manualshive.com logo in svg

Juniper EX9200 Series, Features Manual

The Juniper EX9200 Series product offers a comprehensive and high-performance switching solution. Seamlessly integrating into your network infrastructure, this advanced device is backed by a comprehensive "Features Manual" available for "free download" on our website. Explore the power of this product and get your manual from manualshive.com.

Share
Download
background image

Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP
Floods

This example shows how to create a stateless firewall filter that protects against TCP
and ICMP denial-of-service attacks.

Requirements on page 86

Overview on page 86

Configuration on page 87

Verification on page 92

Requirements

No special configuration beyond device initialization is required before configuring stateless
firewall filters.

Overview

In this example we create a stateless firewall filter called

protect-RE

to police TCP and

ICMP packets. It uses the policers described here:

tcp-connection-policer

—This policer limits TCP traffic to 1,000,000 bits per second

(bps) with a maximum burst size of 15,000 bytes. Traffic exceeding either limit is
discarded.

icmp-policer

—This policer limits ICMP traffic to 1,000,000 bps with a maximum burst

size of 15,000 bytes. Traffic exceeding either limit is discarded.

When specifying limits, the bandwidth limit can be from 32,000 bps to 32,000,000,000
bps and the burst-size limit can be from 1,500 bytes through 100,000,000 bytes. Use
the following abbreviations when specifying limits: k (1,000), m (1,000,000), and g
(1,000,000,000).

Each policer is incorporated into the action of a filter term. This example includes the
following terms:

tcp-connection-term

—Polices certain TCP packets with a source address of

192.168.0.0/24 or 10.0.0.0/24. These addresses are defined in the

trusted-addresses

prefix list.

Filtered packets include

tcp-established

packets The

tcp-established

match condition

is an alias for the bit-field match condition

tcp-flags “(ack | rst)”

, which indicates an

established TCP session, but not the first packet of a TCP connection.

icmp-term

—Polices ICMP packets. All ICMP packets are counted in the

icmp-counter

counter.

NOTE:

You can move terms within the firewall filter by using the

insert

command. See insert in the CLI User Guide.

Copyright © 2016, Juniper Networks, Inc.

86

Traffic Policers Feature Guide for EX9200 Switches

Summary of Contents for EX9200 Series

Page 1: ...Traffic Policers Feature Guide for EX9200 Switches Release 16 2 Modified 2016 11 02 Copyright 2016 Juniper Networks Inc ...

Page 2: ...ic Policers Feature Guide for EX9200 Switches 16 2 Copyright 2016 Juniper Networks Inc All rights reserved The information in this document is current as of the date on the title page YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant Junos OS has no known time related limitations through the year 2038 However the NTP application is known to have some difficul...

Page 3: ...es and PLP Levels 6 Policer Application to Traffic 7 Traffic Policer Types 8 Single Rate Two Color Policers 8 Basic Single Rate Two Color Policer 8 Bandwidth Policer 8 Logical Bandwidth Policer 9 Three Color Policers 9 Single Rate Three Color Policers 9 Two Rate Three Color Policers 9 Two Color and Three Color Policer Options 9 Logical Interface Aggregate Policers 10 Physical Interface Policers 10...

Page 4: ...ss 31 Burst Size Limit That Depletes All Accumulated Tokens 31 Two Methods for Calculating Burst Size Limit 32 Calculation Based on Interface Bandwidth and Allowable Burst Time 32 Calculation Based on Interface Traffic MTU 32 Comparison of the Two Methods 32 10 x MTU Method for Selecting Initial Burst Size for Gigabit Ethernet with 100 Kbps Bandwidth 33 5 ms Method for Selecting Initial Burst Size...

Page 5: ...ing and Policing Actions 97 Prefix Specific Counting and Policing Overview 97 Separate Counting and Policing for Each IPv4 Address Range 97 Prefix Specific Action Configuration 98 Counter and Policer Set Size and Indexing 99 Filter Specific Counter and Policer Set Overview 100 Example Configuring Prefix Specific Counting and Policing 100 Prefix Specific Counting and Policing Configuration Scenario...

Page 6: ...ingle Rate Three Color Policer Overview 153 Example Configuring a Single Rate Three Color Policer 154 Chapter 15 Basic Two Rate Three Color Policers 161 Two Rate Three Color Policer Overview 161 Example Configuring a Two Rate Three Color Policer 162 Part 5 Configuring Logical and Physical Interface Traffic Policers at Layer 3 Chapter 16 Two Color and Three Color Logical Interface Policers 171 Logi...

Page 7: ...st size 227 peak information rate 229 physical interface filter 230 physical interface policer 231 policer Applying to a Logical Interface 232 policer Configuring 233 policer Firewall Filter Action 234 prefix action Configuring 235 prefix action Firewall Filter Action 236 single rate 237 three color policer Applying 238 three color policer Configuring 239 two rate 240 Chapter 19 Firewall Filter an...

Page 8: ...Copyright 2016 Juniper Networks Inc viii Traffic Policers Feature Guide for EX9200 Switches ...

Page 9: ...ured Burst Size Excessive Unused Bandwidth 31 Figure 8 Bursty Traffic with Configured Burst Size Less Unused Bandwidth 31 Figure 9 Comparing Burst Size Calculation Methods 33 Part 3 Configuring Two Color Traffic Policers at Layer 3 Chapter 7 Basic Single Rate Two Color Policers 55 Figure 10 Single Rate Two Color Policer Scenario 58 Figure 11 Traffic Limiting in a Single Rate Two Color Policer Scen...

Page 10: ...Copyright 2016 Juniper Networks Inc x Traffic Policers Feature Guide for EX9200 Switches ...

