Two-Color Policer Configuration Overview

Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, you can configure and apply single-rate two-color policers to Layer 3 traffic.

Note:

For vSRX Virtual Firewall, SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, and SRX4600 firewalls, we recommend limiting the traffic rate in a given policer to 80 Mbps or less.

Table 1 describes the hierarchy levels at which you can configure and apply them.

Table 1: Two-Color Policer Configuration and Application Overview
Policer Configuration	Layer 3 Application	Key Points
Single-Rate Two-Color Policer Defines traffic rate limiting that you can apply to Layer 3 protocol-specific traffic at a logical interface. Can be applied as an interface policer or as a firewall filter policer.
Basic policer configuration: [edit firewall] policer `policer-name` { if-exceeding { bandwidth-limit `bps`; burst-size-limit `bytes`; } then { discard; forwarding-class `class-name`; loss-priority `supported-value`; } }	Method A—Apply as an interface policer at the protocol family level: [edit interfaces] `interface-name` { unit `unit-number` { family `family-name` { policer { input `policer-name`; output `policer-name`; } } } } Method B—Apply as a firewall filter policer at the protocol family level: [edit firewall] family `family-name` { filter `filter-name` { interface-specific; # (`*`) from { ... `match-conditions` ... } then { policer `policer-name`; } } } [edit interfaces] `interface-name` { unit `unit-number` { family `family-name` { filter { input `filter-name`; output `filter-name`; } ... `protocol-configuration` ... } } }	Policer configuration: Use `bandwidth-limit bps` to specify an absolute value. Firewall filter configuration (`*`) If applying to multiple interfaces, include the `interface-specific` statement to create unique policers and counters for each interface. Interface policer verification: Use the `show interfaces (detail \| extensive)` operational mode command. Use the `show policer` operational mode command. Firewall filter policer verification: Use the `show interfaces (detail \| extensive)` operational mode command. Use the `show firewall filter filter-name` operational mode command.
Logical Interface (Aggregate) Policer Defines traffic rate limiting that you can apply to multiple protocol families on the same logical interface without creating multiple instances of the policer. Can be applied directly to a logical interface configuration only.
Logical interface policer configuration: [edit firewall] policer `policer-name` { logical-interface-policer; if-exceeding { bandwidth-limit `bps`; burst-size-limit `bytes`; } then { discard; forwarding-class `class-name`; loss-priority `supported-value`; } }	Method A—Apply as an interface policer only: [edit interfaces] `interface-name` { unit `unit-number` { policer { # All protocols input `policer-name`; output `policer-name`; } family `family-name` { policer { # One protocol input `policer-name`; output `policer-name`; } } } } Method B—Apply as a firewall filter policer at the protocol family level: [edit firewall] family `family-name` { filter `filter-name` { interface-specific; term `term-name`{ from { ... `match-conditions` ... } } then { policer `policer-name`; } } }	Policer configuration: Include the `logical-interface-policer` statement. Two options for interface policer application: To rate-limit all traffic types, regardless of the protocol family, apply the logical interface policer at the logical unit level. To rate-limit traffic of a specific protocol family, apply the logical interface policer at the protocol family level. Interface policer verification: Use the `show interfaces (detail \| extensive)` operational mode command. Use the `show policer` operational mode command.

Release History Table

Release

Description

15.1X49-D40

Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, you can configure and apply single-rate two-color policers to Layer 3 traffic.

Two-Color Policer Configuration Overview

Related Documentation