Basic Single-Rate Three-Color Policers
Single-Rate Three-Color Policer Overview
A single-rate three-color policer defines a bandwidth limit and a maximum burst size for guaranteed traffic and a second burst size for peak traffic. A single-rate three-color policer is most useful when a service is structured according to packet length and not peak arrival rate.
Single-rate three-color policing meters a traffic stream based on the following configured traffic criteria:
Committed information rate (CIR)—Bandwidth limit for guaranteed traffic.
Committed burst size (CBS)—Maximum packet size permitted for bursts of data that exceed the CIR.
Excess burst size (EBS)—Maximum packet size permitted for peak traffic.
Single-rate tricolor marking (single-rate TCM) classifies traffic as belonging to one of three color categories and performs congestion-control actions on the packets based on the color marking:
Green—Traffic that conforms to either the bandwidth limit or the burst size for guaranteed traffic (CIR or CBS). For a green traffic flow, single-rate TCM marks the packets with an implicit loss priority of low and transmits the packets.
Yellow—Traffic that exceeds both the bandwidth limit and the burst size for guaranteed traffic (CIR and CBS) but not the burst size for peak traffic (EBS). For a yellow traffic flow, single-rate TCM marks the packets with an implicit loss priority of medium-high and transmits the packets.
Red—Traffic that exceeds the burst size for peak traffic (EBS). For a red traffic flow, single-rate TCM marks the packets with an implicit loss priority of high and, optionally, discards the packets.
If congestion occurs downstream, the packets with higher loss priority are more likely to be discarded.
For both single-rate and two-rate three-color policers, the only configurable action is to discard packets in a red traffic flow.
The discard action for a tricolor marking policer for a firewall filter is supported on the M120 routers, M320 routers with Enhanced-III FPCs, M7i and M10i routers with the Enhanced CFEB (CFEB-E), and MX Series routers with MPCs, so it is not necessary to include the logical-interface-policer statement for them.
Example: Configuring a Single-Rate Three-Color Policer
This example shows how to configure a single-rate three-color policer.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
A single-rate three-color policer meters a traffic flow against a bandwidth limit and burst-size limit for guaranteed traffic, plus a second burst-size limit for excess traffic. Traffic that conforms to the limits for guaranteed traffic is categorized as green, and nonconforming traffic falls into one of two categories:
Nonconforming traffic that does not exceed the burst size for excess traffic is categorized as yellow.
Nonconforming traffic that exceeds the burst size for excess traffic is categorized as red.
Each category is associated with an action. For green traffic, packets are implicitly set with a loss-priority value of low and then transmitted. For yellow traffic, packets are implicitly set with a loss-priority value of medium-high and then transmitted. For red traffic, packets are implicitly set with a loss-priority value of high and then transmitted. If the policer configuration includes the optional action statement (action loss-priority high then discard), then packets in a red flow are discarded instead.
You can apply a three-color policer to Layer 3 traffic as a firewall filter policer only. You reference the policer from a stateless firewall filter term, and then you apply the filter to the input or output of a logical interface at the protocol level.
Topology
In this example, you apply a color-aware, single-rate three-color policer to the input IPv4 traffic at logical interface ge-2/0/5.0. The IPv4 firewall filter term that references the policer does not apply any packet-filtering. The filter is used only to apply the three-color policer to the interface.
You configure the policer to rate-limit traffic to a bandwidth limit of 40 Mbps and a burst-size limit of 100 KB for green traffic but also allow an excess burst-size limit of 200 KB for yellow traffic. Only nonconforming traffic that exceeds the peak burst-size limit is categorized as red. In this example, you configure the three-color policer action loss-priority high then discard, which overrides the implicit marking of red traffic to a high loss priority.
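The coloring decisions for these limits can be traced with a small token-bucket model. This is an added example, not Juniper code: it follows the srTCM metering algorithm of RFC 2697 with this example's 40m/100k/200k values, and the class and function names, the reading of k as 1000 bytes, and the constructed packet bursts are assumptions.

```python
from dataclasses import dataclass

CIR_BPS = 40_000_000  # committed-information-rate 40m (bits per second)
CBS = 100_000         # committed-burst-size 100k (bytes; k = 1000 is an assumption)
EBS = 200_000         # excess-burst-size 200k (bytes)

@dataclass
class SrTcm:  # hypothetical model name, not a Junos object
    cir_bps: int = CIR_BPS
    cbs: int = CBS
    ebs: int = EBS
    color_aware: bool = True
    discard_red: bool = True  # models "action loss-priority high then discard"

    def __post_init__(self):
        self.tc = float(self.cbs)  # committed bucket starts full
        self.te = float(self.ebs)  # excess bucket starts full
        self.last = 0.0

    def _refill(self, now):
        tokens = (now - self.last) * self.cir_bps / 8  # bytes earned since last packet
        self.last = now
        to_c = min(tokens, self.cbs - self.tc)         # committed bucket fills first
        self.tc += to_c
        self.te = min(self.ebs, self.te + tokens - to_c)  # overflow feeds excess bucket

    def meter(self, now, size, pre_color="green"):
        """Return (color, forwarded) for a `size`-byte packet arriving at `now` seconds."""
        self._refill(now)
        if not self.color_aware:
            pre_color = "green"  # color-blind mode ignores any earlier marking
        if pre_color == "green" and self.tc >= size:
            self.tc -= size
            return "green", True
        if pre_color in ("green", "yellow") and self.te >= size:
            self.te -= size
            return "yellow", True
        return "red", not self.discard_red

def run_burst(policer, packets, size=1500, gap=0.0, pre_color="green"):
    """Constructed input: `packets` equal-size packets spaced `gap` seconds apart."""
    counts = {"green": 0, "yellow": 0, "red": 0, "dropped": 0}
    for i in range(packets):
        color, forwarded = policer.meter(i * gap, size, pre_color)
        counts[color] += 1
        counts["dropped"] += not forwarded
    return counts
```

A back-to-back burst of 250 1500-byte packets drains the committed bucket first, then the excess bucket, and the remainder is red; packets that arrive already marked yellow never draw from the committed bucket in color-aware mode.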
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configuring a Single-Rate Three-Color Policer
- Configuring an IPv4 Stateless Firewall Filter That References the Policer
- Applying the Filter to the Logical Interface
CLI Quick Configuration
To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
set firewall three-color-policer srTCM1-ca single-rate color-aware
set firewall three-color-policer srTCM1-ca single-rate committed-information-rate 40m
set firewall three-color-policer srTCM1-ca single-rate committed-burst-size 100k
set firewall three-color-policer srTCM1-ca single-rate excess-burst-size 200k
set firewall three-color-policer srTCM1-ca action loss-priority high then discard
set firewall family inet filter filter-srtcm1ca-all term 1 then three-color-policer single-rate srTCM1-ca
set class-of-service interfaces ge-2/0/5 unit 0 forwarding-class af
set interfaces ge-2/0/5 unit 0 family inet address 10.20.130.1/24
set interfaces ge-2/0/5 unit 0 family inet filter input filter-srtcm1ca-all
Configuring a Single-Rate Three-Color Policer
Step-by-Step Procedure
To configure a single-rate three-color policer:
Enable configuration of a three-color policer.
[edit]
user@host# edit firewall three-color-policer srTCM1-ca
Configure the color mode of the single-rate three-color policer.
[edit firewall three-color-policer srTCM1-ca]
user@host# set single-rate color-aware
Configure the single-rate guaranteed traffic limits.
[edit firewall three-color-policer srTCM1-ca]
user@host# set single-rate committed-information-rate 40m
user@host# set single-rate committed-burst-size 100k
Configure the single-rate burst-size limit that is used to classify nonconforming traffic.
[edit firewall three-color-policer srTCM1-ca]
user@host# set single-rate excess-burst-size 200k
(Optional) Configure the action for nonconforming traffic.
[edit firewall three-color-policer srTCM1-ca]
user@host# set action loss-priority high then discard
For three-color policers, the only configurable action is to discard packets in a red traffic flow. In this example, packets in a red traffic flow have been implicitly marked with a high packet loss priority (PLP) level because the traffic flow exceeded the rate-limiting defined by the single rate-limit (specified by the committed-information-rate 40m statement) and the larger burst-size limit (specified by the excess-burst-size 200k statement). Because the optional action statement is included, this example takes the more severe action of discarding packets in a red traffic flow.
Results
Confirm the configuration of the three-color policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
three-color-policer srTCM1-ca {
    action {
        loss-priority high then discard;
    }
    single-rate {
        color-aware;
        committed-information-rate 40m;
        committed-burst-size 100k;
        excess-burst-size 200k;
    }
}
Configuring an IPv4 Stateless Firewall Filter That References the Policer
Step-by-Step Procedure
To configure a standard stateless firewall filter that references the policer:
Enable configuration of an IPv4 standard stateless firewall filter.
[edit]
user@host# edit firewall family inet filter filter-srtcm1ca-all
Specify the filter term that references the policer.
[edit firewall family inet filter filter-srtcm1ca-all]
user@host# set term 1 then three-color-policer single-rate srTCM1-ca
Note that the term does not specify any match conditions. The firewall filter passes all packets to the policer.
Results
Confirm the configuration of the firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show firewall
family inet {
    filter filter-srtcm1ca-all {
        term 1 {
            then {
                three-color-policer {
                    single-rate srTCM1-ca;
                }
            }
        }
    }
}
three-color-policer srTCM1-ca {
    action {
        loss-priority high then discard;
    }
    single-rate {
        color-aware;
        committed-information-rate 40m;
        committed-burst-size 100k;
        excess-burst-size 200k;
    }
}
Applying the Filter to the Logical Interface
Step-by-Step Procedure
To apply the filter to the logical interface:
(MX Series routers only) (Optional) Reclassify all incoming packets on the logical interface ge-2/0/5.0 to assured forwarding, regardless of any preexisting classification.
[edit]
user@host# set class-of-service interfaces ge-2/0/5 unit 0 forwarding-class af
The classifier name can be a configured classifier or one of the default classifiers.
Enable configuration of the logical interface.
[edit]
user@host# edit interfaces ge-2/0/5 unit 0 family inet
Configure an IP address.
[edit interfaces ge-2/0/5 unit 0 family inet]
user@host# set address 10.20.130.1/24
Reference the filter as an input filter.
[edit interfaces ge-2/0/5 unit 0 family inet]
user@host# set filter input filter-srtcm1ca-all
Results
Confirm the configuration of the interface by entering the show class-of-service and show interfaces configuration mode commands. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show class-of-service
interfaces {
    ge-2/0/5 {
        unit 0 {
            forwarding-class af;
        }
    }
}
[edit]
user@host# show interfaces
ge-2/0/5 {
    unit 0 {
        family inet {
            filter {
                input filter-srtcm1ca-all;
            }
            address 10.20.130.1/24;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Displaying the Firewall Filters Applied to the Logical Interface
Purpose
Verify that the firewall filter is applied to IPv4 input traffic at the logical interface.
Action
Use the show interfaces operational mode command for the logical interface ge-2/0/5.0, and specify detail mode. The Protocol inet section of the command output displays IPv4 information for the logical interface. Within that section, the Input Filters field displays the name of the firewall filter applied to IPv4 input traffic at the logical interface.
user@host> show interfaces ge-2/0/5.0 detail
  Logical interface ge-2/0/5.0 (Index 105) (SNMP ifIndex 556) (Generation 170)
    Flags: Device-Down SNMP-Traps 0x4004000 Encapsulation: ENET2
    Traffic statistics:
     Input bytes : 0
     Output bytes : 0
     Input packets: 0
     Output packets: 0
    Local statistics:
     Input bytes : 0
     Output bytes : 0
     Input packets: 0
     Output packets: 0
    Transit statistics:
     Input bytes : 0 0 bps
     Output bytes : 0 0 bps
     Input packets: 0 0 pps
     Output packets: 0 0 pps
    Protocol inet, MTU: 1500, Generation: 242, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Input Filters: filter-srtcm1ca-all
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 10.20.130/24, Local: 10.20.130.1, Broadcast: 10.20.130.255, Generation: 171
    Protocol multiservice, MTU: Unlimited, Generation: 243, Route table: 0
      Policer: Input: __default_arp_policer__