Configuring Two-Color and Three-Color Policers to Control Traffic Rates

You can rate-limit traffic by configuring a policer and specifying it as an action modifier for a term in a firewall filter. By default, if you specify the same policer in multiple terms, Junos OS creates a separate policer instance for each term and applies rate limiting separately for each instance. For example, if you configure a policer to discard traffic that exceeds 1 Gbps and reference that policer in three different terms, each policer instance enforces a 1-Gbps limit. In this case, the total bandwidth allowed by the filter is 3 Gbps.

You can also configure a policer to be filter-specific, which means that Junos OS creates only one policer instance regardless of how many times the policer is referenced. When you do this, rate limiting is applied in aggregate, so if you configure a policer to discard traffic that exceeds 1 Gbps and reference that policer in three different terms, the total bandwidth allowed by the filter is 1 Gbps.

Note:

You can include two-color policer actions on ingress firewall filters only. You can include three-color policer actions on ingress and egress filters.

Configuring Two-Color Policers

To configure a two-color policer:

  1. Specify the name of the policer, the bandwidth limit to control the traffic rate on an interface, and the maximum allowed burst size to control the amount of traffic bursting:

    The policer name can contain letters, numbers, and hyphens (-) and can have as many as 64 characters.

    The range for the bandwidth limit is 32000 (32k) through 102,300,000,000 (102300m) bps.

    To determine the value for the burst-size limit, multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur and divide the result by 8:

    maximum burst size = (interface bandwidth) × (allowable time for burst) / (8 bits/byte)

    The range for the burst-size limit is 1 through 2,147,450,880 bytes.

  2. Specify the policer action to discard or assign a loss priority to packets that exceed the rate limits:
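
The following Python sketch is an added example, not Juniper code. It applies the burst-size formula and the name, bandwidth, and burst-size ranges from step 1, and computes the total bandwidth a filter admits when a policer is instantiated per term versus filter-specific, as described in the introduction. The function names and the sample values (a 10-Gbps interface, a 5-ms burst, the policer name `limit-1g`) are assumptions made for illustration.

```python
import re

# Limits as stated on this page.
BW_MIN_BPS, BW_MAX_BPS = 32_000, 102_300_000_000
BURST_MIN_BYTES, BURST_MAX_BYTES = 1, 2_147_450_880
NAME_RE = re.compile(r"[A-Za-z0-9-]{1,64}")


def burst_size_bytes(interface_bps, burst_seconds):
    """maximum burst size = interface bandwidth x allowable burst time / 8."""
    return round(interface_bps * burst_seconds / 8)


def check_policer(name, bandwidth_bps, burst_bytes):
    """Return a list of problems; an empty list means every value is in range."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name: letters, numbers and hyphens only, at most 64 characters")
    if not BW_MIN_BPS <= bandwidth_bps <= BW_MAX_BPS:
        problems.append(f"bandwidth limit {bandwidth_bps} bps is outside {BW_MIN_BPS}-{BW_MAX_BPS}")
    if not BURST_MIN_BYTES <= burst_bytes <= BURST_MAX_BYTES:
        problems.append(f"burst size {burst_bytes} bytes is outside {BURST_MIN_BYTES}-{BURST_MAX_BYTES}")
    return problems


def filter_ceiling_bps(bandwidth_bps, referencing_terms, filter_specific):
    """Total bandwidth the filter admits through this policer.

    Default: one policer instance per referencing term, each enforcing the limit.
    Filter-specific: a single shared instance, so the limit applies in aggregate.
    """
    instances = 1 if filter_specific else referencing_terms
    return bandwidth_bps * instances


if __name__ == "__main__":
    # Constructed sample: 10-Gbps interface, 5-ms burst, 1-Gbps policer used in 3 terms.
    burst = burst_size_bytes(10_000_000_000, 0.005)
    print("burst-size limit:", burst, "bytes")
    print("problems:", check_policer("limit-1g", 1_000_000_000, burst))
    for shared in (False, True):
        label = "filter-specific" if shared else "per-term instances"
        print(label, filter_ceiling_bps(1_000_000_000, 3, shared), "bps")
```

Running the ceiling check before commit shows when a policer meant as an overall cap is reused across terms without being filter-specific and therefore admits a multiple of the intended rate.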

Configuring Three-Color Policers

To configure a three-color policer:

  1. Specify the name of the policer and (optionally) whether to automatically discard packets with high loss priority (PLP):
  2. Specify whether the three-color policer should be single-rate or two-rate and whether it should be color-aware or color-blind:
  3. For single-rate three-color policers, configure the CIR, CBS, and EBS:
  4. For two-rate three-color policers, configure the CIR, CBS, PIR, and PBS:

Specifying Policers in a Firewall Filter Configuration

To use a two-color policer, configure a filter term that includes the action policer:

For example, the following commands apply a two-color policer to all packets sent from 192.0.2.0/24.

To use a three-color policer, configure a filter term that includes the action three-color-policer:

For example, the following commands apply a single-rate three-color policer to all packets received or sent by interface ge-0/0/6 (depending on whether the filter is an ingress or egress filter).

You must specify whether the three-color policer is single-rate or two-rate, and this must match the policer itself. Otherwise, the configuration listing includes an error message indicating that the three-color policer you referenced in the filter does not exist.

Applying a Firewall Filter That Includes a Policer

A firewall filter that includes one or more policer action modifiers must be applied to a port, VLAN, or Layer 3 interface like any other filter. For information about applying firewall filters, see Configuring Firewall Filters.

Note:

You can include two-color policer actions on ingress firewall filters only. You can include three-color policer actions on ingress and egress filters.