Hierarchical Policers
Hierarchical Policer Overview
You can use a hierarchical policer to rate-limit ingress Layer 2 traffic at a physical or logical interface and apply different policing actions based on whether the packets are classified for expedited forwarding (EF) or for a lower priority.
Hierarchical policing is supported on M40e, M120, and M320 edge routers with incoming Flexible PIC Concentrators (FPCs) as SFPC and outgoing FPCs as FFPC, and on MX Series, T320, T640, and T1600 core routers with Enhanced Intelligent Queuing (IQE) PICs.
You can apply hierarchical policing to a logical interface.
A hierarchical policer configuration defines two policers—one for EF traffic only and another for non-EF traffic—that function in a hierarchical manner:
- Premium policer—You configure the premium policer with traffic limits for high-priority EF traffic only: a guaranteed bandwidth and a corresponding burst-size limit. EF traffic is categorized as nonconforming when its average arrival rate exceeds the guaranteed bandwidth and its average packet size exceeds the premium burst-size limit. For a premium policer, the only configurable action for nonconforming traffic is to discard the packets.
- Aggregate policer—You configure the aggregate policer with an aggregate bandwidth (to accommodate both high-priority EF traffic up to the guaranteed bandwidth and normal-priority non-EF traffic) and a burst-size limit for non-EF traffic only. Non-EF traffic is categorized as nonconforming when its average arrival rate exceeds the amount of aggregate bandwidth not currently consumed by EF traffic and its average packet size exceeds the burst-size limit defined in the aggregate policer. For an aggregate policer, the configurable actions for nonconforming traffic are to discard the packets, assign a forwarding class, or assign a packet loss priority (PLP) level.
You must configure the bandwidth limit of the premium policer at or below the bandwidth limit of the aggregate policer. If the two bandwidth limits are equal, then non-EF traffic passes through the interface unrestricted only while no EF traffic arrives at the interface.
EF traffic is guaranteed the bandwidth specified as the premium bandwidth limit, while non-EF traffic is rate-limited to the amount of aggregate bandwidth not currently consumed by the EF traffic. Non-EF traffic is rate-limited to the entire aggregate bandwidth only while no EF traffic is present.
For example, suppose that you configure a hierarchical policer with the following components:
- Premium policer with bandwidth limit set to 2 Mbps, burst-size limit set to 3000 bytes, and nonconforming action set to discard packets.
- Aggregate policer with bandwidth limit set to 10 Mbps, burst-size limit set to 3000 bytes, and nonconforming action set to discard packets.
EF traffic is guaranteed a bandwidth of 2 Mbps. Bursts of EF traffic—EF traffic that arrives at the interface at rates above 2 Mbps—can also pass through the interface provided sufficient tokens are available in the 3000-byte bucket. When no tokens are available for a burst of non-EF traffic, packets are rate-limited using policing actions for the premium policer.
Non-EF traffic is metered to a bandwidth limit that ranges between 8 Mbps and 10 Mbps, depending on the average arrival rate of the EF traffic. Bursts of non-EF traffic—non-EF traffic that arrives at the interface at rates above the current limit for non-EF traffic—also pass through the interface provided sufficient tokens are available in the 3000-byte bucket. When non-EF traffic exceeds the currently allowed bandwidth or when no tokens are available for a burst of non-EF traffic, packets are rate-limited using policing actions for the aggregate policer.
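A simplified simulation of the 2 Mbps / 10 Mbps example above, added here as an illustration and not taken from Juniper documentation or Junos internals. The names HierarchicalPolicer and simulate, the 500-byte packet size, and the rule that conforming EF packets also debit the aggregate bucket are assumptions of this model.

```python
# Added example: simplified two-bucket model, not the Junos implementation.
class HierarchicalPolicer:
    def __init__(self, premium_bps, premium_burst, aggregate_bps, aggregate_burst):
        if premium_bps > aggregate_bps:
            raise ValueError("premium bandwidth limit must not exceed aggregate")
        self.p_rate, self.p_burst = premium_bps / 8, premium_burst      # bytes/s, bytes
        self.a_rate, self.a_burst = aggregate_bps / 8, aggregate_burst
        self.p_tokens, self.a_tokens = float(premium_burst), float(aggregate_burst)
        self.last = 0.0

    def _refill(self, now):
        dt, self.last = now - self.last, now
        self.p_tokens = min(self.p_burst, self.p_tokens + dt * self.p_rate)
        self.a_tokens = min(self.a_burst, self.a_tokens + dt * self.a_rate)

    def offer(self, now, size, ef):
        """Return True when a packet of `size` bytes conforms at time `now`."""
        self._refill(now)
        if ef:
            if self.p_tokens < size:
                return False        # premium policer: nonconforming EF is discarded
            self.p_tokens -= size
            self.a_tokens -= size   # assumption: EF use shrinks the non-EF share
            return True
        if self.a_tokens < size:
            return False            # aggregate policer action applies
        self.a_tokens -= size
        return True

def simulate(ef_bps, non_ef_bps, seconds=10.0, size=500):
    """Offer constant-rate EF and non-EF streams; return passed (EF, non-EF) Mbps."""
    pol = HierarchicalPolicer(2_000_000, 3000, 10_000_000, 3000)  # values from the page
    events = []
    for rate, ef in ((ef_bps, True), (non_ef_bps, False)):
        if rate > 0:
            gap = size * 8 / rate                   # seconds between packets
            events += [(i * gap, ef) for i in range(int(seconds / gap))]
    passed = {True: 0, False: 0}
    for now, ef in sorted(events):
        if pol.offer(now, size, ef):
            passed[ef] += size
    return passed[True] * 8 / seconds / 1e6, passed[False] * 8 / seconds / 1e6
```

With non-EF traffic offered at 20 Mbps, the passed non-EF rate moves from about 10 Mbps with no EF traffic down to about 8 Mbps once EF traffic reaches or exceeds its 2 Mbps guarantee.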
Example: Configuring a Hierarchical Policer
This example shows how to configure a hierarchical policer and apply the policer to ingress Layer 2 traffic at a logical interface on a supported platform.
Requirements
Before you begin, be sure that your environment meets the following requirements:
- The interface on which you apply the hierarchical policer is a SONET interface hosted on one of the following routing platforms:
  - M40e, M120, or M320 edge router with incoming FPCs as SFPC and outgoing FPCs as FFPC.
  - MX Series, T320, T640, or T1600 core router with Enhanced Intelligent Queuing (IQE) PICs.
- No other policer is applied to the input of the interface on which you apply the hierarchical policer.
- You are aware that, if you apply the hierarchical policer to a logical interface on which an input filter is also applied, the policer is executed first.
Overview
In this example, you configure a hierarchical policer and apply the policer to ingress Layer 2 traffic at a logical interface.
Topology
You apply the policer to the SONET logical interface so-1/0/0.0, which you configure for IPv4 and VPLS traffic. When you apply the hierarchical policer to that logical interface, both IPv4 and VPLS traffic is hierarchically rate-limited.
You also configure the logical interface so-1/0/0.1 for MPLS traffic. If you choose to apply the hierarchical policer to physical interface so-1/0/0, hierarchical policing would apply to IPv4 and VPLS traffic at so-1/0/0.0 and to MPLS traffic at so-1/0/0.1.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Defining the Interfaces
- Defining the Forwarding Classes
- Configuring the Hierarchical Policer
- Applying the Hierarchical Policer to Layer 2 Ingress Traffic at a Physical or Logical Interface
CLI Quick Configuration
To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
    set interfaces so-1/0/0 unit 0 family inet address 192.168.1.1/24
    set interfaces so-1/0/0 unit 0 family vpls
    set interfaces so-1/0/0 unit 1 family mpls
    set class-of-service forwarding-classes class fc0 queue-num 0 priority high policing-priority premium
    set class-of-service forwarding-classes class fc1 queue-num 1 priority low policing-priority normal
    set class-of-service forwarding-classes class fc2 queue-num 2 priority low policing-priority normal
    set class-of-service forwarding-classes class fc3 queue-num 3 priority low policing-priority normal
    set firewall hierarchical-policer policer1 aggregate if-exceeding bandwidth-limit 300m burst-size-limit 30k
    set firewall hierarchical-policer policer1 aggregate then forwarding-class fc1
    set firewall hierarchical-policer policer1 premium if-exceeding bandwidth-limit 100m burst-size-limit 50k
    set firewall hierarchical-policer policer1 premium then discard
    set interfaces so-1/0/0 unit 0 layer2-policer input-hierarchical-policer policer1
Defining the Interfaces
Step-by-Step Procedure
To define the interfaces:
Enable configuration of the physical interface.
    [edit]
    user@host# edit interfaces so-1/0/0
Configure logical unit 0.
    [edit interfaces so-1/0/0]
    user@host# set unit 0 family inet address 192.168.1.1/24
    user@host# set unit 0 family vpls
If you apply a Layer 2 policer to this logical interface, you must configure at least one protocol family.
Configure logical unit 1.
    [edit interfaces so-1/0/0]
    user@host# set unit 1 family mpls
Results
Confirm the configuration of the interfaces by entering the show interfaces configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
    [edit]
    user@host# show interfaces
    so-1/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
            family vpls;
        }
        unit 1 {
            family mpls;
        }
    }
Defining the Forwarding Classes
Step-by-Step Procedure
To define the forwarding classes referenced as aggregate policer actions:
Enable configuration of the forwarding classes.
    [edit]
    user@host# edit class-of-service forwarding-classes
Define the forwarding classes.
    [edit class-of-service forwarding-classes]
    user@host# set class fc0 queue-num 0 priority high policing-priority premium
    user@host# set class fc1 queue-num 1 priority low policing-priority normal
    user@host# set class fc2 queue-num 2 priority low policing-priority normal
    user@host# set class fc3 queue-num 3 priority low policing-priority normal
Results
Confirm the configuration of the forwarding classes referenced as aggregate policer actions by entering the show class-of-service configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
    [edit]
    user@host# show class-of-service
    forwarding-classes {
        class fc0 queue-num 0 priority high policing-priority premium;
        class fc1 queue-num 1 priority low policing-priority normal;
        class fc2 queue-num 2 priority low policing-priority normal;
        class fc3 queue-num 3 priority low policing-priority normal;
    }
Configuring the Hierarchical Policer
Step-by-Step Procedure
To configure a hierarchical policer:
Enable configuration of the hierarchical policer.
    [edit]
    user@host# edit firewall hierarchical-policer policer1
Configure the aggregate policer.
    [edit firewall hierarchical-policer policer1]
    user@host# set aggregate if-exceeding bandwidth-limit 300m burst-size-limit 30k
    user@host# set aggregate then forwarding-class fc1
For the aggregate policer, the configurable actions for a packet in a nonconforming flow are to discard the packet, change the loss priority, or change the forwarding class.
Configure the premium policer.
    [edit firewall hierarchical-policer policer1]
    user@host# set premium if-exceeding bandwidth-limit 100m burst-size-limit 50k
    user@host# set premium then discard
The bandwidth limit for the premium policer must not be greater than that of the aggregate policer.
For the premium policer, the only configurable action for a packet in a nonconforming traffic flow is to discard the packet.
Results
Confirm the configuration of the hierarchical policer by entering the show firewall configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
    [edit]
    user@host# show firewall
    hierarchical-policer policer1 {
        aggregate {
            if-exceeding {
                bandwidth-limit 300m;
                burst-size-limit 30k;
            }
            then {
                forwarding-class fc1;
            }
        }
        premium {
            if-exceeding {
                bandwidth-limit 100m;
                burst-size-limit 50k;
            }
            then {
                discard;
            }
        }
    }
Applying the Hierarchical Policer to Layer 2 Ingress Traffic at a Physical or Logical Interface
Step-by-Step Procedure
To hierarchically rate-limit Layer 2 ingress traffic for IPv4 and VPLS traffic only on logical interface so-1/0/0.0, reference the policer from the logical interface configuration:
Enable configuration of the logical interface.
    [edit]
    user@host# edit interfaces so-1/0/0 unit 0
When you apply a policer to Layer 2 traffic at a logical interface, you must define at least one protocol family for the logical interface.
Apply the policer to the logical interface.
    [edit interfaces so-1/0/0 unit 0]
    user@host# set layer2-policer input-hierarchical-policer policer1
Alternatively, to hierarchically rate-limit Layer 2 ingress traffic for all protocol families and for all logical interfaces configured on physical interface so-1/0/0, you could reference the policer from the physical interface configuration.
Results
Confirm the configuration of the hierarchical policer by entering the show interfaces configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
    [edit]
    user@host# show interfaces
    so-1/0/0 {
        unit 0 {
            layer2-policer {
                input-hierarchical-policer policer1;
            }
            family inet {
                address 192.168.1.1/24;
            }
            family vpls;
        }
        unit 1 {
            family mpls;
        }
    }
If you are done configuring the device, enter commit from configuration mode.
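An offline check of a set-command file against the constraints this page states (premium limit at or below aggregate, premium action limited to discard, referenced forwarding class defined, at least one protocol family on the policed logical interface). This is an added example, not Juniper code; the names lint and to_bps, the decimal unit multipliers, and the trimmed SAMPLE input are assumptions made for illustration.

```python
# Added example (not Juniper code): offline lint of "set" commands against
# the constraints stated on this page.
SAMPLE = """\
set interfaces so-1/0/0 unit 0 family inet address 192.168.1.1/24
set class-of-service forwarding-classes class fc1 queue-num 1 priority low policing-priority normal
set firewall hierarchical-policer policer1 aggregate if-exceeding bandwidth-limit 300m burst-size-limit 30k
set firewall hierarchical-policer policer1 aggregate then forwarding-class fc1
set firewall hierarchical-policer policer1 premium if-exceeding bandwidth-limit 100m burst-size-limit 50k
set firewall hierarchical-policer policer1 premium then discard
set interfaces so-1/0/0 unit 0 layer2-policer input-hierarchical-policer policer1
"""  # constructed subset of the quick configuration
UNITS = {"k": 10**3, "m": 10**6, "g": 10**9}  # assumed decimal multipliers

def to_bps(text):
    """Convert a limit such as 300m to bits per second."""
    return int(text[:-1]) * UNITS[text[-1]] if text[-1] in UNITS else int(text)

def lint(config):
    """Return findings; an empty list means every check passed."""
    bw, action, classes, families, applied = {}, {}, set(), set(), []
    for w in (line.split() for line in config.splitlines()):
        if w[:3] == ["set", "firewall", "hierarchical-policer"] and len(w) > 6:
            if w[5] == "if-exceeding" and "bandwidth-limit" in w[:-1]:
                bw[w[3], w[4]] = to_bps(w[w.index("bandwidth-limit") + 1])
            elif w[5] == "then":
                action[w[3], w[4]] = w[6:]
        elif w[:4] == ["set", "class-of-service", "forwarding-classes", "class"] and len(w) > 4:
            classes.add(w[4])
        elif w[:2] == ["set", "interfaces"] and "unit" in w[:-1]:
            unit = f"{w[2]}.{w[w.index('unit') + 1]}"
            if "family" in w:
                families.add(unit)
            if "input-hierarchical-policer" in w[:-1]:
                applied.append((unit, w[-1]))
    out = []
    for name in sorted({n for n, _ in bw}):
        if bw.get((name, "premium"), 0) > bw.get((name, "aggregate"), 0):
            out.append(f"{name}: premium bandwidth-limit exceeds aggregate")
    for (name, tier), act in action.items():
        if tier == "premium" and act != ["discard"]:
            out.append(f"{name}: premium action must be discard")
        if act[0] == "forwarding-class" and act[1:2] and act[1] not in classes:
            out.append(f"{name}: forwarding class {act[1]} is not defined")
    for unit, name in applied:
        if unit not in families:
            out.append(f"{unit}: Layer 2 policer requires a protocol family")
        if (name, "premium") not in bw or (name, "aggregate") not in bw:
            out.append(f"{unit}: policer {name} lacks a premium or aggregate limit")
    return out
```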
Verification
Confirm that the configuration is working properly.
- Displaying Traffic Statistics and Policers for the Logical Interface
- Displaying Statistics for the Policer
Displaying Traffic Statistics and Policers for the Logical Interface
Purpose
Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.
Action
Use the show interfaces operational mode command for logical interface so-1/0/0.0, and include the detail or extensive option. The command output section for Traffic statistics lists the number of bytes and packets received and transmitted on the logical interface, and the Protocol inet section contains a Policer field that would list the policer policer1 as an input or output policer as follows:
    Input: policer1-so-1/0/0.0-inet-i
    Output: policer1-so-1/0/0.0-inet-o
In this example, the policer is applied to logical interface traffic in the input direction only.
Displaying Statistics for the Policer
Purpose
Verify the number of packets evaluated by the policer.
Action
Use the show policer operational mode command and optionally specify the name of the policer. The command output displays the number of packets evaluated by each configured policer (or the specified policer), in each direction.
For the policer policer1, the input and output policer names are displayed as follows:
    policer1-so-1/0/0.0-inet-i
    policer1-so-1/0/0.0-inet-o
The -inet-i suffix denotes a policer applied to IPv4 input traffic, while the -inet-o suffix denotes a policer applied to IPv4 output traffic. In this example, the policer is applied to input traffic only.