Example: Configuring Hierarchical Policers to Limit Rates of Services in a Static Environment

This example shows how to configure a hierarchical policer and apply the policer to ingress Layer 2 traffic at a logical interface on an MX Series router.

Requirements

Before you begin, be sure that your environment meets the following requirements:

  • The interface on which you apply the hierarchical policer is an interface hosted on an MX Series router.

  • No other policer is applied to the input of the interface on which you apply the hierarchical policer.

  • You are aware that, if you apply the hierarchical policer to a logical interface on which an input filter is also applied, the policer is executed first.

Overview

In this example, you configure a hierarchical policer and apply the policer to ingress Layer 2 traffic at a logical interface. Table 1 describes the hierarchy levels at which you can configure and apply hierarchical policers on logical and physical interfaces.

Table 1: Hierarchical Policer Configuration and Application Summary

Policer Configuration: Hierarchical Policer

Hierarchically rate-limits Layer 2 ingress traffic for all protocol families. Cannot be applied to egress traffic, Layer 3 traffic, or at a specific protocol level of the interface hierarchy. Supported on interfaces on Dense Port Concentrators (DPCs) in MX Series routers.

Aggregate and premium policing components of a hierarchical policer:

[edit dynamic-profiles profile-name firewall]
hierarchical-policer policer-name {
    aggregate {
        if-exceeding {
            bandwidth-limit bps;
            burst-size-limit bytes;
        }
        then {
            discard;
            forwarding-class class-name;
            loss-priority supported-value;
        }
    }
    premium {
        if-exceeding {
            bandwidth-limit bps;
            burst-size-limit bytes;
        }
        then {
            discard;
        }
    }
}

Layer 2 Application: Option A (physical interface)—Apply directly to Layer 2 input traffic on a physical interface:

[edit dynamic-profiles profile-name interfaces]
interface-name {
    layer2-policer {
        input-hierarchical-policer policer-name;
    }
}

Key Points (Option A):

Hierarchically rate-limit Layer 2 ingress traffic for all protocol families and logical interfaces configured on a physical interface.

Include the layer2-policer configuration statement at the [edit dynamic-profiles profile-name interfaces interface-name] hierarchy level.

Note: If you apply a hierarchical policer at a physical interface, you cannot also apply a hierarchical policer to any of the member logical interfaces.

Layer 2 Application: Option B (logical interface)—Apply directly to Layer 2 input traffic on a logical interface:

[edit dynamic-profiles profile-name interfaces]
interface-name {
    unit unit-number {
        layer2-policer {
            input-hierarchical-policer policer-name;
        }
    }
}

Key Points (Option B):

Hierarchically rate-limit Layer 2 ingress traffic for all protocol families configured on a specific logical interface.

Include the layer2-policer configuration statement at the [edit dynamic-profiles profile-name interfaces interface-name unit unit-number] hierarchy level.

Note: You must configure at least one protocol family for the logical interface.

You apply the policer to the Gigabit Ethernet logical interface ge-1/2/0.0, which you configure for IPv4 traffic. When you apply the hierarchical policer to the logical interface, IPv4 traffic is hierarchically rate-limited. If you choose to apply the hierarchical policer to physical interface ge-1/2/0, hierarchical policing applies to IPv4 traffic across the logical interface as well.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

CLI Quick Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

Configuring a Basic Dynamic Profile for Subscriber Management

Step-by-Step Procedure

A dynamic profile is a set of characteristics, defined in a type of template, that you can use to provide dynamic subscriber access and services for broadband applications. These services are assigned dynamically to interfaces. A basic profile must contain a profile name and have both an interface variable name (such as $junos-interface-ifd-name) included at the [edit dynamic-profiles profile-name interfaces] hierarchy level and a logical interface variable name (such as $junos-underlying-interface-unit or $junos-interface-unit) at the [edit dynamic-profiles profile-name interfaces variable-interface-name unit] hierarchy level.

  1. Create the new dynamic profile.

  2. Define the interface-name variable statement with the internal $junos-interface-ifd-name variable used by the router to match the interface name of the receiving interface.

  3. Define the variable-interface-name unit statement with the internal variable.

    • When referencing an existing interface, specify the $junos-underlying-interface-unit variable used by the router to match the unit value of the receiving interface.

    or

    • When creating dynamic interfaces, specify the $junos-interface-unit variable used by the router to generate a unit value for the interface.

  4. Define the family address type (inet for IPv4) for the $junos-interface-unit variable.

Results

Confirm the configuration of the dynamic profile by entering the show dynamic-profiles configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring the Interfaces

Step-by-Step Procedure

Define the physical and logical interfaces for this hierarchical policer example.

  1. Configure the physical interface.

  2. Configure the logical interface as unit 0 with its IPv4 (inet) protocol family interface.

    Note:

    If you apply a Layer 2 policer to this logical interface, you must configure at least one protocol family.

Results

Confirm the configuration by entering the show dynamic-profiles basic-profile interfaces configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Configuring the Firewall Filter

Step-by-Step Procedure

To configure a hierarchical policer as a filter action, you must first configure a firewall filter.

  1. Configure the family address type (inet for IPv4) for the firewall filter and specify the filter name.

    We recommend that you name the filter something that indicates the filter’s purpose.

  2. To override the aggregation of the counters and policing actions and make each counter or policy function specific to each interface application, include the interface-specific statement in the filter.

  3. Specify the term names for the filter.

    Make each term name unique and descriptive of the term's function.

  4. In each firewall filter term, specify the conditions used to match components of a packet.

    Configure the first term to match IPv4 packets received through TCP with the IP precedence field critical-ecp (0xa0), and apply the hierarchical policer as a filter action.

  5. Specify the actions to take when the packet matches all of the conditions in the first term. Enable all hierarchical policers in one filter to share the same policer instance in the Packet Forwarding Engine.

  6. Configure the second term to match IPv4 packets received through TCP with the IP precedence field internet-control (0xc0), and apply the hierarchical policer as a filter action.

  7. Specify the actions to take when the packet matches all of the conditions in the second term.

Results

Confirm the configuration by entering the show dynamic-profiles basic-profile firewall configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Configuring the Forwarding Classes

Step-by-Step Procedure

Define forwarding classes referenced as aggregate policer actions. For hierarchical policers to work, ingress traffic must be correctly classified into premium and non-premium buckets. Some class-of-service (CoS) configuration is required because the hierarchical policer must be able to separate premium/expedited forwarding (EF) traffic from non-premium/non-EF traffic.

  1. Enable configuration of the forwarding classes.

  2. Define CoS forwarding classes to include the designation of which forwarding class is premium. This defaults to the forwarding class associated with EF traffic.

Results

Confirm the configuration of the forwarding classes referenced as aggregate policer actions by entering the show class-of-service configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Configuring the Hierarchical Policer

Step-by-Step Procedure

Configure the aggregate and premium policing components of a hierarchical policer.

  1. Enable configuration of the hierarchical policer.

  2. Configure the aggregate policer to have a bandwidth limit set to 10 Mbps, burst-size limit set to 100 KB, and nonconforming action set to change the forwarding class to fc1.

    Note:

    For aggregate policers, the configurable actions for a packet in a nonconforming flow are to discard the packet, change the loss priority, or change the forwarding class.

  3. Configure the premium policer to have a bandwidth limit set to 2 Mbps, burst-size limit set to 50 KB, and nonconforming action set to discard packets.

    Note:

    The bandwidth limit for the premium policer must not be greater than that of the aggregate policer. For the premium policers, the only configurable action for a packet in a nonconforming traffic flow is to discard the packet.

Results

Confirm the configuration of the hierarchical policer by entering the show dynamic-profiles basic-profile firewall configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
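
The constraints stated in the notes of this procedure (premium bandwidth no greater than aggregate, discard as the only premium action, three permitted aggregate actions) can be checked offline before a commit. The following Python lint is an added example, not Juniper code; parse, to_number and lint are hypothetical helper names, and it assumes the stanza is passed without its [edit ...] banner and that both components carry a bandwidth-limit.

```python
import re

UNITS = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}  # Junos decimal suffixes
AGGREGATE_ACTIONS = {"discard", "loss-priority", "forwarding-class"}

def parse(text):
    """Turn curly-brace Junos configuration into nested dicts."""
    stack = [{}]
    for stmt, delim in re.findall(r"([^{};]*)([{};])", text):
        stmt = " ".join(stmt.split())
        if delim == "{":                        # open a stanza
            stack.append(stack[-1].setdefault(stmt, {}))
        elif delim == "}" and len(stack) > 1:   # close it
            stack.pop()
        elif delim == ";" and stmt:             # leaf: keyword [argument]
            key, _, value = stmt.partition(" ")
            stack[-1][key] = value
    return stack[0]

def to_number(value):
    match = re.fullmatch(r"(\d+)([kmg]?)", value.lower())
    if not match:
        raise ValueError(f"unrecognised limit: {value!r}")
    return int(match.group(1)) * UNITS[match.group(2)]

def lint(text):
    """Return a list of findings for each hierarchical-policer stanza."""
    findings = []
    policers = {k.split()[1]: v for k, v in parse(text).items()
                if k.startswith("hierarchical-policer ")}
    for name, body in policers.items():
        agg, prem = body.get("aggregate", {}), body.get("premium", {})
        agg_bw = to_number(agg["if-exceeding"]["bandwidth-limit"])
        prem_bw = to_number(prem["if-exceeding"]["bandwidth-limit"])
        if prem_bw > agg_bw:
            findings.append(f"{name}: premium bandwidth-limit exceeds aggregate")
        findings += [f"{name}: premium action {a} is not discard"
                     for a in prem.get("then", {}) if a != "discard"]
        findings += [f"{name}: aggregate action {a} is not allowed"
                     for a in agg.get("then", {}) if a not in AGGREGATE_ACTIONS]
    return findings

# Policer from this example's steps, written compactly.
GOOD = ("hierarchical-policer policer-agg-prem { aggregate { if-exceeding { "
        "bandwidth-limit 10m; burst-size-limit 100k; } then { forwarding-class fc1; } } "
        "premium { if-exceeding { bandwidth-limit 2m; burst-size-limit 50k; } "
        "then { discard; } } }")
# Constructed failing variant: premium above aggregate, premium reclassifies.
BAD = GOOD.replace(" 2m", " 20m").replace("discard", "loss-priority high")
```

Calling lint(GOOD) returns an empty list, while lint(BAD) returns one finding per violated constraint.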

Applying the Hierarchical Policer to Layer 2 Ingress Traffic at a Physical or Logical Interface

Step-by-Step Procedure

You can apply policers directly to an interface or apply them through a filter to affect only matching traffic. In most cases, you can invoke a policing function at ingress, egress, or in both directions.

  • For physical interfaces, a hierarchical policer uses a single policer instance to rate-limit all logical interfaces and protocol families configured on a physical interface, even if the logical interfaces have mutually exclusive families such as inet or bridge.

  • For logical interfaces, a hierarchical policer can police the traffic from multiple protocol families without requiring a separate instantiation of a policer for each such family on the logical interface.

To hierarchically rate-limit Layer 2 ingress traffic for IPv4 traffic on logical interface ge-1/2/0.0, reference the policer from the logical interface configuration.

  1. Configure the logical interface.

    When you apply a policer to Layer 2 traffic at a logical interface, you must define at least one protocol family for the logical interface.

  2. Apply the policer to the logical interface.

    Alternatively, to hierarchically rate-limit Layer 2 ingress traffic for all protocol families and for all logical interfaces configured on physical interface ge-1/2/0, reference the policer from the physical interface configuration.

Results

Confirm the configuration of the hierarchical policer by entering the show dynamic-profiles basic-profile interfaces configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Verification

Confirm that the configuration is working properly.

Displaying Traffic Statistics for the Interface

Purpose

Verify the traffic flow through the physical interface.

Action

Use the show interfaces operational mode command for physical interface ge-1/2/0, and include the detail or extensive option.

Meaning

The command output section for Traffic statistics lists the number of bytes and packets received and transmitted on the interface.

Displaying Number of Packets Policed by the Specified Policer

Purpose

Verify the number of packets evaluated by the policer. Premium policer counters are not supported.

Action

Use the show policer operational mode command and optionally specify the name of the policer policer-agg-prem. The command output displays the number of packets evaluated by the specified policer in each direction.

The -inet-i suffix denotes a policer applied to IPv4 input traffic. In this example, the policer is applied to input traffic only.

Meaning

The command output displays the number of packets evaluated by the specified policer in each direction.