Page 11: ...of Counter and Policer Set Size and Indexing 99 Table 9 Summary of Prefix Specific Action Scenarios 107 Part 4 Configuring Three Color Traffic Policers at Layer 3 Table 10 Three Color Policer Configuration and Application Overview 145 Chapter 13 Three Color Policer Configuration Guidelines 149 Table 11 Recommended Naming Convention for Policers 152 Part 6 Configuration Statements and Operational C...

Page 12: ...Copyright 2016 Juniper Networks Inc xii Traffic Policers Feature Guide for EX9200 Switches ...

Page 13: ...gineers and subject matter experts These books go beyond the technical documentation to explore the nuances of network architecture deployment and administration The current list can be viewed at http www juniper net books Supported Platforms For the features described in this document the following platforms are supported EX Series Using the Examples in This Manual If you want to use the examples...

Page 14: ...le unit 0 family inet address 10 0 0 1 24 2 Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command edit user host load merge var tmp ex script conf load complete Merging a Snippet To merge a snippet follow these steps 1 From the HTML or PDF version of the manual copy a configuration snippet into a text file save the file with a ...

Page 15: ...ortant features or instructions Informational note Indicates a situation that might result in loss of data or hardware damage Caution Alerts you to the risk of personal injury or death Warning Alerts you to the risk of personal injury from a laser Laser warning Indicates helpful information Tip Alerts you to a recommended use or implementation Best practice Table 2 on page xv defines the text and ...

Page 16: ...chy levels or labels on routing platform components Text like this stub default metric metric Encloses optional keywords or variables angle brackets broadcast multicast string1 string2 string3 Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol The set of choices is often enclosed in parentheses for clarity pipe symbol rsvp Required for dynamic MPLS...

Page 17: ...ks Technical Assistance Center JTAC If you are a customer with an active J Care or Partner Support Service support contract or are covered under warranty and need post sales technical support you can access our tools and resources online or open a case with JTAC JTAC policies For a complete understanding of our JTAC procedures and policies review the JTAC User Guide located at http www juniper net...

Page 18: ...erify service entitlement by product serial number use our Serial Number Entitlement SNE Tool https tools juniper net SerialNumberEntitlementSearch Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone Use the Case Management tool in the CSC at http www juniper net cm Call 1 888 314 JTAC 1 888 314 5822 toll free in the USA Canada and Mexico For international or direct d...

Page 19: ...PART 1 Overview Understanding Traffic Policers on page 3 Traffic Policing Standards on page 13 Introduction to Configuring Policers on page 15 1 Copyright 2016 Juniper Networks Inc ...

Page 20: ...Copyright 2016 Juniper Networks Inc 2 Traffic Policers Feature Guide for EX9200 Switches ...

Page 21: ...o partition network traffic into multiple priority levels also known as classes of service A policer defines a set of traffic rate limits and sets consequences for traffic that does not conform to the configured limits Packets in a traffic flow that do not conform to traffic limits are either discarded or marked with a different forwarding class or packet loss priority PLP level With the exception...

Page 22: ...ed in for the ability to transmit or receive traffic at the interface When sufficient tokens are present in the bucket a traffic flow continues unrestricted Otherwise packets might be dropped or else re marked with a lower forwarding class a higher packet loss priority PLP level or both The rate at which tokens are added to the bucket represents the highest average transmit or receive rate in bits...

Page 23: ...egories of packet loss priority PLP according to a configured bandwidth and burst size limit You can mark packets that exceed the bandwidth and burst size limit in some way or simply discard them A policer is most useful for metering traffic at the port physical interface level Single rate three color This type of policer is defined in RFC 2697 A Single Rate Three Color Marker as part of an assure...

Page 24: ...platforms you can assign medium low or medium high loss priority None Red Nonconforming None Assign low loss priority Green Conforming Single rate three color None Assign medium high loss priority Yellow Above the CIR and CBS Discard Assign high loss priority Red Above the EBS None Assign low loss priority Green Conforming Two rate three color None Assign medium high loss priority Yellow Above the...

Page 25: ... a policer it is stored as a template You can later use the same policer name to provide the same policer configuration each time you want to use it This eliminates the need to define the same policer values more than once You can apply a policer to a traffic flow in either of two ways You can configure a standard stateless firewall filter that specifies the policer policer name nonterminating act...

Page 26: ... or both or they can be discarded A single rate two color policer is most useful for metering traffic at the port physical interface level Basic Single Rate Two Color Policer You can apply a basic single rate two color policer to Layer 3 traffic in either of two ways as an interface policer or as a firewall filter policer You can apply the policer as an interface policer meaning that you apply the...

Page 27: ... green yellow and red A single rate three color policer defines a committed bandwidth limit and burst size limit plus an excess burst size limit Traffic that conforms to the committed traffic limits is categorized as green conforming Traffic that conforms to the bandwidth limit while allowing bursts of traffic as controlled by the excess burst size limit is categorized as yellow All other traffic ...

Page 28: ...ing Policies Firewall Filters and Traffic Policers Feature Guide Physical Interface Policers A physical interface policer can be a two color or three color policer When you apply physical interface policer to different protocol families on the same logical interface the protocol families share the same policer instance This means that rate limiting is performed aggregately for the protocol familie...

Page 29: ...ields and associates matched packets with a forwarding class a loss priority or both The forwarding class or loss priority can be set by a firewall filter action or by a policer referenced as a firewall filter action Related Documentation Controlling Network Access Using Traffic Policing Overview on page 3 Order of Policer and Firewall Filter Operations on page 11 Two Color Policer Configuration O...

Page 30: ...sidered when you use a traffic policer Table 4 Packet Lengths Considered for Traffic Policers Policing Packet Lengths Protocol L3 frame including header Any L3 frame including header IPv4 L3 frame including header IPv6 L3 frame including header MPLS L2 frame including header FCS VPLS L2 frame including header FCS Bridge L2 frame including header FCS CCC Related Documentation Policer Overhead to Ac...

