Two-Color and Three-Color Physical Interface Policers
Physical Interface Policer Overview
A physical interface policer is a two-color or three-color policer that defines traffic rate limiting that you can apply to input or output traffic for all the logical interfaces and protocol families configured on a physical interface, even if the logical interfaces belong to different routing instances. This feature is useful when you want to perform aggregate policing for different protocol families and different logical interfaces on the same physical interface.
For example, suppose that a provider edge (PE) router has numerous logical interfaces, each corresponding to a different customer, configured on the same link to a customer edge (CE) device. Now suppose that a customer wants to apply one set of aggregated rate limits for certain types of traffic on a single physical interface. To accomplish this, you could apply a single physical interface policer to the physical interface, which rate-limits all the logical interfaces configured on the interface and all the routing instances to which those interfaces belong.
To configure a single-rate two-color physical interface policer, include the physical-interface-policer statement at one of the following hierarchy levels:
[edit firewall policer policer-name]
[edit logical-systems logical-system-name firewall policer policer-name]
[edit routing-instances routing-instance-name firewall policer policer-name]
[edit logical-systems logical-system-name routing-instances routing-instance-name firewall policer policer-name]
To configure a single-rate or two-rate three-color physical interface policer, include the physical-interface-policer statement at one of the following hierarchy levels:
[edit firewall three-color-policer policer-name]
[edit logical-systems logical-system-name firewall three-color-policer policer-name]
[edit routing-instances routing-instance-name firewall three-color-policer policer-name]
[edit logical-systems logical-system-name routing-instances routing-instance-name firewall three-color-policer policer-name]
You apply a physical interface policer to Layer 3 traffic by referencing the policer from a stateless firewall filter term and then applying the filter to a logical interface. You cannot apply a physical interface policer directly in the interface configuration.
To reference a single-rate two-color policer from a stateless firewall filter term, use the policer nonterminating action. To reference a single-rate or two-rate three-color policer from a stateless firewall filter term, use the three-color-policer nonterminating action.
The following requirements apply to a stateless firewall filter that references a physical interface policer:
- You must configure the firewall filter for a specific, supported protocol family: inet (IPv4), inet6 (IPv6), mpls, vpls, or ccc (circuit cross-connect), but not for family any.
- You must configure the firewall filter as a physical interface filter by including the physical-interface-filter statement at the [edit firewall family family-name filter filter-name] hierarchy level.
- A firewall filter that is defined as a physical interface filter can reference only a physical interface policer.
- A firewall filter that is defined on the global (non-logical) system cannot be used in a logical system for interface-specific filter instances. More specifically, you cannot combine a physical-interface-filter template created on the global system with a filter attachment created on a logical system. Both the template and the attachment must reside on the logical system for filtering to work correctly, because for logical systems the filter instance name is derived from the physical interface, which is not the case for interface-specific filter instances.
- A firewall filter that is defined as a physical interface filter cannot reference a policer configured with the interface-specific statement.
- You cannot configure a firewall filter as both a physical interface filter and a logical interface filter that also includes the interface-specific statement.
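These constraints are easy to violate when the policer and the filter are maintained in different parts of a large configuration, and a commit that fails late in a change window is expensive. The following Python script is an added example, not Juniper code and not part of this page's original configuration: it reads a configuration in set format and flags the combinations the list above forbids. It understands only the global [edit firewall] hierarchy (not logical systems or routing instances), and the sample configuration embedded in it is constructed for the example; shared-policer-A and ipv4-filter mirror the page's own example, the other objects are deliberately invalid, and the trtcm-A lines show the physical-interface-policer statement on a two-rate three-color policer.

```python
import re
from collections import defaultdict

# Constructed sample configuration in Junos "set" format. shared-policer-A and
# ipv4-filter mirror the page's example; the other objects deliberately break
# one rule each so that every check below fires at least once.
SAMPLE_CONFIG = """
set firewall policer shared-policer-A physical-interface-policer
set firewall policer shared-policer-A if-exceeding bandwidth-limit 100m burst-size-limit 500k
set firewall policer shared-policer-A then discard
set firewall policer per-unit-policer interface-specific
set firewall policer per-unit-policer if-exceeding bandwidth-limit 10m burst-size-limit 50k
set firewall policer per-unit-policer then discard
set firewall three-color-policer trtcm-A physical-interface-policer
set firewall three-color-policer trtcm-A two-rate committed-information-rate 50m
set firewall three-color-policer trtcm-A two-rate committed-burst-size 100k
set firewall three-color-policer trtcm-A two-rate peak-information-rate 100m
set firewall three-color-policer trtcm-A two-rate peak-burst-size 200k
set firewall family inet filter ipv4-filter physical-interface-filter
set firewall family inet filter ipv4-filter term tcp-police-1 from protocol tcp
set firewall family inet filter ipv4-filter term tcp-police-1 then policer shared-policer-A
set firewall family mpls filter mpls-filter physical-interface-filter
set firewall family mpls filter mpls-filter term t1 then three-color-policer trtcm-A
set firewall family inet6 filter ipv6-filter physical-interface-filter
set firewall family inet6 filter ipv6-filter interface-specific
set firewall family inet6 filter ipv6-filter term t1 then policer per-unit-policer
set firewall family any filter any-filter physical-interface-filter
set firewall family any filter any-filter term t1 then policer shared-policer-A
set firewall family inet filter plain-filter term t1 then policer shared-policer-A
"""

# Only the statements the rules depend on are parsed; everything else is ignored.
FILTER_FLAG = re.compile(
    r"^set firewall family (\S+) filter (\S+) (physical-interface-filter|interface-specific)$")
FILTER_REF = re.compile(
    r"^set firewall family (\S+) filter (\S+) term (\S+) then (policer|three-color-policer) (\S+)$")
POLICER_FLAG = re.compile(
    r"^set firewall (policer|three-color-policer) (\S+) (physical-interface-policer|interface-specific)$")


def parse(config_text):
    """Index filters by (family, name) and policer flags by (kind, name)."""
    filters = defaultdict(lambda: {"flags": set(), "refs": []})
    policers = defaultdict(set)
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := FILTER_FLAG.match(line):
            fam, name, flag = m.groups()
            filters[(fam, name)]["flags"].add(flag)
        elif m := FILTER_REF.match(line):
            fam, name, term, kind, pol = m.groups()
            filters[(fam, name)]["refs"].append((term, kind, pol))
        elif m := POLICER_FLAG.match(line):
            kind, name, flag = m.groups()
            policers[(kind, name)].add(flag)
    return filters, policers


def lint(config_text):
    """Return one message per violated rule; an empty list means every
    physical-interface-filter / physical-interface-policer pairing is consistent."""
    filters, policers = parse(config_text)
    problems = []
    for (fam, name), f in sorted(filters.items()):
        label = f"family {fam} filter {name}"
        is_pif = "physical-interface-filter" in f["flags"]
        if is_pif and fam == "any":
            problems.append(f"{label}: physical-interface-filter requires a specific family, not any")
        if is_pif and "interface-specific" in f["flags"]:
            problems.append(f"{label}: cannot be both physical-interface-filter and interface-specific")
        for term, kind, pol in f["refs"]:
            pflags = policers.get((kind, pol), set())
            pol_is_phys = "physical-interface-policer" in pflags
            where = f"{label} term {term}"
            if is_pif and "interface-specific" in pflags:
                problems.append(f"{where}: physical interface filter cannot reference interface-specific {kind} {pol}")
            elif is_pif and not pol_is_phys:
                problems.append(f"{where}: {kind} {pol} lacks physical-interface-policer")
            if pol_is_phys and not is_pif:
                problems.append(f"{where}: physical-interface-policer {pol} can only be referenced from a physical-interface-filter")
    return problems


if __name__ == "__main__":
    for msg in lint(SAMPLE_CONFIG):
        print(msg)
```

Run against the sample it reports four problems (any-filter, plain-filter, and two for ipv6-filter) and nothing for ipv4-filter or mpls-filter. Feeding it the output of show configuration | display set before committing catches the same mistakes the commit check would, but without tying up the device.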
Example: Configuring a Physical Interface Policer for Aggregate Traffic at a Physical Interface
This example shows how to configure a single-rate two-color policer as a physical interface policer.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
A physical interface policer specifies rate-limiting for aggregate traffic, which encompasses all protocol families and logical interfaces configured on a physical interface, even if the interfaces belong to different routing instances.
You can apply a physical interface policer to Layer 3 input or output traffic only by referencing the policer from a stateless firewall filter that is configured for a specific protocol family (not for family any) and configured as a physical interface filter. You configure the filter terms with match conditions that select the types of packets you want to rate-limit, and you specify the physical interface policer as the action to apply to matched packets.
Physical interface policers/filters are not supported for list filters.
Topology
The physical interface policer in this example, shared-policer-A, rate-limits traffic to 100,000,000 bps (bandwidth-limit 100m) and permits a maximum burst of 500,000 bytes (burst-size-limit 500k). You configure the policer to discard packets in nonconforming flows, but you could instead configure the policer to re-mark nonconforming traffic with a forwarding class, a packet loss priority (PLP) level, or both.
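To make the two numbers concrete: a single-rate two-color policer is a single token bucket whose fill rate is bandwidth-limit and whose depth is burst-size-limit, so a flow can run above 100 Mbps only until it has drawn down 500,000 bytes of credit. The following Python model is an added example, not Junos code and not part of the original page. It assumes a textbook token bucket that counts the Layer 3 packet size and refills continuously; real platforms differ in which bytes they count and in refill granularity, so use it to reason about the settings, not to predict exact counters. The three traffic patterns it runs (a flow at exactly 100 Mbps, a flow at 200 Mbps, and a 600,000-byte burst after a second of silence) are constructed for the example.

```python
from dataclasses import dataclass, field

# Junos bandwidth-limit / burst-size-limit suffixes are decimal multipliers.
SUFFIX = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_junos_quantity(text):
    """Parse '100m' (bits per second for bandwidth-limit) or '500k' (bytes for
    burst-size-limit) into an integer."""
    text = text.strip().lower()
    if text[-1] in SUFFIX:
        return int(float(text[:-1]) * SUFFIX[text[-1]])
    return int(text)


@dataclass
class TwoColorPolicer:
    """Single token bucket model (an assumption of this example): bandwidth_limit_bps
    fills it, burst_size_bytes caps it. A packet that fits in the bucket is in-spec;
    anything else is out-of-spec, which 'then discard' drops and a re-marking action
    would re-color instead."""
    bandwidth_limit_bps: int
    burst_size_bytes: int
    tokens: float = field(init=False)
    last_t_us: int = field(init=False, default=0)

    def __post_init__(self):
        self.tokens = float(self.burst_size_bytes)   # bucket starts full

    @classmethod
    def from_junos(cls, bandwidth_limit, burst_size_limit):
        return cls(parse_junos_quantity(bandwidth_limit),
                   parse_junos_quantity(burst_size_limit))

    def police(self, t_us, size_bytes):
        """Decide one packet of size_bytes arriving at t_us microseconds."""
        elapsed = t_us - self.last_t_us
        self.tokens = min(self.burst_size_bytes,
                          self.tokens + elapsed * self.bandwidth_limit_bps / 8_000_000)
        self.last_t_us = t_us
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "in-spec"
        return "out-of-spec"


def simulate(policer, packets):
    """packets: list of (t_us, size_bytes). Returns (in_spec, out_of_spec) counts."""
    verdicts = [policer.police(t, s) for t, s in packets]
    return verdicts.count("in-spec"), verdicts.count("out-of-spec")


def steady_stream(rate_bps, n, size=1500):
    """n packets of `size` bytes spaced so the flow runs at exactly rate_bps."""
    interval_us = size * 8 * 1_000_000 // rate_bps   # 120 us at 100 Mbps, 60 us at 200 Mbps
    return [(i * interval_us, size) for i in range(n)]


def burst_after_idle(idle_us, total_bytes, size=1500):
    """A back-to-back burst of total_bytes arriving at one instant after idle_us."""
    return [(idle_us, size)] * (total_bytes // size)


def run_scenarios():
    """Apply the page's shared-policer-A settings (100m / 500k) to three constructed flows."""
    return {
        "100mbps": simulate(TwoColorPolicer.from_junos("100m", "500k"),
                            steady_stream(100_000_000, 2000)),
        "200mbps": simulate(TwoColorPolicer.from_junos("100m", "500k"),
                            steady_stream(200_000_000, 2000)),
        "burst": simulate(TwoColorPolicer.from_junos("100m", "500k"),
                          burst_after_idle(1_000_000, 600_000)),
    }


if __name__ == "__main__":
    for name, (ok, dropped) in run_scenarios().items():
        print(f"{name:8s} in-spec={ok:5d} out-of-spec={dropped:5d}")
```

Running it gives 2000/0 for the 100 Mbps flow, 1332/668 for the 200 Mbps flow (the bucket absorbs the first 665 packets and then admits every other one, which is the 100 Mbps long-term rate), and 333/67 for the burst: the burst size, not the rate, decides how much of a sudden 600,000-byte arrival gets through, so a burst-size-limit sized for a customer's normal bursts is what keeps the policer from discarding legitimate traffic.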
To be able to use the policer to rate-limit IPv4 traffic, you reference the policer from an IPv4 physical interface filter. For this example, you configure the filter to pass to the policer IPv4 packets that meet either of the following match terms:
- Packets received through TCP and with the IP precedence values critical-ecp (0xa0), immediate (0x40), or priority (0x20)
- Packets received through TCP and with the IP precedence values internet-control (0xc0) or routine (0x00)
You could also reference the policer from physical interface filters for other protocol families.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configuring the Logical Interfaces on the Physical Interface
- Configuring a Physical Interface Policer
- Configuring an IPv4 Physical Interface Filter
- Applying the IPv4 Physical Interface Filter to Reference the Physical Interface Policer
CLI Quick Configuration
To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
set interfaces so-1/0/0 unit 0 family inet address 192.168.1.1/24
set interfaces so-1/0/0 unit 0 family vpls
set interfaces so-1/0/0 unit 1 family mpls
set firewall policer shared-policer-A physical-interface-policer
set firewall policer shared-policer-A if-exceeding bandwidth-limit 100m burst-size-limit 500k
set firewall policer shared-policer-A then discard
set firewall family inet filter ipv4-filter physical-interface-filter
set firewall family inet filter ipv4-filter term tcp-police-1 from precedence [ critical-ecp immediate priority ]
set firewall family inet filter ipv4-filter term tcp-police-1 from protocol tcp
set firewall family inet filter ipv4-filter term tcp-police-1 then policer shared-policer-A
set firewall family inet filter ipv4-filter term tcp-police-2 from precedence [ internet-control routine ]
set firewall family inet filter ipv4-filter term tcp-police-2 from protocol tcp
set firewall family inet filter ipv4-filter term tcp-police-2 then policer shared-policer-A
set interfaces so-1/0/0 unit 0 family inet filter input ipv4-filter
Configuring the Logical Interfaces on the Physical Interface
Step-by-Step Procedure
To configure the logical interfaces on the physical interface:
Enable configuration of logical interfaces.
[edit]
user@host# edit interfaces so-1/0/0
Configure protocol families on logical unit 0.
[edit interfaces so-1/0/0]
user@host# set unit 0 family inet address 192.168.1.1/24
user@host# set unit 0 family vpls
Configure protocol families on logical unit 1.
[edit interfaces so-1/0/0]
user@host# set unit 1 family mpls
Results
Confirm the configuration of the logical interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show interfaces
so-1/0/0 {
    unit 0 {
        family inet {
            address 192.168.1.1/24;
        }
        family vpls;
    }
    unit 1 {
        family mpls;
    }
}
Configuring a Physical Interface Policer
Step-by-Step Procedure
To configure a physical interface policer:
Enable configuration of the two-color policer.
[edit]
user@host# edit firewall policer shared-policer-A
Configure the type of two-color policer.
[edit firewall policer shared-policer-A]
user@host# set physical-interface-policer
Configure the traffic limits and the action for packets in a nonconforming traffic flow.
[edit firewall policer shared-policer-A]
user@host# set if-exceeding bandwidth-limit 100m burst-size-limit 500k
user@host# set then discard
For a physical interface policer, the actions you can configure for packets in a nonconforming traffic flow are to discard the packets, assign a forwarding class, assign a PLP value, or assign both a forwarding class and a PLP value.
Results
Confirm the configuration of the policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show firewall
policer shared-policer-A {
    physical-interface-policer;
    if-exceeding {
        bandwidth-limit 100m;
        burst-size-limit 500k;
    }
    then discard;
}
Configuring an IPv4 Physical Interface Filter
Step-by-Step Procedure
To configure a physical interface policer as the action for terms in an IPv4 physical interface filter:
Configure a standard stateless firewall filter under a specific protocol family.
[edit]
user@host# edit firewall family inet filter ipv4-filter
You cannot configure a physical interface firewall filter for family any.
Configure the filter as a physical interface filter so that you can apply the physical interface policer as an action.
[edit firewall family inet filter ipv4-filter]
user@host# set physical-interface-filter
Configure the first term to match IPv4 packets received through TCP with the IP precedence values critical-ecp, immediate, or priority and to apply the physical interface policer as a filter action.
[edit firewall family inet filter ipv4-filter]
user@host# set term tcp-police-1 from precedence [ critical-ecp immediate priority ]
user@host# set term tcp-police-1 from protocol tcp
user@host# set term tcp-police-1 then policer shared-policer-A
Configure the second term to match IPv4 packets received through TCP with the IP precedence values internet-control or routine and to apply the physical interface policer as a filter action.
[edit firewall family inet filter ipv4-filter]
user@host# set term tcp-police-2 from precedence [ internet-control routine ]
user@host# set term tcp-police-2 from protocol tcp
user@host# set term tcp-police-2 then policer shared-policer-A
Results
Confirm the configuration of the firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show firewall
family inet {
    filter ipv4-filter {
        physical-interface-filter;
        term tcp-police-1 {
            from {
                precedence [ critical-ecp immediate priority ];
                protocol tcp;
            }
            then policer shared-policer-A;
        }
        term tcp-police-2 {
            from {
                precedence [ internet-control routine ];
                protocol tcp;
            }
            then policer shared-policer-A;
        }
    }
}
policer shared-policer-A {
    physical-interface-policer;
    if-exceeding {
        bandwidth-limit 100m;
        burst-size-limit 500k;
    }
    then discard;
}
Applying the IPv4 Physical Interface Filter to Reference the Physical Interface Policer
Step-by-Step Procedure
To apply the physical interface filter so that it references the physical interface policer:
Enable configuration of IPv4 on the logical interface.
[edit]
user@host# edit interfaces so-1/0/0 unit 0 family inet
Apply the IPv4 physical interface filter in the input direction.
[edit interfaces so-1/0/0 unit 0 family inet]
user@host# set filter input ipv4-filter
Results
Confirm the application of the firewall filter by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show interfaces
so-1/0/0 {
    unit 0 {
        family inet {
            filter {
                input ipv4-filter;
            }
            address 192.168.1.1/24;
        }
        family vpls;
    }
    unit 1 {
        family mpls;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Displaying the Firewall Filters Applied to an Interface
- Displaying the Number of Packets Processed by the Policer at the Logical Interface
Displaying the Firewall Filters Applied to an Interface
Purpose
Verify that the firewall filter ipv4-filter is applied to the IPv4 input traffic at logical interface so-1/0/0.0.
Action
Use the show interfaces statistics operational mode command for logical interface so-1/0/0.0, and include the detail option. In the Protocol inet section of the command output, the Input Filters field shows that the firewall filter ipv4-filter is applied in the input direction.
user@host> show interfaces statistics so-1/0/0 detail
  Logical interface so-1/0/0.0 (Index 79) (SNMP ifIndex 510) (Generation 149)
    Flags: Hardware-Down Point-To-Point SNMP-Traps 0x4000 Encapsulation: PPP
    Protocol inet, MTU: 4470, Generation: 173, Route table: 0
      Flags: Sendbcast-pkt-to-re, Protocol-Down
      Input Filters: ipv4-filter
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 10.39/16, Local: 10.39.1.1, Broadcast: 10.39.255.255, Generation: 163
Displaying the Number of Packets Processed by the Policer at the Logical Interface
Purpose
Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.
Action
Use the show firewall operational mode command for the filter you applied to the logical interface.
user@host> show firewall filter ipv4-filter
Filter: ipv4-filter
Policers:
Name                                Packets
shared-policer-A-tcp-police-1         32863
shared-policer-A-tcp-police-2          3870
The command output displays one counter per policer instance. Each instance name is the policer name (shared-policer-A) followed by the name of the filter term (tcp-police-1 or tcp-police-2) under which the policer action is specified, and the Packets column is the number of packets that matched that term and exceeded the policer's limits. This is only the count of out-of-specification (out-of-spec) packets, not all packets evaluated by the policer.