Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Two-Color and Three-Color Physical Interface Policers

Physical Interface Policer Overview

A physical interface policer is a two-color or three-color policer that defines traffic rate limiting that you can apply to input or output traffic for all the logical interfaces and protocol families configured on a physical interface, even if the logical interfaces belong to different routing instances. This feature is useful when you want to perform aggregate policing for different protocol families and different logical interfaces on the same physical interface.

For example, suppose that a provider edge (PE) router has numerous logical interfaces, each corresponding to a different customer, configured on the same link to a customer edge (CE) device. Now suppose that a customer wants to apply one set of aggregated rate limits for certain types of traffic on a single physical interface. To accomplish this, you could apply a single physical interface policer to the physical interface, which rate-limits all the logical interfaces configured on the interface and all the routing instances to which those interfaces belong.

To configure a single-rate two-color physical interface policer, include the physical-interface-policer statement at one of the following hierarchy levels:

To configure a single-rate or two-rate three-color physical interface policer, include the physical-interface-policer statement at one of the following hierarchy levels:

You apply a physical interface policer to Layer 3 traffic by referencing the policer from a stateless firewall filter term and then applying the filter to a logical interface. You cannot apply a physical interface to Layer 3 traffic directly to the interface configuration.

To reference a single-rate two-color policer from a stateless firewall filter term, use the policer nonterminating action. To reference a single-rate or two-rate three-color policer from a stateless firewall filter term, use the three-color-policer nonterminating action.

The following requirements apply to a stateless firewall filter that references a physical interface policer:

  • You must configure the firewall filter for a specific, supported protocol family: ipv4, ipv6, mpls, vpls, or circuit cross-connect (ccc), but not for family any.

  • You must configure the firewall filter as a physical interface filter by including the physical-interface-filter statement at the [edit firewall family family-name filter filter-name] hierarchy level.

  • A firewall filter that is defined as a physical interface filter can reference a physical interface policer only.

  • A firewall filter that is defined on the global (non-logical) system cannot be used in a logical system for interface-specific filter instances. More specifically, you cannot use a template for a physical-interface-filter that was created on the global system with a filter attachment that was created on the logical system. Both the template and the attachment must reside on the logical system for filtering to work correctly. This is because, for logical systems, filter instance naming is derived from the physical interface, but the same is not true for interface-specific filter instances.

  • A firewall filter that is defined as a physical interface filter cannot reference a policer configured with the interface-specific statement.

  • You cannot configure a firewall filter as both a physical interface filter and as a logical interface filter that also includes the interface-specific statement.

Example: Configuring a Physical Interface Policer for Aggregate Traffic at a Physical Interface

This example shows how to configure a single-rate two-color policer as a physical interface policer.

Requirements

No special configuration beyond device initialization is required before configuring this example.

Overview

A physical interface policer specifies rate-limiting for aggregate traffic, which encompasses all protocol families and logical interfaces configured on a physical interface, even if the interfaces belong to different routing instances.

You can apply a physical interface policer to Layer 3 input or output traffic only by referencing the policer from a stateless firewall filter that is configured for specific a specific protocol family (not for family any) and configured as a physical interface filter. You configure the filter terms with match conditions that select the types of packets you want to rate-limit, and you specify the physical interface policer as the action to apply to matched packets.

Note:

Physical interface policers/filters are not supported for list filters.

Topology

The physical interface policer in this example, shared-policer-A, rate-limits to 10,000,000 bps and permits a maximum burst of traffic of 500,000 bytes. You configure the policer to discard packets in nonconforming flows, but you could instead configure the policer to re-mark nonconforming traffic with a forwarding class, a packet loss priority (PLP) level, or both.

To be able to use the policer to rate-limit IPv4 traffic, you reference the policer from an IPv4 physical interface filter. For this example, you configure the filter to pass the policer IPv4 packets that meet either of the following match terms:

  • Packets received through TCP and with the IP precedence fields critical-ecp (0xa0), immediate (0x40), or priority (0x20)

  • Packets received through TCP and with the IP precedence fields internet-control (0xc0) or routine (0x00)

You could also reference the policer from physical interface filters for other protocol families.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

CLI Quick Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

Configuring the Logical Interfaces on the Physical Interface

Step-by-Step Procedure

To configure the logical interfaces on the physical interface:

  1. Enable configuration of logical interfaces.

  2. Configure protocol families on logical unit 0.

  3. Configure protocol families on logical unit 1.

Results

Confirm the configuration of the firewall filter by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Configuring a Physical Interface Policer

Step-by-Step Procedure

To configure a physical interface policer:

  1. Enable configuration of the two-color policer.

  2. Configure the type of two-color policer.

  3. Configure the traffic limits and the action for packets in a nonconforming traffic flow.

    For a physical interface filter, the actions you can configure for packets in a nonconforming traffic flow are to discard the packets, assign a forwarding class, assign a PLP value, or assign both a forwarding class and a PLP value.

Results

Confirm the configuration of the policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Configuring an IPv4 Physical Interface Filter

Step-by-Step Procedure

To configure a physical interface policer as the action for terms in an IPv4 physical interface policer:

  1. Configure a standard stateless firewall filter under a specific protocol family.

    You cannot configure a physical interface firewall filter for family any.

  2. Configure the filter as a physical interface filter so that you can apply the physical interface policer as an action.

  3. Configure the first term to match IPv4 packets received through TCP with the IP precedence fields critical-ecp, immediate, or priority and to apply the physical interface policer as a filter action.

  4. Configure the first term to match IPv4 packets received through TCP with the IP precedence fields internet-control or routine and to apply the physical interface policer as a filter action.

Results

Confirm the configuration of the firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Applying the IPv4 Physical interface Filter to Reference the Physical Interface Policers

Step-by-Step Procedure

To apply the physical interface filter so it references the physical interface policers:

  1. Enable configuration of IPv4 on the logical interface.

  2. Apply the IPv4 physical interface filter in the input direction.

Results

Confirm the configuration of the firewall filter by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Displaying the Firewall Filters Applied to an Interface

Purpose

Verify that the firewall filter ipv4-filter is applied to the IPv4 input traffic at logical interface so-1/0/0.0.

Action

Use the show interfaces statistics operational mode command for logical interface so-1/0/0.0, and include the detail option. In the Protocol inet section of the command output, the Input Filters field shows that the firewall filter ipv4-filter is applied in the input direction.

Displaying the Number of Packets Processed by the Policer at the Logical Interface

Purpose

Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.

Action

Use the show firewall operational mode command for the filter you applied to the logical interface.

The command output displays the name of policer (shared-policer-A), the name of the filter term (police-1) under which the policer action is specified, and the number of packets that matched the filter term. This is only the number of out-of-specification (out-of-spec) packet counts, not all packets policed by the policer.