Page 31: ...ld in the IPv4 and IPv6 Headers RFC 2475 An Architecture for Differentiated Service RFC 2597 Assured Forwarding PHB Group RFC 2598 An Expedited Forwarding PHB RFC 2698 A Two Rate Three Color Marker In a DiffServ environment the most significant 6 bits of the type of service ToS octet in the IP header contain a value called the Differentiated Services code point DSCP Within the DSCP field the most ...

Page 32: ...Copyright 2016 Juniper Networks Inc 14 Traffic Policers Feature Guide for EX9200 Switches ...

Page 33: ...eaders is applied to the logical interface The policer should be independent of BA classification Without BA classification all traffic on an interface is treated either as expedited forwarding EF or non EF based on the configuration With BA classification a physical or logical interface can support up to 64 policers The interface might be a physical interface or logical interface With BA classifi...

Page 34: ...Copyright 2016 Juniper Networks Inc 16 Traffic Policers Feature Guide for EX9200 Switches ...

Page 35: ...Series routers and EX Series switches 8000 50000000000 For a single rate two color policer only you can specify the bandwidth limit as a percentage value from 1 through 100 instead of as an absolute number bandwidth percent of bits per second The effective bandwidth limit is calculated as a percentage of either the physical 1 100 percent interface media rate or the logical interface configured sha...

Page 36: ...n Policer Color Marking and Actions on page 18 Determining Proper Burst Size for Traffic Policers on page 30 Policer Color Marking and Actions Table 6 on page 18 lists each of the Junos OS policer types supported For each policer type the table summarizes the color marking criteria used to categorize a traffic flow and for each color the actions taken on packets in that type of traffic flow Table ...

Page 37: ...ation rate PIR Peak burst size PBS Set PLP to low Green Conforms to the CIR and CBS Set PLP to medium high Yellow Exceeds the CIR and CBS but conforms to the PIR Discard the packet Set PLP to high Red Exceeds the PIR and PBS Hierarchical Policer Aggregate policer Bandwidth limit Burst size Set PLP to low Green Conforms to rate limits Discard the packet Assign to a forwarding class Set PLP to low o...

Page 38: ...gle token bucket allows burst of traffic for short periods whereas an algorithm based dual token buckets allows more sustained bursts of traffic Single Token Bucket Algorithm A single rate two color policer limits traffic throughput at an interface based on how the traffic conforms to rate limit values specified in the policer configuration Similarly a hierarchical policer limits traffic throughpu...

Page 39: ...If the bucket does not contain sufficient tokens the flow is considered non conforming traffic Packets in a non conforming traffic flow categorized as red traffic are handled according to policing actions Depending on the configuration of the two color policer packets might be implicitly discarded or the packets might be re marked with a specified forwarding class a specified PLP or both and then ...

Page 40: ...departs from the interface at average rates below the CIR any unused bandwidth capacity accumulates in the first token bucket but only up to a configured number of bytes If any unused bandwidth capacity overflows the first bucket the excess accumulates in a second token bucket The committed burst size CBS defines the maximum number of bytes for which unused amounts of the guaranteed bandwidth can ...

Page 41: ...umber of bytes specified by the PBS A traffic flow is categorized yellow if it exceeds the CIR and the available committed bandwidth capacity accumulated in the first token bucket but conforms to the PIR Packets in a yellow flow are implicitly marked with medium high PLP and then passed through the interface A traffic flow is categorized red if it exceeds the PIR and the available peak bandwidth c...

Page 42: ...Copyright 2016 Juniper Networks Inc 24 Traffic Policers Feature Guide for EX9200 Switches ...

Page 43: ... Two rate means there is an upper bandwidth limit and associated burst size as well as a peak information rate PIR and a peak burst rate PBS There are two types of token bucket algorithms that can be used depending on the type of policer that is applied to network traffic Single rate two color policers use the single token bucket algorithm to measure traffic flow conformance to a two color policer...

Page 44: ...an be programmed in the hardware The policer bandwidth limit configuration in the hardware is represented by two values the credit update frequency and the credit size The credit update frequency is used by the hardware to determine how frequently tokens bits of unused bandwidth are added to the token bucket The credit size is based on the number of tokens that can fit in the token bucket The MX S...

Page 45: ...pacity and arriving tokens overflow the bucket and are lost The token bucket depth represents the single user configured burst size for the policer If there are tokens in the token bucket and the incoming traffic rate is higher than the token rate the configured policer rate bandwidth limit the traffic can use the tokens until the bucket is empty The token consumption rate can be as high as the in...

Page 46: ...s required Related Documentation Understanding the Benefits of Policers and Token Bucket Algorithms on page 28 Determining Proper Burst Size for Traffic Policers on page 30 Understanding the Benefits of Policers and Token Bucket Algorithms This topic describes some scenarios that demonstrate how difficult it is to control traffic that comes into your network without the help of policers and the to...

Page 47: ...based traffic there is less unused bandwidth as depicted in Figure 6 on page 29 However the same issue of unused bandwidth still exists if all the TCP connections experience a drop when the aggregated traffic rate exceeds the configured bandwidth limit Figure 6 Policer Behavior with Background Traffic Multiple TCP Connections Traffic Volume Bandwidth Limit Time Background Traffic g041263 Unused Ba...

Page 48: ...w too many packets will be subjected to rate limiting If you set the burst size limit too high too few packets will be rate limited Consider these two main factors when determining the burst size to use The allowed duration of a blast of traffic on the line The burst size is large enough to handle the maximum transmission unit MTU size of the packets The following general guidelines apply to choos...

Page 49: ...e 8 on page 31 depicts how bandwidth usage changes when a large burst size is configured to handle bursty traffic The large burst size minimizes the amount of unused bandwidth because tokens are being allocated in between the bursts of traffic that can be used during traffic peaks The burst size determines the depth of the token bucket Figure 8 Bursty Traffic with Configured Burst Size Less Unused...

