
Example: Applying a Policer to OVSDB-Managed Interfaces

24-Nov-23

Starting with Junos OS Release 14.1X53-D30, you can create family ethernet-switching logical units (subinterfaces) on VXLAN interfaces managed by a Contrail controller. (The controller and switch communicate through the Open vSwitch Database (OVSDB) management protocol.) This support enables you to apply firewall filters with the action three-color-policer to these subinterfaces, which means that you can apply two-rate three-color markers (policers) to OVSDB-managed interfaces.

Because a Contrail controller can create subinterfaces dynamically, you need to apply firewall filters in such a way that the filters will apply to subinterfaces whenever the controller creates them. You accomplish this by using configuration groups to configure and apply the firewall filters. (You must use configuration groups for this purpose—that is, you cannot apply a firewall filter directly to these subinterfaces.)

Note:

Firewall filters are the only supported configuration items on family ethernet-switching subinterfaces of OVSDB-managed interfaces. Two-rate three-color markers are the only supported policers.

Requirements

This example uses the following hardware and software components:

  • A QFX5100 switch

  • Junos OS Release 14.1X53-D30 or later

Overview

This example assumes that interfaces xe-0/0/0 and xe-0/0/1 on the switch are VXLAN interfaces managed by a Contrail controller, which means that the controller has applied the flexible-vlan-tagging and encapsulation extended-vlan-bridge statements to these interfaces. To apply a Layer 2 (port) firewall filter with a policer action to any subinterfaces that the controller creates dynamically, you must create and apply the filter as shown in this example.

Note:

As shown in the example, all of the statements must be part of a configuration group when you want to apply a firewall filter (and policer) to an OVSDB-managed subinterface.

Configuration

To configure a firewall filter with a policer action to be automatically applied to subinterfaces created dynamically by a Contrail controller, perform these tasks:

CLI Quick Configuration

[edit]
set groups vxlan-policer-group interfaces xe-0/0/0 unit <*> family ethernet-switching filter input vxlan-filter
set groups vxlan-policer-group interfaces xe-0/0/1 unit <*> family ethernet-switching filter input vxlan-filter
set groups vxlan-policer-group firewall three-color-policer vxlan-policer action loss-priority high then discard
set groups vxlan-policer-group firewall three-color-policer vxlan-policer two-rate color-blind
set groups vxlan-policer-group firewall three-color-policer vxlan-policer two-rate committed-burst-size 2m
set groups vxlan-policer-group firewall three-color-policer vxlan-policer two-rate committed-information-rate 100m
set groups vxlan-policer-group firewall three-color-policer vxlan-policer two-rate peak-burst-size 4m
set groups vxlan-policer-group firewall three-color-policer vxlan-policer two-rate peak-information-rate 100m
set groups vxlan-policer-group firewall family ethernet-switching filter vxlan-filter term t1 then three-color-policer two-rate vxlan-policer
set apply-groups vxlan-policer-group

Procedure

Step-by-Step Procedure

  1. Create configuration group vxlan-policer-group to apply firewall filter vxlan-filter to any subinterface of interface xe-0/0/0. The filter applies to any subinterface because you specify unit <*>:

    [edit]
    user@switch# set groups vxlan-policer-group interfaces xe-0/0/0 unit <*> family ethernet-switching filter input vxlan-filter
  2. Create the same configuration for interface xe-0/0/1:

    [edit]
    user@switch# set groups vxlan-policer-group interfaces xe-0/0/1 unit <*> family ethernet-switching filter input vxlan-filter
  3. Configure the policer to discard packets with high loss priority. (Junos OS assigns high loss priority to packets that exceed the peak information rate and the peak burst size.) As with the interface configuration, you must also configure the policer to be part of a configuration group.

    [edit]
    user@switch# set groups vxlan-policer-group firewall three-color-policer vxlan-policer action loss-priority high then discard
  4. Configure the policer to be color blind, which means that it ignores any preclassification of packets and can assign a higher or lower packet loss priority.

    [edit]
    user@switch# set groups vxlan-policer-group firewall three-color-policer vxlan-policer two-rate color-blind
  5. Configure the policer to allow incoming traffic to burst a maximum of 2 megabytes above the committed information rate and still be marked with low packet loss priority (green).

    [edit]
    user@switch# set groups vxlan-policer-group firewall three-color-policer vxlan-policer two-rate committed-burst-size 2m
  6. Configure the policer to allow guaranteed bandwidth of 100 megabytes under normal line conditions. This is the average-rate threshold up to which packets are marked with low packet loss priority (green).

    [edit]
    user@switch# set groups vxlan-policer-group firewall three-color-policer vxlan-policer two-rate committed-information-rate 100m
  7. Configure the policer to allow incoming packets to burst a maximum of 4 megabytes above the peak information rate and still be marked with medium-high packet loss priority (yellow). Packets that exceed the peak burst size are marked with high packet loss priority (red).

    [edit]
    user@switch# set groups vxlan-policer-group firewall three-color-policer vxlan-policer two-rate peak-burst-size 4m
  8. Configure the policer to allow a maximum achievable rate of 100 megabytes. Packets that exceed the committed information rate but are below the peak information rate are marked with medium-high packet loss priority (yellow). Packets that exceed the peak information rate are marked with high packet loss priority (red).

    [edit]
    user@switch# set groups vxlan-policer-group firewall three-color-policer vxlan-policer two-rate peak-information-rate 100m
  9. Configure the firewall filter vxlan-filter to send matching packets (all packets, because there is no from statement) to the policer:

    [edit]
    user@switch# set groups vxlan-policer-group firewall family ethernet-switching filter vxlan-filter term t1 then three-color-policer two-rate vxlan-policer
  10. Apply the group to enable its configuration:

    [edit]
    user@switch# set apply-groups vxlan-policer-group
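The following Python model is an added illustration of what steps 3 through 9 configure; it is not Junos OS code and not part of the original Juniper example. It implements a color-blind two-rate three-color marker (the RFC 2698 trTCM with two token buckets), feeds every packet through it as term t1 does (no from statement), and applies the action loss-priority high then discard. The Junos values 100m, 2m and 4m are taken as 100,000,000 bits per second and 2,000,000 and 4,000,000 bytes; that unit interpretation, the class and function names, and the constructed 1500-byte burst are assumptions of this example.

```python
"""Color-blind two-rate three-color marker (RFC 2698 trTCM) plus the
filter action from the configuration group. Added example, not Junos code.
Units assumed: rates in bits per second, burst sizes in bytes."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class TwoRateThreeColorMarker:
    """Color-blind trTCM: every packet is classified from scratch, with no
    regard to any color it may already carry (step 4)."""
    cir_bps: int      # committed-information-rate (step 6)
    cbs_bytes: int    # committed-burst-size (step 5)
    pir_bps: int      # peak-information-rate (step 8)
    pbs_bytes: int    # peak-burst-size (step 7)
    _tc: float = field(init=False)   # committed bucket, tokens are bytes
    _tp: float = field(init=False)   # peak bucket, tokens are bytes
    _last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        # Both buckets start full, as RFC 2698 specifies.
        self._tc = float(self.cbs_bytes)
        self._tp = float(self.pbs_bytes)

    def _refill(self, now: float) -> None:
        """Add the tokens earned since the last packet, capped at the burst sizes."""
        elapsed = max(0.0, now - self._last)
        self._last = now
        self._tc = min(self.cbs_bytes, self._tc + elapsed * self.cir_bps / 8)
        self._tp = min(self.pbs_bytes, self._tp + elapsed * self.pir_bps / 8)

    def mark(self, now: float, size_bytes: int) -> str:
        """Return 'green', 'yellow' or 'red' for a packet arriving at `now`."""
        self._refill(now)
        if self._tp < size_bytes:          # beyond PIR/PBS: red
            return "red"
        if self._tc < size_bytes:          # within PIR but beyond CIR/CBS: yellow
            self._tp -= size_bytes
            return "yellow"
        self._tp -= size_bytes             # within CIR/CBS: green
        self._tc -= size_bytes
        return "green"


# Loss priority the policer assigns to each color (steps 5, 7 and 8).
LOSS_PRIORITY = {"green": "low", "yellow": "medium-high", "red": "high"}


def vxlan_policer() -> TwoRateThreeColorMarker:
    """The policer from the configuration group, in the units assumed above."""
    return TwoRateThreeColorMarker(cir_bps=100_000_000, cbs_bytes=2_000_000,
                                   pir_bps=100_000_000, pbs_bytes=4_000_000)


def apply_vxlan_filter(policer: TwoRateThreeColorMarker, packets):
    """Term t1 has no `from` clause, so every packet goes to the policer.
    `packets` is an iterable of (arrival_time_seconds, size_bytes)."""
    results = []
    for arrival, size in packets:
        color = policer.mark(arrival, size)
        # `action loss-priority high then discard` (step 3)
        action = "discard" if LOSS_PRIORITY[color] == "high" else "accept"
        results.append((color, action))
    return results


def simulate_burst(frame_bytes: int = 1500, n_frames: int = 3000) -> dict:
    """Constructed input: n_frames back-to-back frames at t=0, so no tokens
    are refilled between them and the burst sizes alone decide the colors."""
    results = apply_vxlan_filter(vxlan_policer(), [(0.0, frame_bytes)] * n_frames)
    return dict(Counter(color for color, _ in results))


def recovers_after_idle() -> str:
    """After the burst drains both buckets, one idle second at 100 Mbps
    (12.5 MB/s) refills them to capacity, so the next frame is green again."""
    policer = vxlan_policer()
    apply_vxlan_filter(policer, [(0.0, 1500)] * 3000)
    return policer.mark(1.0, 1500)


if __name__ == "__main__":
    print(simulate_burst())        # {'green': 1333, 'yellow': 1333, 'red': 334}
    print(recovers_after_idle())   # green
```

With the page's values, the first 2,000,000 bytes of a burst fit the committed bucket (1333 frames of 1500 bytes, green), the next 2,000,000 bytes still fit the peak bucket (1333 frames, yellow, forwarded with medium-high loss priority), and everything beyond the 4,000,000-byte peak burst is red and discarded by the filter action. A color-aware policer would instead start from the color a packet already carries; this model deliberately implements only the color-blind mode the example configures.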