Applying an Ingress Interface Policer
Policers allow you to limit traffic of a certain class to a specified bandwidth and burst size. You can use policers to limit the amount of traffic passing into or out of an interface. SRX5600 and SRX5800 devices support two I/O cards (IOCs) (40x1 Gigabit Ethernet IOC and 4x10 Gigabit Ethernet IOC) and allow only inbound (ingress) interface policers.
Note: For applying a simple filter or policing actions to logical interfaces residing in an SRX5000 line Flex IOC (FIOC) on SRX5600 and SRX5800 devices, see Configuring Simple Filters and Policers.
Consider the following when applying a policer to an ingress interface:
- You can configure a tricolor marker in the firewall; however, you cannot use the marker in the input policer (the CLI will block it). For more information on applying tricolor markers, see Example: Applying a Two-Rate Tricolor Marking Policer to a Firewall Filter.
- Only the following options are valid: logical-interface-policer, if-exceeding, and then. For more information on applying a stateless firewall filter to an interface, see JUNOS Software Routing Protocols and Policies Configuration Guide for Security Devices.
- For the if-exceeding option, only bandwidth-limit and burst-size-limit are valid options. The bandwidth-percent option is not supported.
- For the then option, discard is the only valid option.
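The restrictions in this list can be checked against a candidate configuration before it is committed. The following Python check is an added example, not part of the original documentation: it reads policer statements in set format and reports any option the list above rules out. The function name audit_policers, the policer name bad-p, and the rate and burst values are constructed for illustration.

```python
import re

# Constraints listed above for ingress interface policers on the
# SRX5600/SRX5800 IOCs.
ALLOWED_TOP = {"logical-interface-policer", "if-exceeding", "then"}
ALLOWED_IF_EXCEEDING = {"bandwidth-limit", "burst-size-limit"}
ALLOWED_THEN = {"discard"}

# set firewall policer <name> <option> [<suboption> ...]
SET_RE = re.compile(r"^set firewall policer (\S+) (\S+)(?: (\S+))?")

def audit_policers(config_text):
    """Return {policer_name: [problems]} for 'set'-format policer lines."""
    findings = {}
    for line in config_text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue  # not a policer statement
        name, option, suboption = m.groups()
        problems = findings.setdefault(name, [])
        if option not in ALLOWED_TOP:
            problems.append(f"unsupported option: {option}")
        elif option == "if-exceeding" and suboption not in ALLOWED_IF_EXCEEDING:
            problems.append(f"unsupported if-exceeding option: {suboption}")
        elif option == "then" and suboption not in ALLOWED_THEN:
            problems.append(f"unsupported then action: {suboption}")
    return findings

# Constructed sample configuration (policer bad-p and all values are illustrative).
SAMPLE = """\
set firewall policer ingress-p logical-interface-policer
set firewall policer ingress-p if-exceeding bandwidth-limit 10m
set firewall policer ingress-p if-exceeding burst-size-limit 625k
set firewall policer ingress-p then discard
set firewall policer bad-p if-exceeding bandwidth-percent 10
set firewall policer bad-p if-exceeding burst-size-limit 625k
set firewall policer bad-p then loss-priority high
set firewall policer bad-p filter-specific
"""

if __name__ == "__main__":
    for name, problems in audit_policers(SAMPLE).items():
        print(name, "OK" if not problems else problems)
```

A policer with an empty problem list uses only the options this list allows for an ingress interface policer.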
To filter packets transiting the device, apply the firewall filter to any nonrouting device.
To view the configuration of the firewall policer ingress-p, use the show configuration firewall policer command. For example:
