ingress-policer-overhead
Syntax
ingress-policer-overhead bytes;
Hierarchy Level
[edit chassis fpc slot-number pic pic-number]
Description
Add the configured number of bytes to the length of a packet entering the interface.
Configure a policer overhead to control the rate of traffic received on an interface. Use this feature to help prevent denial-of-service (DoS) attacks or to enforce traffic rates to conform to the service-level agreement (SLA). When you configure a policer overhead, the configured policer overhead value (bytes) is added to the length of the final Ethernet frame. This calculated length of frame is used to determine the policer or the rate-limiting action.
Traffic policing combines the configured policy bandwidth limits and the burst size to determine how to meter the incoming traffic. If you configure a policer overhead on an interface, Junos OS adds those bytes to the length of incoming Ethernet frames. This added overhead fills each frame closer to the burst size, allowing you to control the rate of traffic received on an interface.
You can configure the policer overhead to rate-limit queues and Layer 2 and Layer 3 policers, for standalone (SA) and high-availability (HA) deployments. The policer overhead and the shaping overhead can be configured simultaneously on an interface.
vSRX Virtual Firewall supports policer overhead on Layer 3 policers only.
The policer overhead applies to all interfaces on the PIC. In the following example, Junos OS adds 10 bytes of overhead to all incoming Ethernet frames on ports ge-0/0/0 through ge-0/0/4.
set chassis fpc 0 pic 0 ingress-policer-overhead 10
vSRX Virtual Firewall only supports fpc 0 pic 0. When you commit the ingress-policer-overhead statement, the vSRX Virtual Firewall takes the PIC offline and then back online.
You need to craft the policer overhead size to match your network traffic. A value that is too low will have minimal impact on traffic bursts. A value that is too high will rate-limit too much of your incoming traffic.
In this example, the policer overhead of 255 bytes is configured for ge-0/0/0 through ge-0/0/4. The firewall policer is configured to discard traffic when the burst size is over 1500 bytes. This policer is applied to ge-0/0/0 and ge-0/0/1. Junos OS adds 255 bytes to every Ethernet frame that comes into the configured ports. If, during a burst of traffic, the combined length of incoming frames and the overhead bytes exceeds 1500 bytes, the policer starts to discard further incoming traffic.
set chassis fpc 0 pic 0 ingress-policer-overhead 255
set interfaces ge-0/0/0 unit 0 family inet policer input overhead_policer
set interfaces ge-0/0/0 unit 0 family inet address 10.9.1.2/24
set interfaces ge-0/0/1 unit 0 family inet policer input overhead_policer
set interfaces ge-0/0/1 unit 0 family inet address 10.9.2.2/24
set firewall policer overhead_policer if-exceeding bandwidth-limit 32k
set firewall policer overhead_policer if-exceeding burst-size-limit 1500
set firewall policer overhead_policer then discard
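How the overhead changes the policing decision for the example values above (32k bandwidth limit, 1500-byte burst size, 255-byte overhead) can be seen in a small simulation. This is an added example, not Juniper code: it models the policer as a simple token bucket that starts full, assumes 32k means 32,000 bits per second, and runs on constructed traffic; `police`, `forwarded`, and the sample lists are hypothetical names.

```python
# Added illustration: simplified single-rate token-bucket model, not Junos OS code.
# Assumptions: bucket starts full, "32k" means 32,000 bits/s, and the policer
# charges (frame length + ingress-policer-overhead) bytes per frame.

SCALE = 8000  # credit unit = 1/8000 byte, so bits/s * ms stays an exact integer


def police(frames, overhead, rate_bps=32_000, burst_bytes=1500):
    """frames: list of (arrival_ms, length_bytes), sorted by arrival time.
    Returns one bool per frame: True = forwarded, False = discarded."""
    if not 0 <= overhead <= 255:
        raise ValueError("ingress-policer-overhead range is 0-255 bytes")
    cap = burst_bytes * SCALE
    credit, last_ms, verdicts = cap, 0, []
    for arrival_ms, length in frames:
        # Refill for the elapsed time, never beyond the burst size.
        credit = min(cap, credit + rate_bps * (arrival_ms - last_ms))
        last_ms = arrival_ms
        cost = (length + overhead) * SCALE  # policed length, not wire length
        if cost <= credit:
            credit -= cost
            verdicts.append(True)
        else:
            verdicts.append(False)  # "then discard"
    return verdicts


def forwarded(frames, overhead):
    """Number of frames the modelled policer lets through."""
    return sum(police(frames, overhead))


# Constructed sample traffic (not captured from a device).
BURST = [(0, 245)] * 10                       # 10 back-to-back 245-byte frames
STEADY = [(t * 100, 245) for t in range(20)]  # one 245-byte frame every 100 ms
LARGE = [(0, 1400)]                           # single near-MTU frame

if __name__ == "__main__":
    for name, frames in (("burst", BURST), ("steady", STEADY), ("large", LARGE)):
        print(f"{name:6s} overhead 0: {forwarded(frames, 0):2d}/{len(frames)}"
              f"   overhead 255: {forwarded(frames, 255):2d}/{len(frames)}")
```

In this model a frame longer than 1245 bytes can never pass once 255 bytes of overhead are added, because its policed length exceeds the 1500-byte burst size even when the bucket is full.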
Options
bytes—Number of bytes added to a frame entering an interface.
Range: 0–255 bytes
Default: 0
[edit chassis fpc 0 pic 0]
user@host# set ingress-policer-overhead 10;
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Release Information
Statement introduced before Junos OS Release 11.1.