Page 50: ... next two sections Calculation Based on Interface Bandwidth and Allowable Burst Time If the bandwidth of the policed interface is known the preferred method for calculating the policer burst size limit is based on the following values bandwidth Line rate of the policed interface in bps units burst period Allowable traffic burst time 5 ms or longer To calculate policer bandwidth in bytes bandwidth ...

Page 51: ...ed with a 100 Kbps bandwidth limit 1 If you configure a 100 ms burst size limit the maximum amount of traffic allowed to pass through the interface unrestricted is 1250 bytes calculated as follows 100 000 bps x 0 1 s 100 Kbps x 100 ms 1250 bytes 8 bits per byte 2 In theory a 10 x MTU burst size would allow up to 15 000 bytes to pass unrestricted However the maximum configurable burst size limit fo...

Page 52: ... interface a configured burst size limit of 5 ms creates a burst duration of 1 ms at Gigabit Ethernet line rate calculated as follows 125 000 bytes 1 000 000 bits 0 001 s 10 ms 1 Gbps 1 000 000 000 bps The average bandwidth rate in 1 second becomes 200 Mbps 1 Mbps 201 Mbps which is a minimal increase over the configured bandwidth limit at 200 Mbps 2 If you configure a 600 ms burst size limit the m...

Page 53: ...t 600 ms with the bandwidth limit configured at 200 Mbps the calculation becomes 200 Mbps x 600 ms 15 Mbytes This creates a burst duration of 120 ms at the Gigabit Ethernet line rate The average bandwidth rate in 1 second becomes 200 Mbps 15 Mbytes 320 Mbps which is much higher than the configured bandwidth limit at 200 Mbps This example shows that a larger burst size can affect the measured bandw...

Page 54: ...Copyright 2016 Juniper Networks Inc 36 Traffic Policers Feature Guide for EX9200 Switches ...

Page 55: ...PART 2 Configuring Layer 2 Policers Two Color and Three Color Policers at Layer 2 on page 39 37 Copyright 2016 Juniper Networks Inc ...

Page 56: ...Copyright 2016 Juniper Networks Inc 38 Traffic Policers Feature Guide for EX9200 Switches ...

Page 57: ...egress Layer 2 traffic at a logical interface hosted on a Gigabit Ethernet interface ge or a 10 Gigabit Ethernet interface xe only A single logical interface supports Layer 2 policing in both directions You can apply a two color policer to Layer 2 traffic as a logical interface policer only You cannot apply a two color policer to Layer 2 traffic as a stateless firewall filter action You can apply ...

Page 58: ...2 policer input policer policer name statement or the layer2 policer output policer policer name statement to a supported logical interface Use the input policer or output policer statements to apply a two color policer at Layer 2 interfaces ge fpc pic port xe fpc pic port unit unit number layer2 policer input policer policer name output policer policer name You can include the configuration at th...

Page 59: ...2 traffic by referencing the policer in the interface configuration at the logical unit level and not at the protocol level You can apply a color aware three color policer to Layer 2 traffic in the egress direction only but you apply a color blind three color policer to Layer 2 traffic in either direction For information about configuring two color policing of Layer 2 traffic see Two Color Policin...

Page 60: ...e color policer name You can include the configuration at the following hierarchy levels edit edit logical systems logical system name Related Documentation Example Configuring a Three Color Logical Interface Aggregate Policer on page 42 layer2 policer on page 220 logical interface policer on page 222 three color policer Configuring on page 239 Example Configuring a Three Color Logical Interface A...

Page 61: ...ogical interface at the logical unit level and not by referencing the policer in a stateless firewall filter and then applying the filter to the logical interface at the protocol family level Topology In this example you configure the two rate three color policer trTCM2 cb as a color blind logical interface policer and apply the policer to incoming Layer 2 traffic on logical interface ge 1 3 1 0 N...

Page 62: ...nterfaces ge 1 3 1 unit 0 family inet address 10 10 10 1 30 set interfaces ge 1 3 1 unit 1 vlan id 101 set interfaces ge 1 3 1 unit 1 family inet address 20 20 20 1 30 arp 20 20 20 2 mac 00 00 11 22 33 44 set firewall three color policer trTCM2 cb logical interface policer set firewall three color policer trTCM2 cb two rate color blind set firewall three color policer trTCM2 cb two rate committed ...

Page 63: ... color policer as a logical interface policer Enable configuration of a three color policer edit 1 user host edit firewall three color policer trTCM2 cb 2 Specify that the policer is a logical interface aggregate policer edit firewall three color policer trTCM2 cb user host set logical interface policer A logical interface policer rate limits traffic based on a percentage of the media rate of the ...

Page 64: ... action can increase the packet loss priority PLP level of a packet but never decrease it For example if a color aware three color policer meters a packet with a medium PLP marking it can raise the PLP level to high but cannot reduce the PLP level to low Results Confirm the configuration of the three color policer by entering the show firewall configuration mode command If the command output does ...

Page 65: ...rification Confirm that the configuration is working properly Displaying Traffic Statistics and Policers for the Logical Interface on page 47 Displaying Statistics for the Policer on page 48 Displaying Traffic Statistics and Policers for the Logical Interface Purpose Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical int...

Page 66: ...int i trTCM2 cb e 1 3 1 0 log_int o The log_int i suffix denotes a logical interface policer applied to input traffic while the log_int o suffix denotes a logical interface policer applied to output traffic In this example the logical interface policer is applied to input traffic only Related Documentation Logical Interface Aggregate Policer Overview on page 171 Example Configuring a Two Color Log...

Page 67: ...Configuration and Application Overview Key Points Layer 3 Application Policer Configuration Single Rate Two Color Policer Defines traffic rate limiting that you can apply to Layer 3 protocol specific traffic at a logical interface Can be applied as an interface policer or as a firewall filter policer Policer configuration Method A Apply as an interface policer at the protocol family level edit int...

