Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Configure and Apply TCM Policers

A tricolor marking (TCM) policer polices traffic on the basis of metering rates, including the CIR, the PIR, their associated burst sizes, and any policing actions configured for the traffic.

This topic describes how to configure and apply TCM policers.

Define a Tricolor Marking Policer

To configure a TCM policer, first enable tricolor marking if not already enabled:

You can configure a tricolor policer to discard high loss priority traffic on a logical interface in the ingress or egress direction.

You can specify the values for bps and bytes either as complete decimal numbers or as decimal numbers followed by the abbreviation k (1000), (1,000,000), or g (1,000,000,000).

The color-blind policer implicitly marks packets into three loss priority categories:

  • Low

  • Medium-high

  • High

Note:

In a single firewall filter term, you cannot configure both the loss-priority action modifier and the three-color-policer action modifier. These statements are mutually exclusive.

Table 1 describes all the configurable TCM statements.

Table 1: TCM Policer Statements

Statement

Meaning

Configurable Values

single-rate

Marking is based on the CIR, CBS, and EBS.

two-rate

Marking is based on the CIR, PIR, and rated burst sizes.

color-aware

Metering depends on the packet’s preclassification. Metering can increase a packet’s assigned PLP, but cannot decrease it.

color-blind

All packets are evaluated by the CIR or CBS. If a packet exceeds the CIR or CBS, it is evaluated by the PIR or EBS.

committed-information-rate

Guaranteed bandwidth under normal line conditions and the average rate up to which packets are marked green.

1500 through 100,000,000,000 bps

committed-burst-size

Maximum number of bytes allowed for incoming packets to burst above the CIR, but still be marked green.

1500 through 100,000,000,000 bytes

excess-burst-size

Maximum number of bytes allowed for incoming packets to burst above the CIR, but still be marked yellow.

1500 through 100,000,000,000 bytes

peak-information-rate

Maximum achievable rate. Packets that exceed the CIR but are below the PIR are marked yellow. Packets that exceed the PIR are marked red.

1500 through 100,000,000,000 bps

peak-burst-size

Maximum number of bytes allowed for incoming packets to burst above the PIR, but still be marked yellow.

1500 through 100,000,000,000 bytes

Define the TCM policer at the [edit firewall] hierarchy level:

  1. Create the TCM policer by defining a name for the policer.
  2. Discard traffic on a logical interface using tricolor marking policing.
  3. Define the filter as a logical interface policer.
  4. Configure a single-rate three-color policer in which marking is based on the committed information rate (CIR), committed burst size (CBS), and excess burst size (EBS).
  5. Configure a two-rate three-color policer in which marking is based on the committed information rate (CIR), committed burst size (CBS), peak information rate (PIR), and peak burst size (PBS).
  6. Confirm the configuration.
  7. Save the configuration.

Apply TCM Policers to Firewall Filters

To rate-limit traffic by applying a TCM policer to a firewall filter:

  • Set the three-color-policer statement at the edit firewall hierarchy level:

You can include this statement at the following hierarchy levels:

  • [edit firewall family family filter filter-name term rule-name then]

  • [edit firewall filter filter-name term rule-name then]

In the family statement, the protocol family can be any, ccc, inet, inet6, mpls, or vpls.

You must identify the referenced policer as a single-rate or two-rate policer, and this statement must match the configured TCM policer. Otherwise, an error message appears in the configuration listing.

For example, if you configure srTCM as a single-rate TCM policer and try to apply it as a two-rate policer, the following message appears:

Apply Firewall Filter TCM Policers to Interfaces

To apply a TCM policer to an interface, you must reference the filter name in the interface configuration.

  • Set the filter statement:

    Note:

    The filter name that you reference must have an attached tricolor marking policer.

You can include these statements at the following hierarchy levels:

  • [edit interfaces interface-name unit logical-unit-number family family]

  • [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family]

Example: Configure and Apply a Single-Rate TCM Policer

The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

This example describes how to configure and apply a color-blind, single-rate, TCM policer.

  1. Configure the single-rate, color-blind, TCM policer.
  2. Apply the policer to the fil firewall filter.
  3. Apply the fil firewall filter to the logical interface:
  4. Verify the configuration.
  5. Save the configuration.

Related Documentation