Physical Interface Policers Configuration

A physical interface policer defines rate-limiting parameters for all the logical interfaces and protocol families configured on a physical interface. These logical interfaces can belong to different routing instances. You reference the policer within one or more firewall filters. You must also apply the physical interface policer as an action for each term used to define a set of match conditions for traffic on which you want to perform rate limiting. You apply the firewall filters as input or output filters to the logical interfaces configured on the physical interface referenced in the policer.

The following sections describe how to configure a physical interface policer, reference the policer within a firewall filter, apply the policer as an action for a firewall filter term, and apply (to a logical interface) a firewall filter that references a physical interface policer.

Configuring Physical Interface Policers

To configure a policer for a physical interface:

  1. Include the physical-interface-policer statement at the [edit firewall policer policer-name] hierarchy level.
  2. Include the if-exceeding statement at the [edit firewall policer policer-name] hierarchy level to define rate-limiting parameters for the policer.

    For the if-exceeding statement, you must configure the following parameters:

    • bandwidth-limit bps—Traffic rate, in bits per second (bps)
    • burst-size-limit bytes—Maximum burst size, in bytes
  3. Include the then policer-action statement at the [edit firewall policer policer-name] hierarchy level to apply an action to the policer.

    For policer-action, you can apply the following:

    • discard—Discard a packet that exceeds the rate limits
    • loss-priority level—Set the loss priority level to low, medium-low, medium-high, or high.
    • forwarding-class class-name—Specify the forwarding class for any class-name already configured.

In the following example, a physical interface policer, shared-police1, is configured to rate-limit traffic at 100,000,000 bps and to permit a maximum burst of traffic of 500,000 bytes. The discard action results in the discarding of packets that exceed the configured rate limits.

[edit]
firewall {
    policer shared-police1 {
        physical-interface-policer;
        if-exceeding {
            bandwidth-limit 100m;
            burst-size-limit 500k;
        }
        then {
            discard;
        }
    }
}

Configuring Firewall Filters That Reference Physical Interface Policers

To use a physical interface policer, you must reference it in a firewall filter. For each filter, you also configure one or more terms, each with match conditions that define the types of traffic to be rate-limited. To apply the policer to traffic that meets the match conditions in a term, you configure the physical interface policer as an action for the term.

To configure a firewall filter that references a physical interface policer:

  1. Include the physical-interface-filter statement at the [edit firewall family family-name filter filter-name] hierarchy level.

    Note: You cannot specify family any. You must configure a specific protocol family for a firewall filter that references a physical interface policer.

  2. Include the term term-name statement at the [edit firewall family family-name filter filter-name] hierarchy level to define a term.
  3. Include the from match-conditions statement at the [edit firewall family family-name filter filter-name term term-name] hierarchy level to define the characteristics a packet must have for the rate limiting defined in the physical interface policer to be applied to it.

    For more information about configuring specific match conditions, see Overview of Match Conditions in Firewall Filter Terms.

  4. Include the then policer policer-name statement at the [edit firewall family family-name filter filter-name term term-name] hierarchy level to apply the specified physical interface policer as an action for the specified term. The rate-limiting parameters defined in the physical interface policer are performed on any traffic that matches the conditions defined in the term.

In the following example, a firewall filter is configured as a physical interface filter that references the shared-police1 physical interface policer. The filter is configured with family inet as the protocol family. A term tcp-police-1 is defined to match any IPv4 traffic received through TCP with the IP precedence field set to critical-ecp, immediate, or priority. IPv4 traffic that matches these characteristics is rate-limited as defined in the shared-police1 policer, which is applied as an action to the term tcp-police-1. A second term, tcp-police-2, is defined to match IPv4 traffic received through TCP with the IP precedence field set to internet-control or routine. IPv4 traffic that matches these characteristics is likewise rate-limited by the shared-police1 policer, which is applied as an action to the term tcp-police-2.

[edit firewall]
family inet {
    filter inet-filter {
        physical-interface-filter;
        term tcp-police-1 {
            from {
                precedence [ critical-ecp immediate priority ];
                protocol tcp;
            }
            then policer shared-police1;
        }
        term tcp-police-2 {
            from {
                precedence [ internet-control routine ];
                protocol tcp;
            }
            then policer shared-police1;
        }
    }
}

Applying Firewall Filters That Reference Physical Interface Policers

After you configure a firewall filter that references a physical interface policer, you apply it as an input or an output filter to a logical interface.

To apply a firewall filter that references a physical interface policer as an input filter:

  • Include the input filter-name statement at the [edit interfaces interface-name unit logical-unit-number family family-name filter] hierarchy level.

To apply a firewall filter that references a physical interface policer as an output filter:

  • Include the output filter-name statement at the [edit interfaces interface-name unit logical-unit-number family family-name filter] hierarchy level.

In the following example, firewall filter inet-filter is applied to family inet on interface ge-1/2/0.0. The filter is applied to incoming IPv4 traffic on the interface.

[edit]
interfaces {
    ge-1/2/0 {
        unit 0 {
            family inet {
                filter {
                    input inet-filter;
                }
                address 10.100.16.2/24;
            }
        }
    }
}
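The three procedures above produce one configuration whose [edit firewall] and [edit interfaces] hierarchies must agree: the policer carries physical-interface-policer, every filter that references it carries physical-interface-filter under a specific protocol family (never family any), and the filter is then applied to logical units of the physical interface. The following Python script is an added example, not Juniper's code or part of the original documentation. It parses the curly-brace configuration format shown on this page into nested dicts, checks those stated rules, and reports on which logical interfaces each filter is applied. The sample configuration is constructed from the page's snippets, with two deliberately inconsistent filters (plain-filter and any-filter) added so that the check has something to report; the parser handles only the subset of Junos syntax that appears on this page.

```python
"""Parse Junos-style configuration text and check physical interface policer use.

Added example; not Juniper's code or part of the original documentation.
Handles only the curly-brace syntax seen on this page. SAMPLE_CONFIG is
constructed from the page's snippets plus two deliberately wrong filters:
plain-filter references the physical interface policer without being a
physical-interface-filter, and any-filter is a physical-interface-filter
under family any."""
import re

SAMPLE_CONFIG = """
firewall {
    policer shared-police1 {
        physical-interface-policer;
        if-exceeding { bandwidth-limit 100m; burst-size-limit 500k; }
        then { discard; }
    }
    family inet {
        filter inet-filter {
            physical-interface-filter;
            term tcp-police-1 {
                from { precedence [ critical-ecp immediate priority ]; protocol tcp; }
                then policer shared-police1;
            }
        }
        filter plain-filter {
            term t1 { from { protocol udp; } then policer shared-police1; }
        }
    }
    family any {
        filter any-filter { physical-interface-filter; term t1 { then policer shared-police1; } }
    }
}
interfaces {
    ge-1/2/0 {
        unit 0 { family inet { filter { input inet-filter; } address 10.100.16.2/24; } }
    }
}
"""

# Tokens: braces, semicolons, and any run of other non-blank characters.
TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")


def parse(text):
    """Return nested dicts: 'statement text' -> child dict for '{ }' blocks, None for leaves."""
    tokens, pos = TOKEN.findall(text), 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok, pos = tokens[pos], pos + 1
            if tok == "}":
                return node
            if tok in "{;":          # statement ends: either opens a block or is a leaf
                node[" ".join(words)] = block() if tok == "{" else None
                words = []
            else:
                words.append(tok)
        return node

    return block()


def _named(node, keyword):
    """Yield (name, body) for two-word statements 'keyword name' directly under node."""
    for key, body in (node or {}).items():
        parts = key.split()
        if len(parts) == 2 and parts[0] == keyword:
            yield parts[1], body or {}


def check_physical_interface_policers(config):
    """Return a list of findings; empty means the filters follow the page's rules:
    a physical-interface-policer is referenced only from a physical-interface-filter,
    such a filter needs a specific family (not any), and referenced policers exist."""
    findings = []
    firewall = config.get("firewall", {})
    policers = dict(_named(firewall, "policer"))
    physical = {n for n, body in policers.items() if "physical-interface-policer" in body}
    for family, fam_body in _named(firewall, "family"):
        for filt, filt_body in _named(fam_body, "filter"):
            phys_filter = "physical-interface-filter" in filt_body
            if phys_filter and family == "any":
                findings.append(f"filter {filt}: physical-interface-filter requires a specific family, not any")
            for term, term_body in _named(filt_body, "term"):
                for stmt in term_body:
                    m = re.fullmatch(r"then policer (\S+)", stmt)
                    if not m:
                        continue
                    pol, where = m.group(1), f"filter {filt} term {term}"
                    if pol not in policers:
                        findings.append(f"{where}: policer {pol} is not defined")
                    elif pol in physical and not phys_filter:
                        findings.append(f"{where}: physical interface policer {pol} referenced "
                                        "from a filter without physical-interface-filter")
    return findings


def filter_applications(config):
    """Map filter name -> [(logical interface, family, direction)] where it is applied."""
    apps = {}
    for ifd, ifd_body in config.get("interfaces", {}).items():
        for unit, unit_body in _named(ifd_body, "unit"):
            for family, fam_body in _named(unit_body, "family"):
                for stmt in fam_body.get("filter") or {}:   # 'input name' / 'output name'
                    direction, name = stmt.split()
                    apps.setdefault(name, []).append((f"{ifd}.{unit}", family, direction))
    return apps


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    for line in check_physical_interface_policers(cfg) or ["no findings"]:
        print(line)
    print(filter_applications(cfg))
```

Run against the sample, the script reports the two constructed mistakes and shows inet-filter applied as an input filter on ge-1/2/0.0 under family inet; a configuration that follows the page's procedure yields no findings. The parser is intentionally minimal (no comments, no `[edit ...]` banner lines), so feed it the configuration body as displayed by `show configuration`.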

Published: 2010-04-15