Page 68: ...licer operational mode command family family name filter filter name interface specific Firewall filter policer verification from match conditions Use the show interfaces detail extensive operational mode command then policer policer name Use the show firewall filter filter name operational mode command edit interfaces interface name unit unit number family family name filter input filter name out...

Page 69: ...t policer name burst size limit bytes then based on a percentage of the physical interface media rate output policer name discard forwarding class class name To rate limit traffic based on a percentage of the logical loss priority supported value interface configured shaping rate also include the logical bandwidth policer statement Method B Apply as a firewall filter policer at the protocol family...

Page 70: ...ls policer policer name logical interface policer if exceeding Two options for interface policer application input policer name output policer name bandwidth limit bps burst size limit bytes To rate limit all traffic types regardless of the protocol family family name policer One protocol then discard family apply the logical input policer name forwarding class class name interface policer at the ...

Page 71: ...ical interface filter Include the physical interface filter statement then discard from match conditions forwarding class class name then Application loss priority supported value policer policer name Apply the filter to the input or output of a logical interface at the protocol family level edit interfaces Firewall filter policer verification interface name Use the show interfaces detail extensiv...

Page 72: ...Copyright 2016 Juniper Networks Inc 54 Traffic Policers Feature Guide for EX9200 Switches ...

Page 73: ...ercentage value from 1 through 100 If a percentage value is specified the effective bandwidth limit is calculated as a percentage of either the physical interface media rate or the logical interface configured shaping rate Packets per second pps limit MX Series with MPC only The average number of packets per second permitted for packets received or transmitted at the interface You specify the pps ...

Page 74: ...e rate two color policer to incoming packets outgoing packets or both This example applies the policer as an input ingress policer The goal of this topic is to provide you with an introduction to policing by using a example that shows traffic policing in action Policers use a concept known as a token bucket to allocate system resources based on the parameters defined for the policer A thorough exp...

Page 75: ...e for Traffic Policers on page 30 NOTE There is a finite buffer space for an interface In general the estimated total buffer depth for an interface is about 125 ms For a traffic flow that conforms to the configured limits categorized as green traffic packets are implicitly marked with a packet loss priority PLP level of low and are allowed to pass through the interface unrestricted For a traffic f...

Page 76: ...R2 the policer will limit the HTTP port 80 traffic originating from Device Host1 to using 700 Mbps 70 percent of the available bandwidth with an allowable burst rate of 10 x the MTU size of the gigabit Ethernet interface between the host Device Host1 and Device R1 NOTE In a real world scenario you would probably also rate limit traffic for a variety of other ports such as FTP SFTP SSH TELNET SMTP ...

Page 77: ...mit 15k set firewall policer discard then discard set firewall family inet filter mf classifier term t1 from protocol tcp set firewall family inet filter mf classifier term t1 from port 80 set firewall family inet filter mf classifier term t1 then policer discard set firewall family inet filter mf classifier term t2 then accept set protocols ospf area 0 0 0 0 interface ge 2 0 5 0 passive set proto...

Page 78: ...xceeding bandwidth limit 700m user R1 set if exceeding burst size limit 15k 4 Configure the policer to discard packets in the red traffic flow edit firewall policer discard user R1 set then discard 5 Configure the two conditions of the firewall to accept all TCP traffic to port HTTP port 80 edit firewall family inet filter mf classifier user R1 set term t1 from protocol tcp user R1 set term t1 fro...

Page 79: ...lo0 0 passive user R1 set area 0 0 0 0 interface ge 2 0 8 0 Results From configuration mode confirm your configuration by entering the show interfaces show firewall and show protocols ospf commands If the output does not display the intended configuration repeat the instructions in this example to correct the configuration user R1 show interfaces ge 2 0 5 description to Host unit 0 family inet fil...

Page 80: ... 0 passive interface ge 2 0 8 0 If you are done configuring Device R1 enter commit from configuration mode user R2 show interfaces ge 2 0 7 description to Host unit 0 family inet address 172 16 80 2 30 ge 2 0 8 description to R1 unit 0 family inet address 10 50 0 2 30 lo0 unit 0 description looback interface family inet address 192 168 14 1 32 Copyright 2016 Juniper Networks Inc 62 Traffic Policer...

Page 81: ...2 0 5 Action Use a traffic generator to send 10 TCP packets with a source port of 80 1 The s flag sets the source port The k flag causes the source port to remain steady at 80 instead of incrementing The c flag sets the number of packets to 10 The d flag sets the packet size The destination IP address of 172 16 80 1 belongs to Device Host 2 that is connected to Device R2 The user on Device Host 2 ...

Page 82: ...that the 1500 KBps burst option for red out of contract HTTP port 80 traffic was exceeded Related Documentation Junos OS Routing Protocols and Policies Configuration Guide for Security Devices Example Configuring Interface and Firewall Filter Policers at the Same Interface This example shows how to configure three single rate two color policers and apply the policers to the IPv4 input traffic at t...

Page 83: ... A policer that you configure with a bandwidth limit expressed as a percentage value rather than as an absolute bandwidth value is called a bandwidth policer Only single rate two color policers can be configured with a percentage bandwidth specification By default a bandwidth policer rate limits traffic to the specified percentage of the line rate of the physical interface underlying the target lo...

Page 84: ... if exceeding burst size limit 500k set firewall policer p ftp 10p 500k discard then discard set firewall policer p icmp 500k 500k discard if exceeding bandwidth limit 500k set firewall policer p icmp 500k 500k discard if exceeding burst size limit 500k set firewall policer p icmp 500k 500k discard then discard set firewall family inet filter filter ipv4 with limits interface specific set firewall...

Page 85: ... repeat the instructions in this procedure to correct the configuration edit user host show interfaces fe 0 1 1 vlan tagging unit 0 vlan id 100 family inet address 10 20 15 1 24 unit 1 vlan id 101 family inet address 10 20 240 1 24 Configuring the Three Policers Step by Step Procedure To configure the three policers Enable configuration of a two color policer that discards packets that do not conf...

