Related Documentation
- ACX, EX, M, MX, T Series
- Traffic Policing Overview
- EX, J, M, MX, PTX, SRX, T Series
- Standard Firewall Filter Nonterminating Actions
- EX, M, MX, T Series
- Prefix-Specific Counting and Policing Overview
Stateless Firewall Filters That Reference Policers Overview
Policing, or rate limiting, is an important component of firewall filters that lets you limit the amount of traffic that passes into or out of an interface.
A stateless firewall filter that references a policer can provide protection from denial-of-service (DOS) attacks. Traffic that exceeds the rate limits configured for the policer is either discarded or marked as lower priority than traffic that conforms to the configured rate limits. Packets can be marked for a lower priority by being set to a specific output queue, set to a specific packet loss priority (PLP) level, or both. When necessary, low-priority traffic can be discarded to prevent congestion.
A policer specifies two types of rate limits on traffic:
- Bandwidth limit—The average traffic rate permitted, specified as a number of bits per second.
- Maximum burst size—The packet size permitted for bursts of data that exceed the bandwidth limit.
Policing uses an algorithm to enforce a limit on average bandwidth while allowing bursts up to a specified maximum value. You can use policing to define specific classes of traffic on an interface and apply a set of rate limits to each class. After you name and configure a policer, it is stored as a template. You can then apply the policer in an interface configuration or, to rate-limit packet-filtered traffic only, in a firewall filter configuration.
For an IPv4 firewall filter term only, you can also specify a prefix-specific action as a nonterminating action that applies a policer to the matched packets. A prefix-specific action applies additional matching criteria on the filter-matched packets based on specified address prefix bits and then associates the matched packets with a counter and policer instance for that filter term or for all terms in the firewall filter.
To apply a policer or a prefix action to packet-filtered traffic, you can use the following firewall filter nonterminating actions:
- policer policer-name
- three-color-policer (single-rate | two-rate) policer-name
- prefix-action action-name
 | Note: The packet lengths that a policer considers depends on the address family of the firewall filter. See Understanding the Frame Length for Policing Packets. |
Related Documentation
- ACX, EX, M, MX, T Series
- Traffic Policing Overview
- EX, J, M, MX, PTX, SRX, T Series
- Standard Firewall Filter Nonterminating Actions
- EX, M, MX, T Series
- Prefix-Specific Counting and Policing Overview
Published: 2013-07-19
Related Documentation
- ACX, EX, M, MX, T Series
- Traffic Policing Overview
- EX, J, M, MX, PTX, SRX, T Series
- Standard Firewall Filter Nonterminating Actions
- EX, M, MX, T Series
- Prefix-Specific Counting and Policing Overview
