Bandwidth Policers
Bandwidth Policer Overview
For a single-rate two-color policer only, you can specify the bandwidth limit as a percentage value from 1 through 100 instead of as an absolute number of bits per second. This type of two-color policer, called a bandwidth policer, rate-limits traffic to a bandwidth limit that is calculated as a percentage of either the physical interface media rate or the logical interface configured shaping rate.
Guidelines for Configuring a Bandwidth Policer
The following guidelines apply to configuring a bandwidth policer:
- To specify a percentage bandwidth limit, you include the bandwidth-percent percentage statement in place of the bandwidth-limit bps statement.
- By default, a bandwidth policer calculates the percentage bandwidth limit based on the physical interface port speed. To configure a bandwidth policer to calculate the percentage bandwidth limit based on the configured logical interface shaping rate instead, include the logical-bandwidth-policer statement at the [edit firewall policer policer-name] hierarchy level. This type of bandwidth policer is called a logical bandwidth policer.
- You can configure a logical interface shaping rate by including the shaping-rate bps statement at the [edit class-of-service interfaces interface interface-name unit logical-unit-number] hierarchy level. A logical interface shaping rate causes the specified amount of bandwidth to be allocated to the logical interface.
  Note: If you configure a logical bandwidth policer and then apply the policer to a logical interface that is not configured with a shaping rate, the policer rate-limits traffic on that logical interface to a percentage bandwidth limit calculated from the physical interface port speed, even if you include the logical-bandwidth-policer statement in the bandwidth policer configuration.
- If you reference a bandwidth policer from a stateless firewall filter term, you must include the interface-specific statement in the firewall filter configuration.
Guidelines for Applying a Bandwidth Policer
The following guidelines pertain to applying a bandwidth policer to traffic:
- You can use a bandwidth policer to rate-limit protocol-specific traffic (not family any) at the input or output of a logical interface.
- You can apply a bandwidth policer directly to protocol-specific input or output traffic at a logical interface.
- To send only selected packets to a bandwidth policer, you can reference the bandwidth policer from a stateless firewall filter term and then apply the filter to logical interface traffic for a specific protocol family.
- To reference a logical bandwidth policer from a firewall filter, you must include the interface-specific statement in the firewall filter configuration.
- You cannot use a bandwidth policer for forwarding-table filters.
- You cannot apply a bandwidth policer to an aggregate interface, a tunnel interface, or a software interface.
Example: Configuring a Logical Bandwidth Policer
This example shows how to configure a logical bandwidth policer.
Requirements
Before you begin, make sure that you have two logical units available on a Gigabit Ethernet interface.
Overview
In this example, you configure a single-rate two-color policer that specifies the bandwidth limit as a percentage value rather than as an absolute number of bits per second. This type of policer is called a bandwidth policer. By default, a bandwidth policer enforces a bandwidth limit based on the line rate of the underlying physical interface. As an option, you can configure a bandwidth policer to enforce a bandwidth limit based on the configured shaping rate of the logical interface. To configure this type of bandwidth policer, called a logical bandwidth policer, you include the logical-bandwidth-policer statement in the policer configuration.
To configure a logical interface shaping rate, include the shaping-rate bps statement at the [edit class-of-service interfaces interface interface-name unit logical-unit-number] hierarchy level. This class-of-service (CoS) configuration statement causes the specified amount of bandwidth to be allocated to the logical interface.
If you configure a policer bandwidth limit as a percentage but a shaping rate is not configured for the target logical interface, the policer bandwidth limit is calculated as a percentage of the physical interface media rate, even if you enable the logical-bandwidth policing feature.
To apply a logical bandwidth policer to a logical interface, you can apply the policer directly to the logical interface at the protocol family level or (if you only need to rate-limit filtered packets) you can reference the policer from a stateless firewall filter configured to operate in interface-specific mode.
Topology
In this example, you configure two logical interfaces on a single Gigabit Ethernet interface and configure a shaping rate on each logical interface.
On logical interface ge-1/3/0.0, you allocate 4 Mbps of bandwidth. On logical interface ge-1/3/0.1, you allocate 2 Mbps of bandwidth.
You also configure a logical bandwidth policer with a bandwidth limit of 50 percent and a maximum burst size of 125,000 bytes, and then you apply the policer to input and output traffic at the logical units configured on ge-1/3/0. For logical interface ge-1/3/0.0, the policer rate-limits to a bandwidth limit of 2 Mbps (50 percent of the 4 Mbps shaping rate configured for the logical interface). For logical interface ge-1/3/0.1, the policer rate-limits traffic to a bandwidth limit of 1 Mbps (50 percent of the 2 Mbps shaping rate configured for the logical interface).
If no shaping rate is configured for a target logical interface, the policer rate-limits to a bandwidth limit calculated as 50 percent of the physical interface media rate. For example, if you apply a 50 percent bandwidth policer to input or output traffic at a Gigabit Ethernet logical interface without rate shaping, the policer applies a bandwidth limit of 500 Mbps (50 percent of 1000 Mbps).
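The rate selection described above can be checked offline against a set-format configuration. The following audit script is an added example, not Juniper code; it assumes policers applied directly at the family level (not through a filter), takes the port speed as a parameter, and uses a constructed sample in which unit 2 is hypothetical and has no shaping rate.

```python
import re

# Constructed sample: set commands from this example plus a hypothetical
# unit 2 that has the policer applied but no shaping-rate configured.
SAMPLE = """\
set class-of-service interfaces ge-1/3/0 unit 0 shaping-rate 4m
set class-of-service interfaces ge-1/3/0 unit 1 shaping-rate 2m
set firewall policer LB-policer logical-bandwidth-policer
set firewall policer LB-policer if-exceeding bandwidth-percent 50
set interfaces ge-1/3/0 unit 0 family inet policer input LB-policer
set interfaces ge-1/3/0 unit 1 family inet policer input LB-policer
set interfaces ge-1/3/0 unit 2 family inet policer input LB-policer
"""

RE_SHAPE = re.compile(r"set class-of-service interfaces (\S+) unit (\d+) shaping-rate (\S+)")
RE_PCT = re.compile(r"set firewall policer (\S+) if-exceeding bandwidth-percent (\d+)")
RE_LOGICAL = re.compile(r"set firewall policer (\S+) logical-bandwidth-policer")
RE_APPLY = re.compile(r"set interfaces (\S+) unit (\d+) family \S+ policer (input|output) (\S+)")
UNITS = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}

def to_bps(text):
    """Convert a rate such as '4m' or '2000000' to bits per second."""
    m = re.fullmatch(r"(\d+)([kmg]?)", text.lower())
    if m is None:
        raise ValueError(f"unrecognized rate: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def audit(config, port_speed_bps):
    """Map (logical interface, direction) -> (limit in bps, basis of the limit)."""
    shaping = {f"{i}.{u}": to_bps(r) for i, u, r in RE_SHAPE.findall(config)}
    percent = {name: int(p) for name, p in RE_PCT.findall(config)}
    logical = set(RE_LOGICAL.findall(config))
    report = {}
    for ifd, unit, direction, name in RE_APPLY.findall(config):
        if name not in percent:
            continue  # policer uses an absolute bandwidth-limit
        ifl = f"{ifd}.{unit}"
        if name in logical and ifl in shaping:
            base, basis = shaping[ifl], "shaping-rate"
        elif name in logical:
            # logical-bandwidth-policer set, but no shaping rate on this unit
            base, basis = port_speed_bps, "port-speed-fallback"
        else:
            base, basis = port_speed_bps, "port-speed"
        report[(ifl, direction)] = (base * percent[name] // 100, basis)
    return report

if __name__ == "__main__":
    for key, (bps, basis) in sorted(audit(SAMPLE, 10**9).items()):
        print(key, bps, basis)
```

Any entry reported as port-speed-fallback is a unit where the intended per-unit limit is not in effect and the policer admits traffic at a percentage of the full port speed.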
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configuring the Logical Interfaces
- Configuring Traffic Rate-Shaping by Specifying the Amount of Bandwidth to be Allocated to the Logical Interface
- Configuring the Logical Bandwidth Policer
- Applying the Logical Bandwidth Policers to the Logical Interfaces
CLI Quick Configuration
To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
set interfaces ge-1/3/0 per-unit-scheduler
set interfaces ge-1/3/0 vlan-tagging
set interfaces ge-1/3/0 unit 0 vlan-id 100
set interfaces ge-1/3/0 unit 0 family inet address 172.16.1.1/30
set interfaces ge-1/3/0 unit 1 vlan-id 200
set interfaces ge-1/3/0 unit 1 family inet address 172.16.2.1/30
set class-of-service interfaces ge-1/3/0 unit 0 shaping-rate 4m
set class-of-service interfaces ge-1/3/0 unit 1 shaping-rate 2m
set firewall policer LB-policer logical-bandwidth-policer
set firewall policer LB-policer if-exceeding bandwidth-percent 50
set firewall policer LB-policer if-exceeding burst-size-limit 125k
set firewall policer LB-policer then discard
set interfaces ge-1/3/0 unit 0 family inet policer input LB-policer
set interfaces ge-1/3/0 unit 0 family inet policer output LB-policer
set interfaces ge-1/3/0 unit 1 family inet policer input LB-policer
set interfaces ge-1/3/0 unit 1 family inet policer output LB-policer
Configuring the Logical Interfaces
Step-by-Step Procedure
To configure the logical interfaces:
Enable configuration of the physical interface.
[edit]
user@host# edit interfaces ge-1/3/0
[edit interfaces ge-1/3/0]
user@host# set per-unit-scheduler
user@host# set vlan-tagging
Configure the first logical interface.
[edit interfaces ge-1/3/0]
user@host# set unit 0 vlan-id 100
user@host# set unit 0 family inet address 172.16.1.1/30
Configure the second logical interface.
[edit interfaces ge-1/3/0]
user@host# set unit 1 vlan-id 200
user@host# set unit 1 family inet address 172.16.2.1/30
Results
Confirm the configuration of the interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show interfaces
ge-1/3/0 {
    per-unit-scheduler;
    vlan-tagging;
    unit 0 {
        vlan-id 100;
        family inet {
            address 172.16.1.1/30;
        }
    }
    unit 1 {
        vlan-id 200;
        family inet {
            address 172.16.2.1/30;
        }
    }
}
Configuring Traffic Rate-Shaping by Specifying the Amount of Bandwidth to be Allocated to the Logical Interface
Step-by-Step Procedure
To configure rate shaping by specifying the bandwidth to be allocated to the logical interface:
Enable CoS configuration on the physical interface.
[edit]
user@host# edit class-of-service interfaces ge-1/3/0
Configure rate shaping for the logical interfaces.
[edit class-of-service interfaces ge-1/3/0]
user@host# set unit 0 shaping-rate 4m
user@host# set unit 1 shaping-rate 2m
These statements allocate 4 Mbps of bandwidth to logical unit ge-1/3/0.0 and 2 Mbps of bandwidth to logical unit ge-1/3/0.1.
Results
Confirm the configuration of the rate shaping by entering the show class-of-service configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show class-of-service
interfaces {
    ge-1/3/0 {
        unit 0 {
            shaping-rate 4m;
        }
        unit 1 {
            shaping-rate 2m;
        }
    }
}
Configuring the Logical Bandwidth Policer
Step-by-Step Procedure
To configure the logical bandwidth policer:
Enable configuration of a single-rate two-color policer.
[edit]
user@host# edit firewall policer LB-policer
Configure the policer as a logical-bandwidth policer.
[edit firewall policer LB-policer]
user@host# set logical-bandwidth-policer
This applies the rate-limiting to logical interfaces.
Configure the policer traffic limits and actions.
[edit firewall policer LB-policer]
user@host# set if-exceeding bandwidth-percent 50
user@host# set if-exceeding burst-size-limit 125k
user@host# set then discard
Results
Confirm the configuration of the policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show firewall
policer LB-policer {
    logical-bandwidth-policer;
    if-exceeding {
        bandwidth-percent 50;
        burst-size-limit 125k;
    }
    then discard;
}
Applying the Logical Bandwidth Policers to the Logical Interfaces
Step-by-Step Procedure
To apply the logical bandwidth policer to the logical interfaces:
Enable configuration of the interface.
[edit]
user@host# edit interfaces ge-1/3/0
Apply the logical bandwidth policer to the first logical interface.
[edit interfaces ge-1/3/0]
user@host# set unit 0 family inet policer input LB-policer
user@host# set unit 0 family inet policer output LB-policer
Apply the policing to the second logical interface.
[edit interfaces ge-1/3/0]
user@host# set unit 1 family inet policer input LB-policer
user@host# set unit 1 family inet policer output LB-policer
Results
Confirm the configuration of the interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show interfaces
ge-1/3/0 {
    per-unit-scheduler;
    vlan-tagging;
    unit 0 {
        vlan-id 100;
        family inet {
            policer {
                input LB-policer;
                output LB-policer;
            }
            address 172.16.1.1/30;
        }
    }
    unit 1 {
        vlan-id 200;
        family inet {
            policer {
                input LB-policer;
                output LB-policer;
            }
            address 172.16.2.1/30;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Displaying Traffic Statistics and Policers for the Logical Interface
- Displaying Statistics for the Policer
Displaying Traffic Statistics and Policers for the Logical Interface
Purpose
Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.
Action
Use the show interfaces operational mode command for logical interfaces ge-1/3/0.0 and ge-1/3/0.1, and include the detail or extensive option. The command output section for Traffic statistics lists the number of bytes and packets received and transmitted on the logical interface, and the Protocol inet section contains a Policer field that lists the policer LB-policer as an input or output policer as follows:
Input: LB-policer-ge-1/3/0.0-inet-i
Output: LB-policer-ge-1/3/0.0-inet-o
In this example, the policer is applied to logical interface traffic in both the input and output directions.
user@host> show interfaces ge-1/3/0.0 detail
  Logical interface ge-1/3/0.0 (Index 80) (SNMP ifIndex 154) (Generation 150)
    Flags: SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.100 ]  Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                   46
     Input  packets:                    0
     Output packets:                    1
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                   46
     Input  packets:                    0
     Output packets:                    1
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Protocol inet, MTU: 1500, Generation: 174, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Policer: Input: LB-policer-ge-1/3/0.0-inet-i, Output: LB-policer-ge-1/3/0.0-inet-o
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.16.1.0/30, Local: 172.16.1.1, Broadcast: 172.16.1.3, Generation: 165
user@host> show interfaces ge-1/3/0.1 detail
  Logical interface ge-1/3/0.1 (Index 81) (SNMP ifIndex 543) (Generation 151)
    Flags: SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.200 ]  Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                   46
     Input  packets:                    0
     Output packets:                    1
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                   46
     Input  packets:                    0
     Output packets:                    1
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Protocol inet, MTU: 1500, Generation: 175, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Policer: Input: LB-policer-ge-1/3/0.1-inet-i, Output: LB-policer-ge-1/3/0.1-inet-o
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.17.1.0/30, Local: 172.17.1.1, Broadcast: 172.17.1.3, Generation: 167
Displaying Statistics for the Policer
Purpose
Verify the number of packets evaluated by the policer.
Action
Use the show policer operational mode command and optionally specify the name of the policer. The command output displays the number of packets evaluated by each configured policer (or the specified policer), in each direction. For the policer LB-policer, the input and output policer names are displayed as follows:
LB-policer-ge-1/3/0.0-inet-i
LB-policer-ge-1/3/0.0-inet-o
LB-policer-ge-1/3/0.1-inet-i
LB-policer-ge-1/3/0.1-inet-o
The -inet-i suffix denotes a policer applied to logical interface input traffic, while the -inet-o suffix denotes a policer applied to logical interface output traffic. In this example, the policer is applied to both input and output traffic on logical interface ge-1/3/0.0 and logical interface ge-1/3/0.1.
user@host> show policer
Policers:
Name                                              Packets
__default_arp_policer__                                 0
LB-policer-ge-1/3/0.0-inet-i                            0
LB-policer-ge-1/3/0.0-inet-o                            0
LB-policer-ge-1/3/0.1-inet-i                            0
LB-policer-ge-1/3/0.1-inet-o                            0