Two-Color Policer Configuration Overview
Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, you can configure and apply single-rate two-color policers to Layer 3 traffic.
For vSRX Virtual Firewall, SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, and SRX4600 firewalls, we recommend limiting the traffic rate in a given policer to 80 Mbps or less.
Table 1 describes the hierarchy levels at which you can configure and apply these policers.
Table 1 (columns: Policer Configuration, Layer 3 Application, Key Points)

Single-Rate Two-Color Policer

Defines traffic rate limiting that you can apply to Layer 3 protocol-specific traffic at a logical interface. Can be applied as an interface policer or as a firewall filter policer.

Policer Configuration

Basic policer configuration:

```
[edit firewall]
policer policer-name {
    if-exceeding {
        bandwidth-limit bps;
        burst-size-limit bytes;
    }
    then {
        discard;
        forwarding-class class-name;
        loss-priority supported-value;
    }
}
```

Layer 3 Application

Method A—Apply as an interface policer at the protocol family level:

```
[edit interfaces]
interface-name {
    unit unit-number {
        family family-name {
            policer {
                input policer-name;
                output policer-name;
            }
        }
    }
}
```

Method B—Apply as a firewall filter policer at the protocol family level:

```
[edit firewall]
family family-name {
    filter filter-name {
        interface-specific; # (*)
        from {
            ... match-conditions ...
        }
        then {
            policer policer-name;
        }
    }
}
[edit interfaces]
interface-name {
    unit unit-number {
        family family-name {
            filter {
                input filter-name;
                output filter-name;
            }
            ... protocol-configuration ...
        }
    }
}
```

Key Points

Policer configuration:
Firewall filter configuration (
Interface policer verification:
Firewall filter policer verification:

Logical Interface (Aggregate) Policer

Defines traffic rate limiting that you can apply to multiple protocol families on the same logical interface without creating multiple instances of the policer. Can be applied directly to a logical interface configuration only.

Policer Configuration

Logical interface policer configuration:

```
[edit firewall]
policer policer-name {
    logical-interface-policer;
    if-exceeding {
        bandwidth-limit bps;
        burst-size-limit bytes;
    }
    then {
        discard;
        forwarding-class class-name;
        loss-priority supported-value;
    }
}
```

Layer 3 Application

Method A—Apply as an interface policer only:

```
[edit interfaces]
interface-name {
    unit unit-number {
        policer { # All protocols
            input policer-name;
            output policer-name;
        }
        family family-name {
            policer { # One protocol
                input policer-name;
                output policer-name;
            }
        }
    }
}
```

Method B—Apply as a firewall filter policer at the protocol family level:

```
[edit firewall]
family family-name {
    filter filter-name {
        interface-specific;
        term term-name {
            from {
                ... match-conditions ...
            }
        }
        then {
            policer policer-name;
        }
    }
}
```

Key Points

Policer configuration:
Two options for interface policer application:
Interface policer verification:
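The difference between applying a single-rate two-color policer per protocol family and applying it as a logical interface (aggregate) policer can be seen in a small simulation. This is an added example, not Juniper code: it assumes a simplified token-bucket model of the policer, and the rate, burst size, family names and traffic pattern are constructed values.

```python
# Simplified token-bucket model (an assumption of this example, not Junos source).
BANDWIDTH_LIMIT_BPS = 1_000_000   # constructed value for: bandwidth-limit bps
BURST_SIZE_LIMIT_BYTES = 15_000   # constructed value for: burst-size-limit bytes
FAMILIES = ("inet", "inet6")      # two protocol families on one logical interface


class TwoColorPolicer:
    """One policer instance: tokens refill at bandwidth-limit, capped at burst-size-limit."""

    def __init__(self, bandwidth_limit_bps, burst_size_limit_bytes):
        self.rate_bps = bandwidth_limit_bps
        self.burst = burst_size_limit_bytes
        self.tokens = burst_size_limit_bytes  # bucket starts full
        self.last_ms = 0

    def police(self, now_ms, size_bytes):
        """Return 'green' if the packet conforms, 'red' if the then-action (e.g. discard) applies."""
        refill = (now_ms - self.last_ms) * self.rate_bps // 8000  # bits/s -> bytes/ms
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "green"
        return "red"


def simulate(logical_interface_policer):
    """Count conforming packets per family over one second of constructed traffic."""
    if logical_interface_policer:
        shared = TwoColorPolicer(BANDWIDTH_LIMIT_BPS, BURST_SIZE_LIMIT_BYTES)
        policers = {fam: shared for fam in FAMILIES}          # one aggregate instance
    else:
        policers = {fam: TwoColorPolicer(BANDWIDTH_LIMIT_BPS, BURST_SIZE_LIMIT_BYTES)
                    for fam in FAMILIES}                      # one instance per family
    green = {fam: 0 for fam in FAMILIES}
    for now_ms in range(0, 1000, 10):       # each family offers 1500 B every 10 ms (1.2 Mbps)
        for fam in FAMILIES:
            if policers[fam].police(now_ms, 1500) == "green":
                green[fam] += 1
    return green


if __name__ == "__main__":
    for mode in (False, True):
        result = simulate(mode)
        label = "logical-interface-policer" if mode else "per-family policers"
        print(f"{label}: {result}, conforming bytes = {sum(result.values()) * 1500}")
```

With separate instances each family gets its own budget, so the logical interface passes twice as many conforming packets as with the shared instance. In this model the shared bucket is drained in arrival order, so only the total is bounded and the split between families depends on ordering.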
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.