Supported Platforms
Related Documentation
- M, MX, PTX, SRX, T Series
- filter-specific
- MX, T Series
- Hierarchical Policer Overview
- MX Series
- Hierarchical Policer as Filter Action
Example: Configuring Hierarchical Policers as Filter Actions
This example shows how to configure a hierarchical policer and apply the policer to ingress Layer 3 traffic at a logical interface on the MX-series platform.
Requirements
Before you begin, be sure that your environment meets the following requirements:
- Supported on MX Series routers.
Overview
In this example, you configure a hierarchical policer as a filter action.
Configuration
Example: Hierarchical Policer as Filter Action
Step-by-Step Procedure
You can have hierarchical policers as one type of filter action. To configure a firewall filter:
Configure the family address type for a firewall filter:
[edit firewall]user@host# set family inetSpecify the filter name:
[edit firewall family inet]user@host# set filter inet-filterSpecify the term name:
[edit firewall family inet filter inet-filter]user@host# set term t1In each firewall filter term, specify the match conditions to use to match components of a packet:
[edit firewall family inet filter inet-filter term t1]user@host# set from precedence critical-ecp immediate priorityuser@host# set from protocol tcpIn each firewall filter term, specify the actions to take if the packet matches all the condition in that term:
[edit firewall family inet filter inet-filter term t1]user@host# set then hierarchical-policer HP1(Optional) Enable all hierarchical policers in one filter to share the same policer instance in PFE:
[edit firewall family inet filter inet-filter term t1]user@host# set then hierarchical-policer HP1 filter-specific
Results
Confirm the configuration by entering the show firewall configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
Example: Defining the Interface:
Step-by-Step Procedure
To define the interface:
Enable configuration of the physical interface:
[edit]user@host# edit interfaces ge-1/2/0 unit 0Configure the family address:
[edit interfaces ge-1/2/0 unit 0]user@host# set family inet address 10.100.16.2/24Specify the filter name:
[edit interfaces ge-1/2/0 unit 0 family inet]user@host# set filter inet-filteruser@host# set address 10.100.16.2/24
Results
Confirm the configuration by entering the show interfaces configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
Verification
Confirm that the configuration is working properly.
Displaying Packets for the Firewall
Purpose
Verify the number of packets evaluated by the policer. Premium policer counters are not supported.
Action
Use the show firewall operational mode command. The command output displays the number of packets.
Filter: __default_bpdu_filter__ Filter: utp_4550-ge-1/0/0.100-in Counters: Name Bytes Packets c_ef-ge-1/0/0.0-i 1696750 15425 c_other-ge-1/0/0.0-i 0 0 Policers: Name Packets hp_abc-filter-ge-1/0/0.0-i 7509
Related Documentation
- M, MX, PTX, SRX, T Series
- filter-specific
- MX, T Series
- Hierarchical Policer Overview
- MX Series
- Hierarchical Policer as Filter Action
Published: 2013-02-11
Supported Platforms
Related Documentation
- M, MX, PTX, SRX, T Series
- filter-specific
- MX, T Series
- Hierarchical Policer Overview
- MX Series
- Hierarchical Policer as Filter Action
