Basic Single-Rate Two-Color Policers
Single-Rate Two-Color Policer Overview
Single-rate two-color policing enforces a configured rate of traffic flow for a particular service level by applying implicit or configured actions to traffic that does not conform to the limits. When you apply a single-rate two-color policer to the input or output traffic at an interface, the policer meters the traffic flow to the rate limit defined by the following components:
Bandwidth limit—The average number of bits per second permitted for packets received or transmitted at the interface. You can specify the bandwidth limit as an absolute number of bits per second or as a percentage value from 1 through 100. If a percentage value is specified, the effective bandwidth limit is calculated as a percentage of either the physical interface media rate or the logical interface configured shaping rate.
Packets per second (pps) limit (MX Series with MPC only)—The average number of packets per second permitted for packets received or transmitted at the interface. You specify the pps limit as an absolute number of packets per second.
Burst-size limit—The maximum size permitted for bursts of data.
Packet burst limit—
For a traffic flow that conforms to the configured limits (categorized as green traffic), packets are implicitly marked with a packet loss priority (PLP) level of low and are allowed to pass through the interface unrestricted.
For a traffic flow that exceeds the configured limits (categorized as red traffic), packets are handled according to the traffic-policing actions configured for the policer. The action might be to discard the packet, or the action might be to re-mark the packet with a specified forwarding class, a specified PLP, or both, and then transmit the packet.
To rate-limit Layer 3 traffic, you can apply a two-color policer in the following ways:
Directly to a logical interface, at a specific protocol level.
As the action of a standard stateless firewall filter that is applied to a logical interface, at a specific protocol level.
To rate-limit Layer 2 traffic, you can apply a two-color policer as a logical interface policer only. You cannot apply a two-color policer to Layer 2 traffic through a firewall filter.
On MX Series platforms, the PLP of traffic that conforms to the configured policer limit is not implicitly set to low (green). Instead, the packets carry the user-configured PLP values (high, medium-high, medium-low). To enable PLP rewriting by the policer on MX platforms, configure the dp-rewrite statement at the [edit firewall policer <policer-name>] hierarchy level. If dp-rewrite is not configured, the packets keep their original color and loss priority.
Example: Limiting Inbound Traffic at Your Network Border by Configuring an Ingress Single-Rate Two-Color Policer
This example shows you how to configure an ingress single-rate two-color policer to rate-limit incoming traffic. The policer enforces the class-of-service (CoS) strategy for in-contract and out-of-contract traffic. You can apply a single-rate two-color policer to incoming packets, outgoing packets, or both. This example applies the policer as an input (ingress) policer. The goal of this topic is to provide you with an introduction to policing by using an example that shows traffic policing in action.
Policers use a concept known as a token bucket to allocate system resources based on the parameters defined for the policer. A thorough explanation of the token bucket concept and its underlying algorithms is beyond the scope of this document. For more information about traffic policing, and CoS in general, refer to QOS-Enabled Networks—Tools and Foundations by Miguel Barreiros and Peter Lundqvist. This book is available at many online booksellers and at www.juniper.net/books.
Requirements
To verify this procedure, this example uses a traffic generator. The traffic generator can be hardware-based or it can be software running on a server or host machine.
The functionality in this procedure is widely supported on devices that run Junos OS. The example shown here was tested and verified on MX Series routers running Junos OS Release 10.4.
Overview
Single-rate two-color policing enforces a configured rate of traffic flow for a particular service level by applying implicit or configured actions to traffic that does not conform to the limits. When you apply a single-rate two-color policer to the input or output traffic at an interface, the policer meters the traffic flow to the rate limit defined by the following components:
Bandwidth limit—The average number of bits per second permitted for packets received or transmitted at the interface. You can specify the bandwidth limit as an absolute number of bits per second or as a percentage value from 1 through 100. If a percentage value is specified, the effective bandwidth limit is calculated as a percentage of either the physical interface media rate or the logical interface configured shaping rate.
Burst-size limit—The maximum size permitted for bursts of data. Burst sizes are measured in bytes. We recommend two formulas for calculating burst size:
Burst size = bandwidth x allowable time for burst traffic / 8
Or
Burst size = interface mtu x 10
For information about configuring the burst size, see Determining Proper Burst Size for Traffic Policers.
Note: There is a finite buffer space for an interface. In general, the estimated total buffer depth for an interface is about 125 ms.
For a traffic flow that conforms to the configured limits (categorized as green traffic), packets are implicitly marked with a packet loss priority (PLP) level of low and are allowed to pass through the interface unrestricted.
For a traffic flow that exceeds the configured limits (categorized as red traffic), packets are handled according to the traffic-policing actions configured for the policer. This example discards packets that exceed the 700 Mbps bandwidth limit once the 15,000-byte (15k) burst allowance has been used up.
To rate-limit Layer 3 traffic, you can apply a two-color policer in the following ways:
Directly to a logical interface, at a specific protocol level.
As the action of a standard stateless firewall filter that is applied to a logical interface, at a specific protocol level. This is the technique used in this example.
To rate-limit Layer 2 traffic, you can apply a two-color policer as a logical interface policer only. You cannot apply a two-color policer to Layer 2 traffic through a firewall filter.
You can choose either bandwidth-limit or bandwidth percent within the policer, as they are mutually exclusive. You cannot configure a policer to use bandwidth percent for aggregate, tunnel, and software interfaces.
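To make the bandwidth-limit and burst-size-limit components described in both overviews above concrete, the following token-bucket model of a single-rate two-color policer is an added example written for this page; it is not Junos code and does not come from the original page. It implements the two burst-size formulas given above and then polices constructed packet traces. The bucket depth (burst-size-limit in bytes), the refill rate (bandwidth-limit in bits per second), the packet traces, and the initial full bucket are assumptions for illustration; the model is idealized, and the Packet Forwarding Engine implementation differs in timing granularity and internal accounting, so use it to reason about parameter choices rather than to predict exact counter values.

```python
"""Token-bucket model of a Junos single-rate two-color policer.

Added example for this page; not Junos code. The policer is modelled as a
bucket of depth burst-size-limit (bytes) that refills at bandwidth-limit
(bits per second). Packets that fit in the bucket are green and consume
tokens; packets that do not fit are red and consume nothing (the page's
example then discards them). Hardware timing granularity is simplified.
"""
from dataclasses import dataclass, field


def burst_size_from_time(bandwidth_bps: int, burst_seconds: float) -> int:
    """Burst size = bandwidth x allowable time for burst traffic / 8 (bytes)."""
    return int(bandwidth_bps * burst_seconds / 8)


def burst_size_from_mtu(mtu_bytes: int) -> int:
    """Burst size = interface MTU x 10 (bytes); the example uses 1500 x 10 = 15k."""
    return mtu_bytes * 10


@dataclass
class TwoColorPolicer:
    """Idealized single-rate two-color policer: one token bucket, bytes as tokens."""
    bandwidth_limit_bps: int
    burst_size_bytes: int
    tokens: float = field(init=False)
    last_time: float = field(init=False, default=0.0)
    green_packets: int = field(init=False, default=0)
    green_bytes: int = field(init=False, default=0)
    red_packets: int = field(init=False, default=0)
    red_bytes: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        # Assumption: the bucket starts full, so the first burst up to
        # burst-size-limit is in-contract.
        self.tokens = float(self.burst_size_bytes)

    def police(self, now: float, packet_len: int) -> str:
        """Classify one packet arriving at time `now` (seconds) as 'green' or 'red'."""
        if now < self.last_time:
            raise ValueError("packets must be presented in time order")
        # Refill at the committed rate, capped at the bucket depth.
        refill = (now - self.last_time) * self.bandwidth_limit_bps / 8
        self.tokens = min(float(self.burst_size_bytes), self.tokens + refill)
        self.last_time = now
        if packet_len <= self.tokens:
            self.tokens -= packet_len
            self.green_packets += 1
            self.green_bytes += packet_len
            return "green"
        # Red packets consume no tokens, so one oversized packet does not
        # drive the bucket negative and starve later, smaller packets.
        self.red_packets += 1
        self.red_bytes += packet_len
        return "red"


def constant_trace(count: int, packet_len: int, interval_s: float) -> list:
    """Constructed trace: `count` packets of `packet_len` bytes, `interval_s` apart."""
    return [(i * interval_s, packet_len) for i in range(count)]


def police_trace(bandwidth_bps: int, burst_bytes: int, trace: list) -> dict:
    """Run a trace through a fresh policer and return counters like `show firewall` reports."""
    policer = TwoColorPolicer(bandwidth_bps, burst_bytes)
    for now, length in trace:
        policer.police(now, length)
    return {
        "green_packets": policer.green_packets,
        "green_bytes": policer.green_bytes,
        "red_packets": policer.red_packets,
        "red_bytes": policer.red_bytes,
    }


if __name__ == "__main__":
    # Reduced test parameters from the page's verification step: 8 Kbps with a
    # 1500-byte burst, ten 390-byte packets (40 bytes of headers + 350 bytes of data).
    print("back-to-back:", police_trace(8_000, 1_500, constant_trace(10, 390, 0.0)))
    print("one per second:", police_trace(8_000, 1_500, constant_trace(10, 390, 1.0)))
    # Production parameters: 700 Mbps with a 10 x MTU (15,000-byte) burst.
    print("burst for 1500-byte MTU:", burst_size_from_mtu(1500))
    print("15 x 1500 B back-to-back:",
          police_trace(700_000_000, 15_000, constant_trace(15, 1500, 0.0)))
```

The two traces with the reduced parameters show why inter-packet timing decides the outcome: sent back to back, only three 390-byte packets fit the 1500-byte bucket before the rest are red, whereas at one packet per second the 1000-byte-per-second refill covers them all. With the production parameters, a back-to-back run of 1500-byte packets gets exactly ten through the 15,000-byte bucket before the policer starts marking red.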
In this example, the host is a traffic generator emulating a webserver. Devices R1 and R2 are owned by a service provider. The webserver is accessed by users on Device Host2. Device Host1 will be sending traffic with a source TCP HTTP port of 80 to the users. A single-rate two-color policer is configured and applied to the interface on Device R1 that connects to Device Host1. The policer enforces the contractual bandwidth availability made between the owner of the webserver and the service provider that owns Device R1 for the web traffic that flows over the link that connects Device Host1 to Device R1.
In accordance with the contractual bandwidth availability made between the owner of the webserver and the service provider that owns Devices R1 and R2, the policer will limit the HTTP port 80 traffic originating from Device Host1 to 700 Mbps (70 percent of the available bandwidth) with an allowable burst size of 10 times the MTU of the Gigabit Ethernet interface between Device Host1 and Device R1 (10 x 1500 bytes = 15,000 bytes).
In a real-world scenario you would probably also rate limit traffic for a variety of other ports such as FTP, SFTP, SSH, TELNET, SMTP, IMAP, and POP3 because they are often included as additional services with web hosting services.
You need to leave some additional bandwidth available that is not rate-limited for network control protocols such as routing protocols, DNS, and any other protocols required to keep network connectivity operational. This is why the firewall filter ends with a term that accepts all other traffic.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Device R1
set interfaces ge-2/0/5 description to-Host
set interfaces ge-2/0/5 unit 0 family inet address 172.16.70.2/30
set interfaces ge-2/0/5 unit 0 family inet filter input mf-classifier
set interfaces ge-2/0/8 description to-R2
set interfaces ge-2/0/8 unit 0 family inet address 10.50.0.1/30
set interfaces lo0 unit 0 description loopback-interface
set interfaces lo0 unit 0 family inet address 192.168.13.1/32
set firewall policer discard if-exceeding bandwidth-limit 700m
set firewall policer discard if-exceeding burst-size-limit 15k
set firewall policer discard then discard
set firewall family inet filter mf-classifier term t1 from protocol tcp
set firewall family inet filter mf-classifier term t1 from port 80
set firewall family inet filter mf-classifier term t1 then policer discard
set firewall family inet filter mf-classifier term t2 then accept
set protocols ospf area 0.0.0.0 interface ge-2/0/5.0 passive
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-2/0/8.0
Device R2
set interfaces ge-2/0/8 description to-R1
set interfaces ge-2/0/8 unit 0 family inet address 10.50.0.2/30
set interfaces ge-2/0/7 description to-Host
set interfaces ge-2/0/7 unit 0 family inet address 172.16.80.2/30
set interfaces lo0 unit 0 description loopback-interface
set interfaces lo0 unit 0 family inet address 192.168.14.1/32
set protocols ospf area 0.0.0.0 interface ge-2/0/7.0 passive
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-2/0/8.0
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure Device R1:
Configure the device interfaces.
[edit interfaces]
user@R1# set ge-2/0/5 description to-Host
user@R1# set ge-2/0/5 unit 0 family inet address 172.16.70.2/30
user@R1# set ge-2/0/8 description to-R2
user@R1# set ge-2/0/8 unit 0 family inet address 10.50.0.1/30
user@R1# set lo0 unit 0 description loopback-interface
user@R1# set lo0 unit 0 family inet address 192.168.13.1/32
Apply the firewall filter to interface ge-2/0/5 as an input filter.
[edit interfaces ge-2/0/5 unit 0 family inet]
user@R1# set filter input mf-classifier
Configure the policer to rate-limit HTTP traffic (TCP port 80) to a bandwidth of 700 Mbps with a burst size of 15,000 bytes (15k).
[edit firewall policer discard]
user@R1# set if-exceeding bandwidth-limit 700m
user@R1# set if-exceeding burst-size-limit 15k
Configure the policer to discard packets in the red traffic flow.
[edit firewall policer discard]
user@R1# set then discard
Configure the two match conditions of the firewall filter term so that it matches TCP traffic with port 80 (HTTP) as either the source or the destination port.
[edit firewall family inet filter mf-classifier]
user@R1# set term t1 from protocol tcp
user@R1# set term t1 from port 80
Configure the firewall action to rate-limit HTTP TCP traffic using the policer.
[edit firewall family inet filter mf-classifier]
user@R1# set term t1 then policer discard
At the end of the firewall filter, configure a default term that accepts all other traffic. Otherwise, all traffic that arrives on the interface and is not explicitly accepted by the filter is discarded.
[edit firewall family inet filter mf-classifier]
user@R1# set term t2 then accept
Configure OSPF.
[edit protocols ospf]
user@R1# set area 0.0.0.0 interface ge-2/0/5.0 passive
user@R1# set area 0.0.0.0 interface lo0.0 passive
user@R1# set area 0.0.0.0 interface ge-2/0/8.0
Step-by-Step Procedure
To configure Device R2:
Configure the device interfaces.
[edit interfaces]
user@R2# set ge-2/0/8 description to-R1
user@R2# set ge-2/0/7 description to-Host
user@R2# set lo0 unit 0 description loopback-interface
user@R2# set ge-2/0/8 unit 0 family inet address 10.50.0.2/30
user@R2# set ge-2/0/7 unit 0 family inet address 172.16.80.2/30
user@R2# set lo0 unit 0 family inet address 192.168.14.1/32
Configure OSPF.
[edit protocols ospf]
user@R2# set area 0.0.0.0 interface ge-2/0/7.0 passive
user@R2# set area 0.0.0.0 interface lo0.0 passive
user@R2# set area 0.0.0.0 interface ge-2/0/8.0
Results
From configuration mode, confirm your configuration by entering the show interfaces, show firewall, and show protocols ospf commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
user@R1# show interfaces
ge-2/0/5 {
    description to-Host;
    unit 0 {
        family inet {
            filter {
                input mf-classifier;
            }
            address 172.16.70.2/30;
        }
    }
}
ge-2/0/8 {
    description to-R2;
    unit 0 {
        family inet {
            address 10.50.0.1/30;
        }
    }
}
lo0 {
    unit 0 {
        description loopback-interface;
        family inet {
            address 192.168.13.1/32;
        }
    }
}
user@R1# show firewall
family inet {
    filter mf-classifier {
        term t1 {
            from {
                protocol tcp;
                port 80;
            }
            then policer discard;
        }
        term t2 {
            then accept;
        }
    }
}
policer discard {
    if-exceeding {
        bandwidth-limit 700m;
        burst-size-limit 15k;
    }
    then discard;
}
user@R1# show protocols ospf
area 0.0.0.0 {
    interface ge-2/0/5.0 {
        passive;
    }
    interface lo0.0 {
        passive;
    }
    interface ge-2/0/8.0;
}
If you are done configuring Device R1, enter commit from configuration mode.
user@R2# show interfaces
ge-2/0/7 {
    description to-Host;
    unit 0 {
        family inet {
            address 172.16.80.2/30;
        }
    }
}
ge-2/0/8 {
    description to-R1;
    unit 0 {
        family inet {
            address 10.50.0.2/30;
        }
    }
}
lo0 {
    unit 0 {
        description loopback-interface;
        family inet {
            address 192.168.14.1/32;
        }
    }
}
user@R2# show protocols ospf
area 0.0.0.0 {
    interface ge-2/0/7.0 {
        passive;
    }
    interface lo0.0 {
        passive;
    }
    interface ge-2/0/8.0;
}
If you are done configuring Device R2, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Clearing the Counters
Purpose
Confirm that the firewall counters are cleared.
Action
On Device R1, run the clear firewall all command to reset the firewall counters to 0.
user@R1> clear firewall all
Sending TCP Traffic into the Network and Monitoring the Discards
Purpose
Make sure that the traffic of interest that is sent is rate-limited on the input interface (ge-2/0/5).
Action
Use a traffic generator to send 10 TCP packets with a source port of 80.
The -s flag sets the source port. The -k flag causes the source port to remain steady at 80 instead of incrementing. The -c flag sets the number of packets to 10. The -d flag sets the packet size.
The destination IP address of 172.16.80.1 belongs to Device Host 2, which is connected to Device R2. The user on Device Host 2 has requested a webpage from Device Host 1 (the webserver emulated by the traffic generator on Device Host 1). The packets that are being rate-limited are sent from Device Host 1 in response to the request from Device Host 2.
Note: In this example the policer numbers are reduced to a bandwidth limit of 8 Kbps and a burst size limit of 1500 KBps to ensure that some packets are dropped during this test.
[root@host]# hping 172.16.80.1 -c 10 -s 80 -k -d 300
[User@Host]# hping 172.16.80.1 -c 10 -s 80 -k -d 350
HPING 172.16.80.1 (eth1 172.16.80.1): NO FLAGS are set, 40 headers + 350 data bytes
len=46 ip=172.16.80.1 ttl=62 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.5 ms
. . .
--- 172.16.80.1 hping statistic ---
10 packets transmitted, 6 packets received, 40% packet loss
round-trip min/avg/max = 0.5/3000.8/7001.3 ms
On Device R1, check the firewall counters by using the show firewall command.
user@R1> show firewall
User@R1# run show firewall
Filter: __default_bpdu_filter__
Filter: mf-classifier
Policers:
Name                         Bytes              Packets
discard-t1                    1560                    4
Meaning
In Steps 1 and 2, the output from both devices shows that 4 packets were discarded. This means that there was at least 8 Kbps of green (in-contract HTTP port 80) traffic and that the 1500 KBps burst option for red (out-of-contract HTTP port 80) traffic was exceeded.
Example: Configuring Interface and Firewall Filter Policers at the Same Interface
This example shows how to configure three single-rate two-color policers and apply the policers to the IPv4 input traffic at the same single-tag virtual LAN (VLAN) logical interface.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, you configure three single-rate two-color policers and apply the policers to the IPv4 input traffic at the same single-tag VLAN logical interface. Two policers are applied to the interface through a firewall filter, and one policer is applied directly to the interface.
You configure one policer, named p-all-1m-5k-discard, to rate-limit traffic to 1 Mbps with a burst size of 5000 bytes. You apply this policer directly to IPv4 input traffic at the logical interface. When you apply a policer directly to protocol-specific traffic at a logical interface, the policer is said to be applied as an interface policer.
You configure the other two policers to allow burst sizes of 500 KB, and you apply these policers to IPv4 input traffic at the logical interface by using an IPv4 standard stateless firewall filter. When you apply a policer to protocol-specific traffic at a logical interface through a firewall filter action, the policer is said to be applied as a firewall-filter policer.
You configure the policer named p-icmp-500k-500k-discard to rate-limit traffic to 500 Kbps with a burst size of 500 KB by discarding packets that do not conform to these limits. You configure one of the firewall filter terms to apply this policer to Internet Control Message Protocol (ICMP) packets.
You configure the policer named p-ftp-10p-500k-discard to rate-limit traffic to a 10 percent bandwidth with a burst size of 500 KB by discarding packets that do not conform to these limits. You configure another firewall-filter term to apply this policer to File Transfer Protocol (FTP) packets.
A policer that you configure with a bandwidth limit expressed as a percentage value (rather than as an absolute bandwidth value) is called a bandwidth policer. Only single-rate two-color policers can be configured with a percentage bandwidth specification. By default, a bandwidth policer rate-limits traffic to the specified percentage of the line rate of the physical interface underlying the target logical interface.
Topology
You configure the target logical interface as a single-tag VLAN logical interface on a Fast Ethernet interface operating at 100 Mbps. This means that the policer you configure with the 10-percent bandwidth-limit (the policer that you apply to FTP packets) rate-limits the FTP traffic on this interface to 10 Mbps.
In this example, you do not configure the bandwidth policer as a logical-bandwidth policer. Therefore, the percentage is based on the physical media rate rather than on the configured shaping rate of the logical interface.
The firewall filter that you configure to reference two of the policers must be configured as an interface-specific filter. Because the policer that is used to rate-limit FTP packets specifies the bandwidth limit as a percentage value, the firewall filter that references this policer must be configured as an interface-specific filter. Thus, if this firewall filter were to be applied to multiple interfaces instead of just the Fast Ethernet interface in this example, unique policers and counters would be created for each interface to which the filter is applied.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configuring the Single-Tag VLAN Logical Interface
- Configuring the Three Policers
- Configuring the IPv4 Firewall Filter
- Applying the Interface Policer and Firewall Filter Policers to the Logical Interface
CLI Quick Configuration
To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
set interfaces fe-0/1/1 vlan-tagging
set interfaces fe-0/1/1 unit 0 vlan-id 100
set interfaces fe-0/1/1 unit 0 family inet address 10.20.15.1/24
set interfaces fe-0/1/1 unit 1 vlan-id 101
set interfaces fe-0/1/1 unit 1 family inet address 10.20.240.1/24
set firewall policer p-all-1m-5k-discard if-exceeding bandwidth-limit 1m
set firewall policer p-all-1m-5k-discard if-exceeding burst-size-limit 5k
set firewall policer p-all-1m-5k-discard then discard
set firewall policer p-ftp-10p-500k-discard if-exceeding bandwidth-percent 10
set firewall policer p-ftp-10p-500k-discard if-exceeding burst-size-limit 500k
set firewall policer p-ftp-10p-500k-discard then discard
set firewall policer p-icmp-500k-500k-discard if-exceeding bandwidth-limit 500k
set firewall policer p-icmp-500k-500k-discard if-exceeding burst-size-limit 500k
set firewall policer p-icmp-500k-500k-discard then discard
set firewall family inet filter filter-ipv4-with-limits interface-specific
set firewall family inet filter filter-ipv4-with-limits term t-ftp from protocol tcp
set firewall family inet filter filter-ipv4-with-limits term t-ftp from port ftp
set firewall family inet filter filter-ipv4-with-limits term t-ftp from port ftp-data
set firewall family inet filter filter-ipv4-with-limits term t-ftp then policer p-ftp-10p-500k-discard
set firewall family inet filter filter-ipv4-with-limits term t-icmp from protocol icmp
set firewall family inet filter filter-ipv4-with-limits term t-icmp then policer p-icmp-500k-500k-discard
set firewall family inet filter filter-ipv4-with-limits term catch-all then accept
set interfaces fe-0/1/1 unit 1 family inet filter input filter-ipv4-with-limits
set interfaces fe-0/1/1 unit 1 family inet policer input p-all-1m-5k-discard
Configuring the Single-Tag VLAN Logical Interface
Step-by-Step Procedure
To configure the single-tag VLAN logical interface:
Enable configuration of the Fast Ethernet interface.
[edit]
user@host# edit interfaces fe-0/1/1
Enable single-tag VLAN framing.
[edit interfaces fe-0/1/1]
user@host# set vlan-tagging
Bind VLAN IDs to the logical interfaces.
[edit interfaces fe-0/1/1]
user@host# set unit 0 vlan-id 100
user@host# set unit 1 vlan-id 101
Configure IPv4 on the single-tag VLAN logical interfaces.
[edit interfaces fe-0/1/1]
user@host# set unit 0 family inet address 10.20.15.1/24
user@host# set unit 1 family inet address 10.20.240.1/24
Results
Confirm the configuration of the VLAN by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show interfaces
fe-0/1/1 {
    vlan-tagging;
    unit 0 {
        vlan-id 100;
        family inet {
            address 10.20.15.1/24;
        }
    }
    unit 1 {
        vlan-id 101;
        family inet {
            address 10.20.240.1/24;
        }
    }
}
Configuring the Three Policers
Step-by-Step Procedure
To configure the three policers:
Enable configuration of a two-color policer that discards packets that do not conform to a bandwidth of 1 Mbps and a burst size of 5000 bytes.
Note: You apply this policer directly to all IPv4 input traffic at the single-tag VLAN logical interface, so the packets will not be filtered before being subjected to rate limiting.
[edit]
user@host# edit firewall policer p-all-1m-5k-discard
Configure the first policer.
[edit firewall policer p-all-1m-5k-discard]
user@host# set if-exceeding bandwidth-limit 1m
user@host# set if-exceeding burst-size-limit 5k
user@host# set then discard
Enable configuration of a two-color policer that discards packets that do not conform to a bandwidth specified as “10 percent” and a burst size of 500,000 bytes.
You apply this policer only to the FTP traffic at the single-tag VLAN logical interface.
You apply this policer as the action of an IPv4 firewall filter term that matches FTP packets from TCP.
[edit firewall policer p-all-1m-5k-discard]
user@host# up
[edit]
user@host# edit firewall policer p-ftp-10p-500k-discard
Configure policing limits and actions.
[edit firewall policer p-ftp-10p-500k-discard]
user@host# set if-exceeding bandwidth-percent 10
user@host# set if-exceeding burst-size-limit 500k
user@host# set then discard
Because the bandwidth limit is specified as a percentage, the firewall filter that references this policer must be configured as an interface-specific filter.
Note: If you wanted this policer to rate-limit to 10 percent of the logical interface configured shaping rate (rather than to 10 percent of the physical interface media rate), you would need to include the logical-bandwidth-policer statement at the [edit firewall policer p-all-1m-5k-discard] hierarchy level. This type of policer is called a logical-bandwidth policer.
Enable configuration of the IPv4 firewall filter policer for ICMP packets.
[edit firewall policer p-ftp-10p-500k-discard]
user@host# up
[edit]
user@host# edit firewall policer p-icmp-500k-500k-discard
Configure policing limits and actions.
[edit firewall policer p-icmp-500k-500k-discard]
user@host# set if-exceeding bandwidth-limit 500k
user@host# set if-exceeding burst-size-limit 500k
user@host# set then discard
Results
Confirm the configuration of the policers by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show firewall
policer p-all-1m-5k-discard {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 5k;
    }
    then discard;
}
policer p-ftp-10p-500k-discard {
    if-exceeding {
        bandwidth-percent 10;
        burst-size-limit 500k;
    }
    then discard;
}
policer p-icmp-500k-500k-discard {
    if-exceeding {
        bandwidth-limit 500k;
        burst-size-limit 500k;
    }
    then discard;
}
Configuring the IPv4 Firewall Filter
Step-by-Step Procedure
To configure the IPv4 firewall filter:
Enable configuration of the IPv4 firewall filter.
[edit]
user@host# edit firewall family inet filter filter-ipv4-with-limits
Configure the firewall filter as interface-specific.
[edit firewall family inet filter filter-ipv4-with-limits]
user@host# set interface-specific
The firewall filter must be interface-specific because one of the policers referenced is configured with a bandwidth limit expressed as a percentage value.
Enable configuration of a filter term to rate-limit FTP packets.
[edit firewall family inet filter filter-ipv4-with-limits]
user@host# edit term t-ftp
[edit firewall family inet filter filter-ipv4-with-limits term t-ftp]
user@host# set from protocol tcp
user@host# set from port [ ftp ftp-data ]
FTP messages are sent over TCP port 20 (ftp) and received over TCP port 21 (ftp-data).
Configure the filter term action to police the matched FTP packets.
[edit firewall family inet filter filter-ipv4-with-limits term t-ftp]
user@host# set then policer p-ftp-10p-500k-discard
Enable configuration of a filter term to rate-limit ICMP packets.
[edit firewall family inet filter filter-ipv4-with-limits term t-ftp]
user@host# up
[edit firewall family inet filter filter-ipv4-with-limits]
user@host# edit term t-icmp
Configure the filter term to match ICMP packets and police them.
[edit firewall family inet filter filter-ipv4-with-limits term t-icmp]
user@host# set from protocol icmp
user@host# set then policer p-icmp-500k-500k-discard
Configure a filter term to accept all other packets without policing.
[edit firewall family inet filter filter-ipv4-with-limits term t-icmp]
user@host# up
[edit firewall family inet filter filter-ipv4-with-limits]
user@host# set term catch-all then accept
Results
Confirm the configuration of the firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show firewall
family inet {
    filter filter-ipv4-with-limits {
        interface-specific;
        term t-ftp {
            from {
                protocol tcp;
                port [ ftp ftp-data ];
            }
            then policer p-ftp-10p-500k-discard;
        }
        term t-icmp {
            from {
                protocol icmp;
            }
            then policer p-icmp-500k-500k-discard;
        }
        term catch-all {
            then accept;
        }
    }
}
policer p-all-1m-5k-discard {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 5k;
    }
    then discard;
}
policer p-ftp-10p-500k-discard {
    if-exceeding {
        bandwidth-percent 10;
        burst-size-limit 500k;
    }
    then discard;
}
policer p-icmp-500k-500k-discard {
    if-exceeding {
        bandwidth-limit 500k;
        burst-size-limit 500k;
    }
    then discard;
}
Applying the Interface Policer and Firewall Filter Policers to the Logical Interface
Step-by-Step Procedure
To apply the three policers to the VLAN:
Enable configuration of IPv4 on the logical interface.
[edit]
user@host# edit interfaces fe-0/1/1 unit 1 family inet
Apply the firewall filter policers to the interface.
[edit interfaces fe-0/1/1 unit 1 family inet]
user@host# set filter input filter-ipv4-with-limits
Apply the interface policer to the interface.
[edit interfaces fe-0/1/1 unit 1 family inet]
user@host# set policer input p-all-1m-5k-discard
Input packets at fe-0/1/1.0 are evaluated against the interface policer before they are evaluated against the firewall filter policers. For more information, see Order of Policer and Firewall Filter Operations.
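Both the hping test of the previous example (10 packets against a policer with reduced limits, some of them discarded) and the evaluation order just described (interface policer first, then the firewall-filter policers) follow from the token-bucket behaviour of a single-rate two-color policer. The Python model below is added here as an example and is not Juniper's code: the refill rule is a simplification of what the platform does, the packet streams and timings are constructed, the policer and term names mirror this page's configuration, and the port match of term t-ftp is assumed to apply to either the source or the destination port.

```python
"""Token-bucket model of a Junos single-rate two-color policer and of the order in
which fe-0/1/1.1 evaluates the page's policers (interface policer first, then the
firewall filter terms). Added example, not Juniper code: the refill rule is a
simplification of the platform and every packet stream below is constructed."""
from collections import Counter, namedtuple

UNITS = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}  # Junos suffixes are decimal

def parse_junos_size(text):
    """'8k' -> 8000, '1m' -> 1000000, '1500' -> 1500 (bps or bytes, by context)."""
    text = text.strip().lower()
    if text[-1] in UNITS:
        return int(float(text[:-1]) * UNITS[text[-1]])
    return int(text)

def resolve_bandwidth_percent(percent, physical_rate_bps, shaping_rate_bps=None,
                              logical_bandwidth_policer=False):
    """Rate of a bandwidth-percent policer: the physical media rate by default, the
    logical interface shaping rate only when logical-bandwidth-policer is configured."""
    base = shaping_rate_bps if logical_bandwidth_policer and shaping_rate_bps else physical_rate_bps
    return base * percent // 100

class TwoColorPolicer:
    """bandwidth-limit refills the bucket, burst-size-limit caps it. A packet that fits
    is green and passes; one that does not is red, discarded and counted, which is
    why 'show policer' reports out-of-spec packets only."""

    def __init__(self, name, bandwidth_bps, burst_bytes):
        self.name, self.rate, self.burst = name, bandwidth_bps, burst_bytes
        self.tokens = float(burst_bytes)  # the bucket starts full
        self.last_ms = 0
        self.packets = 0  # out-of-spec packets
        self.bytes = 0    # out-of-spec bytes

    def offer(self, ts_ms, length):
        """Return True (green) or False (red) for one packet arriving at ts_ms."""
        elapsed = max(0, ts_ms - self.last_ms)
        self.last_ms = ts_ms
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate / 8000.0)
        if length <= self.tokens:
            self.tokens -= length
            return True
        self.packets += 1
        self.bytes += length
        return False

def policer_test(bandwidth, burst, count=10, length=390, spacing_ms=1):
    """Replay of the hping test against one policer: count packets of length bytes
    (40 header + 350 data) spaced spacing_ms apart. Returns (green, red, red_bytes)."""
    pol = TwoColorPolicer("discard", parse_junos_size(bandwidth), parse_junos_size(burst))
    green = sum(pol.offer(i * spacing_ms, length) for i in range(count))
    return green, pol.packets, pol.bytes

Packet = namedtuple("Packet", "ts_ms length protocol sport dport", defaults=(0, 0))
FTP_PORTS = {20, 21}  # 'port [ ftp ftp-data ]' assumed to match source or destination port

def build_fe_0_1_1_unit_1(physical_rate_bps=100_000_000):
    """The page's three policers on a 100 Mbps Fast Ethernet port."""
    iface = TwoColorPolicer("p-all-1m-5k-discard", parse_junos_size("1m"), parse_junos_size("5k"))
    ftp = TwoColorPolicer("p-ftp-10p-500k-discard",
                          resolve_bandwidth_percent(10, physical_rate_bps), parse_junos_size("500k"))
    icmp = TwoColorPolicer("p-icmp-500k-500k-discard", parse_junos_size("500k"), parse_junos_size("500k"))
    return iface, ftp, icmp

def process(packets, iface, ftp, icmp):
    """Interface policer first; then terms t-ftp, t-icmp, catch-all, first match wins."""
    dispositions = []
    for p in packets:
        if not iface.offer(p.ts_ms, p.length):
            dispositions.append("discard:" + iface.name)
            continue
        if p.protocol == "tcp" and (p.sport in FTP_PORTS or p.dport in FTP_PORTS):
            term, pol = "t-ftp", ftp
        elif p.protocol == "icmp":
            term, pol = "t-icmp", icmp
        else:
            dispositions.append("accept:catch-all")
            continue
        dispositions.append("accept:" + term if pol.offer(p.ts_ms, p.length) else "discard:" + pol.name)
    return dispositions

def demo():
    """Constructed stream: an 8 KB FTP burst, then ICMP, DNS and FTP-data 100 ms later."""
    stream = [Packet(0, 1000, "tcp", 40000, 21) for _ in range(8)]
    stream += [Packet(100, 500, "icmp"), Packet(100, 500, "icmp"),
               Packet(100, 1000, "udp", 40001, 53), Packet(101, 400, "tcp", 20, 40002)]
    iface, ftp, icmp = build_fe_0_1_1_unit_1()
    return Counter(process(stream, iface, ftp, icmp)), iface.packets, ftp.packets

if __name__ == "__main__":
    print(policer_test("8k", "1500"), policer_test("700m", "15k"))
    print(demo())
```

With the reduced limits of the earlier test (8 Kbps, 1500-byte bucket) and 390-byte packets 1 ms apart, the first three packets are green and the remaining seven are red; that red count is what the policer row of show firewall or show policer reports. With the production values 700m and 15k the whole burst fits in the bucket and nothing is counted. In the fe-0/1/1.1 stream the 5000-byte bucket of the interface policer decides the fate of the FTP burst before term t-ftp ever sees it, so three FTP packets are dropped while the counter of p-ftp-10p-500k-discard stays at zero; when a firewall-filter policer shows no drops, check the interface policer's counter before concluding that the traffic was in profile.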
Results
Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Displaying Policers Applied Directly to the Logical Interface
- Displaying Statistics for the Policer Applied Directly to the Logical Interface
- Displaying the Policers and Firewall Filters Applied to an Interface
- Displaying Statistics for the Firewall Filter Policers
Displaying Policers Applied Directly to the Logical Interface
Purpose
Verify that the interface policer is evaluated when packets are received on the logical interface.
Action
Use the show interfaces policers operational mode command for logical interface fe-0/1/1.1. The Proto and Input Policer columns of the command output show that the policer p-all-1m-5k-discard is evaluated when packets are received on the logical interface.
user@host> show interfaces policers fe-0/1/1.1
Interface       Admin Link Proto Input Policer                              Output Policer
fe-0/1/1.1      up    up   inet  p-all-1m-5k-discard-fe-0/1/1.1-inet-i
In this example, the interface policer is applied to logical interface traffic in the input direction only.
Displaying Statistics for the Policer Applied Directly to the Logical Interface
Purpose
Verify the number of packets evaluated by the interface policer.
Action
Use the show policer operational mode command and optionally specify the name of the policer. The command output displays the number of packets evaluated by each configured policer (or the specified policer), in each direction.
user@host> show policer p-all-1m-5k-discard-fe-0/1/1.1-inet-i
Policers:
Name                                              Bytes              Packets
p-all-1m-5k-discard-fe-0/1/1.1-inet-i               200                    5
Displaying the Policers and Firewall Filters Applied to an Interface
Purpose
Verify that the firewall filter filter-ipv4-with-limits is applied to the IPv4 input traffic at logical interface fe-0/1/1.1.
Action
Use the show interfaces statistics operational mode command for logical interface fe-0/1/1.1, and include the detail option. Under the Protocol inet section of the command output, the Input Filters and Policer lines display the names of the filter and policer applied to the logical interface in the input direction.
user@host> show interfaces statistics fe-0/1/1.1 detail
  Logical interface fe-0/1/1.1 (Index 83) (SNMP ifIndex 545) (Generation 153)
    Flags: SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.100 ] Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                   46
     Input  packets:                    0
     Output packets:                    1
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                   46
     Input  packets:                    0
     Output packets:                    1
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Protocol inet, MTU: 1500, Generation: 176, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Input Filters: filter-ipv4-with-limits-fe-0/1/1.1-i
      Policer: Input: p-all-1m-5k-discard-fe-0/1/1.1-inet-i
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.20.130/24, Local: 10.20.130.1, Broadcast: 10.20.130.255, Generation: 169
In this example, the two firewall filter policers are applied to logical interface traffic in the input direction only.
Displaying Statistics for the Firewall Filter Policers
Purpose
Verify the number of packets evaluated by the firewall filter policers.
Action
Use the show firewall operational mode command for the filter you applied to the logical interface.
[edit]
user@host> show firewall filter filter-ipv4-with-limits-fe-0/1/1.1-i
Filter: filter-ipv4-with-limits-fe-0/1/1.1-i
Policers:
Name                                              Bytes              Packets
p-ftp-10p-500k-discard-t-ftp-fe-0/1/1.1-i             0                    0
p-icmp-500k-500k-discard-t-icmp-fe-0/1/1.1-i          0                    0
The command output displays the names of the policers (p-ftp-10p-500k-discard and p-icmp-500k-500k-discard), combined with the names of the filter terms (t-ftp and t-icmp, respectively) under which the policer action is specified. The policer-specific output lines display the number of packets that matched the filter term. This is only the number of out-of-specification (out-of-spec) packets, not all packets policed by the policer.
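Because these rows count only out-of-spec packets, a growing Packets value is the direct signal that a policer is discarding traffic, and the clear firewall all step of the earlier example resets it to 0. The Python below is added here as an example and is not Juniper tooling: it parses the Filter / Policers / Name Bytes Packets layout shown in this page's show firewall output and reports policers whose counters grew between two snapshots, treating a counter that went down as one that was cleared in between. The two snapshots are constructed in that layout and their numbers are made up.

```python
"""Parser for the 'show firewall' counter blocks shown on this page, plus a check
that reports policers whose out-of-spec counters grew between two snapshots.
Added example, not Juniper tooling; the snapshots below are constructed in the
page's output format and the numbers in them are made up."""
import re

ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s*$")  # Name Bytes Packets

def parse_show_firewall(text):
    """Return {(filter, section, name): (bytes, packets)} for every counter or
    policer row; section is 'Counters' or 'Policers'. The column header line and
    filters without rows (such as __default_bpdu_filter__) contribute nothing."""
    stats, filt, section = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Filter:"):
            filt, section = s.split(":", 1)[1].strip(), None
        elif s in ("Counters:", "Policers:"):
            section = s[:-1]
        elif filt and section:
            m = ROW.match(s)
            if m:
                stats[(filt, section, m.group(1))] = (int(m.group(2)), int(m.group(3)))
    return stats

def policer_growth(before, after):
    """Policers whose out-of-spec counters increased between snapshots, as
    (filter, policer, delta_bytes, delta_packets). A policer absent from the
    earlier snapshot, or whose counters went down (cleared with 'clear firewall'),
    is counted from zero."""
    grown = []
    for key, (b, p) in sorted(after.items()):
        if key[1] != "Policers":
            continue
        b0, p0 = before.get(key, (0, 0))
        if b < b0 or p < p0:
            b0, p0 = 0, 0
        if p > p0 or b > b0:
            grown.append((key[0], key[2], b - b0, p - p0))
    return grown

# Constructed snapshots in the format of 'show firewall' on this page.
BEFORE = """\
Filter: __default_bpdu_filter__
Filter: filter-ipv4-with-limits-fe-0/1/1.1-i
Policers:
Name                                               Bytes               Packets
p-ftp-10p-500k-discard-t-ftp-fe-0/1/1.1-i              0                     0
p-icmp-500k-500k-discard-t-icmp-fe-0/1/1.1-i           0                     0
"""

AFTER = """\
Filter: __default_bpdu_filter__
Filter: filter-ipv4-with-limits-fe-0/1/1.1-i
Policers:
Name                                               Bytes               Packets
p-ftp-10p-500k-discard-t-ftp-fe-0/1/1.1-i          39000                   100
p-icmp-500k-500k-discard-t-icmp-fe-0/1/1.1-i           0                     0
"""

def check():
    """Run the growth check over the constructed snapshots."""
    return policer_growth(parse_show_firewall(BEFORE), parse_show_firewall(AFTER))

if __name__ == "__main__":
    for filt, policer, dbytes, dpkts in check():
        print(f"{filt}: {policer} discarded {dpkts} packets / {dbytes} bytes since last sample")
```

Run it against the text of two successive show firewall executions (for the interface-specific filter, the name carries the -fe-0/1/1.1-i suffix shown above); an entry for p-ftp-10p-500k-discard-t-ftp-fe-0/1/1.1-i with a non-zero delta means FTP traffic on that interface exceeded the 10 percent limit during the interval, which is the condition worth alerting on rather than the absolute counter value.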