Page 86: ...user host set then discard Because the bandwidth limit is specified as a percentage the firewall filter that references this policer must be configured as an interface specific filter NOTE If you wanted this policer to rate limit to 10 percent of the logical interface configured shaping rate rather than to 10 percent of the physical interface media rate you would need to include the logical bandwi...

Page 87: ...le configuration of the IPv4 firewall filter edit 1 user host edit firewall family inet filter filter ipv4 with limits 2 Configure the firewall filter as interface specific edit firewall family inet filter filter ipv4 with limits user host set interface specific The firewall filter must be interface specific because one of the policers referenced is configured with a bandwidth limit expressed as a...

Page 88: ... policing edit firewall family inet filter filter ipv4 with limits term t icmp user host up edit firewall family inet filter filter ipv4 with limits user host set term catch all then accept Results Confirm the configuration of the firewall filter by entering the show firewall configuration mode command If the command output does not display the intended configuration repeat the instructions in thi...

Page 89: ...ilter ipv4 with limits 3 Apply the interface policer to the interface edit interfaces fe 0 1 1 unit 1 family inet user host set policer input p all 1m 5k discard Input packets at fe 0 1 1 0 are evaluated against the interface policer before they are evaluated against the firewall filter policers For more information see Order of Policer and Firewall Filter Operations on page 11 Results Confirm the...

Page 90: ...gical interface fe 0 1 1 1 The command output section for the Proto column and Input Policer column shows that the policer p all 1m 5k discard is evaluated when packets are received on the logical interface user host show interfaces policers fe 0 1 1 1 Interface Admin Link Proto Input Policer Output Policer fe 0 1 1 1 up up inet p all 1m 5k discard fe 0 1 1 1 inet i In this example the interface p...

Page 91: ... packets 1 Local statistics Input bytes 0 Output bytes 46 Input packets 0 Output packets 1 Transit statistics Input bytes 0 0 bps Output bytes 0 0 bps Input packets 0 0 pps Output packets 0 0 pps Protocol inet MTU 1500 Generation 176 Route table 0 Flags Sendbcast pkt to re Input Filters filter ipv4 with limits fe 0 1 1 1 i Policer Input p all 1m 5k discard fe 0 1 1 1 inet i Addresses Flags Is Pref...

Page 92: ...ec packet counts not all packets policed by the policer Related Documentation Order of Policer and Firewall Filter Operations on page 11 Two Color Policer Configuration Overview on page 49 Single Rate Two Color Policer Overview on page 55 Example Limiting Inbound Traffic at Your Network Border by Configuring an Ingress Single Rate Two Color Policer on page 56 Related Documentation Order of Policer...

Page 93: ...the physical interface port speed To configure a bandwidth policer to calculate the percentage bandwidth limit based on the configured logical interface shaping rate instead include the logical bandwidth policer statement at the edit firewall policer policer name hierarchy level This type of bandwidth policer is called a logical bandwidth policer You can configure a logical interface shaping rate ...

Page 94: ...l bandwidth policer from a firewall filter you must include the interface specific statement in the firewall filter configuration You cannot use a bandwidth policer for forwarding table filters You cannot apply a bandwidth policer to an aggregate interface a tunnel interface or a software interface Related Documentation Two Color Policer Configuration Overview on page 49 Example Configuring a Logi...

Page 95: ...r directly to the logical interface at the protocol family level or if you only need to rate limit filtered packets you can reference the policer from a stateless firewall filter configured to operate in interface specific mode Topology In this example you configure two logical interfaces on a single Gigabit Ethernet interface and configure a shaping rate on each logical interface On logical inter...

Page 96: ...es ge 1 3 0 unit 1 family inet address 172 16 1 1 30 set class of service interfaces ge 1 3 0 unit 0 shaping rate 4m set class of service interfaces ge 1 3 0 unit 1 shaping rate 2m set firewall policer LB policer logical bandwidth policer set firewall policer LB policer if exceeding bandwidth percent 50 set firewall policer LB policer if exceeding burst size limit 125k set firewall policer LB poli...

Page 97: ... Step by Step Procedure To configure rate shaping by specifying the bandwidth to be allocated to the logical interface 1 Enable CoS configuration on the physical interface edit user host edit class of service interfaces ge 1 3 0 2 Configure rate shaping for the logical interfaces edit class of service interfaces ge 1 3 0 user host set unit 0 shaping rate 4m user host set unit 1 shaping rate 2m The...

Page 98: ...r host set if exceeding burst size limit 125k user host set then discard Results Confirm the configuration of the policer by entering the show firewall configuration mode command If the command output does not display the intended configuration repeat the instructions in this procedure to correct the configuration edit user host show firewall policer LB policer logical bandwidth policer if exceedi...

Page 99: ...mmand output does not display the intended configuration repeat the instructions in this procedure to correct the configuration edit user host show interfaces ge 1 3 0 per unit scheduler vlan tagging unit 0 vlan id 100 family inet policer input LB policer output LB policer address 172 16 1 1 30 unit 1 vlan id 200 family inet policer input LB policer output LB policer address 172 16 1 1 30 If you a...

Page 100: ...0 0 Index 80 SNMP ifIndex 154 Generation 150 Flags SNMP Traps 0x4000 VLAN Tag 0x8100 100 Encapsulation ENET2 Traffic statistics Input bytes 0 Output bytes 46 Input packets 0 Output packets 1 Local statistics Input bytes 0 Output bytes 46 Input packets 0 Output packets 1 Transit statistics Input bytes 0 0 bps Output bytes 0 0 bps Input packets 0 0 pps Output packets 0 0 pps Protocol inet MTU 1500 G...

