Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Three-Color Policer Configuration Overview

Table 1 describes the hierarchy levels at which you can configure and apply single-rate tricolor-marking (single-rate TCM) policers and two-rate tricolor-marking (two-rate TCM) policers to Layer 3 traffic. For information about applying three-color policers to Layer 2 traffic, see Three-Color Policing at Layer 2 Overview.

Table 1: Three-Color Policer Configuration and Application Overview

Policer Configuration

Layer 3 Application

Key Points
Single-Rate Three-Color Policer

Defines traffic rate limiting that you can apply to Layer 3 protocol-specific traffic at a logical interface. Can be applied as a firewall filter policer only.Provides moderate allowances for short periods of traffic that exceed the committed burst size.

Basic single-rate TCM policer configuration:

[edit firewall]
three-color-policer policer-name {
    single-rate {
        (color-aware | color-blind);
        committed-information-rate bps;
        committed-burst-size bytes;
        excess-burst-size bytes;
    }
    action {
        loss-priority high then discard;
    }
}

Reference the policer from a firewall filter, and apply the filter to a protocol family on a logical interface:

[edit firewall]
family family-name {
    filter filter-name {
        term term-name {
            from {
                ... match-conditions ...
            }
            then {
                three-color-policer {
                    single-rate policer-name;
                }
            }
        }
    }
}

Apply the filter to a logical interface at the protocol family level:

[edit interfaces]
interface-name {
    unit unit-number {
        family family-name {
            filter {
                input filter-name;
                output filter-name;
            }
        }
    }
}

Policer configuration:

  • Include the single-rate (color-aware | color-blind) statement.

Firewall filter configuration:

  • Include the three-color-policer single-rate policer-name action.

Applying the firewall filter to the logical interface:

  • Include the filter (input | output) filter-name statement.
Single-Rate Three-Color Physical Interface Policer

Defines traffic rate limiting that applies to all logical interfaces and protocol families configured on a physical interface, even if the interfaces belong to different routing instances. Can be applied as a firewall filter policer only.

Physical interface single-rate TCM policer:

[edit firewall]
three-color-policer policer-name {
    physical-interface-policer;
    single-rate {
        (color-aware | color-blind);
        committed-information-rate bps;
        committed-burst-size bytes;
        excess-burst-size bytes;
    }
    action {
        loss-priority high then discard;
    }
}

Reference the policer from a physical interface filter only, and apply the filter to a protocol family on a logical interface:

[edit firewall]
family family-name {
    filter filter-name {
        physical-interface-filter
        term term-name {
            from {
                ... match-conditions ...
            }
            then {
                three-color-policer {
                    single-rate policer-name;
                }
            }
        }
    }
}

[edit interfaces]
interface-name {
    unit number {
        family family-name {
            filter {
                input filter-name;
                output filter-name;
            }
        }
    }
}

Policer configuration:

  • Include the physical-interface-policer statement.

Firewall filter configuration:

  • Include the physical-interface-filter statement.

Application:

  • Include the filter (input | output) filter-name statement.

Verification

  • To verify, use the show firewall filter filter-name operational mode command.
Basic Two-Rate Three-Color Policer

Defines traffic rate limiting that you can apply to Layer 3 protocol-specific traffic at a logical interface. Can be applied as a firewall filter policer only.Provides moderate allowances for sustained periods of traffic that exceed the committed bandwidth limit or burst size.

Basic two-rate TCM policer configuration:

[edit firewall]
three-color-policer policer-name {
    two-rate {
        (color-aware | color-blind);
        committed-information-rate bps;
        committed-burst-size bytes;
        peak-information-rate bps;
        peak-burst-size bytes;
    }
    action {
        loss-priority high then discard;
    }
}

Reference the policer from a firewall filter, and apply the filter to a protocol family on a logical interface:

[edit firewall]
family family-name {
    filter filter-name {
        term term-name {
            from {
                ... match-conditions ...
            }
            then {
                three-color-policer {
                    two-rate policer-name;
                }
            }
        }
    }
}

[edit interfaces]
interface-name {
    unit unit-number {
        family family-name {
            filter {
                input filter-name;
                output filter-name;
            }
        }
    }
}

Policer configuration:

  • Include the two-rate (color-aware | color-blind) statement.

Firewall filter configuration:

  • Include the three-color-policer two-rate policer-name action.

Applying the firewall filter to the logical interface:

  • Include the filter (input | output) filter-name statement.

Related Documentation