of the interface.

  2. Configure single tagging.

  3. Configure logical interface ge-1/3/1.0.

  4. Configure logical interface ge-1/3/1.0.

Results

Confirm the configuration of the logical interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Configuring the Two-Rate Three-Color Policer as a Logical Interface Policer

Step-by-Step Procedure

To configure the two-rate three-color policer as a logical interface policer:

  1. Enable configuration of a three-color policer.

  2. Specify that the policer is a logical interface (aggregate) policer.

    A logical interface policer rate-limits traffic based on a percentage of the media rate of the physical interface underlying the logical interface to which the policer is applied, and the policer is applied directly to the interface rather than referenced by a firewall filter.

  3. Specify that the policer is two-rate and color-blind.

    A color-aware three-color policer takes into account any coloring markings that might have been set for a packet by another traffic policer configured at a previous network node, and any preexisting color markings are used in determining the appropriate policing action for the packet.

    Because you are applying this three-color policer applied to input at Layer 2, you must configure the policer to be color-blind.

  4. Specify the policer traffic limits used to classify a green traffic flow.

  5. Specify the additional policer traffic limits used to classify a yellow or red traffic flow.

  6. (Optional) Specify the configured policer action for packets in a red traffic flow.

    In color-aware mode, the three-color policer configured action can increase the packet loss priority (PLP) level of a packet, but never decrease it. For example, if a color-aware three-color policer meters a packet with a medium PLP marking, it can raise the PLP level to high, but cannot reduce the PLP level to low.

Results

Confirm the configuration of the three-color policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Applying the Three-Color Policer to the Layer 2 Input at the Logical Interface

Step-by-Step Procedure

To apply the three-color policer to the Layer 2 input at the logical interface:

  1. Enable application of Layer 2 logical interface policers.

  2. Apply the three-color logical interface policer to a logical interface input.

Results

Confirm the configuration of the logical interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Displaying Traffic Statistics and Policers for the Logical Interface

Purpose

Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.

Action

Use the show interfaces operational mode command for logical interface ge-1/3/1.0, and include the detail or extensive option. The command output section for Traffic statistics lists the number of bytes and packets received and transmitted on the logical interface, and the Protocol inet section contains a Policer field that would list the policer trTCM2-cb as an input or output policer as follows:

  • Input: trTCM2-cb-ge-1/3/1.0-log_int-i

  • Output: trTCM2-cb-ge-1/3/1.0-log_int-o

The log_int-i suffix denotes a logical interface policer applied to input traffic, while the log_int-o suffix denotes a logical interface policer applied to output traffic. In this example, the logical interface policer is applied to in the input direction only.

Displaying Statistics for the Policer

Purpose

Verify the number of packets evaluated by the policer.

Action

Use the show policer operational mode command and optionally specify the name of the policer. The command output displays the number of packets evaluated by each configured policer (or the specified policer), in each direction. For the policer trTCM2-cb, the input and output policer names are displayed as follows:

  • trTCM2-cb-ge-1/3/1.0-log_int-i

  • trTCM2-cb-e-1/3/1.0-log_int-o

The log_int-i suffix denotes a logical interface policer applied to input traffic, while the log_int-o suffix denotes a logical interface policer applied to output traffic. In this example, the logical interface policer is applied to input traffic only.