Configuring Two-Color and Three-Color Policers to Control Traffic Rates
You can rate-limit traffic by configuring a policer and specifying it as an action modifier for a term in a firewall filter. By default, if you specify the same policer in multiple terms, Junos OS creates a separate policer instance for each term and applies rate limiting separately for each instance. For example, if you configure a policer to discard traffic that exceeds 1 Gbps and reference that policer in three different terms, each policer instance enforces a 1-Gbps limit. In this case, the total bandwidth allowed by the filter is 3 Gbps.
You can also configure a policer to be filter-specific, which means that Junos OS creates only one policer instance regardless of how many times the policer is referenced. When you do this, rate limiting is applied in aggregate, so if you configure a policer to discard traffic that exceeds 1 Gbps and reference that policer in three different terms, the total bandwidth allowed by the filter is 1 Gbps.
You can include two-color policer actions on ingress firewall filters only. You can include three-color policer actions on ingress and egress filters.
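The per-term versus filter-specific behavior described above can be audited from a configuration export. The following Python script is an added example, not part of the original documentation; the sample configuration (including the policer shared1, family inet, and the rates) and the helper name effective_limits are constructed for illustration. It counts how many policer instances each filter creates and the resulting aggregate ceiling.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" format; names and rates are illustrative.
SAMPLE = """\
set firewall policer policer1 if-exceeding bandwidth-limit 1g
set firewall policer policer1 then discard
set firewall policer shared1 filter-specific
set firewall policer shared1 if-exceeding bandwidth-limit 500m
set firewall policer shared1 then discard
set firewall family inet filter limit-hosts term term1 then policer policer1
set firewall family inet filter limit-hosts term term2 then policer policer1
set firewall family inet filter limit-hosts term term3 then policer policer1
set firewall family inet filter limit-hosts term term4 then policer shared1
set firewall family inet filter limit-hosts term term5 then policer shared1
"""

UNITS = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}

def effective_limits(config):
    """Return {(filter, policer): (instances, aggregate_bps)} for two-color policers."""
    rate, shared, terms = {}, set(), defaultdict(set)
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"set firewall policer (\S+) (.+)$", line)
        if m:
            name, rest = m.groups()
            if rest == "filter-specific":
                shared.add(name)  # one instance per filter, however many terms use it
            bw = re.match(r"if-exceeding bandwidth-limit (\d+)([kmg]?)$", rest)
            if bw:
                rate[name] = int(bw.group(1)) * UNITS[bw.group(2)]
            continue
        m = re.match(r"set firewall family \S+ filter (\S+) term (\S+) then policer (\S+)$", line)
        if m:
            terms[(m.group(1), m.group(3))].add(m.group(2))
    result = {}
    for (flt, pol), term_set in terms.items():
        instances = 1 if pol in shared else len(term_set)  # default: one instance per term
        result[(flt, pol)] = (instances, instances * rate.get(pol, 0))
    return result

if __name__ == "__main__":
    for (flt, pol), (n, bps) in sorted(effective_limits(SAMPLE).items()):
        print(f"{flt}: policer {pol}: {n} instance(s), aggregate ceiling {bps / 1e9:g} Gbps")
```

A policer whose reported ceiling is a multiple of its configured rate is being instantiated once per term; if the intent was a single shared limit, that policer needs to be filter-specific.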
Configuring Two-Color Policers
To configure a two-color policer:
Configuring Three-Color Policers
To configure a three-color policer:
Specifying Policers in a Firewall Filter Configuration
To use a two-color policer, configure a filter term that includes the action policer:
[edit firewall family family-name]
user@switch# set filter filter-name term name then policer name
For example, the following commands apply a two-color policer to all packets sent from 192.0.2.0/24.
[edit firewall family family-name]
user@switch# set filter limit-hosts term term1 from source-address 192.0.2.0/24
user@switch# set filter limit-hosts term term1 then policer policer1
To use a three-color policer, configure a filter term that includes the action three-color-policer:
[edit firewall family name]
user@switch# set filter name term name from match-condition
user@switch# set filter name term name then three-color-policer (single-rate | two-rate) name
For example, the following commands apply a single-rate three-color policer to all packets received or sent by interface ge-0/0/6 (depending on whether the filter is an ingress or egress filter).
[edit firewall family name]
user@switch# set filter srTCM term term-one from interface ge-0/0/6
user@switch# set filter srTCM term term-one then three-color-policer single-rate srTCM1-ca
You must specify whether the three-color policer is single-rate or two-rate, and this must match the policer itself. Otherwise, the configuration listing includes an error message indicating that the three-color policer you referenced in the filter does not exist.
Applying a Firewall Filter That Includes a Policer
A firewall filter that includes one or more policer action modifiers must be applied to a port, VLAN, or Layer 3 interface like any other filter. For information about applying firewall filters, see Configuring Firewall Filters.