Page 101: ...t policer names are displayed as follows LB policer ge 1 3 0 0 inet i LB policer ge 1 3 0 0 inet o LB policer ge 1 3 0 1 inet i LB policer ge 1 3 0 1 inet o The inet i suffix denotes a policer applied to logical interface input traffic while the inet o suffix denotes a policer applied to logical interface output traffic In this example the policer is applied to both input and output traffic on log...

Page 102: ...elines for Applying Traffic Policers on page 15 bandwidth percent on page 201 interface specific Firewall Filters logical bandwidth policer on page 221 shaping rate Applying to an Interface Copyright 2016 Juniper Networks Inc 84 Traffic Policers Feature Guide for EX9200 Switches ...

Page 103: ...e policer configuring the policer to operate in filter specific mode enables you to count and monitor the activity of the policer at the firewall filter level NOTE Term specific mode and filter specific mode also apply to prefix specific policer sets To enable a single rate two color policer to operate in filter specific mode you can include the filter specific statement at the following hierarchy...

Page 104: ...er limit is discarded When specifying limits the bandwidth limit can be from 32 000 bps to 32 000 000 000 bps and the burst size limit can be from 1 500 bytes through 100 000 000 bytes Use the following abbreviations when specifying limits k 1 000 m 1 000 000 and g 1 000 000 000 Each policer is incorporated into the action of a filter term This example includes the following terms tcp connection t...

Page 105: ...on To quickly configure the stateless firewall filter copy the following commands to a text file remove any line breaks and then paste the commands into the CLI Device R1 set interfaces fe 1 2 0 unit 0 family inet address 10 0 0 1 30 set interfaces lo0 unit 0 family inet address 192 168 0 1 32 primary set interfaces lo0 unit 0 family inet address 172 16 0 1 32 set protocols bgp group ext type exte...

Page 106: ...ct RE term icmp term then policer icmp policer set firewall family inet filter protect RE term icmp term then count icmp counter set firewall family inet filter protect RE term icmp term then accept set firewall policer tcp connection policer filter specific set firewall policer tcp connection policer if exceeding bandwidth limit 1m set firewall policer tcp connection policer if exceeding burst si...

Page 107: ...edit firewall policer icmp policer user R2 set filter specific user R2 set if exceeding bandwidth limit 1m user R2 set if exceeding burst size limit 15k user R2 set then discard 9 Configure the TCP filter rules edit firewall family inet filter protect RE term tcp connection term user R2 set from source prefix list trusted addresses user R2 set from protocol tcp user R2 set from tcp established use...

Page 108: ...0 family inet address 10 0 0 2 30 lo0 unit 0 family inet filter input protect RE address 192 168 0 2 32 primary address 172 16 0 2 32 user R2 show protocols bgp group ext type external export send direct neighbor 10 0 0 1 peer as 100 ospf area 0 0 0 0 interface lo0 0 passive interface fe 1 2 0 0 user R2 show policy options prefix list trusted addresses 10 0 0 0 24 192 168 0 0 24 policy statement s...

Page 109: ...om source prefix list trusted addresses protocol icmp then policer icmp policer count icmp counter accept policer tcp connection policer filter specific if exceeding bandwidth limit 1m burst size limit 15k then discard policer icmp policer filter specific if exceeding bandwidth limit 1m burst size limit 15k then discard If you are done configuring the device enter commit from configuration mode 91...

Page 110: ...mand user R2 show firewall Filter protect RE Counters Name Bytes Packets icmp counter 0 0 Policers Name Bytes Packets icmp policer 0 tcp connection policer 0 Meaning The output shows the filter the counter and the policers that are in effect on Device R2 Using telnet to Verify the tcp established Condition in the TCP Firewall Filter Purpose Make sure that telnet traffic works as expected Action Ve...

Page 111: ...Telnet uses TCP as the transport protocol so this result might be surprising The cause for the lack of telnet connectivity is the from tcp established match condition This match condition limits the type of TCP traffic that is accepted of Device R2 After this match condition is deactivated the telnet session is successful Using telnet to Verify the Trusted Prefixes Condition in the TCP Firewall Fi...

Page 112: ...the TCP Firewall Filter Purpose Make sure that OSPF traffic works as expected Action Verify that the device cannot establish OSPF connectivity 1 From Device R1 check the OSPF sessions user R1 show ospf neighbor Address Interface State ID Pri Dead 10 0 0 2 fe 1 2 0 0 Init 192 168 0 2 128 34 2 From Device R2 check the OSPF sessions user R2 show ospf neighbor 3 From Device R2 remove the from protocol...

Page 113: ...ted addresses user R2 delete 172 16 0 0 16 user R2 commit 2 From Device R1 ping the loopback interface on Device R2 user R1 ping 192 168 0 2 rapid count 600 size 2000 PING 192 168 0 2 192 168 0 2 2000 data bytes 192 168 0 2 ping statistics 600 packets transmitted 536 packets received 10 packet loss pinground trip min avg max stddev 2 976 3 405 42 380 2 293 ms 3 From Device R2 check the firewall st...

Page 114: ...ed Documentation Example Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources Two Color Policer Configuration Overview on page 49 Related Documentation Two Color Policer Configuration Overview on page 49 Guidelines for Applying Traffic Policers on page 15 Prefix Specific Counting and Policing Actions on page 97 Copyright 2016 Juniper Networks Inc 96 Traffic Policers Featu...

Page 115: ...tion address applies a single rate two color policer as the term action but associates the matched packet with a specific counter and policer instance based on the source or destination in the packet header You can implicitly create a separate counter or policer instance for a single address or for a group of addresses Prefix specific counting and policing uses a prefix specific action configurati...

Page 116: ...IPv4 standard firewall filter and then apply the filter at the aggregate level of the interface Counting option Option to include if you want to enable prefix specific counters Filter specific option Option to include if you want a single counter and policer set to be shared across all terms in the firewall filter A prefix specific action that operates in this way is said to operate in filter spec...

