Ingress Queuing Filter with Policing Functionality
Starting with Junos OS Release 18.1R1, on MPCs that support ingress queuing, you can implement policer actions, along with other filter actions, on traffic before the traffic is assigned to ingress queues. Ingress queuing policing filters allow you to rate limit traffic as well as count and set the forwarding class and packet loss priority for packets prior to ingress queue selection. Class-of-service (CoS) commands can then be used to select ingress queuing parameters.
Understanding the Ingress Queuing Policing Filter
The ingress queuing policing filter (iq-policing-filter) function similarly and at the same point as the ingress policing
filter (ingress-queuing-filter), which was introduced in Junos OS Release 16.1, but provides
the added benefit of accepting almost all filter actions, including
policing and counting actions. The ingress queuing policing filter
is also more efficient, requiring fewer system resources.
Ingress queuing filters are only available when the traffic
manager mode is set to ingress-and-egress at the [edit
chassis fpc fpc-id pic pic-id traffic-manager mode] hierarchy level.
The iq-policing-filter configuration statement is
used at the [edit interfaces interface-name unit unit-number family family-name] hierarchy level to designate a previously configured firewall
filter to be used as an ingress queuing policing filter. The following
list shows which protocol families are compatible with the iq-policing-filter statement:
bridgeinetvpls
See Also
Example: Configuring a Filter for Use as an Ingress Queuing Policing Filter
This example shows how to configure a firewall
filter for use as an ingress queuing policing filter. The ingress
queuing filter assists in ingress traffic policing operations by allowing
you to rate limit traffic prior to ingress queue selection. The firewall
filter must be configured within one of the following protocol families: bridge, inet, or vpls.
The ingress queuing policing filter can only be used on MX Series routers with MPCs that support ingress queuing. An error is generated at commit if the ingress queuing filter is applied to an interface on any other type of port concentrator.
Requirements
This example uses the following hardware and software components:
An MX Series router with an MPC that supports ingress queuing
In order for ingress queuing filters to function, ingress-and-egress must be configured as the traffic-manager mode at the [edit chassis fpc slot pic slot traffic-manager mode] hierarchy level.
Overview
In this example, you create a firewall filter named vpls_iqp_filter in the vpls protocol family that counts and polices voice
and best effort traffic. You then apply the vpls_iqp_filter filter to the xe-0/0/0.0 logical interface as an ingress queuing
policing filter.
To configure a firewall filter and apply it for use as an ingress queuing filter involves:
Creating a firewall filter named
vpls_iqp_filterin thevplsprotocol family with the following actions:count,forwarding- classandpolicer.Applying the firewall filter to the xe-0/0/0.0 interface as an ingress queuing policing filter.
Configuration
- CLI Quick Configuration
- Configuring the Firewall Filter and Applying It to an Interface as an Input Queuing Policing Filter
- Results
CLI Quick Configuration
To quickly configure this example, copy the following
commands, paste them into a text file, remove any line breaks, change
any details necessary to match your network configuration, and then
copy and paste the commands into the CLI at the [edit] hierarchy
level.
