Understanding Enhanced Hierarchical Policers
Use the enhanced hierarchical policer configuration to rate-limit traffic according to the traffic priority that packets are classified into. Traffic policing is configured at four hierarchy levels, one for each traffic priority.
This feature is available only on ACX7100-32C, ACX7100-48L, ACX7509, and ACX7024 devices.
In an enhanced hierarchical policer configuration, up to four policers are defined. Each policer maps to a traffic priority. The four traffic priorities, in order of precedence, are High, Medium-High, Medium-Low, and Low. The traffic priorities are hierarchical: High has the highest precedence and Low has the lowest. A policer defined for the High traffic priority therefore takes precedence over all the other policers, and a policer defined for the Low traffic priority has lower precedence than all the other policers.
All policers (from one up to four) in an enhanced hierarchical policer configuration consume bandwidth from a maximum allotted bandwidth. In Table 1 this maximum allotted bandwidth is 65 mbps. Each policer is allotted a Committed Information Rate (CIR) and a Maximum Committed Information Rate (Max CIR) from this maximum allotted bandwidth. As a guideline, the CIR and Max CIR values are always the same for the policer with the highest precedence.
Residual (unused) bandwidth is carried over to lower-precedence policers. As Table 1 shows, the medium-high policer inherits unused bandwidth from the high policer. The medium-low policer inherits from the high and medium-high policers. The low policer inherits from the other three higher-precedence policers. It is recommended that the MAX CIR of a particular level equal the CIR of that level plus the combined CIR of all higher-precedence levels.
Table 1: Policer Configurations

| Policer-level/traffic-priority | CIR | MAX CIR |
|---|---|---|
| high | 5mbps | 5mbps |
| medium-high | 10mbps | 15mbps |
| medium-low | 20mbps | 35mbps |
| low | 30mbps | 65mbps |

Guidelines for configuring enhanced hierarchical policer
- An enhanced hierarchical policer is filter-specific. Filter-specific policer semantics must be used for a hierarchical policer because multiple terms point to the same policer.
- The counter name must be the same for all the terms mapped to the enhanced-hierarchical-policer action under the same hierarchy level.
- It is mandatory to configure all the levels of an enhanced hierarchical policer with their respective policer bandwidth rates and burst size configurations. If not all four levels are required, the unwanted levels must specify the lowest supported CIR, MAX CIR, and CBS rates. It is recommended that firewall filter terms not be mapped to these unwanted levels.
- Each enhanced hierarchical policer level must be configured with the action to discard the packets exceeding the configured bandwidth.
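
The guidelines above can be checked mechanically before a configuration is committed. The following linter is an added example, not Juniper code: it reads `set` commands for one policer and reports a missing `filter-specific` statement, incomplete levels, a missing `then discard` action, and any MAX CIR that differs from the recommended cumulative CIR. The names `render`, `lint`, and `PAGE_RATES` are assumptions of this example; the rates are taken from Table 1 and the burst sizes from the configuration example on this page.

```python
import re

LEVELS = ["high", "medium-high", "medium-low", "low"]  # precedence order, highest first
KEYS = ("committed-information-rate", "max-committed-information-rate", "committed-burst-size")
UNITS = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}
# Values from the page's example policer "hpol": level -> (CIR, MAX CIR, CBS)
PAGE_RATES = {"high": ("5m", "5m", "5k"), "medium-high": ("10m", "15m", "15k"),
              "medium-low": ("20m", "35m", "35k"), "low": ("30m", "65m", "65k")}

def render(name, rates):
    """Build the 'set' commands for a policer (constructed sample input)."""
    base = f"set firewall enhanced-hierarchical-policer {name}"
    lines = [f"{base} filter-specific"]
    for level, values in rates.items():
        lines += [f"{base} {level} {k} {v}" for k, v in zip(KEYS, values)]
        lines.append(f"{base} {level} then discard")
    return "\n".join(lines)

def to_bps(value):
    """Convert a rate such as '15m' to bits per second."""
    num, unit = re.fullmatch(r"(\d+)([kmg]?)", value.lower()).groups()
    return int(num) * UNITS[unit]

def lint(config, name):
    """Return guideline violations for one policer; an empty list means clean."""
    specific, levels, issues, cir_sum = False, {}, [], 0
    pattern = rf"set firewall enhanced-hierarchical-policer {re.escape(name)} (.+)"
    for m in re.finditer(pattern, config):
        words = m.group(1).split()
        if words == ["filter-specific"]:
            specific = True
        elif words[0] in LEVELS and len(words) == 3:
            levels.setdefault(words[0], {})[words[1]] = words[2]
    if not specific:
        issues.append("policer is not filter-specific")
    for level in LEVELS:
        cfg = levels.get(level, {})
        missing = [k for k in KEYS if k not in cfg]
        if missing:
            issues.append(f"{level}: missing {', '.join(missing)}")
            continue
        if cfg.get("then") != "discard":
            issues.append(f"{level}: action is not 'then discard'")
        cir_sum += to_bps(cfg["committed-information-rate"])  # own CIR + higher levels
        if to_bps(cfg["max-committed-information-rate"]) != cir_sum:
            issues.append(f"{level}: MAX CIR should be {cir_sum} bps")
    return issues

if __name__ == "__main__":
    print(lint(render("hpol", PAGE_RATES), "hpol") or "no guideline violations")
```

The cumulative MAX CIR rule is a recommendation on this page, so a finding from that check on a deliberately minimal unused level is a prompt to review rather than an error.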
Example: Configuring an enhanced hierarchical policer
In this example:
- An enhanced hierarchical policer is defined.
- A firewall filter is defined and the policer is applied in the firewall filter. The firewall filter is applied to an interface.
- Policer statistics are displayed.

Requirements:
- Junos OS Release 23.3 R1 or later.
- An ACX7100-32C, ACX7100-48L, ACX7509, or ACX7024 device.

Step-by-Step Procedure
- Define the policer name.

  ```
  [edit]
  user@host# set firewall enhanced-hierarchical-policer hpol
  ```
- Define committed information rate (CIR), maximum committed information rate (MIR), and committed burst size (CBS) for the four traffic priorities, namely high, medium-high, medium-low, and low.

  ```
  user@host# set firewall enhanced-hierarchical-policer hpol filter-specific
  user@host# set firewall enhanced-hierarchical-policer hpol high committed-information-rate 5m
  user@host# set firewall enhanced-hierarchical-policer hpol high max-committed-information-rate 5m
  user@host# set firewall enhanced-hierarchical-policer hpol high committed-burst-size 5k
  user@host# set firewall enhanced-hierarchical-policer hpol high then discard
  user@host# set firewall enhanced-hierarchical-policer hpol medium-high committed-information-rate 10m
  user@host# set firewall enhanced-hierarchical-policer hpol medium-high max-committed-information-rate 15m
  user@host# set firewall enhanced-hierarchical-policer hpol medium-high committed-burst-size 15k
  user@host# set firewall enhanced-hierarchical-policer hpol medium-high then discard
  user@host# set firewall enhanced-hierarchical-policer hpol medium-low committed-information-rate 20m
  user@host# set firewall enhanced-hierarchical-policer hpol medium-low max-committed-information-rate 35m
  user@host# set firewall enhanced-hierarchical-policer hpol medium-low committed-burst-size 35k
  user@host# set firewall enhanced-hierarchical-policer hpol medium-low then discard
  user@host# set firewall enhanced-hierarchical-policer hpol low committed-information-rate 30m
  user@host# set firewall enhanced-hierarchical-policer hpol low max-committed-information-rate 65m
  user@host# set firewall enhanced-hierarchical-policer hpol low committed-burst-size 65k
  user@host# set firewall enhanced-hierarchical-policer hpol low then discard
  ```
- Define a firewall filter. Apply the enhanced hierarchical policer by specifying the traffic priority in the action of the firewall filter term.

  ```
  user@host# set firewall family inet filter hpol-inet interface-specific
  user@host# set firewall family inet filter hpol-inet term platinum from dscp af11
  user@host# set firewall family inet filter hpol-inet term platinum then enhanced-hierarchical-policer hpol traffic-priority high
  user@host# set firewall family inet filter hpol-inet term gold from dscp af12
  user@host# set firewall family inet filter hpol-inet term gold then enhanced-hierarchical-policer hpol traffic-priority medium-high
  user@host# set firewall family inet filter hpol-inet term silver from dscp af13
  user@host# set firewall family inet filter hpol-inet term silver then enhanced-hierarchical-policer hpol traffic-priority medium-low
  user@host# set firewall family inet filter hpol-inet term dflt then enhanced-hierarchical-policer hpol traffic-priority low
  ```
- Apply the firewall filter to an interface.

  ```
  user@host# set interfaces et-0/0/1 unit 0 family inet address 100.1.1.6/32
  user@host# set interfaces et-0/0/1 unit 0 family inet filter input hpol-inet
  ```
- Display enhanced hierarchical policer statistics. The dropped/red bytes and packets are displayed per level.

  ```
  user@host# show firewall
  Filter: hpol-inet-et-0/0/1.0-i
  Enchanced Hierarchical Policers:
  Name                 Bytes      Packets
  hpol
   High                    0            0
   Medium-High             0            0
   Medium-Low              0            0
   Low                     0            0
  ```