Ingress Queuing Filter with Policing Functionality
On MPCs that support ingress queuing, you can implement policer actions, along with other filter actions, on traffic before the traffic is assigned to ingress queues. Ingress queuing policing filters allow you to rate limit traffic as well as count and set the forwarding class and packet loss priority for packets prior to ingress queue selection. You can then use CoS commands to select ingress queuing parameters.
Understanding the Ingress Queuing Policing Filter
The ingress queuing policing filter (iq-policing-filter) functions similarly to, and at the same point as, the ingress policing filter (ingress-queuing-filter), but provides the added benefit of accepting almost all filter actions, including policing and counting actions. The ingress queuing policing filter is also more efficient, requiring fewer system resources.
Ingress queuing filters are only available when the traffic manager mode is set to ingress-and-egress at the [edit chassis fpc fpc-id pic pic-id traffic-manager mode] hierarchy level.
The iq-policing-filter configuration statement is used at the [edit interfaces interface-name unit unit-number family family-name] hierarchy level to designate a previously configured firewall filter to be used as an ingress queuing policing filter. The following list shows which protocol families are compatible with the iq-policing-filter statement:
- bridge
- inet
- vpls
The named firewall filter is a normal firewall filter that must be configured with at least one of the following actions: count, accept, discard, forwarding-class, loss-priority, and policers.
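A pre-commit check for the constraints described above, as an added example that is not Juniper code: it reads set-format configuration and reports iq-policing-filter bindings that use an incompatible family, a filter with none of the listed actions, or a PIC without ingress-and-egress traffic-manager mode. It goes slightly beyond the text by also checking policer references; the function name and the sample configuration are constructed for illustration.

```python
import re

IQ_FAMILIES = {"bridge", "inet", "vpls"}  # families the page lists as compatible
REQUIRED = {"count", "accept", "discard", "forwarding-class", "loss-priority", "policer"}

# Constructed sample in set format (names are illustrative, not from a real device).
SAMPLE = """\
set firewall family vpls filter f1 term Voice then policer Voice-IN
set firewall family vpls filter f1 term Voice then accept
set firewall family vpls filter f1 policer Spare if-exceeding bandwidth-limit 400m
set firewall family inet6 filter f2 term t then count c
set interfaces xe-0/0/0 unit 0 family vpls iq-policing-filter f1
set interfaces xe-1/2/0 unit 0 family inet6 iq-policing-filter f2
set chassis fpc 0 pic 0 traffic-manager mode ingress-and-egress
"""

def lint_iq_policing(config):
    """Return findings for iq-policing-filter use in set-format config (hypothetical helper)."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    actions, used, defined, tm_ok, findings = {}, set(), set(), set(), []
    for l in lines:
        if m := re.match(r"set firewall family (\S+) filter (\S+) term \S+ then (\S+)(?: (\S+))?", l):
            fam, flt, act, arg = m.groups()
            actions.setdefault((fam, flt), set()).add(act)
            if act == "policer" and arg:
                used.add(arg)
        elif m := re.match(r"set firewall .*?\bpolicer (\S+) (?:if-exceeding|then)\b", l):
            defined.add(m.group(1))
        elif m := re.match(r"set chassis fpc (\d+) pic (\d+) traffic-manager mode ingress-and-egress$", l):
            tm_ok.add(m.groups())
    for l in lines:
        m = re.match(r"set interfaces (\S+) unit (\d+) family (\S+) iq-policing-filter (\S+)$", l)
        if not m:
            continue
        ifd, unit, fam, flt = m.groups()
        if fam not in IQ_FAMILIES:
            findings.append(f"{ifd}.{unit}: family {fam} does not accept iq-policing-filter")
        if not actions.get((fam, flt), set()) & REQUIRED:
            findings.append(f"{ifd}.{unit}: filter {flt} has none of the required actions")
        # Junos interface names are type-fpc/pic/port; check that PIC's traffic-manager mode.
        slot = re.match(r"[a-z]+-(\d+)/(\d+)/\d+$", ifd)
        if slot and slot.groups() not in tm_ok:
            findings.append(f"{ifd}.{unit}: fpc {slot[1]} pic {slot[2]} is not in ingress-and-egress mode")
    findings += [f"policer {p} is referenced but not defined" for p in sorted(used - defined)]
    # Hygiene check added here, not a requirement stated on the page.
    findings += [f"policer {p} is defined but never referenced" for p in sorted(defined - used)]
    return findings

if __name__ == "__main__":
    print("\n".join(lint_iq_policing(SAMPLE)))
```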
Example: Configuring a Filter for Use as an Ingress Queuing Policing Filter
This example shows how to configure a firewall
filter for use as an ingress queuing policing filter. The ingress
queuing filter assists in ingress traffic policing operations by allowing
you to rate limit traffic prior to ingress queue selection. The firewall
filter must be configured within one of the following protocol families: bridge, inet, or vpls.
You can only use the ingress queuing policing filter on devices that support ingress queuing. An error is generated at commit if the ingress queuing filter is applied to an interface on any other type of port concentrator.
Requirements
This example uses the following hardware and software components:
- An MX Series router with an MPC that supports ingress queuing
In order for ingress queuing filters to function, ingress-and-egress must be configured as the traffic-manager mode at the [edit chassis fpc slot pic slot traffic-manager mode] hierarchy level.
Overview
In this example, you create a firewall filter named vpls_iqp_filter in the vpls protocol family that counts and polices voice
and best effort traffic. You then apply the vpls_iqp_filter filter to the xe-0/0/0.0 logical interface as an ingress queuing
policing filter.
Configuring a firewall filter and applying it for use as an ingress queuing filter involves:
- Creating a firewall filter named vpls_iqp_filter in the vpls protocol family with the following actions: count, forwarding-class, and policer.
- Applying the firewall filter to the xe-0/0/0.0 interface as an ingress queuing policing filter.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following
commands, paste them into a text file, remove any line breaks, change
any details necessary to match your network configuration, and then
copy and paste the commands into the CLI at the [edit] hierarchy
level.
set firewall family vpls filter vpls_iqp_filter interface-specific
set firewall family vpls filter vpls_iqp_filter term VoiceSum from learn-vlan-1p-priority 5
set firewall family vpls filter vpls_iqp_filter term VoiceSum then count VoiceSum
set firewall family vpls filter vpls_iqp_filter term VoiceSum then forwarding-class Voice
set firewall family vpls filter vpls_iqp_filter term VoiceSum then next term
set firewall family vpls filter vpls_iqp_filter term Voice from learn-vlan-1p-priority 5
set firewall family vpls filter vpls_iqp_filter term Voice then policer Voice-IN
set firewall family vpls filter vpls_iqp_filter term Voice then count Voice
set firewall family vpls filter vpls_iqp_filter term Voice then accept
set firewall family vpls filter vpls_iqp_filter term BestEffortSum then count BestEffortSum
set firewall family vpls filter vpls_iqp_filter term BestEffortSum then next term
set firewall family vpls filter vpls_iqp_filter term BestEffort then policer BestEffort-IN
set firewall family vpls filter vpls_iqp_filter term BestEffort then count BestEffort
set firewall family vpls filter vpls_iqp_filter term BestEffort then accept
set firewall family vpls filter vpls_iqp_filter policer pol-vpls if-exceeding bandwidth-limit 400m
set firewall family vpls filter vpls_iqp_filter policer pol-vpls if-exceeding burst-size-limit 40m
set firewall family vpls filter vpls_iqp_filter policer pol-vpls then discard
set firewall family vpls filter vpls_iqp_filter policer Voice-IN if-exceeding bandwidth-limit 100m
set firewall family vpls filter vpls_iqp_filter policer Voice-IN if-exceeding burst-size-limit 10m
set firewall family vpls filter vpls_iqp_filter policer Voice-IN then loss-priority high
set firewall family vpls filter vpls_iqp_filter policer BestEffort-IN if-exceeding bandwidth-limit 350m
set firewall family vpls filter vpls_iqp_filter policer BestEffort-IN if-exceeding burst-size-limit 30m
set firewall family vpls filter vpls_iqp_filter policer BestEffort-IN then loss-priority high
set interfaces xe-0/0/0 unit 0 family vpls iq-policing-filter vpls_iqp_filter
Configuring the Firewall Filter and Applying It to an Interface as an Input Queuing Policing Filter
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure the firewall filter, vpls_iqp_filter, and apply it to logical interface xe-0/0/0 unit 0:
- Create a firewall filter named vpls_iqp_filter.
  [edit firewall family vpls filter vpls_iqp_filter]
  user@router# set interface-specific
  user@router# set term VoiceSum from learn-vlan-1p-priority 5
  user@router# set term VoiceSum then count VoiceSum
  user@router# set term VoiceSum then forwarding-class Voice
  user@router# set term VoiceSum then next term
  user@router# set term Voice from learn-vlan-1p-priority 5
  user@router# set term Voice then policer Voice-IN
  user@router# set term Voice then count Voice
  user@router# set term Voice then accept
  user@router# set term BestEffortSum then count BestEffortSum
  user@router# set term BestEffortSum then next term
  user@router# set term BestEffort then policer BestEffort-IN
  user@router# set term BestEffort then count BestEffort
  user@router# set term BestEffort then accept
  user@router# set policer pol-vpls if-exceeding bandwidth-limit 400m
  user@router# set policer pol-vpls if-exceeding burst-size-limit 40m
  user@router# set policer pol-vpls then discard
  user@router# set policer Voice-IN if-exceeding bandwidth-limit 100m
  user@router# set policer Voice-IN if-exceeding burst-size-limit 10m
  user@router# set policer Voice-IN then loss-priority high
  user@router# set policer BestEffort-IN if-exceeding bandwidth-limit 350m
  user@router# set policer BestEffort-IN if-exceeding burst-size-limit 30m
  user@router# set policer BestEffort-IN then loss-priority high
- Apply the firewall filter to the logical interface.
  [edit interfaces xe-0/0/0]
  user@router# set unit 0 family vpls iq-policing-filter vpls_iqp_filter
Results
From configuration mode, confirm your configuration
by entering the show firewall and the show interfaces
xe-0/0/0.0 commands. If the output does not display the intended
configuration, repeat the instructions in this example to correct
the configuration.
user@router# show firewall family vpls filter vpls_iqp_filter
interface-specific;
term VoiceSum {
    from {
        learn-vlan-1p-priority 5;
    }
    then {
        count VoiceSum;
        forwarding-class Voice;
        next term;
    }
}
term Voice {
    from {
        learn-vlan-1p-priority 5;
    }
    then {
        policer Voice-IN;
        count Voice;
        accept;
    }
}
term BestEffortSum {
    then {
        count BestEffortSum;
        next term;
    }
}
term BestEffort {
    then {
        policer BestEffort-IN;
        count BestEffort;
        accept;
    }
}
policer pol-vpls {
    if-exceeding {
        bandwidth-limit 400m;
        burst-size-limit 40m;
    }
    then discard;
}
policer Voice-IN {
    if-exceeding {
        bandwidth-limit 100m;
        burst-size-limit 10m;
    }
    then loss-priority high;
}
policer BestEffort-IN {
    if-exceeding {
        bandwidth-limit 350m;
        burst-size-limit 30m;
    }
    then loss-priority high;
}
user@router# show interfaces xe-0/0/0 unit 0
family vpls {
    iq-policing-filter vpls_iqp_filter;
}
If you are done configuring the device, enter commit from configuration mode.
user@router# commit