Simple Filters and Policers Overview

You can configure simple filters and policers to handle oversubscribed traffic in SRX1400, SRX3400, SRX3600, SRX5600 and SRX5800 firewalls. In Junos OS, policers can be configured as part of the firewall filter hierarchy. (Platform support depends on the Junos OS release in your installation.)

Note:

For SRX5600 and SRX5800 firewalls, the simple filter or policing actions can be applied only to logical interfaces residing in an SRX5000 line Flex IOC (FIOC) because only an SRX5000 line FIOC supports the simple filter and policing features on the SRX5600 and SRX5800 firewalls.

The simple filter functionality consists of the following:

  • Classifying packets according to configured policies

  • Taking appropriate actions based on the results of classification

In Junos OS, ingress traffic policers can limit the rate of incoming traffic. The main reasons to use traffic policing are:

  • To enforce traffic rates to conform to the service-level agreement (SLA)

  • To protect next hops, such as the central point and the SPU, from being overwhelmed by excess traffic such as DoS attacks

  • For SRX5000 line firewalls with FIOC, use of ingress traffic policers can prevent the central point and the SPU from being overwhelmed by traffic, for example in a DDoS attack.

Using the results of packet classification and traffic metering, a policer can take one of the following actions for a packet: forward a conforming (green) packet or drop a nonconforming (yellow) packet. Policers always discard a nonconforming red packet. Traffic metering uses the two-rate tricolor marker (TCM) algorithm (see RFC 2698, A Two Rate Three Color Marker).
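The following is an added illustration of the metering and policing behaviour described above; it is not Junos OS code and does not model the SRX hardware implementation. It implements the colour-blind two-rate three-colour marker from RFC 2698 (two token buckets refilled at the committed and peak rates) and then applies the policer actions the page states: forward green, drop yellow and red. The rates, bucket sizes and the sample burst are constructed values.

```python
"""Two-rate three-colour marker (RFC 2698) followed by a policer stage.

Added example, not Junos OS code. Rates are in bytes per second, bucket
sizes in bytes, and packet arrival times in seconds.
"""
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class TrTCM:
    cir: float  # committed information rate (bytes/s)
    cbs: int    # committed burst size (bytes): capacity of bucket C
    pir: float  # peak information rate (bytes/s)
    pbs: int    # peak burst size (bytes): capacity of bucket P
    tc: float = field(init=False, default=0.0)   # tokens in bucket C
    tp: float = field(init=False, default=0.0)   # tokens in bucket P
    last: float = field(init=False, default=0.0)  # time of last refill

    def __post_init__(self):
        # RFC 2698 section 3: both buckets start full.
        self.tc = float(self.cbs)
        self.tp = float(self.pbs)

    def _refill(self, now):
        # Tokens accrue at CIR / PIR per second, capped at CBS / PBS.
        dt = max(0.0, now - self.last)
        self.last = now
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.tp = min(self.pbs, self.tp + self.pir * dt)

    def color(self, size, now):
        """Colour-blind marking of a packet of `size` bytes arriving at `now`."""
        self._refill(now)
        if self.tp - size < 0:
            return RED        # exceeds peak rate; no tokens are consumed
        if self.tc - size < 0:
            self.tp -= size
            return YELLOW     # within peak rate but above committed rate
        self.tp -= size
        self.tc -= size
        return GREEN          # within committed rate


def police(packets, cir, cbs, pir, pbs):
    """Policer actions as stated on the page: forward green, drop yellow and red.

    `packets` is an iterable of (arrival_time_s, size_bytes). Returns per-colour
    packet counts plus the total bytes forwarded.
    """
    meter = TrTCM(cir, cbs, pir, pbs)
    stats = {GREEN: 0, YELLOW: 0, RED: 0, "forwarded_bytes": 0}
    for t, size in packets:
        c = meter.color(size, t)
        stats[c] += 1
        if c == GREEN:
            stats["forwarded_bytes"] += size
    return stats


# Constructed sample: a burst of ten 1000-byte packets arriving together at t=0.
SAMPLE_BURST = [(0.0, 1000)] * 10

if __name__ == "__main__":
    # With CIR=8000 B/s, CBS=2000 B, PIR=16000 B/s, PBS=5000 B the burst yields
    # 2 green (forwarded), 3 yellow and 5 red (all dropped).
    print(police(SAMPLE_BURST, 8000, 2000, 16000, 5000))
    # The same packets paced at exactly the CIR (one per 0.125 s) are all green.
    print(police([(i * 0.125, 1000) for i in range(16)], 8000, 2000, 16000, 5000))
```

The burst case shows why the page distinguishes the two nonconforming colours: the first packets above the committed bucket are still within the peak bucket (yellow), and only once the peak bucket is also exhausted do packets become red, which a policer always discards.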