Example: Configuring a Two-Rate Three-Color Policer

This example shows how to configure a two-rate three-color policer.

Requirements

Support for two-rate three-color policers varies according to the device. It includes SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 Firewall devices running a compatible version of Junos OS.

No special configuration beyond device initialization is required before configuring this example.

Overview

A two-rate three-color policer meters a traffic flow against a bandwidth limit and burst-size limit for guaranteed traffic, plus a bandwidth limit and burst-size limit for peak traffic. Traffic that conforms to the limits for guaranteed traffic is categorized as green, and nonconforming traffic falls into one of two categories:

  • Nonconforming traffic that does not exceed peak traffic limits is categorized as yellow.

  • Nonconforming traffic that exceeds peak traffic limits is categorized as red.

Each category is associated with an action. For green traffic, packets are implicitly set with a loss-priority value of low and then transmitted. For yellow traffic, packets are implicitly set with a loss-priority value of medium-high and then transmitted. For red traffic, packets are implicitly set with a loss-priority value of high and then transmitted. If the policer configuration includes the optional action statement (action loss-priority high then discard), then packets in a red flow are discarded instead.

You can apply a three-color policer to Layer 3 traffic as a firewall filter policer only. You reference the policer from a stateless firewall filter term, and then you apply the filter to the input or output of a logical interface at the protocol level.

Topology

In this example, you apply a color-aware, two-rate three-color policer to the input IPv4 traffic at logical interface fe-0/1/1.0. The IPv4 firewall filter term that references the policer does not apply any packet filtering. The filter is used only to apply the three-color policer to the interface.

You configure the policer to rate-limit traffic to a bandwidth limit of 40 Mbps and a burst-size limit of 100 KB for green traffic, and you configure the policer to also allow a peak bandwidth limit of 60 Mbps and a peak burst-size limit of 200 KB for yellow traffic. Only nonconforming traffic that exceeds the peak traffic limits is categorized as red. In this example, you configure the three-color policer action loss-priority high then discard, which overrides the implicit marking of red traffic to a high loss priority.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and then paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring a Two-Rate Three-Color Policer

Step-by-Step Procedure

To configure a two-rate three-color policer:

  1. Enable configuration of a three-color policer.

  2. Configure the color mode of the two-rate three-color policer.

  3. Configure the two-rate guaranteed traffic limits.

    Traffic that does not exceed both of these limits is categorized as green. Packets in a green flow are implicitly set to low loss priority and then transmitted.

  4. Configure the two-rate peak traffic limits.

    Nonconforming traffic that does not exceed both of these limits is categorized as yellow. Packets in a yellow flow are implicitly set to medium-high loss priority and then transmitted. Nonconforming traffic that exceeds both of these limits is categorized as red. Packets in a red flow are implicitly set to high loss priority.

  5. (Optional) Configure the policer action for red traffic.

    For three-color policers, the only configurable action is to discard red packets. Red packets are packets that have been assigned high loss priority because they exceeded the peak information rate (PIR) and the peak burst size (PBS).

Results

Confirm the configuration of the policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Configuring an IPv4 Stateless Firewall Filter That References the Policer

Step-by-Step Procedure

To configure an IPv4 stateless firewall filter that references the policer:

  1. Enable configuration of an IPv4 standard stateless firewall filter.

  2. Specify the filter term that references the policer.

    Note that the term does not specify any match conditions. The firewall filter passes all packets to the policer.

Results

Confirm the configuration of the firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Applying the Filter to a Logical Interface at the Protocol Family Level

Step-by-Step Procedure

To apply the filter to the logical interface at the protocol family level:

  1. Enable configuration of an IPv4 firewall filter.

  2. Apply the policer to the logical interface at the protocol family level.

  3. (MX Series routers and EX Series switches only) (Optional) For input policers, you can configure a fixed classifier. A fixed classifier reclassifies all incoming packets, regardless of any preexisting classification.

    Note:

    Platform support depends on the Junos OS release in your implementation.

    The classifier name can be a configured classifier or one of the default classifiers.

Results

Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.
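The complete configuration described across the three procedures above, shown in the hierarchical form that the show firewall and show interfaces commands display. This is an added example, not the page's own quick-configuration block: the policer name trtcm-40m-60m, the filter name filter-trtcm-in and the term name police-all are assumed (chosen here), the interface and the rate and burst values come from the Topology section, and the optional fixed-classifier step for MX Series and EX Series devices is omitted.

```junos
/* [edit firewall] -- policer and filter; the names trtcm-40m-60m, filter-trtcm-in and police-all are assumed */
firewall {
    three-color-policer trtcm-40m-60m {
        /* optional action: discard red packets instead of forwarding them with high loss priority */
        action {
            loss-priority high then discard;
        }
        two-rate {
            /* color-aware: a packet already marked yellow or red upstream keeps that color */
            color-aware;
            /* guaranteed (green) limits: 40 Mbps, 100 KB burst */
            committed-information-rate 40m;
            committed-burst-size 100k;
            /* peak (yellow) limits: 60 Mbps, 200 KB burst; traffic beyond these is red */
            peak-information-rate 60m;
            peak-burst-size 200k;
        }
    }
    family inet {
        filter filter-trtcm-in {
            /* no match conditions: the term hands every IPv4 packet to the policer */
            term police-all {
                then {
                    three-color-policer {
                        two-rate trtcm-40m-60m;
                    }
                }
            }
        }
    }
}
/* [edit interfaces] -- apply the filter to IPv4 input traffic on fe-0/1/1.0 */
interfaces {
    fe-0/1/1 {
        unit 0 {
            family inet {
                filter {
                    input filter-trtcm-in;
                }
            }
        }
    }
}
```

Two points worth checking after the commit: color-aware is stated explicitly because a three-color policer is color-blind unless told otherwise, and without the action stanza red traffic is still transmitted, only marked with high loss priority, so the discard behaviour described in the Overview only takes effect when that stanza is present in the show firewall output.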

Verification

Confirm that the configuration is working properly.

Displaying the Firewall Filters Applied to the Logical Interface

Purpose

Verify that the firewall filter is applied to IPv4 input traffic at the logical interface.

Action

Use the show interfaces operational mode command for the logical interface ge-2/0/5.0, and specify detail mode. The Protocol inet section of the command output displays IPv4 information for the logical interface. Within that section, the Input Filters field displays the names of the IPv4 firewall filters associated with the logical interface.