Hierarchical Policer Applied as Filter Action
After you define firewall filters and policers, you must apply them for them to take effect.
You can apply the same firewall filter to multiple interfaces at the same time. By default on MX Series routers, these filters aggregate their counters and policing actions when those interfaces share a Packet Forwarding Engine. To override this behavior and make each counter or policer function specific to each interface application, include the interface-specific statement in the firewall filter.
[edit dynamic-profiles profile-name firewall family family filter filter-name]
user@host# set interface-specific
Interface-specific filters are particularly useful for IPTV services where television services are delivered using the IP suite over a packet-switched network instead of being delivered through traditional satellite signal and cable television formats.
Note: When you define an interface-specific filter, you must limit the filter name to no more than 52 bytes. Firewall filter names are restricted to 64 bytes in length and interface-specific filters have the specific-name appended to them to differentiate their counters and policing actions. If the automatically generated filter instance name exceeds this maximum length, the system may reject the filter’s instance name.
Alternatively, you can apply a policer to a logical interface either directly or indirectly through a filter that references the policer function. By default, policers are term-specific. Junos OS creates a separate policer instance when the same policer is referenced in multiple terms of a firewall filter.
Hierarchical policers provide cross-functionality between the configured physical interface and the Packet Forwarding Engine for provider edge applications. You can apply a hierarchical policer as a filter action for premium and aggregate (premium plus normal) traffic levels to a logical interface. Additionally, an interface-specific filter can have a hierarchical policer as a filter action whether or not the hierarchical policer is a logical interface policer.
A logical interface policer (also known as an aggregate policer) can police the traffic from multiple protocol families without requiring a separate instantiation of a policer for each such family on the logical interface. You define a logical interface policer by including the logical-interface-policer statement when defining the policer.
[edit dynamic-profiles profile-name firewall policer policer-name]
user@host# set logical-interface-policer
To apply a logical interface policer on an MX Series router as an action in a firewall filter term, you must specify both the interface-specific statement in the firewall filter and the logical-interface-policer statement in the related policer.
Using a filter to invoke a logical interface filter has the added benefits of increased match flexibility as well as support for two-color policer styles (a policer that classifies traffic into two groups using only the bandwidth-limit and burst-size-limit parameters), which can only be attached at the family level through a filter action.
A non-interface-specific filter can only have a hierarchical policer if no logical interface-specific filter action is specified.
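A pre-commit check for two rules stated above (the 52-byte name limit for interface-specific filters, and the requirement that a filter referencing a logical interface policer also be interface-specific), given as an added example that is not Juniper's code. The sample set lines, the profile, filter and policer names, and the lint function are constructed for illustration.

```python
import re

# Limit stated on this page: an interface-specific filter name must be no
# more than 52 bytes (filter names overall are restricted to 64 bytes).
MAX_INTERFACE_SPECIFIC_NAME = 52

# Constructed sample configuration in "set" form (not from the original page).
SAMPLE = """\
set dynamic-profiles iptv firewall policer lif-pol logical-interface-policer
set dynamic-profiles iptv firewall policer lif-pol if-exceeding bandwidth-limit 10m
set dynamic-profiles iptv firewall policer lif-pol if-exceeding burst-size-limit 100k
set dynamic-profiles iptv firewall policer lif-pol then discard
set dynamic-profiles iptv firewall family inet filter good interface-specific
set dynamic-profiles iptv firewall family inet filter good term t1 then policer lif-pol
set dynamic-profiles iptv firewall family inet filter shared term t1 then policer lif-pol
set dynamic-profiles iptv firewall family inet filter {long} interface-specific
""".format(long="x" * 53)

POLICER = re.compile(r"firewall policer (\S+) logical-interface-policer$")
FILTER = re.compile(r"firewall family (\S+) filter (\S+) (.+)$")
ACTION = re.compile(r"term \S+ then policer (\S+)$")

def lint(config):
    """Return (finding, filter-name) tuples for the two rules checked."""
    lif_policers, specific, refs = set(), set(), []
    for line in config.splitlines():
        line = line.strip()
        m = POLICER.search(line)
        if m:
            lif_policers.add(m.group(1))
            continue
        m = FILTER.search(line)
        if not m:
            continue
        key, rest = (m.group(1), m.group(2)), m.group(3)  # (family, filter)
        if rest == "interface-specific":
            specific.add(key)
        elif ACTION.match(rest):
            refs.append((key, ACTION.match(rest).group(1)))
    findings = []
    for _family, name in sorted(specific):
        if len(name.encode()) > MAX_INTERFACE_SPECIFIC_NAME:
            findings.append(("name-too-long", name))
    for key, policer in refs:
        # A logical interface policer used as a term action needs an
        # interface-specific filter.
        if policer in lif_policers and key not in specific:
            findings.append(("missing-interface-specific", key[1]))
    return findings
```

Run lint over the candidate configuration text before committing; an empty list means neither rule is violated.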