Example: Performing CoS at an Egress Network Boundary by Configuring an Egress Single-Rate Two-Color Policer
This example shows how to configure an egress single-rate two-color policer. Policers are built on a concept known as a token bucket. The policer enforces the class-of-service (CoS) strategy for in-contract and out-of-contract traffic. You can apply a single-rate two-color policer to incoming packets, outgoing packets, or both. This example applies the policer as an output (egress) policer and serves as an introduction to policing by showing traffic policing in action.
A thorough explanation of the token bucket concept and its underlying algorithms is beyond the scope of this document. For more information about traffic policing, and CoS in general, refer to QOS-Enabled Networks—Tools and Foundations by Miguel Barreiros and Peter Lundqvist. This book is available at many online booksellers and at www.juniper.net/books.
Requirements
To verify this procedure, this example uses a traffic generator. The traffic generator can be hardware-based or it can be software running on a server or host machine.
The functionality in this procedure is widely supported on devices that run Junos OS. The example shown here was tested and verified on MX Series routers running Junos OS Release 10.4.
Overview
Single-rate two-color policing enforces a configured rate of traffic flow for a particular service level by applying implicit or configured actions to traffic that does not conform to the limits. When you apply a single-rate two-color policer to the input or output traffic at an interface, the policer meters the traffic flow to the rate limit defined by the following components:
Bandwidth limit—The average number of bits per second permitted for packets received or transmitted at the interface. You can specify the bandwidth limit as an absolute number of bits per second or as a percentage value from 1 through 100. If a percentage value is specified, the effective bandwidth limit is calculated as a percentage of either the physical interface media rate or the logical interface configured shaping rate.
Burst-size limit—The maximum size permitted for bursts of data. Burst sizes are measured in bytes. We recommend two formulas for calculating burst size:
Burst size = bandwidth x allowable time for burst traffic / 8
Or
Burst size = interface mtu x 10
For information about configuring the burst size, see Determining Proper Burst Size for Traffic Policers.
Note: There is a finite buffer space for an interface. In general, the estimated total buffer depth for an interface is about 125 ms.
For a traffic flow that conforms to the configured limits (categorized as green traffic), packets are implicitly marked with a packet loss priority (PLP) level of low and are allowed to pass through the interface unrestricted.
For a traffic flow that exceeds the configured limits (categorized as red traffic), packets are handled according to the traffic-policing actions configured for the policer. This example discards packets that burst over the 15 KBps limit.
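To make the metering behaviour concrete, the following is an added Python model of the single-rate two-color policer and of the two burst-size formulas given above. It is illustrative code written for this page, not Junos software and not taken from the Juniper documentation; the class and function names, and the packet timings in the constructed scenario, are assumptions.

```python
from dataclasses import dataclass, field
from typing import Tuple

# Added illustration, not Junos code: a software model of a single-rate
# two-color policer. The bucket holds at most burst_size_bytes tokens (one
# token = one byte) and is refilled at bandwidth_limit_bps / 8 bytes per
# second. A packet that fits in the bucket is green (forwarded, PLP low); one
# that does not is red and, mirroring the example's 'then discard', is dropped.


def burst_size_from_time(bandwidth_bps: int, burst_seconds: float) -> int:
    """First formula above: bandwidth x allowable burst time / 8, in bytes."""
    return round(bandwidth_bps * burst_seconds / 8)


def burst_size_from_mtu(mtu_bytes: int) -> int:
    """Second formula above: interface MTU x 10, in bytes."""
    return mtu_bytes * 10


@dataclass
class SingleRateTwoColorPolicer:
    bandwidth_limit_bps: int
    burst_size_bytes: int
    tokens: float = field(init=False)
    last_arrival: float = field(init=False, default=0.0)
    green: int = field(init=False, default=0)
    red: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_size_bytes)  # bucket starts full

    def police(self, arrival_time: float, length: int) -> str:
        """Meter one packet of `length` bytes arriving at `arrival_time` (s)."""
        refill = (arrival_time - self.last_arrival) * self.bandwidth_limit_bps / 8
        self.tokens = min(float(self.burst_size_bytes), self.tokens + refill)
        self.last_arrival = arrival_time
        if length <= self.tokens:
            self.tokens -= length
            self.green += 1
            return "green"
        # Red packets never draw down the bucket, so a packet larger than the
        # bucket depth is red on every arrival: this is why the burst size must
        # be at least the interface MTU.
        self.red += 1
        return "red"


def simulate(bandwidth_bps: int, burst_bytes: int, count: int,
             length: int, interval: float) -> Tuple[int, int]:
    """Send `count` packets of `length` bytes every `interval` seconds through
    a fresh policer and return (green, red) packet counts."""
    policer = SingleRateTwoColorPolicer(bandwidth_bps, burst_bytes)
    for i in range(count):
        policer.police(i * interval, length)
    return policer.green, policer.red


if __name__ == "__main__":
    # Constructed scenario: the reduced verification parameters from this page
    # (8 Kbps, 1500-byte bucket) and 415-byte packets (hping's 40 header bytes
    # + 375 data bytes), sent ten times per second so the bucket actually
    # empties. Eight packets are green, twelve are red.
    print(simulate(8_000, 1_500, 20, 415, 0.1))
    print(burst_size_from_mtu(1500))                 # 15000 bytes, the 15k used on R1
    print(burst_size_from_time(700_000_000, 0.005))  # 437500 bytes for a 5 ms burst
```

The model deliberately ignores the rate granularity and byte-counting conventions of a hardware forwarding plane, so it will not reproduce the exact counters seen in the Verification section; what it does show is the rule that matters for configuration: the burst size bounds how much traffic can pass above the average rate, and a bucket smaller than one packet polices everything.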
To rate-limit Layer 3 traffic, you can apply a two-color policer in the following ways:
Directly to a logical interface, at a specific protocol level.
As the action of a standard stateless firewall filter that is applied to a logical interface, at a specific protocol level. This is the technique used in this example.
To rate-limit Layer 2 traffic, you can apply a two-color policer as a logical interface policer only. You cannot apply a two-color policer to Layer 2 traffic through a firewall filter.
You can choose either bandwidth-limit or bandwidth percent within the policer, as they are mutually exclusive. You cannot configure a policer to use bandwidth percent for aggregate, tunnel, or software interfaces.
In this example, the host is a traffic generator emulating a webserver. Devices R1 and R2 are owned by a service provider. The webserver is accessed by users behind Device R2. The host will be sending traffic with a source TCP HTTP port of 80 to the users. A single-rate two-color policer is configured and applied to the interface on Device R1 that connects to Device R2. The policer enforces the contractual bandwidth availability made between the owner of the webserver (in this case emulated by the host) and the service provider that owns Devices R1 and R2 for the web traffic that flows over the link that connects Devices R1 and R2.
In accordance with the contractual bandwidth availability made between the owner of the webserver and the service provider that owns Devices R1 and R2, the policer will limit the HTTP port 80 traffic originating from the host to using 700 Mbps (70 percent) of the available bandwidth with an allowable burst rate of 10 x the MTU size of the gigabit Ethernet interface between Devices R1 and R2.
In a real-world scenario you would probably also rate-limit traffic for a variety of other ports such as FTP, SFTP, SSH, TELNET, SMTP, IMAP, and POP3 because they are often included as additional services with web hosting services.
You need to leave some additional bandwidth available that is not rate-limited for network control protocols such as routing protocols, DNS, and any other protocols required to keep network connectivity operational. This is why the firewall filter has a final accept condition on it.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Device R1
set interfaces ge-2/0/5 description to-Host
set interfaces ge-2/0/5 unit 0 family inet address 172.16.70.2/30
set interfaces ge-2/0/8 description to-R2
set interfaces ge-2/0/8 unit 0 family inet address 10.50.0.1/30
set interfaces ge-2/0/8 unit 0 family inet filter output mf-classifier
set interfaces lo0 unit 0 description looback-interface
set interfaces lo0 unit 0 family inet address 192.168.13.1/32
set firewall policer discard if-exceeding bandwidth-limit 700m
set firewall policer discard if-exceeding burst-size-limit 15k
set firewall policer discard then discard
set firewall family inet filter mf-classifier term t1 from protocol tcp
set firewall family inet filter mf-classifier term t1 from port 80
set firewall family inet filter mf-classifier term t1 then policer discard
set firewall family inet filter mf-classifier term t2 then accept
set protocols ospf area 0.0.0.0 interface ge-2/0/5.0 passive
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-2/0/8.0
Device R2
set interfaces ge-2/0/7 description to-Host
set interfaces ge-2/0/7 unit 0 family inet address 172.16.80.2/30
set interfaces ge-2/0/8 description to-R1
set interfaces ge-2/0/8 unit 0 family inet address 10.50.0.2/30
set interfaces lo0 unit 0 description looback-interface
set interfaces lo0 unit 0 family inet address 192.168.14.1/32
set protocols ospf area 0.0.0.0 interface ge-2/0/7.0 passive
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-2/0/8.0
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure Device R1:
Configure the device interfaces.
[edit interfaces]
user@R1# set ge-2/0/5 description to-Host
user@R1# set ge-2/0/5 unit 0 family inet address 172.16.70.2/30
user@R1# set ge-2/0/8 description to-R2
user@R1# set ge-2/0/8 unit 0 family inet address 10.50.0.1/30
user@R1# set lo0 unit 0 description looback-interface
user@R1# set lo0 unit 0 family inet address 192.168.13.1/32
Configure the policer to rate-limit to a bandwidth of 700 Mbps and a burst size of 15 KBps for HTTP traffic (TCP port 80).
[edit firewall policer discard]
user@R1# set if-exceeding bandwidth-limit 700m
user@R1# set if-exceeding burst-size-limit 15k
Configure the policer to discard packets in the red traffic flow.
[edit firewall policer discard]
user@R1# set then discard
Configure the two match conditions of the firewall filter term so that it matches all TCP traffic on the HTTP port (port 80).
[edit firewall family inet filter mf-classifier]
user@R1# set term t1 from protocol tcp
user@R1# set term t1 from port 80
Configure the firewall action to rate-limit HTTP TCP traffic using the policer.
[edit firewall family inet filter mf-classifier]
user@R1# set term t1 then policer discard
At the end of the firewall filter, configure a default action that accepts all other traffic. Otherwise, all traffic that reaches the filter on the interface and is not explicitly accepted is discarded.
[edit firewall family inet filter mf-classifier]
user@R1# set term t2 then accept
Apply the firewall filter to interface ge-2/0/8 as an output filter.
[edit interfaces ge-2/0/8 unit 0 family inet]
user@R1# set filter output mf-classifier
Configure OSPF.
[edit protocols ospf]
user@R1# set area 0.0.0.0 interface ge-2/0/5.0 passive
user@R1# set area 0.0.0.0 interface lo0.0 passive
user@R1# set area 0.0.0.0 interface ge-2/0/8.0
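The filter built in the steps above can be reasoned about with the following added Python model of term evaluation. This is illustrative code written for this page, not Junos software; Packet, Term, and evaluate are assumed names, and the modelled semantics are that terms are tried in order, the first term whose every match condition holds decides the action, port matches either the source or the destination port, and a packet that matches no term hits the implicit discard at the end of the filter. It shows why the final accept term (t2) is what keeps OSPF and other control traffic flowing.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added illustration, not Junos code: a minimal model of how the terms of a
# stateless firewall filter are evaluated, used here to show the effect of the
# final 'term t2 then accept' on traffic that term t1 does not match.


@dataclass(frozen=True)
class Packet:
    protocol: str   # "tcp", "udp", "ospf", ...
    sport: int = 0  # source port (0 when the protocol has none)
    dport: int = 0  # destination port


@dataclass(frozen=True)
class Term:
    name: str
    protocol: Optional[str] = None  # 'from protocol' match; None means any
    port: Optional[int] = None      # 'from port' match: source OR destination
    action: str = "accept"          # the 'then' action


def evaluate(terms: List[Term], packet: Packet) -> Tuple[Optional[str], str]:
    """Return (name of the matching term, action). Terms are tried in order and
    the first term whose every 'from' condition holds decides. No match means
    the implicit discard that ends every filter."""
    for term in terms:
        if term.protocol is not None and term.protocol != packet.protocol:
            continue
        if term.port is not None and term.port not in (packet.sport, packet.dport):
            continue
        return term.name, term.action
    return None, "discard"


# The mf-classifier filter from the example: t1 hands TCP port 80 traffic to
# the 'discard' policer, t2 accepts everything else.
MF_CLASSIFIER = [
    Term("t1", protocol="tcp", port=80, action="policer discard"),
    Term("t2", action="accept"),
]

# The same filter with the final accept term left out.
MF_CLASSIFIER_NO_T2 = MF_CLASSIFIER[:1]


if __name__ == "__main__":
    http_reply = Packet("tcp", sport=80, dport=51234)  # constructed web traffic
    ospf_hello = Packet("ospf")                        # constructed control traffic
    print(evaluate(MF_CLASSIFIER, http_reply))         # ('t1', 'policer discard')
    print(evaluate(MF_CLASSIFIER, ospf_hello))         # ('t2', 'accept')
    print(evaluate(MF_CLASSIFIER_NO_T2, ospf_hello))   # (None, 'discard')
```

Without t2 the OSPF hello falls through to the implicit discard, which on the ge-2/0/8 link would take down the adjacency between R1 and R2; with t2 in place only the TCP port 80 traffic is metered and everything else is accepted unmetered, as the Overview requires for network control protocols.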
Step-by-Step Procedure
To configure Device R2:
Configure the device interfaces.
[edit interfaces]
user@R2# set ge-2/0/7 description to-Host
user@R2# set ge-2/0/7 unit 0 family inet address 172.16.80.2/30
user@R2# set ge-2/0/8 description to-R1
user@R2# set ge-2/0/8 unit 0 family inet address 10.50.0.2/30
user@R2# set lo0 unit 0 description looback-interface
user@R2# set lo0 unit 0 family inet address 192.168.14.1/32
Configure OSPF.
[edit protocols ospf]
user@R2# set area 0.0.0.0 interface ge-2/0/7.0 passive
user@R2# set area 0.0.0.0 interface lo0.0 passive
user@R2# set area 0.0.0.0 interface ge-2/0/8.0
Results
From configuration mode, confirm your configuration by entering the show interfaces, show firewall, and show protocols ospf commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
user@R1# show interfaces
ge-2/0/5 {
    description to-Host;
    unit 0 {
        family inet {
            address 172.16.70.2/30;
        }
    }
}
ge-2/0/8 {
    description to-R2;
    unit 0 {
        family inet {
            filter {
                output mf-classifier;
            }
            address 10.50.0.1/30;
        }
    }
}
lo0 {
    unit 0 {
        description looback-interface;
        family inet {
            address 192.168.13.1/32;
        }
    }
}
user@R1# show firewall
family inet {
    filter mf-classifier {
        term t1 {
            from {
                protocol tcp;
                port 80;
            }
            then policer discard;
        }
        term t2 {
            then accept;
        }
    }
}
policer discard {
    if-exceeding {
        bandwidth-limit 700m;
        burst-size-limit 15k;
    }
    then discard;
}
user@R1# show protocols ospf
area 0.0.0.0 {
    interface ge-2/0/5.0 {
        passive;
    }
    interface lo0.0 {
        passive;
    }
    interface ge-2/0/8.0;
}
If you are done configuring Device R1, enter commit from configuration mode.
user@R2# show interfaces
ge-2/0/7 {
    description to-Host;
    unit 0 {
        family inet {
            address 172.16.80.2/30;
        }
    }
}
ge-2/0/8 {
    description to-R1;
    unit 0 {
        family inet {
            address 10.50.0.2/30;
        }
    }
}
lo0 {
    unit 0 {
        description looback-interface;
        family inet {
            address 192.168.14.1/32;
        }
    }
}
user@R2# show protocols ospf
area 0.0.0.0 {
    interface ge-2/0/7.0 {
        passive;
    }
    interface lo0.0 {
        passive;
    }
    interface ge-2/0/8.0;
}
If you are done configuring Device R2, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Clearing the Counters
Purpose
Confirm that the firewall counters are cleared.
Action
On Device R1, run the clear firewall all command to reset the firewall counters to 0.
user@R1> clear firewall all
Sending TCP Traffic into the Network and Monitoring the Discards
Purpose
Make sure that the traffic of interest that is sent is rate-limited on the output interface (ge-2/0/8).
Action
Use a traffic generator to send 20 TCP packets with a source port of 80.
The -s flag sets the source port. The -k flag causes the source port to remain steady at 80 instead of incrementing. The -c flag sets the number of packets to 10. The -d flag sets the packet size.
The destination IP address of 172.16.80.1 represents a user that is downstream of Device R2. The user has requested a webpage from the host (the webserver emulated by the traffic generator), and the packets are sent in response to the request.
Note: In this example the policer numbers are reduced to a bandwidth limit of 8 Kbps and a burst size limit of 1500 KBps to ensure that some packets are dropped.
[root@host]# hping 172.16.80.1 -s 80 -k -d 375 -c 20
HPING 172.16.80.1 (eth1 172.16.80.1): NO FLAGS are set, 40 headers + 375 data bytes
len=46 ip=172.16.80.1 ttl=62 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=4000.8 ms
. . .
--- 172.16.80.1 hping statistic ---
20 packets transmitted, 12 packets received, 40% packet loss
On Device R1, check the firewall counters by using the show firewall command.
user@R1> show firewall
Filter: mf-classifier
Policers:
Name                Bytes    Packets
discard-t1           3320          8
Meaning
In Steps 1 and 2 the output from both devices shows that 8 packets were discarded. This means that there was at least 8 Kbps of green (in-contract HTTP port 80) traffic and that the 1500 KBps burst option for red out-of-contract HTTP port 80 traffic was exceeded.