Configure Enhanced Hierarchical Policer (Junos OS Evolved)
This example shows how to configure an enhanced hierarchical policer (the enhanced-hierarchical-policer statement) under a dynamic profile using four levels of traffic priority: high, medium-high, medium-low, and low. To learn more about enhanced hierarchical policer functionality, see Enhanced Hierarchical Policer Overview (Junos OS Evolved).
The following steps require you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
- Configure prefix list to enable the dynamic profile to classify traffic based
on IP prefixes. This allows the enhanced hierarchical policer to selectively
apply rate-limiting policies to those matched prefixes.
    [edit]
    set policy-options prefix-list v4-16-17 172.16.100.100/32
    set policy-options prefix-list v4-16-17 172.17.100.100/32
    set policy-options prefix-list v4-18-19 172.18.100.100/32
    set policy-options prefix-list v4-18-19 172.19.100.100/32
    set policy-options prefix-list v4-20-21 172.20.100.100/32
    set policy-options prefix-list v4-20-21 172.21.100.100/32
    set policy-options prefix-list v4-22-23 172.22.100.100/32
    set policy-options prefix-list v4-22-23 172.23.100.100/32
    set policy-options prefix-list v6-16-17 172:16:100:100::0/64
    set policy-options prefix-list v6-16-17 172:17:100:100::0/64
    set policy-options prefix-list v6-18-19 172:18:100:100::0/64
    set policy-options prefix-list v6-18-19 172:19:100:100::0/64
    set policy-options prefix-list v6-20-21 172:20:100:100::0/64
    set policy-options prefix-list v6-20-21 172:21:100:100::0/64
    set policy-options prefix-list v6-22-23 172:22:100:100::0/64
    set policy-options prefix-list v6-22-23 172:23:100:100::0/64
- Create a dynamic profile.
    [edit]
    set dynamic-profiles pppoe-client-enh-hpol-profile-scaling
- Configure variables within the dynamic profile. They act as placeholders or
keys with dynamically assigned values sourced from a RADIUS server during
subscriber authentication.
    [edit dynamic-profiles pppoe-client-enh-hpol-profile-scaling]
    set variables upstream-inet uid
    set variables mef_prof uid
    set variables upstream-inet6 uid
- Configure the default values for the predefined variables. These default values are used
when the RADIUS server does not supply a value.
    [edit dynamic-profiles pppoe-client-enh-hpol-profile-scaling]
    set predefined-variable-defaults hpolicer-high-cir 50k
    set predefined-variable-defaults hpolicer-high-max-cir 50k
    set predefined-variable-defaults hpolicer-high-committed-burst 1k
    set predefined-variable-defaults hpolicer-med-high-cir 50k
    set predefined-variable-defaults hpolicer-med-high-max-cir 65k
    set predefined-variable-defaults hpolicer-med-high-committed-burst 1k
    set predefined-variable-defaults hpolicer-med-low-cir 50k
    set predefined-variable-defaults hpolicer-med-low-max-cir 80k
    set predefined-variable-defaults hpolicer-med-low-committed-burst 1k
    set predefined-variable-defaults hpolicer-low-cir 50k
    set predefined-variable-defaults hpolicer-low-max-cir 100k
    set predefined-variable-defaults hpolicer-low-committed-burst 1k
- Create an enhanced hierarchical policer under the dynamic profile hierarchy. Also,
include the logical-interface-policer statement to define traffic rate limiting of input traffic for both inet and inet6 families on the same logical interface without needing to create multiple instances of the policer.
    [edit dynamic-profiles pppoe-client-enh-hpol-profile-scaling]
    set firewall enhanced-hierarchical-policer "$mef_prof" logical-interface-policer
- Define committed information rate (CIR), maximum committed information rate
(MAX CIR), and committed burst size (CBS) for the four traffic priorities: high,
medium-high, medium-low, and low.
    [edit dynamic-profiles pppoe-client-enh-hpol-profile-scaling]
    set firewall enhanced-hierarchical-policer "$mef_prof" high committed-burst-size "$junos-hpolicer-high-committed-burst"
    set firewall enhanced-hierarchical-policer "$mef_prof" high committed-information-rate "$junos-hpolicer-high-cir"
    set firewall enhanced-hierarchical-policer "$mef_prof" high max-committed-information-rate "$junos-hpolicer-high-max-cir"
    set firewall enhanced-hierarchical-policer "$mef_prof" high then discard
    set firewall enhanced-hierarchical-policer "$mef_prof" medium-high committed-burst-size "$junos-hpolicer-med-high-committed-burst"
    set firewall enhanced-hierarchical-policer "$mef_prof" medium-high committed-information-rate "$junos-hpolicer-med-high-cir"
    set firewall enhanced-hierarchical-policer "$mef_prof" medium-high max-committed-information-rate "$junos-hpolicer-med-high-max-cir"
    set firewall enhanced-hierarchical-policer "$mef_prof" medium-high then discard
    set firewall enhanced-hierarchical-policer "$mef_prof" medium-low committed-burst-size "$junos-hpolicer-med-low-committed-burst"
    set firewall enhanced-hierarchical-policer "$mef_prof" medium-low committed-information-rate "$junos-hpolicer-med-low-cir"
    set firewall enhanced-hierarchical-policer "$mef_prof" medium-low max-committed-information-rate "$junos-hpolicer-med-low-max-cir"
    set firewall enhanced-hierarchical-policer "$mef_prof" medium-low then discard
    set firewall enhanced-hierarchical-policer "$mef_prof" low committed-burst-size "$junos-hpolicer-low-committed-burst"
    set firewall enhanced-hierarchical-policer "$mef_prof" low committed-information-rate "$junos-hpolicer-low-cir"
    set firewall enhanced-hierarchical-policer "$mef_prof" low max-committed-information-rate "$junos-hpolicer-low-max-cir"
    set firewall enhanced-hierarchical-policer "$mef_prof" low then discard
- Configure firewall filter under dynamic profiles with enhanced hierarchical
policer and other required filter actions.
    - Specify the family address type (inet for IPv4 and/or inet6 for IPv6)
    for the firewall filter, specify the filter name using a defined
    variable, and include the interface-specific statement to apply the policer function specific to an interface.
        [edit dynamic-profiles pppoe-client-enh-hpol-profile-scaling]
        set firewall family inet filter "$upstream-inet" interface-specific
        set firewall family inet6 filter "$upstream-inet6" interface-specific
    - (Optional) To enable the Packet Forwarding Engine (PFE) to report
    policer statistics to the RADIUS server, include the service-accounting statement. The statistics include the timestamp when the data was collected, along with the total bytes and packets allowed by the policer at each level. The system provides statistics to the RADIUS server for all four policer levels.
        [edit dynamic-profiles pppoe-client-enh-hpol-profile-scaling]
        set firewall family inet filter "$upstream-inet" service-accounting
        set firewall family inet6 filter "$upstream-inet6" service-accounting
    - Specify firewall filter terms based on destination prefixes and
    enhanced hierarchical policer filter actions.
        [edit dynamic-profiles pppoe-client-enh-hpol-profile-scaling]
        set firewall family inet filter "$upstream-inet" term platinum from destination-prefix-list v4-16-17
        set firewall family inet filter "$upstream-inet" term platinum then enhanced-hierarchical-policer "$mef_prof" traffic-priority high
        set firewall family inet filter "$upstream-inet" term gold from destination-prefix-list v4-18-19
        set firewall family inet filter "$upstream-inet" term gold then enhanced-hierarchical-policer "$mef_prof" traffic-priority medium-high
        set firewall family inet filter "$upstream-inet" term silver from destination-prefix-list v4-20-21
        set firewall family inet filter "$upstream-inet" term silver then enhanced-hierarchical-policer "$mef_prof" traffic-priority medium-low
        set firewall family inet filter "$upstream-inet" term dflt then enhanced-hierarchical-policer "$mef_prof" traffic-priority low
        set firewall family inet6 filter "$upstream-inet6" term platinum from destination-prefix-list v6-16-17
        set firewall family inet6 filter "$upstream-inet6" term platinum then enhanced-hierarchical-policer "$mef_prof" traffic-priority high
        set firewall family inet6 filter "$upstream-inet6" term gold from destination-prefix-list v6-18-19
        set firewall family inet6 filter "$upstream-inet6" term gold then enhanced-hierarchical-policer "$mef_prof" traffic-priority medium-high
        set firewall family inet6 filter "$upstream-inet6" term silver from destination-prefix-list v6-20-21
        set firewall family inet6 filter "$upstream-inet6" term silver then enhanced-hierarchical-policer "$mef_prof" traffic-priority medium-low
        set firewall family inet6 filter "$upstream-inet6" term dflt then enhanced-hierarchical-policer "$mef_prof" traffic-priority low
- Configure the logical interface to apply firewall filters.
    [edit dynamic-profiles pppoe-client-enh-hpol-profile-scaling]
    set interfaces pp0 unit "$junos-interface-unit" actual-transit-statistics
    set interfaces pp0 unit "$junos-interface-unit" no-traps
    set interfaces pp0 unit "$junos-interface-unit" ppp-options chap
    set interfaces pp0 unit "$junos-interface-unit" ppp-options pap
    set interfaces pp0 unit "$junos-interface-unit" pppoe-options underlying-interface "$junos-underlying-interface"
    set interfaces pp0 unit "$junos-interface-unit" pppoe-options server
    set interfaces pp0 unit "$junos-interface-unit" keepalives interval 30
    set interfaces pp0 unit "$junos-interface-unit" family inet filter input "$upstream-inet"
    set interfaces pp0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0
    set interfaces pp0 unit "$junos-interface-unit" family inet6 filter input "$upstream-inet6"
    set interfaces pp0 unit "$junos-interface-unit" family inet6 unnumbered-address lo0.0
- (Optional) Confirm the configuration by entering the
show dynamic-profiles pppoe-client-enh-hpol-profile-scaling command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
    show dynamic-profiles pppoe-client-enh-hpol-profile-scaling | no-more
    variables {
        upstream-inet uid;
        mef_prof uid;
        upstream-inet6 uid;
    }
    predefined-variable-defaults {
        hpolicer-high-cir 50k;
        hpolicer-high-max-cir 50k;
        hpolicer-high-committed-burst 1k;
        hpolicer-med-high-cir 50k;
        hpolicer-med-high-max-cir 65k;
        hpolicer-med-high-committed-burst 1k;
        hpolicer-med-low-cir 50k;
        hpolicer-med-low-max-cir 80k;
        hpolicer-med-low-committed-burst 1k;
        hpolicer-low-cir 50k;
        hpolicer-low-max-cir 100k;
        hpolicer-low-committed-burst 1k;
    }
    interfaces {
        pp0 {
            unit "$junos-interface-unit" {
                actual-transit-statistics;
                no-traps;
                ppp-options {
                    chap;
                    pap;
                }
                pppoe-options {
                    underlying-interface "$junos-underlying-interface";
                    server;
                }
                keepalives interval 30;
                family inet {
                    filter {
                        input "$upstream-inet";
                    }
                    unnumbered-address lo0.0;
                }
                family inet6 {
                    filter {
                        input "$upstream-inet6";
                    }
                    unnumbered-address lo0.0;
                }
            }
        }
    }
    firewall {
        family inet {
            filter "$upstream-inet" {
                interface-specific;
                service-accounting;
                term platinum {
                    from {
                        destination-prefix-list {
                            v4-16-17;
                        }
                    }
                    then {
                        enhanced-hierarchical-policer {
                            "$mef_prof";
                            traffic-priority high;
                        }
                    }
                }
                term gold {
                    from {
                        destination-prefix-list {
                            v4-18-19;
                        }
                    }
                    then {
                        enhanced-hierarchical-policer {
                            "$mef_prof";
                            traffic-priority medium-high;
                        }
                    }
                }
                term silver {
                    from {
                        destination-prefix-list {
                            v4-20-21;
                        }
                    }
                    then {
                        enhanced-hierarchical-policer {
                            "$mef_prof";
                            traffic-priority medium-low;
                        }
                    }
                }
                term dflt {
                    then {
                        enhanced-hierarchical-policer {
                            "$mef_prof";
                            traffic-priority low;
                        }
                    }
                }
            }
        }
        family inet6 {
            filter "$upstream-inet6" {
                interface-specific;
                service-accounting;
                term platinum {
                    from {
                        destination-prefix-list {
                            v6-16-17;
                        }
                    }
                    then {
                        enhanced-hierarchical-policer {
                            "$mef_prof";
                            traffic-priority high;
                        }
                    }
                }
                term gold {
                    from {
                        destination-prefix-list {
                            v6-18-19;
                        }
                    }
                    then {
                        enhanced-hierarchical-policer {
                            "$mef_prof";
                            traffic-priority medium-high;
                        }
                    }
                }
                term silver {
                    from {
                        destination-prefix-list {
                            v6-20-21;
                        }
                    }
                    then {
                        enhanced-hierarchical-policer {
                            "$mef_prof";
                            traffic-priority medium-low;
                        }
                    }
                }
                term dflt {
                    then {
                        enhanced-hierarchical-policer {
                            "$mef_prof";
                            traffic-priority low;
                        }
                    }
                }
            }
        }
        enhanced-hierarchical-policer "$mef_prof" {
            logical-interface-policer;
            high {
                committed-burst-size "$junos-hpolicer-high-committed-burst";
                committed-information-rate "$junos-hpolicer-high-cir";
                max-committed-information-rate "$junos-hpolicer-high-max-cir";
                then discard;
            }
            medium-high {
                committed-burst-size "$junos-hpolicer-med-high-committed-burst";
                committed-information-rate "$junos-hpolicer-med-high-cir";
                max-committed-information-rate "$junos-hpolicer-med-high-max-cir";
                then discard;
            }
            medium-low {
                committed-burst-size "$junos-hpolicer-med-low-committed-burst";
                committed-information-rate "$junos-hpolicer-med-low-cir";
                max-committed-information-rate "$junos-hpolicer-med-low-max-cir";
                then discard;
            }
            low {
                committed-burst-size "$junos-hpolicer-low-committed-burst";
                committed-information-rate "$junos-hpolicer-low-cir";
                max-committed-information-rate "$junos-hpolicer-low-max-cir";
                then discard;
            }
        }
    }
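An offline check of the classification this procedure configures, added here as an example (it is not Juniper code and does not run on the device). It models the filter as first-match-wins, with a term that has no from clause matching everything, over the IPv4 set commands from the steps above; the function names parse, classify and lint are hypothetical.

```python
import ipaddress
import re

# IPv4 subset of the set commands from the procedure above.
CONFIG = """
set policy-options prefix-list v4-16-17 172.16.100.100/32
set policy-options prefix-list v4-16-17 172.17.100.100/32
set policy-options prefix-list v4-18-19 172.18.100.100/32
set policy-options prefix-list v4-18-19 172.19.100.100/32
set policy-options prefix-list v4-20-21 172.20.100.100/32
set policy-options prefix-list v4-20-21 172.21.100.100/32
set policy-options prefix-list v4-22-23 172.22.100.100/32
set policy-options prefix-list v4-22-23 172.23.100.100/32
set firewall family inet filter "$upstream-inet" term platinum from destination-prefix-list v4-16-17
set firewall family inet filter "$upstream-inet" term platinum then enhanced-hierarchical-policer "$mef_prof" traffic-priority high
set firewall family inet filter "$upstream-inet" term gold from destination-prefix-list v4-18-19
set firewall family inet filter "$upstream-inet" term gold then enhanced-hierarchical-policer "$mef_prof" traffic-priority medium-high
set firewall family inet filter "$upstream-inet" term silver from destination-prefix-list v4-20-21
set firewall family inet filter "$upstream-inet" term silver then enhanced-hierarchical-policer "$mef_prof" traffic-priority medium-low
set firewall family inet filter "$upstream-inet" term dflt then enhanced-hierarchical-policer "$mef_prof" traffic-priority low
"""

def parse(config):
    """Return (prefix_lists, terms); terms keep configuration order."""
    lists, terms = {}, {}
    for line in config.splitlines():
        if m := re.match(r"set policy-options prefix-list (\S+) (\S+)$", line):
            lists.setdefault(m[1], []).append(ipaddress.ip_network(m[2]))
        elif m := re.search(r" term (\S+) from destination-prefix-list (\S+)$", line):
            terms.setdefault(m[1], {})["match"] = m[2]
        elif m := re.search(r" term (\S+) then .* traffic-priority (\S+)$", line):
            terms.setdefault(m[1], {})["priority"] = m[2]
    return lists, terms

def classify(dest, lists, terms):
    """First matching term wins; a term without 'from' matches everything."""
    addr = ipaddress.ip_address(dest)
    for name, term in terms.items():
        nets = lists.get(term.get("match"), [])
        if "match" not in term or any(addr in n for n in nets):
            return name, term["priority"]
    return None, None  # no term matched

def lint(lists, terms):
    """Return (referenced but undefined, defined but never referenced)."""
    used = {t["match"] for t in terms.values() if "match" in t}
    return sorted(used - set(lists)), sorted(set(lists) - used)
```

Run against the page's commands, lint reports v4-22-23 as defined but not referenced by any term, so traffic to 172.22.100.100 is policed at the low priority through the dflt term like any other unmatched destination.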