Configuring Simple Filters and Policers

To handle oversubscribed traffic in the SRX3400, SRX3600, SRX5600, and SRX5800 devices, you can configure simple filters and policing.

Note: On SRX5600 and SRX5800 devices, simple filters and policers can be applied only to logical interfaces on an SRX5000 line Flex IOC (FIOC), because the FIOC is the only SRX5000 line card that supports these features.

The simple filter functionality comprises the following:

In JUNOS Software, ingress traffic policers can limit the rate of incoming traffic. There are two main reasons to use traffic policing:

Using the results of packet classification and traffic metering, a policer takes one of the following actions for a packet: it forwards a conforming (green) packet or drops a nonconforming (yellow) packet. Policers always discard a nonconforming red packet. Traffic metering uses the two-rate tricolor marker (trTCM) algorithm defined in RFC 2698: a packet is green if it fits within the committed rate and burst, yellow if it exceeds the committed rate but fits within the peak rate and burst, and red if it exceeds the peak rate. For more information on packet classification and traffic metering, see Configuring CoS Components with a Configuration Editor.

Configuring a Simple Filter

Simple filters support only a subset of the full firewall filter syntax. Unlike normal firewall filters, they apply to IPv4 (family inet) traffic only and have the following restrictions:

To configure a simple filter, include the following statement at the [edit firewall] hierarchy level of the configuration:

Simple Filter

firewall {
    family inet {
        simple-filter sf-1 {
            term 1 {
                from {
                    source-address 172.16.0.0/16;
                    destination-address 20.16.0.0/16;
                    source-port 1024;
                }
                then { # Action with term-1
                    forwarding-class fc-be1;
                    loss-priority high;
                }
            }
            term 2 {
                from {
                    source-address 173.16.0.0/16;
                    destination-address 21.16.0.0/16;
                }
                then { # Action with term-2
                    forwarding-class fc-ef1;
                    loss-priority low;
                }
            }
        }
    }
}
interfaces { # Apply the simple filter.
    ge-1/2/3 {
        unit 0 {
            family inet {
                simple-filter {
                    input sf-1;
                }
            }
        }
    }
}

Applying a Simple Filter

A simple filter can be applied to logical interfaces. Use the following CLI commands to apply a simple filter:

[edit interfaces interface-name unit logical-unit-number family family-name]
simple-filter {
    input filter-name;
}

Note: You can apply simple filters to family inet only, and only in the input direction. Because of hardware limitations on the SRX3400, SRX3600, SRX5600, and SRX5800 devices, a maximum of 400 logical input interfaces (in one Broadcom packet processor) can have simple filters applied. For more information on limitations, see SRX3400 and SRX3600 Device Hardware Capabilities and Limitations.

Configuring Policers

In JUNOS Software, policers can be configured as part of the firewall filter hierarchy. For more information on configuring firewall policies, see the JUNOS Software Security Configuration Guide.

You can configure a policer and then apply it as one of the actions of a term in a simple filter. The policer can limit the rate of traffic that enters the logical interface to which the simple filter is applied. Figure 96 illustrates the application of a policer.

Figure 96: Application of a Policer Through a Simple Filter


Use the following CLI commands to configure a policer:

policer policer-name {
    filter-specific;
    if-exceeding {
        bandwidth-limit bps;
        burst-size-limit bytes;
    }
    then {
        policer-action;
    }
}
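A complete configuration that ties the pieces above together, as an added example that is not part of the original page: a policer defined with the statement shown above, used as the action of a simple-filter term, and the simple filter applied in the input direction of a logical interface. The policer name limit-mgmt-1m, the filter name sf-mgmt, the interface ge-0/0/1, the 10.0.100.0/24 management subnet and the rate and burst values are all made up for illustration. The example also assumes that a simple-filter term accepts destination-port as a match condition (the page shows only source-port) and that a term with no from clause matches all remaining packets, as it does in regular firewall filters.

```junos
firewall {
    # Hypothetical policer: limit matching traffic to 1 Mbps with a 15,000-byte burst.
    policer limit-mgmt-1m {
        if-exceeding {
            bandwidth-limit 1m;        # sustained rate, bits per second
            burst-size-limit 15k;      # bytes the token bucket may accumulate
        }
        then {
            discard;                   # nonconforming packets are dropped
        }
    }
    family inet {
        # Hypothetical simple filter (IPv4 only, input direction only).
        simple-filter sf-mgmt {
            term ssh-from-mgmt {
                from {
                    source-address 10.0.100.0/24;   # constructed management subnet
                    destination-port 22;            # assumed match condition
                }
                then {
                    policer limit-mgmt-1m;          # rate-limit SSH from this subnet
                    loss-priority high;             # mark it first to drop under congestion
                }
            }
            # Catch-all term: makes the fate of unmatched packets explicit,
            # since the page does not state the default action of a simple filter.
            term everything-else {
                then {
                    loss-priority low;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.100.1/24;
                simple-filter {
                    input sf-mgmt;      # simple filters can be applied to input only
                }
            }
        }
    }
}
```

Run commit check before committing so the parser rejects any match condition or action that the simple-filter subset does not support on your platform. Size burst-size-limit with the interface MTU in mind: a burst smaller than a few full-size packets causes the policer to drop conforming traffic at line rate, and a common rule of thumb is at least ten times the MTU.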

Example: Applying a Two-Rate Tricolor Marking Policer to a Firewall Filter

To configure a two-rate tricolor marking (trTCM) policer for use in a firewall filter, use the following JUNOS CLI statements:

firewall {
    three-color-policer three-color-policer-name {
        two-rate {
            color-blind;
            committed-information-rate bps;
            committed-burst-size bytes;
            peak-information-rate bps;
            peak-burst-size bytes;
        }
    }
}

Note: The two-rate TCM policer supports only color-blind mode; color-aware mode is not supported.
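The trTCM statement above with concrete values, together with the firewall filter term that references it and the interface it is applied to, as an added example that is not part of the original page. The policer name trtcm-video, the filter name mark-video, the interface ge-0/0/2, the UDP port and the rate and burst values are made up; the three-color-policer { two-rate name; } term action and the filter { input name; } interface statement are standard Junos firewall filter syntax not shown on this page, and the color meanings in the comments are those of RFC 2698.

```junos
firewall {
    # Hypothetical two-rate three-color policer (color-blind, the only mode supported here).
    three-color-policer trtcm-video {
        two-rate {
            color-blind;
            committed-information-rate 2m;    # CIR: traffic up to here, within CBS, is green
            committed-burst-size 50k;         # CBS: bytes the committed bucket may hold
            peak-information-rate 5m;         # PIR: traffic between CIR and PIR, within PBS, is yellow
            peak-burst-size 125k;             # PBS: bytes the peak bucket may hold; beyond this is red
        }
    }
    family inet {
        # Hypothetical filter that meters a UDP video stream with the policer above.
        filter mark-video {
            term video {
                from {
                    protocol udp;
                    destination-port 5004;    # constructed RTP port
                }
                then {
                    three-color-policer {
                        two-rate trtcm-video; # red packets are always discarded
                    }
                    accept;
                }
            }
            term rest {
                then accept;                  # regular filters discard unmatched packets by default
            }
        }
    }
}
interfaces {
    ge-0/0/2 {
        unit 0 {
            family inet {
                filter {
                    input mark-video;
                }
            }
        }
    }
}
```

Keep peak-information-rate at or above committed-information-rate; with PIR equal to CIR no packet can ever be yellow and the policer degrades to a two-color drop. Because the mode is color-blind, every arriving packet is treated as green before metering, so a packet already marked yellow upstream can be promoted back to green by this policer.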