Related Documentation
- M, MX, T Series
- Two-Color Policer Configuration Overview
- M, MX, PTX, T Series
- Logical Interface (Aggregate) Policer Overview
Example: Configuring a Two-Color Logical Interface (Aggregate) Policer
This example shows how to configure a single-rate two-color policer as a logical interface policer and apply it to incoming IPv4 traffic on a logical interface.
Requirements
Before you begin, make sure that the logical interface to which you apply the two-color logical interface policer is hosted on a Gigabit Ethernet interface (ge-) or a 10-Gigabit Ethernet interface (xe-).
Overview
In this example, you configure the single-rate two-color policer policer_IFL as a logical interface policer and apply it to incoming IPv4 traffic at logical interface ge-1/3/1.0.
Topology
If the input IPv4 traffic on the physical interface ge-1/3/1 exceeds the bandwidth limit equal to 90 percent of the media rate with a 300 KB burst-size limit, then the logical interface policer policer_IFL rate-limits the input IPv4 traffic on the logical interface ge-1/3/1.0. Configure the policer to mark nonconforming traffic by setting packet loss priority (PLP) levels to high and classifying packets as best-effort.
As the incoming IPv4 traffic rate on the physical interface slows and conforms to the configured limits, Junos OS stops marking the incoming IPv4 packets at the logical interface.
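The marking behavior described above can be reproduced with a token-bucket model of a single-rate two-color policer. This is an added example, not Juniper code or device output; it assumes ge-1/3/1 runs at 1 Gbps and that 300k means 300,000 bytes, and the names TwoColorPolicer and simulate are hypothetical.

```python
# Added example: token-bucket model of policer_IFL (not Junos code).
MEDIA_RATE_BPS = 1_000_000_000          # assumption: ge-1/3/1 runs at 1 Gbps
RATE_BPS = MEDIA_RATE_BPS * 90 // 100   # bandwidth-percent 90
BURST_BITS = 300_000 * 8                # assumption: 300k = 300,000 bytes
NS = 1_000_000_000  # tokens are kept in bit-nanoseconds so the math stays integer


class TwoColorPolicer:
    def __init__(self, rate_bps=RATE_BPS, burst_bits=BURST_BITS):
        self.rate_bps = rate_bps
        self.cap = burst_bits * NS
        self.tokens = self.cap          # bucket starts full
        self.last_ns = 0

    def police(self, now_ns, size_bytes):
        """Return None if the packet conforms, else the rewrite to apply."""
        elapsed = now_ns - self.last_ns
        self.tokens = min(self.cap, self.tokens + elapsed * self.rate_bps)
        self.last_ns = now_ns
        cost = size_bytes * 8 * NS
        if cost <= self.tokens:
            self.tokens -= cost
            return None                 # conforming: packet passes untouched
        # Nonconforming: the "then" actions configured in this example.
        return ("high", "best-effort")  # (loss-priority, forwarding-class)


def simulate(phases, size_bytes=1500):
    """phases: [(offered_bps, packet_count), ...]; returns per-phase stats."""
    policer, now_ns, stats = TwoColorPolicer(), 0, []
    for offered_bps, count in phases:
        gap_ns = size_bytes * 8 * NS // offered_bps   # constant packet spacing
        marked, first = 0, None
        for i in range(count):
            if policer.police(now_ns, size_bytes) is not None:
                marked += 1
                first = i if first is None else first
            now_ns += gap_ns
        stats.append({"offered_bps": offered_bps, "marked": marked,
                      "first_marked": first})
    return stats


if __name__ == "__main__":
    # Constructed traffic: line-rate input, then the sender slows to 800 Mbps.
    for row in simulate([(1_000_000_000, 10_000), (800_000_000, 10_000)]):
        print(row)
```

At line rate the 300,000-byte bucket absorbs the first 1,991 packets before marking starts, after which one packet in ten is marked; once the offered rate falls below 90 percent, marking stops.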
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- Configuring the Logical Interfaces
- Configuring the Single-Rate Two-Color Policer as a Logical Interface Policer
- Applying the Logical Interface Policer to Input IPv4 Traffic at a Logical Interface
CLI Quick Configuration
To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
Configuring the Logical Interfaces
Step-by-Step Procedure
To configure the logical interfaces:
Enable configuration of the interface.
[edit]
user@host# edit interfaces ge-1/3/1
Configure single tagging.
[edit interfaces ge-1/3/1]
user@host# set vlan-tagging
Configure logical interface ge-1/3/1.0.
[edit interfaces ge-1/3/1]
user@host# set unit 0 vlan-id 100
user@host# set unit 0 family inet address 10.10.10.1/30
Configure logical interface ge-1/3/1.1.
[edit interfaces ge-1/3/1]
user@host# set unit 1 vlan-id 101
user@host# set unit 1 family inet address 20.20.20.1/30 arp 20.20.20.2 mac 00:00:11:22:33:44
Results
Confirm the configuration of the logical interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
Configuring the Single-Rate Two-Color Policer as a Logical Interface Policer
Step-by-Step Procedure
To configure a single-rate two-color policer as a logical interface policer:
Enable configuration of a single-rate two-color policer.
[edit]
user@host# edit firewall policer policer_IFL
Specify that the policer is a logical interface (aggregate) policer.
[edit firewall policer policer_IFL]
user@host# set logical-interface-policer
A logical interface policer rate-limits traffic based on a percentage of the media rate of the physical interface underlying the logical interface to which the policer is applied. The policer is applied directly to the interface rather than referenced by a firewall filter.
Specify the policer traffic limits.
Specify the bandwidth limit.
- To specify the bandwidth limit as an absolute rate, from 8,000 bits per second through 50,000,000,000 bits per second, include the bandwidth-limit bps statement.
- To specify the bandwidth limit as a percentage of the physical port speed on the interface, include the bandwidth-percent percent statement.
In this example, the CLI commands and output are based on a bandwidth limit specified as a percentage rather than as an absolute rate.
[edit firewall policer policer_IFL]
user@host# set if-exceeding bandwidth-percent 90
Specify the burst-size limit, from 1,500 bytes through 100,000,000,000 bytes, which is the maximum packet size to be permitted for bursts of data that exceed the specified bandwidth limit.
[edit firewall policer policer_IFL]
user@host# set if-exceeding burst-size-limit 300k
Specify the policer actions to be taken on traffic that exceeds the configured rate limits.
- To discard the packet, include the discard statement.
- To set the loss-priority value of the packet, include the loss-priority (low | medium-low | medium-high | high) statement.
- To classify the packet to a forwarding class, include the forwarding-class (forwarding-class | assured-forwarding | best-effort | expedited-forwarding | network-control) statement.
In this example, the CLI commands and output are based on both setting the packet loss priority level and classifying the packet.
[edit firewall policer policer_IFL]
user@host# set then loss-priority high
user@host# set then forwarding-class best-effort
Results
Confirm the configuration of the policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
Applying the Logical Interface Policer to Input IPv4 Traffic at a Logical Interface
Step-by-Step Procedure
To apply the two-color logical interface policer to input IPv4 traffic at a logical interface:
Enable configuration of the logical interface.
[edit]
user@host# edit interfaces ge-1/3/1 unit 0
Apply the policer to all traffic types or to a specific traffic type on the logical interface.
- To apply the policer to all traffic types, regardless of the protocol family, include the policer (input | output) policer-name statement at the [edit interfaces interface-name unit number] hierarchy level.
- To apply the policer to traffic of a specific protocol family, include the policer (input | output) policer-name statement at the [edit interfaces interface-name unit unit-number family family-name] hierarchy level.
In this example, the CLI commands and output are based on rate-limiting the IPv4 input traffic at logical interface ge-1/3/1.0.
[edit interfaces ge-1/3/1 unit 0]
user@host# set family inet policer input policer_IFL
Results
Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Displaying Traffic Statistics and Policers for the Logical Interface
- Displaying Statistics for the Policer
Displaying Traffic Statistics and Policers for the Logical Interface
Purpose
Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.
Action
Use the show interfaces operational mode command for logical interface ge-1/3/1.0, and include the detail or extensive option. The command output section for Traffic statistics lists the number of bytes and packets received and transmitted on the logical interface. The Protocol inet subsection contains a Policer field that would list the policer policer_IFL as an input or output logical interface policer as follows:
- Input: policer_IFL-ge-1/3/1.0-log_int-i
- Output: policer_IFL-ge-1/3/1.0-log_int-o
The log_int-i suffix denotes a logical interface policer applied to input traffic, while the log_int-o suffix denotes a logical interface policer applied to output traffic. In this example, the logical interface policer is applied to input traffic only.
Displaying Statistics for the Policer
Purpose
Verify the number of packets evaluated by the policer.
Action
Use the show policer operational mode command and optionally specify the name of the policer. The command output displays the number of packets evaluated by each configured policer (or the specified policer), in each direction. For the policer policer_IFL, the input and output policer names are displayed as follows:
- policer_IFL-ge-1/3/1.0-log_int-i
- policer_IFL-ge-1/3/1.0-log_int-o
The log_int-i suffix denotes a logical interface policer applied to input traffic, while the log_int-o suffix denotes a logical interface policer applied to output traffic. In this example, the logical interface policer is applied to input traffic only.
Published: 2012-11-16