set firewall family vpls filter vpls_iqp_filter interface-specific set firewall family vpls filter vpls_iqp_filter term VoiceSum from learn-vlan-1p-priority 5 set firewall family vpls filter vpls_iqp_filter term VoiceSum then count VoiceSum set firewall family vpls filter vpls_iqp_filter term VoiceSum then forwarding-class Voice set firewall family vpls filter vpls_iqp_filter term VoiceSum then next term set firewall family vpls filter vpls_iqp_filter term Voice from learn-vlan-1p-priority 5 set firewall family vpls filter vpls_iqp_filter term Voice then policer Voice-IN set firewall family vpls filter vpls_iqp_filter term Voice then count Voice set firewall family vpls filter vpls_iqp_filter term Voice then accept set firewall family vpls filter vpls_iqp_filter term BestEffortSum then count BestEffortSum set firewall family vpls filter vpls_iqp_filter term BestEffortSum then next term set firewall family vpls filter vpls_iqp_filter term BestEffort then policer BestEffort-IN set firewall family vpls filter vpls_iqp_filter term BestEffort then count BestEffort set firewall family vpls filter vpls_iqp_filter term BestEffort then accept set firewall family vpls filter vpls_iqp_filter policer pol-vpls if-exceeding bandwidth-limit 400m set firewall family vpls filter vpls_iqp_filter policer pol-vpls if-exceeding burst-size-limit 40m set firewall family vpls filter vpls_iqp_filter policer pol-vpls then discard set firewall family vpls filter vpls_iqp_filter policer Voice-IN if-exceeding bandwidth-limit 100m set firewall family vpls filter vpls_iqp_filter policer Voice-IN if-exceeding burst-size-limit 10m set firewall family vpls filter vpls_iqp_filter policer Voice-IN then loss-priority high set firewall family vpls filter vpls_iqp_filter policer BestEffort-IN if-exceeding bandwidth-limit 350m set firewall family vpls filter vpls_iqp_filter policer BestEffort-IN if-exceeding burst-size-limit 30m set firewall family vpls filter vpls_iqp_filter policer BestEffort-IN then loss-priority high set interfaces xe-0/0/0 unit 0 family vpls iq-policing-filter vpls_iqp_filter
Configuring the Firewall Filter and Applying It to an Interface as an Input Queuing Policing Filter
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure the firewall filter, vpls_iqp_filter, and apply it to logical interface xe-0/0/0 unit 0:
Create a firewall filter named
vpls_iqp_filter.[edit firewall family vpls filter vpls_iqp_filter]user@router# set interface-specific user@router# set term VoiceSum from learn-vlan-1p-priority 5 user@router# set term VoiceSum then count VoiceSum user@router# set term VoiceSum then forwarding-class Voice user@router# set term VoiceSum then next term user@router# set term Voice from learn-vlan-1p-priority 5 user@router# set term Voice then policer Voice-IN user@router# set term Voice then count Voice user@router# set term Voice then accept user@router# set term BestEffortSum then count BestEffortSum user@router# set term BestEffortSum then next term user@router# set term BestEffort then policer BestEffort-IN user@router# set term BestEffort then count BestEffort user@router# set term BestEffort then accept user@router# set policer pol-vpls if-exceeding bandwidth-limit 400m user@router# set policer pol-vpls if-exceeding burst-size-limit 40m user@router# set policer pol-vpls then discard user@router# set policer Voice-IN if-exceeding bandwidth-limit 100m user@router# set policer Voice-IN if-exceeding burst-size-limit 10m user@router# set policer Voice-IN then loss-priority high user@router# set policer BestEffort-IN if-exceeding bandwidth-limit 350m user@router# set policer BestEffort-IN if-exceeding burst-size-limit 30m user@router# set policer BestEffort-IN then loss-priority highApply the firewall filter to the logical interface.
[edit interfaces xe-0/0/0]user@router# set unit 0 family vpls iq-policing-filter vpls_iqp_filter
Results
From configuration mode, confirm your configuration
by entering the show firewall and the show interfaces
xe-0/0/0.0 commands. If the output does not display the intended
configuration, repeat the instructions in this example to correct
the configuration.
user@router# show firewall family vpls filter vpls_iqp_filter
interface-specific;
term VoiceSum {
from {
learn-vlan-1p-priority 5;
}
then {
count VoiceSum;
forwarding-class Voice;
next term;
}
}
term Voice {
from {
learn-vlan-1p-priority 5;
}
then {
policer Voice-IN;
count Voice;
accept;
}
}
term BestEffortSum {
then {
count BestEffortSum;
next term;
}
}
term BestEffort {
then {
policer BestEffort-IN;
count BestEffort;
accept;
}
}
policer pol_vpls {
if-exceeding {
bandwidth-limit 400m;
burst-size-limit 40m;
}
then discard;
}
policer Voice-IN {
if-exceeding {
bandwidth-limit 100m;
burst-size-limit 10m;
}
then loss-priority high;
}
policer BestEffort-IN {
if-exceeding {
bandwidth-limit 350m;
burst-size-limit 30m;
}
then loss-priority high;
}
user@router# show interfaces xe-0/0/0 unit 0
family vpls {
iq-policing-filter vpls_iqp_filter;
}
If you are done configuring the device, enter commit from configuration mode.
user@router# commit