Physical Interface Policer Overview
A physical interface policer is a two-color or three-color policer that defines traffic rate limiting that you can apply to input or output traffic for all the logical interfaces and protocol families configured on a physical interface, even if the logical interfaces belong to different routing instances. This feature is useful when you want to perform aggregate policing for different protocol families and different logical interfaces on the same physical interface.
For example, suppose that a provider edge (PE) router has numerous logical interfaces, each corresponding to a different customer, configured on the same link to a customer edge (CE) device. Now suppose that a customer wants to apply one set of rate limits in aggregate for certain types of traffic on a single physical interface. To accomplish this, you could apply a single physical interface policer to the physical interface, which rate-limits all the logical interfaces configured on the interface and all the routing instances to which those interfaces belong.
To configure a single-rate two-color physical interface policer, include the physical-interface-policer statement at one of the following hierarchy levels:
- [edit firewall policer policer-name]
- [edit logical-systems logical-system-name firewall policer policer-name]
- [edit routing-instances routing-instance-name firewall policer policer-name]
- [edit logical-systems logical-system-name routing-instances routing-instance-name firewall policer policer-name]
To configure a single-rate or two-rate three-color physical interface policer, include the physical-interface-policer statement at one of the following hierarchy levels:
- [edit firewall three-color-policer policer-name]
- [edit logical-systems logical-system-name firewall three-color-policer policer-name]
- [edit routing-instances routing-instance-name firewall three-color-policer policer-name]
- [edit logical-systems logical-system-name routing-instances routing-instance-name firewall three-color-policer policer-name]
You apply a physical interface policer to Layer 3 traffic by referencing the policer from a stateless firewall filter term and then applying the filter to a logical interface. You cannot apply a physical interface policer to Layer 3 traffic directly in the interface configuration.
To reference a single-rate two-color policer from a stateless firewall filter term, use the policer nonterminating action. To reference a single-rate or two-rate three-color policer from a stateless firewall filter term, use the three-color-policer nonterminating action.
The following requirements apply to a stateless firewall filter that references a physical interface policer:
- You must configure the firewall filter for a specific, supported protocol family: ipv4, ipv6, mpls, vpls, or circuit cross-connect (ccc), but not for family any.
- You must configure the firewall filter as a physical interface filter by including the physical-interface-filter statement at the [edit firewall family family-name filter filter-name] hierarchy level.
- A firewall filter that is defined as a physical interface filter can reference a physical interface policer only.
- A firewall filter that is defined as a physical interface filter cannot reference a policer configured with the interface-specific statement.
- You cannot configure a firewall filter as both a physical interface filter and as a logical interface filter that also includes the interface-specific statement.
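The following configuration is an added example, not part of the original page, that puts the statements above together: one single-rate two-color physical interface policer referenced from two physical interface filters and applied to two logical interfaces on the same port. The policer and filter names, the interface, the addresses, and the rate values are constructed for illustration; the ipv4 and ipv6 families are configured with the `family inet` and `family inet6` statements.

```junos
# Constructed example: names, interface, addresses, and rates are illustrative.
firewall {
    # One policer instance shared by every filter that references it
    # on the same physical interface.
    policer agg-phy-policer {
        physical-interface-policer;
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 500k;
        }
        then discard;
    }
    family inet {
        filter phy-v4 {
            physical-interface-filter;
            term police-all {
                then policer agg-phy-policer;
            }
        }
    }
    family inet6 {
        filter phy-v6 {
            physical-interface-filter;
            term police-all {
                then policer agg-phy-policer;
            }
        }
    }
}
interfaces {
    ge-1/0/0 {
        vlan-tagging;
        unit 100 {
            vlan-id 100;
            family inet {
                filter input phy-v4;
                address 192.0.2.1/30;
            }
        }
        unit 200 {
            vlan-id 200;
            family inet6 {
                filter input phy-v6;
                address 2001:db8::1/64;
            }
        }
    }
}
```

Because both filters reference the same physical interface policer, input traffic on units 100 and 200 is counted against a single 10m limit rather than 10m per logical interface or per family.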