Example: Using Two-Color Policers and Prefix Lists
If you provide specific amounts of bandwidth to internal or external customers, you can use policing to make sure that customers do not consume more bandwidth than they should receive. For example, you might connect many customers to one 10-Gbps interface and want to ensure that none of them congest the interface by using more bandwidth than they have been allotted.
You could accomplish this by creating a two-color policer similar to the following for each customer:
firewall {
    policer Limit-Customer-1 {
        if-exceeding {
            bandwidth-limit 100m;
            burst-size-limit 150m;
        }
        then discard;
    }
}
Creating a policer for each customer is clearly not a scalable solution, however. As an alternative, you can create prefix lists that group classes of customers and then create policers for each prefix list. For example, you could create prefix lists such as Class-A-Customer-Prefixes, Class-B-Customer-Prefixes, and Class-C-Customer-Prefixes (at the [edit policy-options] hierarchy level) and create the following corresponding policers:
firewall {
    policer Class-A {
        if-exceeding {
            bandwidth-limit 100m;
            burst-size-limit 150m;
        }
        then discard;
    }
    policer Class-B {
        if-exceeding {
            bandwidth-limit 75m;
            burst-size-limit 100m;
        }
        then discard;
    }
    policer Class-C {
        if-exceeding {
            bandwidth-limit 50m;
            burst-size-limit 75m;
        }
        then discard;
    }
}
You must create filter terms that specify the prefix lists in their from statements and the corresponding policers in their then statements, similar to the following:
firewall {
    family inet {
        filter Class-A-Customers {
            term term-1 {
                from {
                    destination-prefix-list {
                        Class-A-Customer-Prefixes;
                    }
                }
                then policer Class-A;
            }
        }
        filter Class-B-Customers {
            term term-1 {
                from {
                    destination-prefix-list {
                        Class-B-Customer-Prefixes;
                    }
                }
                then policer Class-B;
            }
        }
        filter Class-C-Customers {
            term term-1 {
                from {
                    destination-prefix-list {
                        Class-C-Customer-Prefixes;
                    }
                }
                then policer Class-C;
            }
        }
    }
}
Here are the steps to create this firewall configuration:
Create the first policer:
[edit firewall]
user@switch# set policer Class-A if-exceeding bandwidth-limit 100m burst-size-limit 150m
user@switch# set policer Class-A then discard
Create the second policer:
[edit firewall]
user@switch# set policer Class-B if-exceeding bandwidth-limit 75m burst-size-limit 100m
user@switch# set policer Class-B then discard
Create the third policer:
[edit firewall]
user@switch# set policer Class-C if-exceeding bandwidth-limit 50m burst-size-limit 75m
user@switch# set policer Class-C then discard
Create a filter for class A customers:
[edit firewall]
user@switch# edit family inet filter Class-A-Customers
Configure the filter to send packets matching the Class-A-Customer-Prefixes prefix list to the Class-A policer:
[edit firewall family inet filter Class-A-Customers]
user@switch# set term term-1 from destination-prefix-list Class-A-Customer-Prefixes
user@switch# set term term-1 then policer Class-A
Create a filter for class B customers:
[edit firewall]
user@switch# edit family inet filter Class-B-Customers
Configure the filter to send packets matching the Class-B-Customer-Prefixes prefix list to the Class-B policer:
[edit firewall family inet filter Class-B-Customers]
user@switch# set term term-1 from destination-prefix-list Class-B-Customer-Prefixes
user@switch# set term term-1 then policer Class-B
Create a filter for class C customers:
[edit firewall]
user@switch# edit family inet filter Class-C-Customers
Configure the filter to send packets matching the Class-C-Customer-Prefixes prefix list to the Class-C policer:
[edit firewall family inet filter Class-C-Customers]
user@switch# set term term-1 from destination-prefix-list Class-C-Customer-Prefixes
user@switch# set term term-1 then policer Class-C
Apply the filters you created to the appropriate interfaces in the output direction.
Note that the implicit discard at the end of each of these filters will drop any packet that does not match one of the prefix lists. If you want the filter to allow such traffic, you must include an explicit final term with an accept action for this purpose.
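As an added example that is not from the original page, the complete Class A configuration in display format: it includes the prefix list at the [edit policy-options] hierarchy level that the text refers to but does not show, an explicit final accept term so that traffic outside the prefix list is not dropped by the implicit discard, and the filter applied in the output direction. The customer prefix (192.0.2.0/25), the interface name (xe-0/0/0), and the term name allow-other are assumptions; Class B and Class C follow the same pattern with their own prefix lists, policers, and filters.

```junos
policy-options {
    /* Constructed example prefix (RFC 5737 documentation range), not from the original page. */
    prefix-list Class-A-Customer-Prefixes {
        192.0.2.0/25;
    }
}
firewall {
    policer Class-A {
        if-exceeding {
            bandwidth-limit 100m;
            burst-size-limit 150m;
        }
        then discard;
    }
    family inet {
        filter Class-A-Customers {
            /* Traffic destined to Class A customers is rate-limited; a term with only a
               policer action and no terminating action accepts the packet after policing. */
            term term-1 {
                from {
                    destination-prefix-list {
                        Class-A-Customer-Prefixes;
                    }
                }
                then policer Class-A;
            }
            /* Assumed term name. Without this explicit final term, the implicit discard
               at the end of the filter drops every packet that did not match term-1. */
            term allow-other {
                then accept;
            }
        }
    }
}
interfaces {
    /* Assumed customer-facing 10-Gigabit Ethernet interface name. */
    xe-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    output Class-A-Customers;
                }
            }
        }
    }
}
```

After committing, show firewall filter Class-A-Customers displays the per-term counters only if you add a counter action; the policer's discard statistics are shown under the policer name.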