Understanding the Use of Policers in Firewall Filters
Policing, or rate limiting, is an important component of firewall filters that lets you control the amount of traffic that enters an interface. A firewall filter configured with a policer permits only traffic at specified data rates to provide protection from denial-of-service (DOS) attacks. Traffic that exceeds the rate limits specified by the policer can be discarded. Discard is the only supported policer action.
A policer applies two types of rate limits on traffic:
- Bandwidth—The number of bits per second permitted, on average.
- Maximum burst size—The maximum size permitted for bursts of data that exceed the given bandwidth limit.
Policing uses an algorithm to enforce a limit on average bandwidth while allowing bursts up to a specified maximum value.
After you name and configure a policer, it is stored as a template. You can then use a policer in a firewall filter configuration.
Each policer that you configure includes an implicit counter that counts the number of packets that exceed the rate limits that are specified for the policer. To get filter or term-specific packets counts, you must configure a new policer for each filter or term that requires policing.