Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Example: Using Two-Color Policers and Prefix Lists

If you provide specific amounts of bandwidth to internal or external customers, you can use policing to make sure that customers do not consume more bandwidth than they should receive. For example, you might connect many customers to one 10-Gbps interface and want to ensure that none of them congest the interface by using more bandwidth than they have been allotted.

You could accomplish this by creating a two-color policer similar to the following for each customer:

Creating a policer for each customer is clearly not a scalable solution, however. As an alternative, you can create prefix lists that group classes of customers and then create policers for each prefix list. For example, you could create prefix lists such as Class-A-Customer-Prefixes, Class-B-Customer-Prefixes, and Class-C-Customer-Prefixes (at the [edit policy-options] hierarchy level) and create the following corresponding policers:

You must create filter terms that specify the prefix lists in their from statements and the corresponding policers in their then statements similar to the following:

Here are the steps to create this firewall configuration:

  1. Create the first policer:

  2. Create the second policer:

  3. Create the third policer:

  4. Create a filter for class A customers:

  5. Configure the filter to send packets matching the Class-A-Customer-Prefixes prefix list to the Class-A policer:

  6. Create a filter for class B customers:

  7. Configure the filter to send packets matching the Class-B-Customer-Prefixes prefix list to the Class-B policer:

  8. Create a filter for class C customers:

  9. Configure the filter to send packets matching the Class-C-Customer-Prefixes prefix list to the Class-C policer:

  10. Apply the filters you created to the appropriate interfaces in the output direction.


Note that the implicit deny statement in this filter will block traffic from any source that does not match one of the prefix lists. If you want the filter to allow this traffic, you must include an explicit term for this purpose.