Broadband Subscriber Services User Guide

Example: Configuring Hierarchical Policers to Limit Rates of Services in a Static Environment

06-Dec-23

This example shows how to configure a hierarchical policer and apply the policer to ingress Layer 2 traffic at a logical interface on an MX Series router.

Requirements

Before you begin, be sure that your environment meets the following requirements:

  • The interface on which you apply the hierarchical policer is an interface hosted on an MX Series router.

  • No other policer is applied to the input of the interface on which you apply the hierarchical policer.

  • You are aware that, if you apply the hierarchical policer to a logical interface on which an input filter is also applied, the policer is executed first.

Overview

In this example, you configure a hierarchical policer and apply the policer to ingress Layer 2 traffic at a logical interface. Table 1 describes the hierarchy levels at which you can configure and apply hierarchical policers on logical and physical interfaces.

Table 1: Hierarchical Policer Configuration and Application Summary

Policer Configuration

Layer 2 Application

Key Points

Hierarchical Policer

Hierarchically rate-limits Layer 2 ingress traffic for all protocol families. Cannot be applied to egress traffic, Layer 3 traffic, or at a specific protocol level of the interface hierarchy. Supported on interfaces on Dense Port Concentrators (DPCs) in MX Series routers.

Aggregate and premium policing components of a hierarchical policer:

[edit dynamic-profiles profile-name firewall]
hierarchical-policer policer-name {
    aggregate {
        if-exceeding {
            bandwidth-limit bps;
            burst-size-limit bytes;
        }
        then {
            discard;
            forwarding-class class-name;
            loss-priority supported-value;
        }
    }
    premium {
        if-exceeding {
            bandwidth-limit bps;
            burst-size-limit bytes;
        }
        then {
            discard;
        }
    }
}

Option A (physical interface)—Apply directly to Layer 2 input traffic on a physical interface:

[edit dynamic-profiles profile-name interfaces]
interface-name {
    layer2-policer {
        input-hierarchical-policer policer-name;
    }
}

Hierarchically rate-limit Layer 2 ingress traffic for all protocol families and logical interfaces configured on a physical interface.

Include the layer2-policer configuration statement at the [edit dynamic-profiles profile-name interfaces interface-name] hierarchy level.

Note:

If you apply a hierarchical policer at a physical interface, you cannot also apply a hierarchical policer to any of the member logical interfaces.

Option B (logical interface)—Apply directly to Layer 2 input traffic on a logical interface:

[edit dynamic-profiles profile-name interfaces]
interface-name {
    unit unit-number {
        layer2-policer {
            input-hierarchical-policer policer-name;
        }
    }
}

Hierarchically rate-limit Layer 2 ingress traffic for all protocol families configured on a specific logical interface.

Include the layer2-policer configuration statement at the [edit dynamic-profiles profile-name interfaces interface-name unit unit-number] hierarchy level.

Note:

You must configure at least one protocol family for the logical interface.

You apply the policer to the Gigabit Ethernet logical interface ge-1/2/0.0, which you configure for IPv4 traffic. When you apply the hierarchical policer to the logical interface, IPv4 traffic is hierarchically rate-limited. If you choose to apply the hierarchical policer to physical interface ge-1/2/0, hierarchical policing applies to IPv4 traffic across the logical interface as well.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

CLI Quick Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

set dynamic-profiles basic-profile
set dynamic-profiles basic-profile interfaces "$junos-interface-ifd-name"
set dynamic-profiles basic-profile interfaces "$junos-interface-ifd-name" unit "$junos-underlying-interface-unit"
set dynamic-profiles basic-profile interfaces "$junos-interface-ifd-name" unit "$junos-underlying-interface-unit" family inet
set dynamic-profiles basic-profile interfaces ge-1/2/0 unit 0 family inet address 203.0.113.80/31
set dynamic-profiles basic-profile firewall family inet filter hierarch-filter
set dynamic-profiles basic-profile firewall family inet filter hierarch-filter interface-specific
set dynamic-profiles basic-profile firewall family inet filter hierarch-filter term match-ip1
set dynamic-profiles basic-profile firewall family inet filter hierarch-filter term match-ip2
set dynamic-profiles basic-profile firewall family inet filter hierarch-filter term match-ip1 from precedence critical-ecp
set dynamic-profiles basic-profile firewall family inet filter hierarch-filter term match-ip1 from protocol tcp
set dynamic-profiles basic-profile firewall family inet filter hierarch-filter term match-ip1 then hierarchical-policer hp1-share filter-specific
set dynamic-profiles basic-profile firewall family inet filter hierarch-filter term match-ip2 from precedence internet-control
set dynamic-profiles basic-profile firewall family inet filter hierarch-filter term match-ip2 from protocol tcp
set dynamic-profiles basic-profile firewall family inet filter hierarch-filter term match-ip2 then hierarchical-policer hp2-share
set class-of-service forwarding-classes class fc0 queue-num 0 priority high policing-priority premium
set class-of-service forwarding-classes class fc1 queue-num 1 priority low policing-priority normal
set class-of-service forwarding-classes class fc2 queue-num 2 priority low policing-priority normal
set class-of-service forwarding-classes class fc3 queue-num 3 priority low policing-priority normal
set dynamic-profiles basic-profile firewall hierarchical-policer policer-agg-prem aggregate if-exceeding bandwidth-limit 10m burst-size-limit 100k
set dynamic-profiles basic-profile firewall hierarchical-policer policer-agg-prem aggregate then forwarding-class fc1
set dynamic-profiles basic-profile firewall hierarchical-policer policer-agg-prem premium if-exceeding bandwidth-limit 2m burst-size-limit 50k
set dynamic-profiles basic-profile firewall hierarchical-policer policer-agg-prem premium then discard
set dynamic-profiles basic-profile interfaces ge-1/2/0 unit 0 layer2-policer input-hierarchical-policer policer-agg-prem

Configuring a Basic Dynamic Profile for Subscriber Management

Step-by-Step Procedure

A dynamic profile is a set of characteristics, defined in a type of template, that you can use to provide dynamic subscriber access and services for broadband applications. These services are assigned dynamically to interfaces. A basic profile must contain a profile name and have both an interface variable name (such as $junos-interface-ifd-name) included at the [edit dynamic-profiles profile-name interfaces] hierarchy level and a logical interface variable name (such as $junos-underlying-interface-unit or $junos-interface-unit) at the [edit dynamic-profiles profile-name interfaces variable-interface-name unit] hierarchy level.

  1. Create the new dynamic profile.

    [edit]
    user@host# set dynamic-profiles basic-profile
    
  2. Define the interface-name variable statement with the internal $junos-interface-ifd-name variable used by the router to match the interface name of the receiving interface.

    [edit dynamic-profiles basic-profile]
    user@host# set interfaces "$junos-interface-ifd-name"
    
  3. Define the variable-interface-name unit statement with the internal variable.

    • When referencing an existing interface, specify the $junos-underlying-interface-unit variable used by the router to match the unit value of the receiving interface.

    • When creating dynamic interfaces, specify the $junos-interface-unit variable used by the router to generate a unit value for the interface.

    [edit dynamic-profiles basic-profile interfaces "$junos-interface-ifd-name"]
    user@host# set unit $junos-underlying-interface-unit
    

    or

    [edit dynamic-profiles basic-profile interfaces "$junos-interface-ifd-name"]
    user@host# set unit $junos-interface-unit
    
  4. Define the family address type (inet for IPv4) for the $junos-interface-unit variable.

    [edit dynamic-profiles basic-profile interfaces "$junos-interface-ifd-name" unit $junos-underlying-interface-unit]
    user@host# set family inet
    

Results

Confirm the configuration of the dynamic profile by entering the show dynamic-profiles configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

[edit]
user@host# show dynamic-profiles
dynamic-profiles {
    basic-profile {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-underlying-interface-unit" {
                    family inet;
                }
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring the Interfaces

Step-by-Step Procedure

Define the physical and logical interfaces for this hierarchical policer example.

  1. Configure the physical interface.

    [edit dynamic-profiles basic-profile]
    user@host# set interfaces ge-1/2/0
    
  2. Configure the logical interface as unit 0 with its IPv4 (inet) protocol family interface.

    [edit dynamic-profiles basic-profile interfaces ge-1/2/0]
    user@host# set unit 0 family inet address 203.0.113.80/31
    
    Note:

    If you apply a Layer 2 policer to this logical interface, you must configure at least one protocol family.

Results

Confirm the configuration by entering the show dynamic-profiles basic-profile interfaces configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

[edit]
user@host# show dynamic-profiles basic-profile interfaces
ge-1/2/0 {
    unit 0 {
        family inet {
            address 203.0.113.80/31;
        }
    }
}

Configuring the Firewall Filter

Step-by-Step Procedure

To configure a hierarchical policer as a filter action, you must first configure a firewall filter.

  1. Configure the family address type (inet for IPv4) for the firewall filter and specify the filter name.

    We recommend that you name the filter something that indicates the filter’s purpose.

    [edit dynamic-profiles basic-profile]
    user@host# set firewall family inet filter hierarch-filter
    
  2. To override the aggregation of the counters and policing actions and make each counter or policy function specific to each interface application, include the interface-specific statement in the filter.

    [edit dynamic-profiles basic-profile firewall family inet filter hierarch-filter]
    user@host# set interface-specific
    
  3. Specify the term names for the filter.

    Make each term name unique and descriptive of its function.

    [edit dynamic-profiles basic-profile firewall family inet filter hierarch-filter]
    user@host# set term match-ip1
    user@host# set term match-ip2
    
  4. In each firewall filter term, specify the conditions used to match components of a packet.

    Configure the first term to match IPv4 packets received through TCP with the IP precedence field critical-ecp (0xa0), and apply the hierarchical policer as a filter action.

    [edit dynamic-profiles basic-profile firewall family inet filter hierarch-filter term match-ip1]
    user@host# set from precedence critical-ecp
    user@host# set from protocol tcp
    
  5. Specify the actions to take when the packet matches all of the conditions in the first term. Enable all hierarchical policers in one filter to share the same policer instance in the Packet Forwarding Engine.

    [edit dynamic-profiles basic-profile firewall family inet filter hierarch-filter term match-ip1]
    user@host# set then hierarchical-policer hp1-share filter-specific
    
  6. Configure the second term to match IPv4 packets received through TCP with the IP precedence field internet-control (0xc0), and apply the hierarchical policer as a filter action.

    [edit dynamic-profiles basic-profile firewall family inet filter hierarch-filter term match-ip2]
    user@host# set from precedence internet-control
    user@host# set from protocol tcp
    
  7. Specify the actions to take when the packet matches all of the conditions in the second term.

    [edit dynamic-profiles basic-profile firewall family inet filter hierarch-filter term match-ip2]
    user@host# set then hierarchical-policer hp2-share
    

Results

Confirm the configuration by entering the show dynamic-profiles basic-profile firewall configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

[edit]
user@host# show dynamic-profiles basic-profile firewall
family inet {
    filter hierarch-filter {
        interface-specific;
        term match-ip1 {
            from {
                precedence critical-ecp;
                protocol tcp;
            }
            then hierarchical-policer hp1-share;
        }
        term match-ip2 {
            from {
                precedence internet-control;
                protocol tcp;
            }
            then hierarchical-policer hp2-share;
        }
    }
}

Configuring the Forwarding Classes

Step-by-Step Procedure

Define forwarding classes referenced as aggregate policer actions. For hierarchical policers to work, ingress traffic must be correctly classified into premium and non-premium buckets. Some class-of-service (CoS) configuration is required because the hierarchical policer must be able to separate premium/expedited forwarding (EF) traffic from non-premium/non-EF traffic.

  1. Enable configuration of the forwarding classes.

    [edit]
    user@host# set class-of-service forwarding-classes
    
  2. Define CoS forwarding classes to include the designation of which forwarding class is premium. This defaults to the forwarding class associated with EF traffic.

    [edit class-of-service forwarding-classes]
    user@host# set class fc0 queue-num 0 priority high policing-priority premium
    user@host# set class fc1 queue-num 1 priority low policing-priority normal
    user@host# set class fc2 queue-num 2 priority low policing-priority normal
    user@host# set class fc3 queue-num 3 priority low policing-priority normal
    

Results

Confirm the configuration of the forwarding classes referenced as aggregate policer actions by entering the show class-of-service configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

[edit]
user@host# show class-of-service
forwarding-classes {
    class fc0 queue-num 0 priority high policing-priority premium;
    class fc1 queue-num 1 priority low policing-priority normal;
    class fc2 queue-num 2 priority low policing-priority normal;
    class fc3 queue-num 3 priority low policing-priority normal;
}

Configuring the Hierarchical Policer

Step-by-Step Procedure

Configure the aggregate and premium policing components of a hierarchical policer.

  1. Enable configuration of the hierarchical policer.

    [edit dynamic-profiles basic-profile]
    user@host# set firewall hierarchical-policer policer-agg-prem
    
  2. Configure the aggregate policer to have a bandwidth limit set to 10 Mbps, burst-size limit set to 100 KB, and nonconforming action set to change the forwarding class to fc1.

    [edit dynamic-profiles basic-profile firewall hierarchical-policer policer-agg-prem]
    user@host# set aggregate if-exceeding bandwidth-limit 10m burst-size-limit 100k
    user@host# set aggregate then forwarding-class fc1
    
    Note:

    For aggregate policers, the configurable actions for a packet in a nonconforming flow are to discard the packet, change the loss priority, or change the forwarding class.

  3. Configure the premium policer to have a bandwidth limit set to 2 Mbps, burst-size limit set to 50 KB, and nonconforming action set to discard packets.

    [edit dynamic-profiles basic-profile firewall hierarchical-policer policer-agg-prem]
    user@host# set premium if-exceeding bandwidth-limit 2m burst-size-limit 50k
    user@host# set premium then discard
    
    Note:

    The bandwidth limit for the premium policer must not be greater than that of the aggregate policer. For the premium policers, the only configurable action for a packet in a nonconforming traffic flow is to discard the packet.

Results

Confirm the configuration of the hierarchical policer by entering the show dynamic-profiles basic-profile firewall configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

[edit]
user@host# show dynamic-profiles basic-profile firewall
hierarchical-policer policer-agg-prem {
    aggregate {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 100k;
        }
        then {
            forwarding-class fc1;
        }
    }
    premium {
        if-exceeding {
            bandwidth-limit 2m;
            burst-size-limit 50k;
        }
        then {
            discard;
        }
    }
}

Applying the Hierarchical Policer to Layer 2 Ingress Traffic at a Physical or Logical Interface

Step-by-Step Procedure

You can apply policers directly to an interface or through a filter to affect only matching traffic. In most cases, you can invoke a policing function at ingress, egress, or in both directions.

  • For physical interfaces, a hierarchical policer uses a single policer instance to rate-limit all logical interfaces and protocol families configured on a physical interface, even if the logical interfaces have mutually exclusive families such as inet or bridge.

  • For logical interfaces, a hierarchical policer can police the traffic from multiple protocol families without requiring a separate instantiation of a policer for each such family on the logical interface.

To hierarchically rate-limit Layer 2 ingress traffic for IPv4 traffic on logical interface ge-1/2/0.0, reference the policer from the logical interface configuration.

  1. Configure the logical interface.

    [edit dynamic-profiles basic-profile]
    user@host# set interfaces ge-1/2/0 unit 0
    

    When you apply a policer to Layer 2 traffic at a logical interface, you must define at least one protocol family for the logical interface.

  2. Apply the policer to the logical interface.

    [edit dynamic-profiles basic-profile interfaces ge-1/2/0 unit 0]
    user@host# set layer2-policer input-hierarchical-policer policer-agg-prem
    

    Alternatively, to hierarchically rate-limit Layer 2 ingress traffic for all protocol families and for all logical interfaces configured on physical interface ge-1/2/0, reference the policer from the physical interface configuration.

Results

Confirm the configuration of the hierarchical policer by entering the show dynamic-profiles basic-profile interfaces configuration command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

[edit]
user@host# show dynamic-profiles basic-profile interfaces
ge-1/2/0 {
    unit 0 {
        layer2-policer {
            input-hierarchical-policer policer-agg-prem;
        }
        family inet {
            address 203.0.113.80/31;
        }
    }
}
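
The notes in this example state several constraints: the premium bandwidth limit must not exceed the aggregate limit, the premium action can only be discard, a logical interface with a Layer 2 policer needs at least one protocol family, and a hierarchical policer on a physical interface excludes one on its logical interfaces. The following script is an added example, not Juniper code, that checks those constraints against set-format configuration before commit; its simplified parser and the function names parse and check are assumptions of this example.

```python
import re

# Constructed input: the interface and hierarchical-policer statements from
# this page's quick configuration, in "set" format.
SAMPLE = """\
set dynamic-profiles basic-profile interfaces ge-1/2/0 unit 0 family inet address 203.0.113.80/31
set dynamic-profiles basic-profile firewall hierarchical-policer policer-agg-prem aggregate if-exceeding bandwidth-limit 10m burst-size-limit 100k
set dynamic-profiles basic-profile firewall hierarchical-policer policer-agg-prem aggregate then forwarding-class fc1
set dynamic-profiles basic-profile firewall hierarchical-policer policer-agg-prem premium if-exceeding bandwidth-limit 2m burst-size-limit 50k
set dynamic-profiles basic-profile firewall hierarchical-policer policer-agg-prem premium then discard
set dynamic-profiles basic-profile interfaces ge-1/2/0 unit 0 layer2-policer input-hierarchical-policer policer-agg-prem
"""

SUFFIX = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}


def to_number(text):
    """Convert a value written as 10m or 100k to an integer."""
    m = re.fullmatch(r"(\d+)([kmg]?)", text.lower())
    if not m:
        raise ValueError(f"unrecognized value: {text!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]


def parse(config):
    """Collect hierarchical policers and interface bindings from set lines."""
    policers, ifds = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["set", "dynamic-profiles"]:
            continue
        section, rest = tok[3], tok[4:]
        if section == "firewall" and rest[0] == "hierarchical-policer" and len(rest) > 3:
            level = policers.setdefault(rest[1], {}).setdefault(rest[2], {"actions": set()})
            args = rest[3:]
            if args[0] == "if-exceeding":
                # keyword/value pairs: bandwidth-limit 10m burst-size-limit 100k
                level.update(zip(args[1::2], map(to_number, args[2::2])))
            elif args[0] == "then" and len(args) > 1:
                level["actions"].add(args[1])
        elif section == "interfaces":
            ifd = ifds.setdefault(rest[0].strip('"'), {"hp": None, "units": {}})
            target, args = ifd, rest[1:]
            if args[:1] == ["unit"] and len(args) > 1:
                target = ifd["units"].setdefault(args[1], {"hp": None, "families": set()})
                args = args[2:]
            if args[:2] == ["layer2-policer", "input-hierarchical-policer"] and len(args) > 2:
                target["hp"] = args[2]
            elif args[:1] == ["family"] and len(args) > 1 and target is not ifd:
                target["families"].add(args[1])
    return policers, ifds


def check(config):
    """Return a list of violations of the constraints stated in the notes."""
    policers, ifds = parse(config)
    findings = []
    for name, p in sorted(policers.items()):
        agg_bw = p.get("aggregate", {}).get("bandwidth-limit")
        prem = p.get("premium", {})
        prem_bw = prem.get("bandwidth-limit")
        if agg_bw is not None and prem_bw is not None and prem_bw > agg_bw:
            findings.append(f"{name}: premium bandwidth-limit exceeds aggregate")
        if prem.get("actions", set()) - {"discard"}:
            findings.append(f"{name}: premium action must be discard")
    for ifd_name, ifd in sorted(ifds.items()):
        for unit, u in sorted(ifd["units"].items()):
            if not u["hp"]:
                continue
            where = f"{ifd_name}.{unit}"
            if ifd["hp"]:
                findings.append(f"{where}: hierarchical policer also applied on physical interface")
            if not u["families"]:
                findings.append(f"{where}: layer2-policer requires at least one protocol family")
            if u["hp"] not in policers:
                # Sanity check added here; not a rule stated on the page.
                findings.append(f"{where}: references undefined policer {u['hp']}")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE) or ["no violations found"]:
        print(finding)
```

The script covers only the dynamic-profile interface and hierarchical-policer statements; it does not validate firewall filter terms or forwarding classes.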

Verification

Confirm that the configuration is working properly.

Displaying Traffic Statistics for the Interface

Purpose

Verify the traffic flow through the physical interface.

Action

Use the show interfaces operational mode command for physical interface ge-1/2/0, and include the detail or extensive option.

user@host> show interfaces ge-1/2/0 extensive

Physical interface: ge-1/2/0, Enabled, Physical link is Down
  Interface index: 156, SNMP ifIndex: 630, Generation: 159
  Link-level type: Ethernet, MTU: 1514, MRU: 1522, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
  Pad to minimum frame size: Disabled
  Device flags   : Present Running Down
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x4000
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Schedulers     : 0
  Hold-times     : Up 0 ms, Down 0 ms
  Current address: 00:00:5E:00:53:4c, Hardware address: 00:00:5E:00:53:4c
  Last flapped   : 2014-11-10 13:36:25 EST (01:26:30 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :                    0                    0 bps
   Output bytes  :                   42                    0 bps
   Input  packets:                    0                    0 pps
   Output packets:                    1                    0 pps
   IPv6 transit statistics:
    Input  bytes  :                   0
    Output bytes  :                   0
    Input  packets:                   0
    Output packets:                   0
  Dropped traffic statistics due to STP State:
   Input  bytes  :                    0
   Output bytes  :                    0
   Input  packets:                    0
   Output packets:                    0
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0,
    FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0,
    Resource errors: 0
  Egress queues: 8 supported, 8 in use
  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0                                0                    0                    0
    1                                0                    0                    0
    2                                0                    0                    0
    3                                0                    0                    0
    4                                0                    0                    0
    5                                0                    0                    0
    6                                0                    0                    0
    7                                0                    0                    0
  Queue number:         Mapped forwarding classes
    0                   best-effort
    1                   expedited-forwarding
    2                   assured-forwarding
    3                   network-control
    4                   be1
    5                   ef1
    6                   af1
    7                   nc1
  Active alarms  : LINK
  Active defects : LINK
  MAC statistics:                      Receive         Transmit
    Total octets                             0                0
    Total packets                            0                0
    Unicast packets                          0                0
    Broadcast packets                        0                0
    Multicast packets                        0                0
    CRC/Align errors                         0                0
    FIFO errors                              0                0
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0
    Total errors                             0                0
  Filter statistics:
    Input packet count                       0
    Input packet rejects                     0
    Input DA rejects                         0
    Input SA rejects                         0
    Output packet count                                       0
    Output packet pad count                                   0
    Output packet error count                                 0
    CAM destination filters: 0, CAM source filters: 0
  Autonegotiation information:
    Negotiation status: Incomplete
  Packet Forwarding Engine configuration:
    Destination slot: 0 (0x00)
  CoS information:
    Direction : Output
    CoS transmit queue               Bandwidth               Buffer Priority   Limit
                              %            bps     %           usec
    0 best-effort            95      950000000    95              0      low    none
    3 network-control         5       50000000     5              0      low    none
  Interface transmit statistics: Disabled

Meaning

The command output section for Traffic statistics lists the number of bytes and packets received and transmitted on the interface.

Displaying Number of Packets Policed by the Specified Policer

Purpose

Verify the number of packets evaluated by the policer. Premium policer counters are not supported.

Action

Use the show policer operational mode command and optionally specify the name of the policer policer-agg-prem. The command output displays the number of packets evaluated by the specified policer in each direction.

user@host> show policer policer-agg-prem
Policers:
Name                                                Bytes              Packets
policer-agg-prem-ge-1/2/0.0-inet-i               10372300               103723

The -inet-i suffix denotes a policer applied to IPv4 input traffic. In this example, the policer is applied to input traffic only.

Meaning

The command output displays the number of packets evaluated by the specified policer in each direction.
