Configuring Tricolor Marking Policers
You can rate-limit traffic on EX Series switches by configuring a policer and specifying it as an action modifier for a term in a firewall filter. By default, if you specify the same policer in multiple terms, Junos OS creates a separate policer instance for each term and applies rate limiting separately for each instance. For example, if you configure a policer to discard traffic that exceeds 1 Gbps and reference that policer in three different terms, each policer instance enforces a 1-Gbps limit. In this case, the total bandwidth allowed by the filter is 3 Gbps.
You can also configure a policer to be filter-specific, which means that Junos OS creates only one policer instance regardless of how many times the policer is referenced. When you do this, rate limiting is applied in aggregate, so if you configure a policer to discard traffic that exceeds 1 Gbps and reference that policer in three different terms, the total bandwidth allowed by the filter is 1 Gbps.
This topic describes how to configure single-rate and two-rate tricolor marking (TCM) policers, also known as single-rate and two-rate three-color policers. If you want to configure a single-rate two-color policer (also known just as a "policer"), see Configuring Policers to Control Traffic Rates (CLI Procedure).
Configuring a Tricolor Marking Policer
A tricolor marking policer polices traffic on the basis of metering rates, including the configured information rate (CIR), the peak information rate (PIR), their associated burst sizes, and any policing actions configured for the traffic. With tricolor marking, you can configure traffic policing according to two separate modes: color-blind and color-aware. In color-blind mode, the current packet loss priority (PLP) value is ignored. In color-aware mode, the current PLP values are considered by the policer, and the policer can increase those values but cannot decrease them.
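The difference between the two modes can be seen by running the same packet trace through a meter in each mode. The following is an added example, not Junos code or part of the original topic: it models a single-rate marker using the metering rules of RFC 2697, and the class name SrTcm, the rates, the burst sizes, the packet trace and the numeric color ordering are all assumptions made for the illustration.

```python
# Added illustration (not Junos code): a single-rate three-color marker
# following the metering rules of RFC 2697. All values are constructed.
GREEN, YELLOW, RED = 0, 1, 2  # modeling assumption: higher = higher loss priority

class SrTcm:
    def __init__(self, cir_bps, cbs_bytes, ebs_bytes, color_aware=False):
        self.cir = cir_bps / 8.0                 # token rate in bytes/second
        self.cbs, self.ebs = cbs_bytes, ebs_bytes
        self.tc, self.te = cbs_bytes, ebs_bytes  # both buckets start full
        self.color_aware = color_aware
        self.last = 0.0

    def _refill(self, now):
        tokens = (now - self.last) * self.cir
        self.last = now
        fill_c = min(tokens, self.cbs - self.tc)  # committed bucket fills first
        self.tc += fill_c
        self.te = min(self.ebs, self.te + tokens - fill_c)  # overflow to excess

    def mark(self, now, size, incoming=GREEN):
        self._refill(now)
        # Color-blind mode ignores the incoming marking (treats all as green).
        pre = incoming if self.color_aware else GREEN
        if pre == GREEN and self.tc >= size:
            self.tc -= size
            return GREEN
        if pre <= YELLOW and self.te >= size:
            self.te -= size
            return YELLOW
        return RED

# Constructed trace: (arrival time in s, size in bytes, incoming color).
TRACE = [(0.0, 1500, GREEN), (0.0, 1500, YELLOW), (0.0, 1500, GREEN),
         (0.0, 1500, RED), (0.0, 1500, GREEN), (3.0, 1500, GREEN)]

def run(color_aware):
    # CIR 8 kbps = 1000 bytes/s; CBS and EBS each hold two 1500-byte packets.
    meter = SrTcm(8000, 3000, 3000, color_aware=color_aware)
    return [meter.mark(t, size, color) for t, size, color in TRACE]

if __name__ == "__main__":
    names = ["green", "yellow", "red"]
    for mode in (False, True):
        label = "color-aware" if mode else "color-blind"
        print(label, [names[c] for c in run(mode)])
```

In the color-blind run the packets that arrive marked yellow and red are re-marked green and yellow because their existing marking is ignored; in the color-aware run no packet leaves with a lower color than it arrived with.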
To configure a tricolor marking (TCM) policer:
Applying Tricolor Marking Policers to Firewall Filters
To rate-limit traffic by applying a tricolor marking (TCM) policer to a firewall filter:
[edit firewall family family filter filter-name term term-name then]
user@switch# set three-color-policer rate stTCM1-ca
For example:
[edit firewall family inet filter test1 term term1 then]
user@switch# set three-color-policer single-rate policer1
You must include either the single-rate statement or the two-rate statement in the reference to the policer in the firewall filter configuration, and this statement must match the configured TCM policer. Otherwise, an error message appears in the configuration listing.
For example, if you configure srTCM1-ca as a single-rate TCM policer and try to apply it as a two-rate policer, the following message appears:
[edit firewall]
user@switch# show three-color-policer srTCM1-ca
single-rate {
    color-aware;
    . . .
}
user@switch# show filter TESTER
term A {
    then {
        three-color-policer {
            ##
            ## Warning: Referenced two-rate policer does not exist
            ##
            two-rate srTCM;
        }
    }
}