Two-Color and Three-Color Logical Interface Policers
Logical Interface (Aggregate) Policer Overview
A logical interface policer—also called an aggregate policer—is a two-color or three-color policer that defines traffic rate limiting that you can apply to input or output traffic for multiple protocol families on the same logical interface without creating multiple instances of the policer.
To configure a single-rate two-color logical interface policer, include the logical-interface-policer statement at one of the following hierarchy levels:
[edit firewall policer name]
[edit logical-systems logical-system-name firewall policer name]
To configure a single-rate or two-rate three-color logical interface policer, include the logical-interface-policer statement at one of the following hierarchy levels:
[edit firewall three-color-policer name]
[edit logical-systems logical-system-name firewall three-color-policer name]
A three-color policer can be applied to Layer 2 traffic as a logical interface policer only. You cannot apply a three-color policer to Layer 2 traffic as a physical interface policer (through a firewall filter).
You apply a logical interface policer to Layer 3 traffic directly in the interface configuration, either at the logical unit level (to rate-limit all traffic types, regardless of the protocol family) or at the protocol family level (to rate-limit traffic of a specific protocol family). You cannot apply a logical interface policer by referencing it from a stateless firewall filter term and then applying the filter to the logical interface; the policer must be attached to the interface itself.
You can apply a logical interface policer to unicast traffic only. For information about configuring a stateless firewall filter for flooded traffic, see “Applying Forwarding Table Filters” in the “Traffic Sampling, Forwarding, and Monitoring” section of the Routing Policies, Firewall Filters, and Traffic Policers User Guide.
To display a logical interface policer on a particular interface, issue the show interfaces policers operational mode command.
Example: Configuring a Two-Color Logical Interface (Aggregate) Policer
This example shows how to configure a single-rate two-color policer as a logical interface policer and apply it to incoming IPv4 traffic on a logical interface.
Requirements
Before you begin, make sure that the logical interface to which you apply the two-color logical interface policer is hosted on a Gigabit Ethernet interface (ge-) or a 10-Gigabit Ethernet interface (xe-).
Overview
In this example, you configure the single-rate two-color policer policer_IFL as a logical interface policer and apply it to incoming IPv4 traffic at logical interface ge-1/3/1.0.
Topology
If the input IPv4 traffic on the physical interface ge-1/3/1 exceeds a bandwidth limit equal to 90 percent of the media rate with a 300 KB burst-size limit, then the logical interface policer policer_IFL rate-limits the input IPv4 traffic on the logical interface ge-1/3/1.0. Configure the policer to mark nonconforming traffic by setting the packet loss priority (PLP) level to high and classifying the packets as best-effort.
As the incoming IPv4 traffic rate on the physical interface slows and conforms to the configured limits, Junos OS stops marking the incoming IPv4 packets at the logical interface.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configuring the Logical Interfaces
- Configuring the Single-Rate Two-Color Policer as a Logical Interface Policer
- Applying the Logical Interface Policer to Input IPv4 Traffic at a Logical Interface
CLI Quick Configuration
To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
set interfaces ge-1/3/1 vlan-tagging
set interfaces ge-1/3/1 unit 0 vlan-id 100
set interfaces ge-1/3/1 unit 0 family inet address 10.10.10.1/30
set interfaces ge-1/3/1 unit 1 vlan-id 101
set interfaces ge-1/3/1 unit 1 family inet address 20.20.20.1/30 arp 20.20.20.2 mac 00:00:11:22:33:44
set firewall policer policer_IFL logical-interface-policer
set firewall policer policer_IFL if-exceeding bandwidth-percent 90
set firewall policer policer_IFL if-exceeding burst-size-limit 300k
set firewall policer policer_IFL then loss-priority high
set firewall policer policer_IFL then forwarding-class best-effort
set interfaces ge-1/3/1 unit 0 family inet policer input policer_IFL
Configuring the Logical Interfaces
Step-by-Step Procedure
To configure the logical interfaces:
Enable configuration of the interface.
    [edit]
    user@host# edit interfaces ge-1/3/1
Configure single tagging.
    [edit interfaces ge-1/3/1]
    user@host# set vlan-tagging
Configure logical interface ge-1/3/1.0.
    [edit interfaces ge-1/3/1]
    user@host# set unit 0 vlan-id 100
    user@host# set unit 0 family inet address 10.10.10.1/30
Configure logical interface ge-1/3/1.1.
    [edit interfaces ge-1/3/1]
    user@host# set unit 1 vlan-id 101
    user@host# set unit 1 family inet address 20.20.20.1/30 arp 20.20.20.2 mac 00:00:11:22:33:44
Results
Confirm the configuration of the logical interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show interfaces
ge-1/3/1 {
    vlan-tagging;
    unit 0 {
        vlan-id 100;
        family inet {
            address 10.10.10.1/30;
        }
    }
    unit 1 {
        vlan-id 101;
        family inet {
            address 20.20.20.1/30 {
                arp 20.20.20.2 mac 00:00:11:22:33:44;
            }
        }
    }
}
Configuring the Single-Rate Two-Color Policer as a Logical Interface Policer
Step-by-Step Procedure
To configure a single-rate two-color policer as a logical interface policer:
Enable configuration of a single-rate two-color policer.
    [edit]
    user@host# edit firewall policer policer_IFL
Specify that the policer is a logical interface (aggregate) policer.
    [edit firewall policer policer_IFL]
    user@host# set logical-interface-policer
A logical interface policer can rate-limit traffic based on a percentage of the media rate of the physical interface underlying the logical interface to which the policer is applied (as in this example) or based on an absolute bandwidth limit. The policer is applied directly to the interface rather than referenced by a firewall filter.
Specify the policer traffic limits.
Specify the bandwidth limit. To specify the bandwidth limit as an absolute rate, from 8,000 bits per second through 50,000,000,000 bits per second, include the bandwidth-limit bps statement. To specify the bandwidth limit as a percentage of the physical port speed on the interface, include the bandwidth-percent percent statement.
In this example, the CLI commands and output are based on a bandwidth limit specified as a percentage rather than as an absolute rate.
    [edit firewall policer policer_IFL]
    user@host# set if-exceeding bandwidth-percent 90
Specify the burst-size limit, from 1,500 bytes through 100,000,000,000 bytes. This is the maximum amount of traffic, in bytes, that is permitted to burst above the configured bandwidth limit before the policer treats packets as nonconforming.
    [edit firewall policer policer_IFL]
    user@host# set if-exceeding burst-size-limit 300k
Specify the policer actions to be taken on traffic that exceeds the configured rate limits. To discard the packet, include the discard statement. To set the loss-priority value of the packet, include the loss-priority (low | medium-low | medium-high | high) statement. To classify the packet to a forwarding class, include the forwarding-class (forwarding-class | assured-forwarding | best-effort | expedited-forwarding | network-control) statement.
In this example, the CLI commands and output are based on both setting the packet loss priority level and classifying the packet.
    [edit firewall policer policer_IFL]
    user@host# set then loss-priority high
    user@host# set then forwarding-class best-effort
Results
Confirm the configuration of the policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show firewall
policer policer_IFL {
    logical-interface-policer;
    if-exceeding {
        bandwidth-percent 90;
        burst-size-limit 300k;
    }
    then {
        loss-priority high;
        forwarding-class best-effort;
    }
}
Applying the Logical Interface Policer to Input IPv4 Traffic at a Logical Interface
Step-by-Step Procedure
To apply the two-color logical interface policer to input IPv4 traffic at a logical interface:
Enable configuration of the logical interface.
    [edit]
    user@host# edit interfaces ge-1/3/1 unit 0
Apply the policer to all traffic types or to a specific traffic type on the logical interface. To apply the policer to all traffic types, regardless of the protocol family, include the policer (input | output) policer-name statement at the [edit interfaces interface-name unit number] hierarchy level. To apply the policer to traffic of a specific protocol family, include the policer (input | output) policer-name statement at the [edit interfaces interface-name unit unit-number family family-name] hierarchy level.
To apply the logical interface policer to incoming packets, use the policer input policer-name statement. To apply the logical interface policer to outgoing packets, use the policer output policer-name statement. In this example, the CLI commands and output are based on rate-limiting the IPv4 input traffic at logical interface ge-1/3/1.0.
    [edit interfaces ge-1/3/1 unit 0]
    user@host# set family inet policer input policer_IFL
Results
Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show interfaces
ge-1/3/1 {
    vlan-tagging;
    unit 0 {
        vlan-id 100;
        family inet {
            policer input policer_IFL;
            address 10.10.10.1/30;
        }
    }
    unit 1 {
        vlan-id 101;
        family inet {
            address 20.20.20.1/30 {
                arp 20.20.20.2 mac 00:00:11:22:33:44;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Displaying Traffic Statistics and Policers for the Logical Interface
- Displaying Statistics for the Policer
Displaying Traffic Statistics and Policers for the Logical Interface
Purpose
Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.
Action
Use the show interfaces operational mode command for logical interface ge-1/3/1.0, and include the detail or extensive option. The Traffic statistics section of the command output lists the number of bytes and packets received and transmitted on the logical interface. The Protocol inet subsection contains a Policer field that lists the policer policer_IFL as an input or output logical interface policer, as follows:
Input: policer_IFL-ge-1/3/1.0-log_int-i
Output: policer_IFL-ge-1/3/1.0-log_int-o
The log_int-i suffix denotes a logical interface policer applied to input traffic, while the log_int-o suffix denotes a logical interface policer applied to output traffic. In this example, the logical interface policer is applied to input traffic only, so only the Input entry is expected to appear.
Displaying Statistics for the Policer
Purpose
Verify the number of packets evaluated by the policer.
Action
Use the show policer operational mode command and optionally specify the name of the policer. The command output displays the number of packets evaluated by each configured policer (or the specified policer), in each direction. For the policer policer_IFL, the input and output policer names are displayed as follows:
policer_IFL-ge-1/3/1.0-log_int-i
policer_IFL-ge-1/3/1.0-log_int-o
The log_int-i suffix denotes a logical interface policer applied to input traffic, while the log_int-o suffix denotes a logical interface policer applied to output traffic. In this example, the logical interface policer is applied to input traffic only.
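One way to turn the naming convention above into a repeatable check is to parse show policer output for logical-interface policer instances and confirm that the instance for the expected direction is present. The following Python is an added example, not Juniper code: the sample output is constructed, and its Name/Bytes/Packets column layout is an assumption about the command's format, so adjust COUNTER_LINE if your release prints different columns. Only the instance-name format (policer-logical-interface-log_int-i or -o) comes from this page.

```python
"""Find logical-interface policer instances in `show policer` output (added example)."""
import re

# Constructed sample of `show policer` output; column layout is an assumption.
SAMPLE_SHOW_POLICER = """\
Policers:
Name                                                Bytes              Packets
__default_arp_policer__                                 0                    0
policer_IFL-ge-1/3/1.0-log_int-i                  3750000                 2500
"""

# A counter row: instance name, then two integer columns.
COUNTER_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<bytes>\d+)\s+(?P<packets>\d+)\s*$")

# Instance name format documented on this page: <policer>-<ifl>-log_int-<i|o>.
# The policer name itself may contain hyphens, so the logical interface is
# matched from the right (ge-1/3/1.0, xe-0/0/0:1.5, ...).
LOG_INT_NAME = re.compile(
    r"^(?P<policer>.+)-(?P<ifl>[a-z]+-\d+/\d+/\d+(?::\d+)?\.\d+)-log_int-(?P<dir>[io])$"
)


def parse_show_policer(text):
    """Return one dict per logical-interface policer instance in the output."""
    found = []
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if not m:
            continue                      # header, blank, or non-counter line
        n = LOG_INT_NAME.match(m["name"])
        if not n:
            continue                      # some other policer (e.g. the default ARP policer)
        found.append({
            "policer": n["policer"],
            "interface": n["ifl"],
            "direction": "input" if n["dir"] == "i" else "output",
            "bytes": int(m["bytes"]),
            "packets": int(m["packets"]),
        })
    return found


def check_applied(text, policer, interface, direction):
    """True if the instance for this policer, interface and direction exists."""
    return any(
        e["policer"] == policer and e["interface"] == interface and e["direction"] == direction
        for e in parse_show_policer(text)
    )


if __name__ == "__main__":
    for entry in parse_show_policer(SAMPLE_SHOW_POLICER):
        print(entry)
    # This page applies policer_IFL to input only, so input is present and output is not.
    print("input applied:", check_applied(SAMPLE_SHOW_POLICER, "policer_IFL", "ge-1/3/1.0", "input"))
    print("output applied:", check_applied(SAMPLE_SHOW_POLICER, "policer_IFL", "ge-1/3/1.0", "output"))
```

Because the same policer name can be attached in both directions and on several logical interfaces, the check keys on the full instance name rather than on the policer name alone; a policer that appears only as an output instance when you intended input is the usual misconfiguration this catches.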
Example: Configuring a Three-Color Logical Interface (Aggregate) Policer
This example shows how to configure a two-rate three-color color-blind policer as a logical interface (aggregate) policer and apply the policer directly to Layer 2 input traffic at a supported logical interface.
Requirements
Before you begin, make sure that the logical interface to which you apply the three-color logical interface policer is hosted on a Gigabit Ethernet interface (ge-) or a 10-Gigabit Ethernet interface (xe-) on an MX Series router.
Overview
A two-rate three-color policer meters a traffic flow against a bandwidth limit and burst-size limit for guaranteed traffic, plus a second set of bandwidth and burst-size limits for peak traffic. Traffic that conforms to the limits for guaranteed traffic is categorized as green, and nonconforming traffic falls into one of two categories:
Nonconforming traffic that does not exceed the bandwidth and burst-size limits for peak traffic is categorized as yellow.
Nonconforming traffic that exceeds the bandwidth and burst-size limits for peak traffic is categorized as red.
A logical interface policer defines traffic rate-limiting rules that you can apply to multiple protocol families on the same logical interface without creating multiple instances of the policer.
You apply a logical interface policer directly to a logical interface at the logical unit level, and not by referencing the policer in a stateless firewall filter and then applying the filter to the logical interface at the protocol family level.
Topology
In this example, you configure the two-rate three-color policer trTCM2-cb as a color-blind logical interface policer and apply the policer to incoming Layer 2 traffic on logical interface ge-1/3/1.0.
When using a three-color policer to rate-limit Layer 2 traffic, color-aware policing can be applied to egress traffic only.
The policer defines guaranteed traffic rate limits such that
traffic that conforms to the bandwidth limit of 40 Mbps with
a 100 KB allowance for traffic bursting (based on the token-bucket
formula) is categorized as green. As with any policed traffic, the
packets in a green flow are implicitly set to a low
loss
priority and then transmitted.
Nonconforming traffic that falls within the peak traffic limits of a 60 Mbps bandwidth limit and a 200 KB allowance for traffic bursting (based on the token-bucket formula) is categorized as yellow. The packets in a yellow traffic flow are implicitly set to a medium-high loss priority and then transmitted.
Nonconforming traffic that exceeds the peak traffic limits is categorized as red. The packets in a red traffic flow are implicitly set to a high loss priority. In this example, the optional policer action for red traffic (loss-priority high then discard) is configured, so packets in a red traffic flow are discarded instead of transmitted.
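To see how these limits sort a flow into green, yellow and red, here is an added Python model of the color-blind two-rate three-color policer (not Juniper code; it follows the RFC 2698 two-token-bucket marker, and the class and function names are hypothetical) using the trTCM2-cb values from this example on constructed packet streams:

```python
from dataclasses import dataclass, field


@dataclass
class TwoRateThreeColorPolicer:
    """Color-blind trTCM (RFC 2698 token buckets); added example, not Juniper code."""
    cir: int                  # committed-information-rate (bits/s)
    cbs: int                  # committed-burst-size (bytes)
    pir: int                  # peak-information-rate (bits/s)
    pbs: int                  # peak-burst-size (bytes)
    discard_red: bool = True  # 'action loss-priority high then discard'
    tc: float = field(init=False)   # committed token bucket (bytes)
    tp: float = field(init=False)   # peak token bucket (bytes)
    last: float = 0.0               # time of the previous packet (s)

    def __post_init__(self):        # both buckets start full
        self.tc, self.tp = float(self.cbs), float(self.pbs)

    def _refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tc = min(self.cbs, self.tc + elapsed * self.cir / 8)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir / 8)
        self.last = now

    def police(self, now, size):
        """Return (color, loss_priority, action) for `size` bytes at `now` s."""
        self._refill(now)
        if self.tp < size:            # exceeds the peak limits: red
            return "red", "high", "discard" if self.discard_red else "transmit"
        self.tp -= size
        if self.tc < size:            # within peak, over committed: yellow
            return "yellow", "medium-high", "transmit"   # tc is not charged
        self.tc -= size
        return "green", "low", "transmit"


def simulate(packets, **limits):
    """Police constructed (time_s, size_bytes) packets; return counts per color."""
    pol = TwoRateThreeColorPolicer(**limits)
    counts = {"green": 0, "yellow": 0, "red": 0}
    for t, size in packets:
        counts[pol.police(t, size)[0]] += 1
    return counts


TRTCM2_CB = dict(cir=40_000_000, cbs=100_000, pir=60_000_000, pbs=200_000)
# Constructed 1500-byte streams: an instantaneous burst of 150 packets, and a
# steady 50 Mb/s flow (one packet every 240 us) that sits between CIR and PIR.
BURST = [(0.0, 1500)] * 150
STEADY_50M = [(k * 0.00024, 1500) for k in range(400)]
```

simulate(BURST, **TRTCM2_CB) returns 66 green, 67 yellow and 17 red packets, and the 50 Mb/s stream settles into four green packets per yellow one because yellow packets do not draw from the committed bucket.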
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configuring the Logical Interfaces
- Configuring the Two-Rate Three-Color Policer as a Logical Interface Policer
- Applying the Three-Color Policer to the Layer 2 Input at the Logical Interface
CLI Quick Configuration
To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
set interfaces ge-1/3/1 vlan-tagging
set interfaces ge-1/3/1 unit 0 vlan-id 100
set interfaces ge-1/3/1 unit 0 family inet address 10.10.10.1/30
set interfaces ge-1/3/1 unit 1 vlan-id 101
set interfaces ge-1/3/1 unit 1 family inet address 20.20.20.1/30 arp 20.20.20.2 mac 00:00:11:22:33:44
set firewall three-color-policer trTCM2-cb logical-interface-policer
set firewall three-color-policer trTCM2-cb two-rate color-blind
set firewall three-color-policer trTCM2-cb two-rate committed-information-rate 40m
set firewall three-color-policer trTCM2-cb two-rate committed-burst-size 100k
set firewall three-color-policer trTCM2-cb two-rate peak-information-rate 60m
set firewall three-color-policer trTCM2-cb two-rate peak-burst-size 200k
set firewall three-color-policer trTCM2-cb action loss-priority high then discard
set interfaces ge-1/3/1 unit 0 layer2-policer input-three-color trTCM2-cb
Configuring the Logical Interfaces
Step-by-Step Procedure
To configure the logical interfaces:
Enable configuration of the interface.
[edit]
user@host# edit interfaces ge-1/3/1
Configure single tagging.
[edit interfaces ge-1/3/1]
user@host# set vlan-tagging
Configure logical interface ge-1/3/1.0.
[edit interfaces ge-1/3/1]
user@host# set unit 0 vlan-id 100
user@host# set unit 0 family inet address 10.10.10.1/30
Configure logical interface ge-1/3/1.1.
[edit interfaces ge-1/3/1]
user@host# set unit 1 vlan-id 101
user@host# set unit 1 family inet address 20.20.20.1/30 arp 20.20.20.2 mac 00:00:11:22:33:44
Results
Confirm the configuration of the logical interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show interfaces
ge-1/3/1 {
    vlan-tagging;
    unit 0 {
        vlan-id 100;
        family inet {
            address 10.10.10.1/30;
        }
    }
    unit 1 {
        vlan-id 101;
        family inet {
            address 20.20.20.1/30 {
                arp 20.20.20.2 mac 00:00:11:22:33:44;
            }
        }
    }
}
Configuring the Two-Rate Three-Color Policer as a Logical Interface Policer
Step-by-Step Procedure
To configure the two-rate three-color policer as a logical interface policer:
Enable configuration of a three-color policer.
[edit]
user@host# edit firewall three-color-policer trTCM2-cb
Specify that the policer is a logical interface (aggregate) policer.
[edit firewall three-color-policer trTCM2-cb]
user@host# set logical-interface-policer
A logical interface policer rate-limits traffic based on a percentage of the media rate of the physical interface underlying the logical interface to which the policer is applied, and the policer is applied directly to the interface rather than referenced by a firewall filter.
Specify that the policer is two-rate and color-blind.
[edit firewall three-color-policer trTCM2-cb]
user@host# set two-rate color-blind
A color-aware three-color policer takes into account any coloring markings that might have been set for a packet by another traffic policer configured at a previous network node, and any preexisting color markings are used in determining the appropriate policing action for the packet.
Because you are applying this three-color policer to input at Layer 2, you must configure the policer to be color-blind.
Specify the policer traffic limits used to classify a green traffic flow.
[edit firewall three-color-policer trTCM2-cb]
user@host# set two-rate committed-information-rate 40m
user@host# set two-rate committed-burst-size 100k
Specify the additional policer traffic limits used to classify a yellow or red traffic flow.
[edit firewall three-color-policer trTCM2-cb]
user@host# set two-rate peak-information-rate 60m
user@host# set two-rate peak-burst-size 200k
(Optional) Specify the configured policer action for packets in a red traffic flow.
[edit firewall three-color-policer trTCM2-cb]
user@host# set action loss-priority high then discard
In color-aware mode, the three-color policer configured action can increase the packet loss priority (PLP) level of a packet, but never decrease it. For example, if a color-aware three-color policer meters a packet with a medium PLP marking, it can raise the PLP level to high, but cannot reduce the PLP level to low.
Results
Confirm the configuration of the three-color policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show firewall
three-color-policer trTCM2-cb {
    logical-interface-policer;
    action {
        loss-priority high then discard;
    }
    two-rate {
        color-blind;
        committed-information-rate 40m;
        committed-burst-size 100k;
        peak-information-rate 60m;
        peak-burst-size 200k;
    }
}
Applying the Three-Color Policer to the Layer 2 Input at the Logical Interface
Step-by-Step Procedure
To apply the three-color policer to the Layer 2 input at the logical interface:
Enable application of Layer 2 logical interface policers.
[edit]
user@host# edit interfaces ge-1/3/1 unit 0
Apply the three-color logical interface policer to a logical interface input.
[edit interfaces ge-1/3/1 unit 0]
user@host# set layer2-policer input-three-color trTCM2-cb
Results
Confirm the configuration of the logical interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show interfaces
ge-1/3/1 {
    vlan-tagging;
    unit 0 {
        vlan-id 100;
        layer2-policer {
            input-three-color trTCM2-cb;
        }
        family inet {
            address 10.10.10.1/30;
        }
    }
    unit 1 {
        vlan-id 101;
        family inet {
            address 20.20.20.1/30 {
                arp 20.20.20.2 mac 00:00:11:22:33:44;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Displaying Traffic Statistics and Policers for the Logical Interface
- Displaying Statistics for the Policer
Displaying Traffic Statistics and Policers for the Logical Interface
Purpose
Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.
Action
Use the show interfaces operational mode command for logical interface ge-1/3/1.0, and include the detail or extensive option. The Traffic statistics section of the command output lists the number of bytes and packets received and transmitted on the logical interface, and the Protocol inet section contains a Policer field that would list the policer trTCM2-cb as an input or output policer as follows:
Input: trTCM2-cb-ge-1/3/1.0-log_int-i
Output: trTCM2-cb-ge-1/3/1.0-log_int-o
The log_int-i suffix denotes a logical interface policer applied to input traffic, while the log_int-o suffix denotes a logical interface policer applied to output traffic. In this example, the logical interface policer is applied in the input direction only.
Displaying Statistics for the Policer
Purpose
Verify the number of packets evaluated by the policer.
Action
Use the show policer operational mode command and optionally specify the name of the policer. The command output displays the number of packets evaluated by each configured policer (or the specified policer), in each direction. For the policer trTCM2-cb, the input and output policer names are displayed as follows:
trTCM2-cb-ge-1/3/1.0-log_int-i
trTCM2-cb-ge-1/3/1.0-log_int-o
The log_int-i suffix denotes a logical interface policer applied to input traffic, while the log_int-o suffix denotes a logical interface policer applied to output traffic. In this example, the logical interface policer is applied to input traffic only.