Two-Color and Three-Color Logical Interface Policers
Logical Interface (Aggregate) Policer Overview
A logical interface policer—also called an aggregate policer—is a two-color or three-color policer that defines traffic rate limiting that you can apply to input or output traffic for multiple protocol families on the same logical interface without creating multiple instances of the policer.
To configure a single-rate two-color logical interface policer, include the logical-interface-policer statement at one of the following hierarchy levels:
[edit firewall policer name]
[edit logical-systems logical-system-name firewall policer name]
To configure a single-rate or two-rate three-color logical interface policer, include the logical-interface-policer statement at one of the following hierarchy levels:
[edit firewall three-color-policer name]
[edit logical-systems logical-system-name firewall three-color-policer name]
A three-color policer can be applied to Layer 2 traffic as a logical interface policer only. You cannot apply a three-color policer to Layer 2 traffic as a physical interface policer (through a firewall filter).
You apply a logical interface policer to Layer 3 traffic directly in the interface configuration, either at the logical unit level (to rate-limit all traffic types, regardless of the protocol family) or at the protocol family level (to rate-limit traffic of a specific protocol family). You cannot reference a logical interface policer from a stateless firewall filter term and then apply the filter to a logical interface; the policer must be attached to the interface itself.
You can apply a logical interface policer to unicast traffic only. For information about configuring a stateless firewall filter for flooded traffic, see “Applying Forwarding Table Filters” in the “Traffic Sampling, Forwarding, and Monitoring” section of the Routing Policies, Firewall Filters, and Traffic Policers User Guide.
To display the logical interface policers on a particular interface, issue the show interfaces policers operational mode command.
Example: Configuring a Two-Color Logical Interface (Aggregate) Policer
This example shows how to configure a single-rate two-color policer as a logical interface policer and apply it to incoming IPv4 traffic on a logical interface.
Requirements
Before you begin, make sure that the logical interface to which you apply the two-color logical interface policer is hosted on a Gigabit Ethernet interface (ge-) or a 10-Gigabit Ethernet interface (xe-).
Overview
In this example, you configure the single-rate two-color policer policer_IFL as a logical interface policer and apply it to incoming IPv4 traffic at logical interface ge-1/3/1.0.
Topology
If the input IPv4 traffic on logical interface ge-1/3/1.0 exceeds a bandwidth limit equal to 90 percent of the media rate of the underlying physical interface ge-1/3/1, with a 300 KB burst-size limit, then the logical interface policer policer_IFL rate-limits the input IPv4 traffic on ge-1/3/1.0. The policer is configured to mark nonconforming traffic rather than discard it: it sets the packet loss priority (PLP) level of nonconforming packets to high and classifies them to the best-effort forwarding class.
As the incoming IPv4 traffic rate on the physical interface slows and conforms to the configured limits, Junos OS stops marking the incoming IPv4 packets at the logical interface.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configuring the Logical Interfaces
- Configuring the Single-Rate Two-Color Policer as a Logical Interface Policer
- Applying the Logical Interface Policer to Input IPv4 Traffic at a Logical Interface
CLI Quick Configuration
To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
set interfaces ge-1/3/1 vlan-tagging
set interfaces ge-1/3/1 unit 0 vlan-id 100
set interfaces ge-1/3/1 unit 0 family inet address 10.10.10.1/30
set interfaces ge-1/3/1 unit 1 vlan-id 101
set interfaces ge-1/3/1 unit 1 family inet address 20.20.20.1/30 arp 20.20.20.2 mac 00:00:11:22:33:44
set firewall policer policer_IFL logical-interface-policer
set firewall policer policer_IFL if-exceeding bandwidth-percent 90
set firewall policer policer_IFL if-exceeding burst-size-limit 300k
set firewall policer policer_IFL then loss-priority high
set firewall policer policer_IFL then forwarding-class best-effort
set interfaces ge-1/3/1 unit 0 family inet policer input policer_IFL
Configuring the Logical Interfaces
Step-by-Step Procedure
To configure the logical interfaces:
Enable configuration of the interface.
[edit] user@host# edit interfaces ge-1/3/1
Configure single tagging.
[edit interfaces ge-1/3/1] user@host# set vlan-tagging
Configure logical interface ge-1/3/1.0.
[edit interfaces ge-1/3/1]
user@host# set unit 0 vlan-id 100
user@host# set unit 0 family inet address 10.10.10.1/30
Configure logical interface ge-1/3/1.1.
[edit interfaces ge-1/3/1]
user@host# set unit 1 vlan-id 101
user@host# set unit 1 family inet address 20.20.20.1/30 arp 20.20.20.2 mac 00:00:11:22:33:44
Results
Confirm the configuration of the logical interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show interfaces
ge-1/3/1 {
    vlan-tagging;
    unit 0 {
        vlan-id 100;
        family inet {
            address 10.10.10.1/30;
        }
    }
    unit 1 {
        vlan-id 101;
        family inet {
            address 20.20.20.1/30 {
                arp 20.20.20.2 mac 00:00:11:22:33:44;
            }
        }
    }
}
Configuring the Single-Rate Two-Color Policer as a Logical Interface Policer
Step-by-Step Procedure
To configure a single-rate two-color policer as a logical interface policer:
Enable configuration of a single-rate two-color policer.
[edit] user@host# edit firewall policer policer_IFL
Specify that the policer is a logical interface (aggregate) policer.
[edit firewall policer policer_IFL] user@host# set logical-interface-policer
A logical interface policer can rate-limit traffic as a percentage of the media rate of the physical interface underlying the logical interface to which it is applied (an absolute bandwidth limit is also supported), and it is applied directly to the interface rather than referenced by a firewall filter.
Specify the policer traffic limits.
Specify the bandwidth limit.
To specify the bandwidth limit as an absolute rate, from 8,000 bits per second through 50,000,000,000 bits per second, include the bandwidth-limit bps statement.
To specify the bandwidth limit as a percentage of the physical port speed on the interface, include the bandwidth-percent percent statement.
In this example, the CLI commands and output are based on a bandwidth limit specified as a percentage rather than as an absolute rate.
[edit firewall policer policer_IFL] user@host# set if-exceeding bandwidth-percent 90
Specify the burst-size limit, from 1,500 bytes through 100,000,000,000 bytes. This is the depth of the policer's token bucket: the maximum number of bytes that a burst of traffic exceeding the bandwidth limit can consume before its packets are treated as nonconforming.
[edit firewall policer policer_IFL] user@host# set if-exceeding burst-size-limit 300k
Specify the policer actions to be taken on traffic that exceeds the configured rate limits.
To discard the packet, include the discard statement.
To set the loss-priority value of the packet, include the loss-priority (low | medium-low | medium-high | high) statement.
To classify the packet to a forwarding class, include the forwarding-class (forwarding-class | assured-forwarding | best-effort | expedited-forwarding | network-control) statement.
In this example, the CLI commands and output are based on both setting the packet loss priority level and classifying the packet.
[edit firewall policer policer_IFL]
user@host# set then loss-priority high
user@host# set then forwarding-class best-effort
Results
Confirm the configuration of the policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show firewall
policer policer_IFL {
    logical-interface-policer;
    if-exceeding {
        bandwidth-percent 90;
        burst-size-limit 300k;
    }
    then {
        loss-priority high;
        forwarding-class best-effort;
    }
}
Applying the Logical Interface Policer to Input IPv4 Traffic at a Logical Interface
Step-by-Step Procedure
To apply the two-color logical interface policer to input IPv4 traffic at a logical interface:
Enable configuration of the logical interface.
[edit] user@host# edit interfaces ge-1/3/1 unit 0
Apply the policer to all traffic types or to a specific traffic type on the logical interface.
To apply the policer to all traffic types, regardless of the protocol family, include the policer (input | output) policer-name statement at the [edit interfaces interface-name unit number] hierarchy level.
To apply the policer to traffic of a specific protocol family, include the policer (input | output) policer-name statement at the [edit interfaces interface-name unit unit-number family family-name] hierarchy level.
To apply the logical interface policer to incoming packets, use the policer input policer-name statement. To apply it to outgoing packets, use the policer output policer-name statement.
In this example, the CLI commands and output are based on rate-limiting the IPv4 input traffic at logical interface ge-1/3/1.0.
[edit interfaces ge-1/3/1 unit 0]
user@host# set family inet policer input policer_IFL
Results
Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show interfaces
ge-1/3/1 {
    vlan-tagging;
    unit 0 {
        vlan-id 100;
        family inet {
            policer input policer_IFL;
            address 10.10.10.1/30;
        }
    }
    unit 1 {
        vlan-id 101;
        family inet {
            address 20.20.20.1/30 {
                arp 20.20.20.2 mac 00:00:11:22:33:44;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Displaying Traffic Statistics and Policers for the Logical Interface
- Displaying Statistics for the Policer
Displaying Traffic Statistics and Policers for the Logical Interface
Purpose
Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.
Action
Use the show interfaces operational mode command for logical interface ge-1/3/1.0, and include the detail or extensive option. The Traffic statistics section of the command output lists the number of bytes and packets received and transmitted on the logical interface. The Protocol inet subsection contains a Policer field that lists the policer policer_IFL as an input or output logical interface policer as follows:
Input: policer_IFL-ge-1/3/1.0-log_int-i
Output: policer_IFL-ge-1/3/1.0-log_int-o
The log_int-i suffix denotes a logical interface policer applied to input traffic, while the log_int-o suffix denotes a logical interface policer applied to output traffic. In this example, the logical interface policer is applied to input traffic only.
Displaying Statistics for the Policer
Purpose
Verify the number of packets evaluated by the policer.
Action
Use the show policer operational mode command and optionally specify the name of the policer. The command output displays the number of packets evaluated by each configured policer (or the specified policer), in each direction. For the policer policer_IFL, the input and output policer names are displayed as follows:
policer_IFL-ge-1/3/1.0-log_int-i
policer_IFL-ge-1/3/1.0-log_int-o
The log_int-i suffix denotes a logical interface policer applied to input traffic, while the log_int-o suffix denotes a logical interface policer applied to output traffic. In this example, the logical interface policer is applied to input traffic only.
Example: Configuring a Three-Color Logical Interface (Aggregate) Policer
This example shows how to configure a two-rate three-color color-blind policer as a logical interface (aggregate) policer and apply the policer directly to Layer 2 input traffic at a supported logical interface.
Requirements
Before you begin, make sure that the logical interface to which you apply the three-color logical interface policer is hosted on a Gigabit Ethernet interface (ge-) or a 10-Gigabit Ethernet interface (xe-) on an MX Series router.
Overview
A two-rate three-color policer meters a traffic flow against a bandwidth limit and burst-size limit for guaranteed traffic, plus a second set of bandwidth and burst-size limits for peak traffic. Traffic that conforms to the limits for guaranteed traffic is categorized as green, and nonconforming traffic falls into one of two categories:
Nonconforming traffic that does not exceed the bandwidth and burst-size limits for peak traffic is categorized as yellow.
Nonconforming traffic that exceeds the bandwidth and burst-size limits for peak traffic is categorized as red.
A logical interface policer defines traffic rate-limiting rules that you can apply to multiple protocol families on the same logical interface without creating multiple instances of the policer.
You apply a logical interface policer directly to a logical interface at the logical unit level, and not by referencing the policer in a stateless firewall filter and then applying the filter to the logical interface at the protocol family level.
Topology
In this example, you configure the two-rate three-color policer trTCM2-cb as a color-blind logical interface policer and apply the policer to incoming Layer 2 traffic on logical interface ge-1/3/1.0.
When using a three-color policer to rate-limit Layer 2 traffic, color-aware policing can be applied to egress traffic only.
The policer defines guaranteed traffic rate limits such that traffic that conforms to the bandwidth limit of 40 Mbps with a 100 KB allowance for traffic bursting (based on the token-bucket formula) is categorized as green. As with any policed traffic, the packets in a green flow are implicitly set to a low loss priority and then transmitted.
Nonconforming traffic that falls within the peak traffic limits of a 60 Mbps bandwidth limit and a 200 KB allowance for traffic bursting (based on the token-bucket formula) is categorized as yellow. The packets in a yellow traffic flow are implicitly set to a medium-high loss priority and then transmitted.
Nonconforming traffic that exceeds the peak traffic limits is categorized as red. The packets in a red traffic flow are implicitly set to a high loss priority. In this example, the optional policer action for red traffic (loss-priority high then discard) is configured, so packets in a red traffic flow are discarded instead of transmitted.
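What the two policers configured on this page actually compute, shown as an added example written for this page (it is not Juniper code and does not reproduce Junos hardware behaviour): a token-bucket model of the single-rate two-color policer policer_IFL from the previous example and of the two-rate three-color color-blind policer trTCM2-cb described above, run against constructed constant-rate packet streams. The 1 Gbps media rate assumed for the ge- port (LINK_BPS), the packet sizes and offered rates, and the RFC 2698 trTCM decision order are assumptions of this example, not statements from the page.

```python
# Added example for this page (not Juniper code): a token-bucket model of the
# two policers configured in these examples, policer_IFL (single-rate
# two-color) and trTCM2-cb (two-rate three-color, color-blind), driven with
# the page's own limits. Assumed, not from the page: the ge- port runs at
# 1 Gbps (LINK_BPS), traffic is a constant-rate stream of fixed-size packets
# (constructed input), and the color decision follows RFC 2698 trTCM.
# Hardware policers differ in token granularity and timing.

LINK_BPS = 1_000_000_000  # assumed media rate of ge-1/3/1


class TokenBucket:
    """Credit bucket of depth_bytes (the burst-size limit) refilled at rate_bps."""

    def __init__(self, rate_bps, depth_bytes):
        self.rate_bps, self.depth_bytes = rate_bps, depth_bytes
        self.tokens = float(depth_bytes)  # starts full, so an initial burst passes
        self.last_t = 0.0

    def refill(self, now):
        earned = (now - self.last_t) * self.rate_bps / 8  # bits/s -> bytes
        self.tokens = min(self.depth_bytes, self.tokens + earned)
        self.last_t = now


class SingleRateTwoColor:
    """'firewall policer' with if-exceeding bandwidth-percent|bandwidth-limit and
    burst-size-limit. One bucket: a packet that fits is conforming and forwarded
    untouched; otherwise it gets the configured 'then' action (on this page
    loss-priority high + forwarding-class best-effort: re-marked, not dropped)."""

    def __init__(self, burst_bytes, bandwidth_percent=None, bandwidth_bps=None,
                 link_bps=LINK_BPS):
        if bandwidth_bps is None:  # bandwidth-percent is relative to port speed
            bandwidth_bps = link_bps * bandwidth_percent / 100
        self.bucket = TokenBucket(bandwidth_bps, burst_bytes)

    def police(self, now, nbytes):
        self.bucket.refill(now)
        if self.bucket.tokens >= nbytes:
            self.bucket.tokens -= nbytes
            return "conform"
        return "exceed"  # nothing debited; packet is still transmitted


class TwoRateThreeColorBlind:
    """'three-color-policer ... two-rate color-blind': C bucket = committed-
    information-rate/committed-burst-size, P bucket = peak-information-rate/
    peak-burst-size. Color-blind: any color set by an upstream node is ignored."""

    IMPLICIT_PLP = {"green": "low", "yellow": "medium-high", "red": "high"}

    def __init__(self, cir_bps, cbs_bytes, pir_bps, pbs_bytes, red_discard=False):
        self.c = TokenBucket(cir_bps, cbs_bytes)
        self.p = TokenBucket(pir_bps, pbs_bytes)
        self.red_discard = red_discard  # 'action loss-priority high then discard'

    def police(self, now, nbytes):
        self.c.refill(now)
        self.p.refill(now)
        if self.p.tokens < nbytes:  # beyond peak limits: red, nothing debited
            return "red"
        if self.c.tokens < nbytes:  # within peak, beyond committed: yellow
            self.p.tokens -= nbytes
            return "yellow"
        self.p.tokens -= nbytes     # within committed limits: green, debit both
        self.c.tokens -= nbytes
        return "green"

    def action(self, color):
        """(loss priority applied to the packet, whether it is transmitted)."""
        return self.IMPLICIT_PLP[color], not (color == "red" and self.red_discard)


def run_stream(policer, offered_bps, pkt_bytes, duration_s):
    """Offer fixed-size packets back to back at offered_bps and count colors."""
    counts = {}
    interval = pkt_bytes * 8 / offered_bps
    for i in range(int(duration_s / interval)):
        color = policer.police(i * interval, pkt_bytes)
        counts[color] = counts.get(color, 0) + 1
    return counts


def demo_two_color():
    """policer_IFL (bandwidth-percent 90, burst-size-limit 300k) at line rate."""
    pol = SingleRateTwoColor(burst_bytes=300_000, bandwidth_percent=90)
    return run_stream(pol, LINK_BPS, pkt_bytes=1400, duration_s=0.1)


def demo_three_color(offered_bps):
    """trTCM2-cb (CIR 40m/CBS 100k, PIR 60m/PBS 200k, red discarded)."""
    pol = TwoRateThreeColorBlind(40_000_000, 100_000, 60_000_000, 200_000, True)
    return run_stream(pol, offered_bps, pkt_bytes=1500, duration_s=1.0)
```

demo_three_color(50_000_000) produces only green and yellow packets because 50 Mbps is below the 60 Mbps peak-information-rate, while demo_three_color(80_000_000) also produces red packets, which this policer's configured action discards. In both cases the initial run of green packets is longer than the steady-state share of roughly CIR/offered rate, because the buckets start full: that head room is exactly the committed-burst-size and peak-burst-size allowances, and the same effect makes demo_two_color() admit more than 90 percent of the packets offered at line rate over a short window.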
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configuring the Logical Interfaces
- Configuring the Two-Rate Three-Color Policer as a Logical Interface Policer
- Applying the Three-Color Policer to the Layer 2 Input at the Logical Interface
CLI Quick Configuration
To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
set interfaces ge-1/3/1 vlan-tagging
set interfaces ge-1/3/1 unit 0 vlan-id 100
set interfaces ge-1/3/1 unit 0 family inet address 10.10.10.1/30
set interfaces ge-1/3/1 unit 1 vlan-id 101
set interfaces ge-1/3/1 unit 1 family inet address 20.20.20.1/30 arp 20.20.20.2 mac 00:00:11:22:33:44
set firewall three-color-policer trTCM2-cb logical-interface-policer
set firewall three-color-policer trTCM2-cb two-rate color-blind
set firewall three-color-policer trTCM2-cb two-rate committed-information-rate 40m
set firewall three-color-policer trTCM2-cb two-rate committed-burst-size 100k
set firewall three-color-policer trTCM2-cb two-rate peak-information-rate 60m
set firewall three-color-policer trTCM2-cb two-rate peak-burst-size 200k
set firewall three-color-policer trTCM2-cb action loss-priority high then discard
set interfaces ge-1/3/1 unit 0 layer2-policer input-three-color trTCM2-cb
Configuring the Logical Interfaces
Step-by-Step Procedure
To configure the logical interfaces:
Enable configuration of the interface.
[edit] user@host# edit interfaces ge-1/3/1
Configure single tagging.
[edit interfaces ge-1/3/1] user@host# set vlan-tagging
Configure logical interface ge-1/3/1.0.
[edit interfaces ge-1/3/1]
user@host# set unit 0 vlan-id 100
user@host# set unit 0 family inet address 10.10.10.1/30
Configure logical interface ge-1/3/1.1.
[edit interfaces ge-1/3/1]
user@host# set unit 1 vlan-id 101
user@host# set unit 1 family inet address 20.20.20.1/30 arp 20.20.20.2 mac 00:00:11:22:33:44
Results
Confirm the configuration of the logical interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show interfaces
ge-1/3/1 {
    vlan-tagging;
    unit 0 {
        vlan-id 100;
        family inet {
            address 10.10.10.1/30;
        }
    }
    unit 1 {
        vlan-id 101;
        family inet {
            address 20.20.20.1/30 {
                arp 20.20.20.2 mac 00:00:11:22:33:44;
            }
        }
    }
}
Configuring the Two-Rate Three-Color Policer as a Logical Interface Policer
Step-by-Step Procedure
To configure the two-rate three-color policer as a logical interface policer:
Enable configuration of a three-color policer.
[edit] user@host# edit firewall three-color-policer trTCM2-cb
Specify that the policer is a logical interface (aggregate) policer.
[edit firewall three-color-policer trTCM2-cb] user@host# set logical-interface-policer
A logical interface policer can rate-limit traffic as a percentage of the media rate of the physical interface underlying the logical interface to which it is applied, and it is applied directly to the interface rather than referenced by a firewall filter. This example uses absolute committed and peak rates instead of a percentage.
Specify that the policer is two-rate and color-blind.
[edit firewall three-color-policer trTCM2-cb] user@host# set two-rate color-blind
A color-aware three-color policer takes into account any color markings that a traffic policer at a previous network node might already have set for a packet, and uses those preexisting markings when determining the policing action for the packet.
Because this three-color policer is applied to Layer 2 input traffic, you must configure it to be color-blind; color-aware policing of Layer 2 traffic is supported in the egress direction only.
Specify the policer traffic limits used to classify a green traffic flow.
[edit firewall three-color-policer trTCM2-cb] user@host# set two-rate committed-information-rate 40m user@host# set two-rate committed-burst-size 100k
Specify the additional policer traffic limits used to classify a yellow or red traffic flow.
[edit firewall three-color-policer trTCM2-cb] user@host# set two-rate peak-information-rate 60m user@host# set two-rate peak-burst-size 200k
(Optional) Specify the configured policer action for packets in a red traffic flow.
[edit firewall three-color-policer trTCM2-cb] user@host# set action loss-priority high then discard
In color-aware mode, the configured action of a three-color policer can raise the packet loss priority (PLP) level of a packet but never lower it. For example, if a color-aware three-color policer meters a packet that already carries a medium-high PLP marking, it can raise the PLP level to high but cannot reduce it to low.
Results
Confirm the configuration of the three-color policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show firewall
three-color-policer trTCM2-cb {
    logical-interface-policer;
    action {
        loss-priority high then discard;
    }
    two-rate {
        color-blind;
        committed-information-rate 40m;
        committed-burst-size 100k;
        peak-information-rate 60m;
        peak-burst-size 200k;
    }
}
Applying the Three-Color Policer to the Layer 2 Input at the Logical Interface
Step-by-Step Procedure
To apply the three-color policer to the Layer 2 input at the logical interface:
Enable application of Layer 2 logical interface policers.
[edit] user@host# edit interfaces ge-1/3/1 unit 0
Apply the three-color logical interface policer to a logical interface input.
[edit interfaces ge-1/3/1 unit 0]
user@host# set layer2-policer input-three-color trTCM2-cb
Results
Confirm the configuration of the logical interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show interfaces
ge-1/3/1 {
    vlan-tagging;
    unit 0 {
        vlan-id 100;
        layer2-policer {
            input-three-color trTCM2-cb;
        }
        family inet {
            address 10.10.10.1/30;
        }
    }
    unit 1 {
        vlan-id 101;
        family inet {
            address 20.20.20.1/30 {
                arp 20.20.20.2 mac 00:00:11:22:33:44;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Displaying Traffic Statistics and Policers for the Logical Interface
- Displaying Statistics for the Policer
Displaying Traffic Statistics and Policers for the Logical Interface
Purpose
Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.
Action
Use the show interfaces operational mode command for logical interface ge-1/3/1.0, and include the detail or extensive option. The Traffic statistics section of the command output lists the number of bytes and packets received and transmitted on the logical interface, and the Protocol inet section contains a Policer field that lists the policer trTCM2-cb as an input or output policer as follows:
Input: trTCM2-cb-ge-1/3/1.0-log_int-i
Output: trTCM2-cb-ge-1/3/1.0-log_int-o
The log_int-i suffix denotes a logical interface policer applied to input traffic, while the log_int-o suffix denotes a logical interface policer applied to output traffic. In this example, the logical interface policer is applied in the input direction only.
Displaying Statistics for the Policer
Purpose
Verify the number of packets evaluated by the policer.
Action
Use the show policer operational mode command and optionally specify the name of the policer. The command output displays the number of packets evaluated by each configured policer (or the specified policer), in each direction. For the policer trTCM2-cb, the input and output policer names are displayed as follows:
trTCM2-cb-ge-1/3/1.0-log_int-i
trTCM2-cb-ge-1/3/1.0-log_int-o
The log_int-i suffix denotes a logical interface policer applied to input traffic, while the log_int-o suffix denotes a logical interface policer applied to output traffic. In this example, the logical interface policer is applied to input traffic only.