Basic Two-Rate Three-Color Policers
Two-Rate Three-Color Policer Overview
A two-rate three-color policer defines two bandwidth limits (one for guaranteed traffic and one for peak traffic) and two burst sizes (one for each of the bandwidth limits). A two-rate three-color policer is most useful when a service is structured according to arrival rates and not necessarily packet length.
Two-rate three-color policing meters a traffic stream based on the following configured traffic criteria:
Committed information rate (CIR)—Bandwidth limit for guaranteed traffic.
Committed burst size (CBS)—Maximum packet size permitted for bursts of data that exceed the CIR.
Peak information rate (PIR)—Bandwidth limit for peak traffic.
Peak burst size (PBS)—Maximum packet size permitted for bursts of data that exceed the PIR.
Two-rate tricolor marking (two-rate TCM) classifies traffic as belonging to one of three color categories and performs congestion-control actions on the packets based on the color marking:
Green—Traffic that conforms to the bandwidth limit and burst size for guaranteed traffic (CIR and CBS). For a green traffic flow, two-rate TCM marks the packets with an implicit loss priority of low and transmits the packets.
Yellow—Traffic that exceeds the bandwidth limit or burst size for guaranteed traffic (CIR or CBS) but not the bandwidth limit and burst size for peak traffic (PIR and PBS). For a yellow traffic flow, two-rate TCM marks packets with an implicit loss priority of medium-high and transmits the packets.
Red—Traffic that exceeds the bandwidth limit and burst size for peak traffic (PIR and PBS). For a red traffic flow, two-rate TCM marks packets with an implicit loss priority of high and, optionally, discards the packets.
If congestion occurs downstream, the packets with higher loss priority are more likely to be discarded.
For both single-rate and two-rate three-color policers, the only configurable action is to discard packets in a red traffic flow.
For a tricolor marking policer referenced by a firewall filter term, the discard policing action is supported on the following routing platforms:
EX Series switches
M7i and M10i routers with the Enhanced CFEB (CFEB-E)
M120 and M320 routers with Enhanced-III FPCs
MX Series routers with Trio MPCs
To apply a tricolor marking policer on these routing platforms, it is not necessary to include the logical-interface-policer statement.
Example: Configuring a Two-Rate Three-Color Policer
This example shows how to configure a two-rate three-color policer.
Requirements
Support for two-rate three-color policers varies according to the device. It includes SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 Firewall devices running a compatible version of Junos OS.
No special configuration beyond device initialization is required before configuring this example.
Overview
A two-rate three-color policer meters a traffic flow against a bandwidth limit and burst-size limit for guaranteed traffic, plus a bandwidth limit and burst-size limit for peak traffic. Traffic that conforms to the limits for guaranteed traffic is categorized as green, and nonconforming traffic falls into one of two categories:
Nonconforming traffic that does not exceed peak traffic limits is categorized as yellow.
Nonconforming traffic that exceeds peak traffic limits is categorized as red.
Each category is associated with an action. For green traffic, packets are implicitly set with a loss-priority value of low and then transmitted. For yellow traffic, packets are implicitly set with a loss-priority value of medium-high and then transmitted. For red traffic, packets are implicitly set with a loss-priority value of high and then transmitted. If the policer configuration includes the optional action statement (action loss-priority high then discard), then packets in a red flow are discarded instead.
You can apply a three-color policer to Layer 3 traffic as a firewall filter policer only. You reference the policer from a stateless firewall filter term, and then you apply the filter to the input or output of a logical interface at the protocol level.
Topology
In this example, you apply a color-aware, two-rate three-color policer to the input IPv4 traffic at logical interface fe-0/1/1.0. The IPv4 firewall filter term that references the policer does not apply any packet filtering. The filter is used only to apply the three-color policer to the interface.
You configure the policer to rate-limit traffic to a bandwidth limit of 40 Mbps and a burst-size limit of 100 KB for green traffic, and you configure the policer to also allow a peak bandwidth limit of 60 Mbps and a peak burst-size limit of 200 KB for yellow traffic. Only nonconforming traffic that exceeds the peak traffic limits is categorized as red. In this example, you configure the three-color policer action loss-priority high then discard, which overrides the implicit marking of red traffic to a high loss priority.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configuring a Two-Rate Three-Color Policer
- Configuring an IPv4 Stateless Firewall Filter That References the Policer
- Applying the Filter to a Logical Interface at the Protocol Family Level
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and then paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set firewall three-color-policer trTCM1-ca two-rate color-aware
set firewall three-color-policer trTCM1-ca two-rate committed-information-rate 40m
set firewall three-color-policer trTCM1-ca two-rate committed-burst-size 100k
set firewall three-color-policer trTCM1-ca two-rate peak-information-rate 60m
set firewall three-color-policer trTCM1-ca two-rate peak-burst-size 200k
set firewall three-color-policer trTCM1-ca action loss-priority high then discard
set firewall family inet filter filter-trtcm1ca-all term 1 then three-color-policer two-rate trTCM1-ca
set interfaces ge-2/0/5 unit 0 family inet address 10.10.10.1/30
set interfaces ge-2/0/5 unit 0 family inet filter input filter-trtcm1ca-all
set class-of-service interfaces ge-2/0/5 forwarding-class af
Configuring a Two-Rate Three-Color Policer
Step-by-Step Procedure
To configure a two-rate three-color policer:
Enable configuration of a three-color policer.
[edit]
user@host# set firewall three-color-policer trTCM1-ca
Configure the color mode of the two-rate three-color policer.
[edit firewall three-color-policer trTCM1-ca]
user@host# set two-rate color-aware
Configure the two-rate guaranteed traffic limits.
[edit firewall three-color-policer trTCM1-ca]
user@host# set two-rate committed-information-rate 40m
user@host# set two-rate committed-burst-size 100k
Traffic that does not exceed both of these limits is categorized as green. Packets in a green flow are implicitly set to low loss priority and then transmitted.
Configure the two-rate peak traffic limits.
[edit firewall three-color-policer trTCM1-ca]
user@host# set two-rate peak-information-rate 60m
user@host# set two-rate peak-burst-size 200k
Nonconforming traffic that does not exceed both of these limits is categorized as yellow. Packets in a yellow flow are implicitly set to medium-high loss priority and then transmitted. Nonconforming traffic that exceeds both of these limits is categorized as red. Packets in a red flow are implicitly set to high loss priority.
(Optional) Configure the policer action for red traffic.
[edit firewall three-color-policer trTCM1-ca]
user@host# set action loss-priority high then discard
For three-color policers, the only configurable action is to discard red packets. Red packets are packets that have been assigned high loss priority because they exceeded the peak information rate (PIR) and the peak burst size (PBS).
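The color semantics described in the overview (green, yellow, red with their implicit loss priorities) and the values configured in this procedure can be exercised offline with the following added example. It is not Juniper code and does not model Junos internals: it implements the standard two-bucket two-rate marker (RFC 2698 semantics, which is what the page's CIR/CBS/PIR/PBS description corresponds to), assumes that `40m` means 40,000,000 bits per second and `100k` means 100,000 bytes, and uses integer microseconds for arrival times so the results are deterministic. The packet streams it meters are constructed for the demonstration.

```python
"""Two-rate three-color marker with the page's trTCM1-ca values (added example, not Junos code)."""
from dataclasses import dataclass, field
from enum import Enum


class Color(Enum):
    GREEN = "green"
    YELLOW = "yellow"
    RED = "red"


# Implicit loss priorities that two-rate TCM assigns per color (as stated on the page).
LOSS_PRIORITY = {Color.GREEN: "low", Color.YELLOW: "medium-high", Color.RED: "high"}


@dataclass
class TrTCM:
    """Two token buckets, C (CIR/CBS) and P (PIR/PBS), both initially full.

    Rates in bits per second, burst sizes in bytes, time in microseconds.
    Integer arithmetic is an assumption of this model, not a statement about Junos.
    """
    cir_bps: int
    cbs_bytes: int
    pir_bps: int
    pbs_bytes: int
    color_aware: bool = True
    discard_red: bool = False      # models 'action loss-priority high then discard'
    tc: int = field(init=False)
    tp: int = field(init=False)
    last_us: int = 0

    def __post_init__(self):
        self.tc, self.tp = self.cbs_bytes, self.pbs_bytes

    def _refill(self, now_us):
        elapsed = now_us - self.last_us
        self.tc = min(self.cbs_bytes, self.tc + elapsed * self.cir_bps // 8_000_000)
        self.tp = min(self.pbs_bytes, self.tp + elapsed * self.pir_bps // 8_000_000)
        self.last_us = now_us

    def meter(self, now_us, size, precolor=Color.GREEN):
        self._refill(now_us)
        # In color-aware mode a pre-existing color can only demote the packet, never promote it.
        if (self.color_aware and precolor is Color.RED) or self.tp < size:
            return Color.RED                     # exceeds PIR/PBS: no tokens are debited
        if (self.color_aware and precolor is Color.YELLOW) or self.tc < size:
            self.tp -= size                      # exceeds CIR/CBS only: debit the peak bucket
            return Color.YELLOW
        self.tp -= size
        self.tc -= size                          # conforms: debit both buckets
        return Color.GREEN

    def police(self, now_us, size, precolor=Color.GREEN):
        color = self.meter(now_us, size, precolor)
        action = "discard" if color is Color.RED and self.discard_red else "transmit"
        return color, LOSS_PRIORITY[color], action


def page_policer(color_aware=True):
    """trTCM1-ca as configured on the page: 40m/100k committed, 60m/200k peak, discard red."""
    return TrTCM(40_000_000, 100_000, 60_000_000, 200_000, color_aware, discard_red=True)


def simulate(policer, packets):
    """packets: iterable of (arrival_us, size_bytes, precolor). Returns (per-color counts, discards)."""
    counts = {c.value: 0 for c in Color}
    discarded = 0
    for t, size, pre in packets:
        color, _lp, action = policer.police(t, size, pre)
        counts[color.value] += 1
        if action == "discard":
            discarded += 1
    return counts, discarded


def burst_demo(n=200, size=1500):
    """Constructed burst: n packets at once. CBS admits 66 green, PBS then 67 yellow, the rest red."""
    return simulate(page_policer(), [(0, size, Color.GREEN)] * n)


def steady_state_demo(n=1000, size=1500, gap_us=240):
    """Constructed stream: 1500 B every 240 us = 50 Mbps, between CIR and PIR: green/yellow, no red."""
    return simulate(page_policer(), [(i * gap_us, size, Color.GREEN) for i in range(n)])


def color_aware_demo(size=1500):
    """Same packet, already marked yellow: stays yellow under color-aware, turns green under color-blind."""
    aware = page_policer(color_aware=True).police(0, size, Color.YELLOW)[0]
    blind = page_policer(color_aware=False).police(0, size, Color.YELLOW)[0]
    return aware, blind


if __name__ == "__main__":
    print("burst of 200:", burst_demo())
    print("steady 50 Mbps:", steady_state_demo())
    print("color-aware vs color-blind:", color_aware_demo())
```

The burst case shows why both burst sizes matter: with 1500-byte packets the 100 KB CBS admits 66 packets as green, the 200 KB PBS then covers 67 more as yellow, and everything after that is red and discarded because of the configured action. The steady-state case offers 50 Mbps, above the 40 Mbps CIR but below the 60 Mbps PIR, so nothing is red; the green share starts high thanks to the initial CBS credit and settles towards CIR divided by the offered rate (0.8). The last case shows the difference between color-aware and color-blind metering.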
Results
Confirm the configuration of the policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show firewall
three-color-policer trTCM1-ca {
    action {
        loss-priority high then discard;
    }
    two-rate {
        color-aware;
        committed-information-rate 40m;
        committed-burst-size 100k;
        peak-information-rate 60m;
        peak-burst-size 200k;
    }
}
Configuring an IPv4 Stateless Firewall Filter That References the Policer
Step-by-Step Procedure
To configure an IPv4 stateless firewall filter that references the policer:
Enable configuration of an IPv4 standard stateless firewall filter.
[edit]
user@host# set firewall family inet filter filter-trtcm1ca-all
Specify the filter term that references the policer.
[edit firewall family inet filter filter-trtcm1ca-all]
user@host# set term 1 then three-color-policer two-rate trTCM1-ca
Note that the term does not specify any match conditions. The firewall filter passes all packets to the policer.
Results
Confirm the configuration of the firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show firewall
family inet {
    filter filter-trtcm1ca-all {
        term 1 {
            then {
                three-color-policer {
                    two-rate trTCM1-ca;
                }
            }
        }
    }
}
three-color-policer trTCM1-ca {
    action {
        loss-priority high then discard;
    }
    two-rate {
        color-aware;
        committed-information-rate 40m;
        committed-burst-size 100k;
        peak-information-rate 60m;
        peak-burst-size 200k;
    }
}
Applying the Filter to a Logical Interface at the Protocol Family Level
Step-by-Step Procedure
To apply the filter to the logical interface at the protocol family level:
Enable configuration of an IPv4 firewall filter.
[edit]
user@host# edit interfaces ge-2/0/5 unit 0 family inet
Apply the policer to the logical interface at the protocol family level.
[edit interfaces ge-2/0/5 unit 0 family inet]
user@host# set address 10.10.10.1/30
user@host# set filter input filter-trtcm1ca-all
(MX Series routers and EX Series switches only) (Optional) For input policers, you can configure a fixed classifier. A fixed classifier reclassifies all incoming packets, regardless of any preexisting classification.
Note: Platform support depends on the Junos OS release in your implementation.
[edit]
user@host# set class-of-service interfaces ge-2/0/5 forwarding-class af
The classifier name can be a configured classifier or one of the default classifiers.
Results
Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show interfaces
ge-2/0/5 {
    unit 0 {
        family inet {
            address 10.10.10.1/30;
            filter {
                input filter-trtcm1ca-all;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Displaying the Firewall Filters Applied to the Logical Interface
Purpose
Verify that the firewall filter is applied to IPv4 input traffic at the logical interface.
Action
Use the show interfaces operational mode command for the logical interface ge-2/0/5.0, and specify detail mode.
The Protocol inet section of the command output displays IPv4 information for the logical interface. Within that section, the Input Filters field displays the name of the IPv4 firewall filters associated with the logical interface.
user@host> show interfaces ge-2/0/5.0 detail
  Logical interface ge-2/0/5.0 (Index 105) (SNMP ifIndex 556) (Generation 170)
    Flags: Device-Down SNMP-Traps 0x4004000 Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Protocol inet, MTU: 1500, Generation: 242, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Input Filters: filter-trtcm1ca-all
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 10.20.130/24, Local: 10.20.130.1, Broadcast: 10.20.130.255, Generation: 171
    Protocol multiservice, MTU: Unlimited, Generation: 243, Route table: 0
      Policer: Input: __default_arp_policer__
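The verification step above is a manual read of the Input Filters field under Protocol inet. When the same check has to run across many interfaces (for instance, to confirm that the policing filter is still bound after a change window), the following added example parses the same output per protocol family and answers the question programmatically. It is not Juniper tooling: the sample text is the page's own ge-2/0/5.0 output re-flowed one field per line (the exact line layout is an assumption), and the separators assumed for multiple filter names or multiple policer entries on one line are also assumptions.

```python
"""Extract per-family filters and policers from 'show interfaces <ifl> detail' text (added example)."""
import re

# The page's sample output, re-flowed one field per line (layout assumed for this example).
SAMPLE_OUTPUT = """\
Logical interface ge-2/0/5.0 (Index 105) (SNMP ifIndex 556) (Generation 170)
  Flags: Device-Down SNMP-Traps 0x4004000 Encapsulation: ENET2
  Traffic statistics:
   Input  bytes  :                    0
   Output bytes  :                    0
   Input  packets:                    0
   Output packets:                    0
  Protocol inet, MTU: 1500, Generation: 242, Route table: 0
    Flags: Sendbcast-pkt-to-re
    Input Filters: filter-trtcm1ca-all
    Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
      Destination: 10.20.130/24, Local: 10.20.130.1, Broadcast: 10.20.130.255, Generation: 171
  Protocol multiservice, MTU: Unlimited, Generation: 243, Route table: 0
    Policer: Input: __default_arp_policer__
"""

PROTO_RE = re.compile(r"^\s*Protocol (\S+),")
FILTER_RE = re.compile(r"^\s*(Input|Output) Filters:\s*(.*)$")
POLICER_RE = re.compile(r"^\s*Policer:\s*(.*)$")


def parse_logical_interface(output):
    """Return {family: {"input_filters": [...], "output_filters": [...], "policers": {dir: name}}}.

    Assumptions: several filter names on one line are separated by commas or spaces, and a
    Policer line lists 'Direction: name' pairs separated by commas.
    """
    families = {}
    current = None
    for line in output.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = families.setdefault(
                m.group(1), {"input_filters": [], "output_filters": [], "policers": {}})
            continue
        if current is None:        # still in the interface header, before any family block
            continue
        m = FILTER_RE.match(line)
        if m:
            names = [n for n in re.split(r"[,\s]+", m.group(2)) if n]
            current[m.group(1).lower() + "_filters"].extend(names)
            continue
        m = POLICER_RE.match(line)
        if m:
            for pair in m.group(1).split(","):
                direction, _, name = pair.partition(":")
                current["policers"][direction.strip().lower()] = name.strip()
    return families


def input_filter_applied(output, filter_name, family="inet"):
    """True when filter_name is bound as an input filter on the given protocol family."""
    bound = parse_logical_interface(output).get(family, {}).get("input_filters", [])
    return filter_name in bound


if __name__ == "__main__":
    print(parse_logical_interface(SAMPLE_OUTPUT))
    print("policing filter bound on inet input:",
          input_filter_applied(SAMPLE_OUTPUT, "filter-trtcm1ca-all"))
```

Checking the family, not just the filter name anywhere in the output, matters: the multiservice family carries its own default ARP policer, and a filter that is present on the wrong family or direction gives no protection to the IPv4 traffic this example is meant to rate-limit.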