On ACX Series routers, two-level ingress hierarchical
policing is supported. Single-level policers define a single bandwidth
profile. You must first define the child or subordinate policers and
associate or link them with the aggregate parent policer, which is
globally applicable for the entire system. You can configure the mode
of hierarchical or aggregate policing for the child policers, such
as peak mode, guarantee mode, or hybrid mode of policing.
Note: Hierarchical policer is not applicable on ACX5048,
ACX5096,
ACX7332, ACX7348, ACX7059, ACX7024, ACX7024X, and ACX7100 routers.
Note: The hierarchical policing mechanism on ACX routers is
different from the hierarching policing capability supported on MX
Series routers. On MX Series routers, with a hierarchical policer,
only one child or subordinate policer can be configured under a parent,
top-level policer, whereas on ACX Series routers, you can aggregate
and specify multiple child policers under a single parent policer
under the [edit firewall]
hierarchy level. The hierarchical
policing methodology on ACX routers is also called aggregate policing.
The hierarchical-policer
statement and its substatements
at the [edit firewall]
hierarchy level that are supported
on MX Series routers are not available for ACX Series routers.
To configure child or micro policers for an aggregate
parent policer and associate the parent policer with the child policers:
- Configure one normal policer as a child policer and specify
the aggregate policing mode.
user@host# set policer mi_pol_1 if-exceeding bandwidth-limit 25m
user@host# set policer mi_pol_1 if-exceeding burst-size-limit 3k
user@host# set policer mi_pol_1 if-exceeding aggregate-policing policer mi_pol_x aggregate-sharing-mode peak;
user@host# set policer mi_pol_1 then discard
- Configure another normal policer as a child policer and
specify the aggregate policing mode. The
aggregate-sharing-mode
option is a Packet Forwarding Engine statement.user@host# set policer mi_pol_2 if-exceeding bandwidth-limit 30m
user@host# set policer mi_pol_2 if-exceeding burst-size-limit 30k
user@host# set policer mi_pol_2 if-exceeding aggregate-policing policer mi_pol_x aggregate-sharing-mode peak;
user@host# set policer mi_pol_2 then discard
- Define the aggregate parent policer as the global policer
for the system. The
aggregate-sharing-mode
option is a
Packet Forwarding Engine statement.user@host# set policer mi_pol_x if-exceeding bandwidth-limit 55m
user@host# set policer mi_pol_x if-exceeding burst-size-limit 35k
user@host# set policer mi_pol_x aggregate global
- Verify the settings of all policer templates configured
by using the
show filter policer template
command.user@host# show filter policer template
AppType Template name Bw limit-bits/sec Burst-bytes Action Options
------- ------------- ----------------- ----------- --------------
0 mi_pol_1
25000000 3000 DROP
Aggregate Child of mi_pol_x mode=2
0 mi_pol_2
30000000 30000 DROP
Aggregate Child of mi_pol_x mode=2
0 mi_pol_x
55000000 35000 DROP
Aggregate Parent
- View the configured policer instances that are linked
to the aggregate parent policer by using the
show filter aggregate-policer
command.user@host# show filter aggregate-policer p1
CHILDREN
-------
#1) [UNI1_filtermi_pol_trtcm1-t2] CBS[1000]kB; CIR[10000]kbps; CBS[2000]kB; PIR[30000]kbps; Agg mode = 3;
#2) [UNI2_filtermi_pol_trtcm2-t2] CBS[1000]kB; CIR[15000]kbps; CBS[2000]kB; PIR[35000]kbps; Agg mode = 3;
PARENT
------
[p1] PBS[3000]kB; PIR[38000]kbps;
Sum child CIR[25000]kbps;CBS[2000]kB;
Sum child PIR[65000]kbps;PBS[4000]kB;
Max child CIR[15000]kbps;CBS[1000]kB;
Max child PIR[35000]kbps;PBS[2000]kB;
RESULTS
-------
STATUS = OK
The show filter policer template
and show filter
aggregate-policer
CLI commands need to be run at the PFE level.
To go to the PFE level, you need to:
Enter the start shell
CLI command.
user@host> start shell
Establish a vty session by entering the vty
shell command followed by the executable name for the component.
For example, vty feb0
.
user@host% vty feb0
Type the show filter policer ...
CLI command.