Two-Color Policer Configuration Overview

Table 1 describes the hierarchy levels at which you can configure and apply single-rate two-color policers to Layer 3 traffic. For information about applying single-rate two-color policers to Layer 2 traffic, see Two-Color Policing at Layer 2 Overview.

Table 1: Two-Color Policer Configuration and Application Overview

Policer Configuration | Layer 3 Application | Key Points

Single-Rate Two-Color Policer

Defines traffic rate limiting that you can apply to Layer 3 protocol-specific traffic at a logical interface. Can be applied as an interface policer or as a firewall filter policer.

Basic policer configuration:

[edit firewall]
policer policer-name {
    if-exceeding {
        bandwidth-limit bps;
        burst-size-limit bytes;
    }
    then {
        discard;
        forwarding-class class-name;
        loss-priority supported-value;
    }
}

Method A—Apply as an interface policer at the protocol family level:

[edit interfaces]
interface-name {
    unit unit-number {
        family family-name {
            policer {
                input policer-name;
                output policer-name;
            }
        }
    }
}

Method B—Apply as a firewall filter policer at the protocol family level:

[edit firewall]
family family-name {
    filter filter-name {
        interface-specific; # (*)
        term term-name {
            from {
                ... match-conditions ...
            }
            then {
                policer policer-name;
            }
        }
    }
}
[edit interfaces]
interface-name {
    unit unit-number {
        family family-name {
            filter {
                input filter-name;
                output filter-name;
            }
            ... protocol-configuration ...
        }
    }
}

Policer configuration:

  • Use bandwidth-limit bps to specify an absolute value.

Firewall filter configuration (*):

  • If applying to multiple interfaces, include the interface-specific statement to create unique policers and counters for each interface.

Interface policer verification:

  • Use the show interfaces (detail | extensive) operational mode command.

  • Use the show policer operational mode command.

Firewall filter policer verification:

  • Use the show interfaces (detail | extensive) operational mode command.

  • Use the show firewall filter filter-name operational mode command.

Bandwidth Policer

Defines traffic rate limiting that you can apply to Layer 3 protocol-specific traffic at a logical interface, but the bandwidth limit is specified as a percentage value. Bandwidth can be based on physical interface line rate (the default) or the logical interface shaping rate. Can be applied as an interface policer or as a firewall filter policer where the filter is either interface-specific or a physical interface filter.

Bandwidth policer configuration:

[edit firewall]
policer policer-name {
    logical-bandwidth-policer;
    if-exceeding {
        bandwidth-percent (1..100);
        burst-size-limit bytes;
    }
    then {
        discard;
        forwarding-class class-name;
        loss-priority supported-value;
    }
}

Method A—Apply as an interface policer at the protocol family level:

[edit interfaces]
interface-name {
    unit unit-number {
        family family-name {
            policer {
                input policer-name;
                output policer-name;
            }
        }
    }
}

Method B—Apply as a firewall filter policer at the protocol family level:

[edit firewall]
family family-name {
    filter filter-name {
        interface-specific;
        term term-name {
            from {
                ... match-conditions ...
            }
            then {
                policer policer-name;
            }
        }
    }
}
[edit interfaces]
interface-name {
    unit unit-number {
        family family-name {
            filter {
                input filter-name;
                output filter-name;
            }
            ... protocol-configuration ...
        }
    }
}

Policer configuration:

  • Use the bandwidth-percent percentage statement instead of the bandwidth-limit bps statement.

    By default, bandwidth policing rate-limits traffic based on a percentage of the physical interface media rate.

  • To rate-limit traffic based on a percentage of the logical interface configured shaping rate, also include the logical-bandwidth-policer statement.

Firewall filter configuration:

  • Percentage bandwidth policers can only be referenced by filters configured with the interface-specific statement.

Interface policer verification:

  • Use the show interfaces (detail | extensive) operational mode command.

  • Use the show policer operational mode command.

Firewall filter policer verification:

  • Use the show interfaces (detail | extensive) operational mode command.

  • Use the show firewall filter filter-name operational mode command.

Logical Interface (Aggregate) Policer

Defines traffic rate limiting that you can apply to multiple protocol families on the same logical interface without creating multiple instances of the policer. Can be applied directly to a logical interface configuration only.

Logical interface policer configuration:

[edit firewall]
policer policer-name {
    logical-interface-policer;
    if-exceeding {
        bandwidth-limit bps;
        burst-size-limit bytes;
    }
    then {
        discard;
        forwarding-class class-name;
        loss-priority supported-value;
    }
}

Apply as an interface policer only:

[edit interfaces]
interface-name {
    unit unit-number {
        policer { # All protocols
            input policer-name;
            output policer-name;
        }
        family family-name {
            policer { # One protocol
                input policer-name;
                output policer-name;
            }
        }
    }
}

Policer configuration:

  • Include the logical-interface-policer statement.

Two options for interface policer application:

  • To rate-limit all traffic types, regardless of the protocol family, apply the logical interface policer at the logical unit level.

  • To rate-limit traffic of a specific protocol family, apply the logical interface policer at the protocol family level.

Interface policer verification:

  • Use the show interfaces (detail | extensive) operational mode command.

  • Use the show policer operational mode command.

Physical Interface Policer

Defines traffic rate limiting that applies to all logical interfaces and protocol families configured on a physical interface, even if the interfaces belong to different routing instances. Can be applied as a firewall filter policer referenced from a physical interface filter only.

Physical interface policer configuration:

[edit firewall]
policer policer-name {
    physical-interface-policer;
    if-exceeding {
        bandwidth-limit bps;
        burst-size-limit bytes;
    }
    then {
        discard;
        forwarding-class class-name;
        loss-priority supported-value;
    }
}

Apply as a firewall filter policer referenced from a physical interface filter that you apply at the protocol family level:

[edit firewall]
family family-name {
    filter filter-name {
        physical-interface-filter;
        term term-name {
            from {
                ... match-conditions ...
            }
            then {
                policer policer-name;
            }
        }
    }
}
[edit interfaces]
interface-name {
    unit unit-number {
        family family-name {
            filter {
                input filter-name;
                output filter-name;
            }
            ... protocol-configuration ...
        }
    }
}

Policer configuration:

  • Include the physical-interface-policer statement.

Firewall filter configuration:

  • Include the physical-interface-filter statement.

Application:

  • Apply the filter to the input or output of a logical interface at the protocol family level.

Firewall filter policer verification:

  • Use the show interfaces (detail | extensive) operational mode command.

  • Use the show firewall filter filter-name operational mode command.
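The filter-reference rules in the Bandwidth Policer and Physical Interface Policer rows can be checked offline against a saved configuration before commit. The following Python is an added example, not Juniper code: the function names and the sample configuration are constructed, and it assumes curly-brace configuration text without comments, annotations or quoted strings.

```python
import re
# Constructed sample configuration; all names and rates are illustrative.
SAMPLE = """firewall {
    policer pct-10 { if-exceeding { bandwidth-percent 10; burst-size-limit 15k; } then { discard; } }
    policer phys-1m { physical-interface-policer; if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; } then { discard; } }
    family inet {
        filter ok-pct { interface-specific; term t1 { then { policer pct-10; } } }
        filter ok-phys { physical-interface-filter; term t1 { then { policer phys-1m; } } }
        filter bad-pct { term t1 { then { policer pct-10; } } }
        filter bad-phys { interface-specific; term t1 { then { policer phys-1m; } } }
    }
}"""

def parse(text):
    # Nested dicts keyed by statement text; leaf statements map to None.
    stack, words = [{}], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "}":
            stack.pop()
        elif tok in ("{", ";"):
            node = stack[-1].setdefault(" ".join(words), {} if tok == "{" else None)
            words = []
            if tok == "{":
                stack.append(node)
        else:
            words.append(tok)
    return stack[0]

def policer_refs(node):
    # Names from every 'policer NAME;' leaf below a filter.
    for key, child in node.items():
        if child is None and key.startswith("policer "):
            yield key.split()[1]
        elif child is not None:
            yield from policer_refs(child)

def violations(text):
    # Yield (filter, policer, reason) for each reference that breaks a rule from the table.
    fw = parse(text).get("firewall", {})
    policers = {k.split()[1]: v for k, v in fw.items() if k.startswith("policer ")}
    filters = [(k.split()[1], body) for fam, fs in fw.items() if fam.startswith("family ")
               for k, body in fs.items() if k.startswith("filter ")]
    for fname, body in filters:
        for name in policer_refs(body):
            p = policers.get(name, {})
            percent = any(s.startswith("bandwidth-percent") for s in p.get("if-exceeding", {}))
            if "physical-interface-policer" in p and "physical-interface-filter" not in body:
                yield fname, name, "needs physical-interface-filter"
            elif percent and not body.keys() & {"interface-specific", "physical-interface-filter"}:
                yield fname, name, "needs interface-specific or physical-interface-filter"
```

Calling `list(violations(SAMPLE))` reports `bad-pct` and `bad-phys` and leaves the two correctly flagged filters alone.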