Supported Platforms
- QFabric System, QFX Series standalone switches
- QFX Series
Related Documentation
- Configuring Two-Color and Three-Color Policers to Control Traffic Rates
- Understanding Color-Blind Mode for Single-Rate Tricolor Marking
- Understanding Color-Blind Mode for Two-Rate Tricolor Marking
- Understanding Color-Aware Mode for Single-Rate Tricolor Marking
- Understanding Color-Aware Mode for Two-Rate Tricolor Marking
Overview of Policers
A switch polices traffic by limiting the input or output transmission rate of a class of traffic according to user-defined criteria. Policing (or rate-limiting) traffic allows you to control the maximum rate of traffic sent or received on an interface and to provide multiple priority levels or classes of service.
Policer Overview
You use policers to apply limits to traffic flow and set consequences for packets that exceed these limits—usually applying a higher loss priority—so that if packets encounter downstream congestion, they can be discarded first. Policers apply only to unicast packets.
Policers provide two functions: metering and marking. A policer meters (measures) each packet against traffic rates and burst sizes that you configure. It then passes the packet and the metering result to the marker, which assigns a packet loss priority that corresponds to the metering result. Figure 1 illustrates this process.
Figure 1: Flow of Tricolor Marking Policer Operation

After you name and configure a policer, you use it by specifying it as an action in one or more firewall filters.
Policer Types
A switch supports three types of policers:
- Single-rate two-color marker—A two-color policer (or “policer” when used without qualification) meters the traffic stream and classifies packets into two categories of packet loss priority (PLP) according to a configured bandwidth and burst-size limit. You can mark packets that exceed the bandwidth and burst-size limit with a specified PLP or simply discard them.
You can specify this type of policer in an ingress or egress firewall.
Note: A two-color policer is most useful for metering traffic at the port (physical interface) level.
- Single-rate three-color marker—This type of policer is defined in RFC 2697, A Single Rate Three Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on one rate—the configured committed information rate (CIR) as well as the committed burst size (CBS) and the excess burst size (EBS). The CIR specifies the average rate at which bits are admitted to the switch. The CBS specifies the usual burst size in bytes and the EBS specifies the maximum burst size in bytes. The EBS must be greater than or equal to the CBS, and neither can be 0.
You can specify this type of policer in an ingress or egress firewall.
Note: A single-rate three-color marker (TCM) is most useful when a service is structured according to packet length and not peak arrival rate.
- Two-rate three-color marker—This type of policer is defined in RFC 2698, A Two Rate Three Color Marker, as part of an assured forwarding per-hop-behavior classification system for a Differentiated Services environment. This type of policer meters traffic based on two rates—the CIR and peak information rate (PIR) along with their associated burst sizes, the CBS and peak burst size (PBS). The PIR specifies the maximum rate at which bits are admitted to the network and must be greater than or equal to the CIR.
You can specify this type of policer in an ingress or egress firewall.
Note: A two-rate three-color policer is most useful when a service is structured according to arrival rates and not necessarily packet length.
See Table 1 for information about how metering results are applied for each of these policer types.
Policer Actions
Policer actions are implicit or explicit and vary by policer type. Implicit means that Junos OS assigns the loss priority automatically. Table 1 describes the policer actions.
Table 1: Policer Actions
Policer | Marking | Implicit Action | Configurable Action
---|---|---|---
Single-rate two-color | Green (conforming) | Assign low loss priority | None
Single-rate two-color | Red (nonconforming) | None | Discard
Single-rate three-color | Green (conforming) | Assign low loss priority | None
Single-rate three-color | Yellow (above the CIR and CBS) | Assign medium-high loss priority | None
Single-rate three-color | Red (above the EBS) | Assign high loss priority | Discard
Two-rate three-color | Green (conforming) | Assign low loss priority | None
Two-rate three-color | Yellow (above the CIR and CBS) | Assign medium-high loss priority | None
Two-rate three-color | Red (above the PIR and PBS) | Assign high loss priority | Discard
Note: If you specify a policer in an egress firewall filter, the only supported action is discard.
Policer Colors
Single-rate and two-rate three-color policers can operate in two modes:
- Color-blind—In color-blind mode, the three-color policer assumes that all packets examined have not been previously marked or metered. In other words, the three-color policer is “blind” to any previous coloring a packet might have had.
- Color-aware—In color-aware mode, the three-color policer assumes that all packets examined have been previously marked or metered. In other words, the three-color policer is “aware” of the previous coloring a packet might have had. In color-aware mode, the three-color policer can increase the PLP of a packet but cannot decrease it. For example, if a color-aware three-color policer meters a packet with a medium PLP marking, it can raise the PLP level to high but cannot reduce the PLP level to low.
Filter-Specific Policers
You can configure policers to be filter-specific, which means that Junos OS creates only one policer instance regardless of how many times the policer is referenced. When you do this, rate limiting is applied in aggregate, so if you configure a policer to discard traffic that exceeds 1 Gbps and reference that policer in three different terms, the total bandwidth allowed by the filter is 1 Gbps. However, the behavior of a filter-specific policer is affected by how the firewall filter terms that reference the policer are stored in TCAM. If you create a filter-specific policer and reference it in multiple firewall filter terms, the policer allows more traffic than expected if the terms are stored in different TCAM slices. For example, if you configure a policer to discard traffic that exceeds 1 Gbps and reference that policer in three different terms that are stored in three separate memory slices, the total bandwidth allowed by the filter is 3 Gbps, not 1 Gbps.
To prevent this unexpected behavior from occurring, use the information about TCAM slices presented in Planning the Number of Firewall Filters to Create to organize your configuration file so that all the firewall filter terms that reference a given filter-specific policer are stored in the same TCAM slice.
Suggested Naming Convention for Policers
We recommend that you use the naming convention policer-typeTCM#-color-type when configuring three-color policers and policer# when configuring two-color policers. TCM stands for three-color marker. Because policers can be numerous and must be applied correctly to work, a simple naming convention makes it easier to apply the policers properly. For example, the first single-rate, color-aware three-color policer configured would be named srTCM1-ca. The second two-rate, color-blind three-color policer configured would be named trTCM2-cb. The elements of this naming convention are explained below:
- sr (single-rate)
- tr (two-rate)
- TCM (tricolor marking)
- 1 or 2 (number of marker)
- ca (color-aware)
- cb (color-blind)
Policer Counters
Each policer that you configure includes an implicit counter that counts the number of packets that exceed the rate limits that are specified for the policer. If you use the same policer in multiple terms—either within the same filter or in different filters—the implicit counter counts all the packets that are policed in all of these terms. If you want to obtain separate packet counts for each term, use these options:
- Configure a unique policer for each term.
- Configure only one policer, but use a unique, explicit counter in each term.
Policer Algorithms
Policing uses the token-bucket algorithm, which enforces a limit on average bandwidth while allowing bursts up to a specified maximum value. It offers more flexibility than the leaky bucket algorithm in allowing a certain amount of bursty traffic before it starts discarding packets.
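The following is an added illustration, not Junos OS code, that ties together the three-color policer types described under Policer Types, the color-blind and color-aware modes described under Policer Colors, and the token-bucket metering described here. It implements a single-rate three-color marker (RFC 2697, buckets CBS and EBS fed at the CIR) and a two-rate three-color marker (RFC 2698, buckets CBS and PBS fed at the CIR and PIR), with the loss-priority mapping from Table 1. Rates are bits per second and burst sizes are bytes, as on the page; the continuous token refill (elapsed time times rate), the class and function names, and the sample traffic are assumptions of this example.

```python
"""Reference meters for the three-color policer types (RFC 2697 srTCM and
RFC 2698 trTCM) in color-blind or color-aware mode. Added illustration, not
Junos OS code. Rates are bits per second, burst sizes are bytes; continuous
token refill is an assumption of this example."""

# Packet loss priority assigned per color (Table 1, three-color policers).
PLP = {"green": "low", "yellow": "medium-high", "red": "high"}


class SrTCM:
    """Single-rate three-color marker: one rate (CIR), two buckets (CBS, EBS)."""

    def __init__(self, cir_bps, cbs, ebs, color_aware=False):
        if not (0 < cbs <= ebs):
            raise ValueError("EBS must be >= CBS and neither can be 0")
        self.cir = cir_bps / 8            # bytes per second
        self.cbs, self.ebs = cbs, ebs
        self.tc, self.te = float(cbs), float(ebs)   # buckets start full
        self.color_aware = color_aware
        self.last = 0.0

    def _fill(self, now):
        # Tokens refill the committed bucket first; the overflow spills into
        # the excess bucket (RFC 2697 behaviour).
        new = max(0.0, now - self.last) * self.cir
        self.last = now
        room = self.cbs - self.tc
        self.tc += min(new, room)
        self.te = min(self.ebs, self.te + max(0.0, new - room))

    def meter(self, now, nbytes, precolor="green"):
        self._fill(now)
        # Color-aware mode may raise a packet's PLP but never lower it, so a
        # packet already marked yellow cannot draw from the committed bucket.
        if (not self.color_aware or precolor == "green") and self.tc >= nbytes:
            self.tc -= nbytes
            return "green"
        if (not self.color_aware or precolor != "red") and self.te >= nbytes:
            self.te -= nbytes
            return "yellow"
        return "red"


class TrTCM:
    """Two-rate three-color marker: CIR/CBS and PIR/PBS, with PIR >= CIR."""

    def __init__(self, cir_bps, cbs, pir_bps, pbs, color_aware=False):
        if pir_bps < cir_bps:
            raise ValueError("PIR must be >= CIR")
        self.cir, self.pir = cir_bps / 8, pir_bps / 8
        self.cbs, self.pbs = cbs, pbs
        self.tc, self.tp = float(cbs), float(pbs)   # buckets start full
        self.color_aware = color_aware
        self.last = 0.0

    def _fill(self, now):
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)

    def meter(self, now, nbytes, precolor="green"):
        self._fill(now)
        if (self.color_aware and precolor == "red") or self.tp < nbytes:
            return "red"                       # above the PIR and PBS
        if (self.color_aware and precolor == "yellow") or self.tc < nbytes:
            self.tp -= nbytes
            return "yellow"                    # above the CIR and CBS
        self.tp -= nbytes
        self.tc -= nbytes
        return "green"                         # conforming


def run_burst(meter, sizes, precolors=None, now=0.0):
    """Meter a back-to-back burst (every packet arriving at time `now`) and
    return the color assigned to each packet, in order."""
    precolors = precolors or ["green"] * len(sizes)
    return [meter.meter(now, size, pre) for size, pre in zip(sizes, precolors)]


if __name__ == "__main__":
    # Constructed sample: CIR 8 kbps (1000 B/s), CBS 1000 B, EBS 2000 B,
    # seven 500-byte packets arriving at once: 2 green, 4 yellow, 1 red.
    colors = run_burst(SrTCM(8000, 1000, 2000), [500] * 7)
    print([(c, PLP[c]) for c in colors])
```

The burst in the sample exhausts the committed bucket after two packets, the excess bucket after four more, and the seventh packet is red; one second later the CIR has refilled the committed bucket and a new packet is green again, which is the token-bucket property the paragraph describes (bursts up to the configured sizes are tolerated, the long-run average is bounded by the rate).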
How Many Policers are Supported?
You can configure and commit the following numbers of policers on QFX3500 and QFX3600 devices when they are operating as standalone switches:
- Two-color policers used in ingress firewall filters: 767
- Three-color policers used in ingress firewall filters: 767
- Two-color policers used in egress firewall filters: 1022
- Three-color policers used in egress firewall filters: 512
Policers can Limit Egress Firewall Filters
The number of egress policers that you configure can affect the total number of allowed egress firewall filters. Every policer has two implicit counters that consume two entries in a 1024-entry TCAM that is used for counters, including counters that are configured as action modifiers in firewall filter terms. (Policers consume two entries because one is used for green packets and one is used for nongreen packets regardless of policer type.) If the TCAM becomes full, you cannot commit any more egress firewall filters that have terms with counters. For example, if you configure and commit 512 egress policers (two-color, three-color, or a combination of both policer types), all of the memory entries for counters are used up. If later in your configuration file you insert additional egress firewall filters with terms that also include counters, none of the terms in those filters are committed because there is no available memory space for the counters.
Here are some additional examples:
- Assume that you configure egress filters that include a total of 512 policers and no counters. Later in your configuration file you include another egress filter with 10 terms, 1 of which has a counter action modifier. None of the terms in this filter are committed because there is not enough TCAM space for the counter.
- Assume that you configure egress filters that include a total of 500 policers, so 1000 TCAM entries are occupied. Later in your configuration file you include the following two egress filters:
- Filter A with 20 terms and 20 counters. All the terms in this filter are committed because there is enough TCAM space for all the counters.
- Filter B comes after Filter A and has five terms and five counters. None of the terms in this filter are committed because there is not enough memory space for all the counters. (Five TCAM entries are required but only four are available.)
You can prevent this problem by ensuring that egress firewall filter terms with counter actions are placed earlier in your configuration file than terms that include policers. In this circumstance, Junos OS commits policers even if there is not enough TCAM space for the implicit counters. For example, assume the following:
- You have 1024 egress firewall filter terms with counter actions.
- Later in your configuration file you have an egress filter with 10 terms. None of the terms have counters but one has a policer action modifier.
You can successfully commit the filter with 10 terms even though there is not enough TCAM space for the implicit counters of the policer. The policer is committed without the counters.
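The following is an added planning aid, not Junos OS code, that reproduces the counter-TCAM accounting described in this section: filters are processed in configuration-file order, each policer takes two of the 1024 counter entries, a filter whose explicit counters do not all fit is rejected as a whole, and a policer that finds no free entries is still committed, without its implicit counters. The all-or-nothing rule per filter and the order of allocation within a filter (explicit counters before policers) are assumptions drawn from the examples above; the class and function names are this example's own.

```python
"""Simulates how egress policers and counter actions consume the 1024-entry
counter TCAM, in configuration-file order, to predict which egress filters
commit. Added planning aid, not Junos OS code; the per-filter all-or-nothing
rule and the in-filter allocation order are assumptions of this example."""
from dataclasses import dataclass, field

COUNTER_TCAM_ENTRIES = 1024
ENTRIES_PER_POLICER = 2        # one green and one nongreen counter per policer


@dataclass
class Term:
    name: str
    counter: bool = False      # explicit counter action modifier
    policer: bool = False      # policer action modifier (two- or three-color)


@dataclass
class Filter:
    name: str
    terms: list


@dataclass
class CommitResult:
    committed: list = field(default_factory=list)
    rejected: list = field(default_factory=list)
    policers_without_counters: int = 0
    entries_used: int = 0


def simulate_commit(filters, tcam_size=COUNTER_TCAM_ENTRIES):
    result = CommitResult()
    free = tcam_size
    for f in filters:
        needed = sum(1 for t in f.terms if t.counter)
        if needed > free:
            # Not enough space for every explicit counter: none of the
            # filter's terms are committed.
            result.rejected.append(f.name)
            continue
        free -= needed
        for t in f.terms:
            if t.policer:
                if free >= ENTRIES_PER_POLICER:
                    free -= ENTRIES_PER_POLICER
                else:
                    # Policer still commits, but without its implicit counters.
                    result.policers_without_counters += 1
        result.committed.append(f.name)
    result.entries_used = tcam_size - free
    return result


def policer_filter(name, n_policers):
    """Constructed filter with one policer term per policer and no counters."""
    return Filter(name, [Term(f"{name}-t{i}", policer=True) for i in range(n_policers)])


def counter_filter(name, n_terms, n_counters):
    """Constructed filter with n_terms terms, the first n_counters carrying a counter."""
    return Filter(name, [Term(f"{name}-t{i}", counter=i < n_counters) for i in range(n_terms)])


def example_two():
    """The page's second example: 500 policers, then Filter A (20 counters)
    and Filter B (5 counters)."""
    return simulate_commit([policer_filter("policers", 500),
                            counter_filter("A", 20, 20),
                            counter_filter("B", 5, 5)])


if __name__ == "__main__":
    r = example_two()
    print(r.committed, r.rejected, r.entries_used)   # ['policers', 'A'] ['B'] 1020
```

Run with the three scenarios from the text: 512 policers followed by a ten-term filter with one counter rejects that filter; 500 policers, Filter A and Filter B commits A and rejects B with four entries left; 1024 counter terms followed by a filter with one policer commits the filter and reports one policer without counters.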
Published: 2014-07-23