layer2-policer (firewall)
Syntax
layer2-policer
Hierarchy Level
[edit firewall family <firewall filter family> filter <firewall filter name>]
Description
By default, a policer polices a packet based on the packet's layer 3 header
length plus the packet's payload length. Applying the layer2-policer
configuration on a firewall filter makes the policer account for layer 2
overhead. This changes the policer behavior as well as the firewall filter
counter behavior: filter counter bytes are calculated on the full frame length.
- Default policer overhead calculation: layer 3 header length + payload length
- Policer overhead calculation after applying the layer2-policer configuration: layer 2 header length + layer 3 header length + payload length
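The effect of the two calculations on what a policer passes, as an added example that is not part of the Juniper documentation: a generic single-rate token bucket in Python, charged with either length. The 14-byte layer 2 header, the constructed packet stream, and reading pc1's 20k and 2k limits as 20,000 bps and 2,000 bytes are assumptions.

```python
# Added illustration of the two accounting modes; a generic single-rate
# token bucket, not Junos source code.
L2_HEADER_BYTES = 14  # assumption: untagged Ethernet header; the page gives no value

def policed_length(l3_header, payload, layer2_policer, l2_header=L2_HEADER_BYTES):
    """Bytes charged per packet under each calculation from the page."""
    length = l3_header + payload              # default calculation
    if layer2_policer:
        length += l2_header                   # layer2-policer calculation
    return length

def run_policer(packets, rate_bps, burst_bytes, layer2_policer):
    """packets: (arrival_ms, l3_header_bytes, payload_bytes) in time order.
    Returns (passed, discarded, discarded_bytes). Tokens are kept as
    integers (bits x 1000) so the arithmetic is exact."""
    cap = burst_bytes * 8 * 1000
    tokens, last_ms = cap, 0                  # bucket starts full
    passed = discarded = discarded_bytes = 0
    for arrival_ms, l3_header, payload in packets:
        # Refill for the elapsed time, never beyond the burst size.
        tokens = min(cap, tokens + (arrival_ms - last_ms) * rate_bps)
        last_ms = arrival_ms
        size = policed_length(l3_header, payload, layer2_policer)
        cost = size * 8 * 1000
        if cost <= tokens:
            tokens -= cost
            passed += 1
        else:
            discarded += 1
            discarded_bytes += size
    return passed, discarded, discarded_bytes

def demo():
    # Constructed traffic: 1000 packets, one every 10 ms, each with a
    # 20-byte IPv4 header and a 94-byte payload (128 bytes with layer 2).
    stream = [(i * 10, 20, 94) for i in range(1000)]
    # pc1 from the page: bandwidth-limit 20k, burst-size-limit 2k,
    # read here as 20,000 bps and 2,000 bytes (assumption: k = 1000).
    default = run_policer(stream, 20_000, 2_000, layer2_policer=False)
    with_l2 = run_policer(stream, 20_000, 2_000, layer2_policer=True)
    return default, with_l2

if __name__ == "__main__":
    for label, result in zip(("default", "layer2-policer"), demo()):
        print(label, result)
```

With the same configured limits, charging the layer 2 header makes each packet cost more tokens, so fewer packets conform to the policer.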
Example
The following configurations show the layer2-policer configuration applied to
the f_inet, f_inet6, f_mpls, and f_any firewall filters configured for the
supported firewall filter families: INET, INET6, MPLS, and ANY, respectively.
Setting the layer2-policer configuration in the f_inet firewall filter configuration for the INET firewall filter family.
set firewall family inet filter f_inet layer2-policer
set firewall family inet filter f_inet term t1 then policer pc1
set firewall family inet filter f_inet term t1 then count c1
set firewall family inet filter f_inet term t1 then accept
Setting the layer2-policer configuration in the f_inet6 firewall filter configuration for the INET6 firewall filter family.
set firewall family inet6 filter f_inet6 layer2-policer
set firewall family inet6 filter f_inet6 term t1 then policer pc1
set firewall family inet6 filter f_inet6 term t1 then count c1
set firewall family inet6 filter f_inet6 term t1 then accept
Setting the layer2-policer configuration in the f_mpls firewall filter configuration for the MPLS firewall filter family.
set firewall family mpls filter f_mpls layer2-policer
set firewall family mpls filter f_mpls term t1 then policer pc1
set firewall family mpls filter f_mpls term t1 then count c1
set firewall family mpls filter f_mpls term t1 then accept
Setting the layer2-policer configuration in the f_any firewall filter configuration for the ANY firewall filter family.
set firewall family any filter f_any layer2-policer
set firewall family any filter f_any term t1 then policer pc1
set firewall family any filter f_any term t1 then count c1
set firewall family any filter f_any term t1 then accept
Configuring the policer in the firewall filter.
set firewall policer pc1 if-exceeding bandwidth-limit 20k
set firewall policer pc1 if-exceeding burst-size-limit 2k
set firewall policer pc1 then discard
Applying the firewall filter to the interface. In the following configuration, the firewall filter for INET firewall filter family is applied to the interface.
set interfaces et-2/0/13:2 unit 0 family inet filter input f_inet
Viewing statistics. The following output shows the statistics of the firewall filter for the INET firewall filter family.
Filter: f_inet
Counters:
Name                          Bytes        Packets
c1                           872960           6820
Policers:
Name                          Bytes        Packets
pc1-t1                       370688           2896
Default
The default policer overhead calculation is layer 3 header length + payload length.
Required Privilege Level
firewall—To view this statement in the configuration.
firewall-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Evolved Release 24.3R1.
Supported on:
- PTX10001-36MR
- PTX10003
- PTX10004 - LC1201 & LC1202
- PTX10008 - LC1201 & LC1201
- PTX10016 - LC1201 & LC1201
- PTX10002-36QDD