Page 117: ...subnet prefix length 16 x x 0 1 Instance 1 x x 255 255 Instance 65535 x x x 0 Instance 0 Size 2 32 24 2 8 256instances source prefix length 32 subnet prefix length 24 x x x 1 Instance 1 x x x 255 Instance 255 x x x 0 Instance 0 Size 2 32 25 2 7 128instances source prefix length 32 subnet prefix length 25 x x x 1 Instance 1 x x x 127 Instance 127 x x 0 x Instance 0 Size 2 24 20 2 4 16 instances sou...

Page 118: ...rate in filter specific mode you can include the filter specific statement at the following the hierarchy levels edit firewall family inet prefix action prefix action name edit logical systems logical system name firewall family inet prefix action prefix action name You can reference filter specific prefix specific policer sets from IPv4 family inet firewall filters only Related Documentation Two ...

Page 119: ... term that matches all packets from the 24 subnet of source address 10 10 10 0 passing these packets to the prefix specific action psa 1Mbps per source 24 32 256 Topology In this example because the filter term matches the 24 subnet of a single source address each counting and policing instance in the prefix specific set is used for only one source address Packets with a source address 10 10 10 0 ...

Page 120: ...4 32 256source prefix length 32 set firewall family inet filter limit source one 24 term one from source address 10 10 10 0 24 set firewall family inet filter limit source one 24 term one then prefix action psa 1Mbps per source 24 32 256 set interfaces so 0 0 2 unit 0 family inet filter input limit source one 24 set interfaces so 0 0 2 unit 0 family inet address 10 39 1 1 16 Configuring a Policer ...

Page 121: ...action psa 1Mbps per source 24 32 256 user host set policer 1Mbps policer user host set count NOTE For aggregated Ethernet interfaces you can configure a prefix specific action that references a logical interface policer also called an aggregate policer You can reference this type of prefix specific action from an IPv4 standard firewall filter and then apply the filter at the aggregate level of th...

Page 122: ...onfigure the filter term to reference the prefix specific action edit firewall family inet filter limit source one 24 user host set term one then prefix action psa 1Mbps per source 24 32 256 You could also use the next term action to configure all Hypertext Transfer Protocol HTTP traffic to each host to transmit at 500 Kbps and have the total HTTP traffic limited to 1 Mbps Results Confirm the conf...

Page 123: ...10 39 1 1 16 3 Apply the IPv4 standard stateless firewall filter edit interfaces so 0 0 2 unit 0 family inet user host set filter input limit source one 24 Results Confirm the configuration of the prefix specific action by entering the show interfaces configuration mode command If the command output does not display the intended configuration repeat the instructions in this procedure to correct th...

Page 124: ...55 255 Generation 163 Displaying Prefix Specific Actions Statistics for the Firewall Filter Purpose Verify the number of packets evaluated by the policer Action Use the show firewall prefix action stats filter filter name prefix action name operational mode command to display statistics about a prefix specific action configured on a firewall filter As an option you can use the from set index to se...

Page 125: ...ng and Policing Configuration Scenarios This topic covers the following information Prefix Length of the Action and Prefix Length of Addresses in Filtered Packets on page 107 Scenario 1 Firewall Filter Term Matches on Multiple Addresses on page 109 Scenario 2 Subnet Prefix Is Longer Than the Prefix in the Filter Match Condition on page 110 Scenario 3 Subnet Prefix Is Shorter Than the Prefix in the...

Page 126: ... Longer Than the Prefix in the Filter Match Condition on page 110 10 10 10 0 10 10 10 128 Instance 0 source address 10 10 10 0 24 source prefix length 32 subnet prefix length 25 Set size 2 7 128 Instance numbers 0 127 10 10 10 1 10 10 10 120 Instance 1 10 10 10 255 10 10 10 127 Instance 127 Prefix specific action scenario Scenario 3 Subnet Prefix Is Shorter Than the Prefix in the Firewall Filter M...

Page 127: ...to the counter and policer set in such a way that the counting and policing instances are shared by packets that contain source addresses across the 10 10 10 0 24 and 10 11 0 0 16 subnets as follows The first counter and policer in the set are indexed by packets with source addresses 10 10 10 0 and 10 11 x 0 where x ranges from 0 through 255 The second counter and policer in the set are indexed by...

Page 128: ...et prefix value of 25 while the firewall filter matches on a source address in the 24 subnet NOTE The firewall filter passes the prefix specific action packets with source addresses that range from 10 10 10 0 through 10 10 10 255 while the prefix specific action specifies a set of only 128 counters and policers numbered from 0 through 127 The filter matched packets that are passed to the prefix sp...

Page 129: ...nput limit source one 24 address 10 39 1 1 16 Scenario 3 Subnet Prefix Is Shorter Than the Prefix in the Firewall Filter Match Condition The complete example Example Configuring Prefix Specific Counting and Policing on page 100 shows the simplest case of prefix specific actions in which the single term firewall filter matches on one address with a prefix length that is the same as the subnet prefi...

Page 130: ...0 127 The upper half of the set instances numbered from 128 through 255 are not indexed by packets passed to the prefix specific action from this particular firewall filter The following configuration shows the statements for configuring the single rate two color policer the prefix specific action that references the policer and the IPv4 standard stateless firewall filter that references the prefi...

Page 131: ...licing Overview on page 97 Filter Specific Counter and Policer Set Overview on page 100 Example Configuring Prefix Specific Counting and Policing on page 100 Related Documentation Two Color Policer Configuration Overview on page 49 Guidelines for Applying Traffic Policers on page 15 113 Copyright 2016 Juniper Networks Inc Chapter 10 Prefix Specific Counting and Policing Actions ...

Page 132: ...Copyright 2016 Juniper Networks Inc 114 Traffic Policers Feature Guide for EX9200 Switches ...

Page 133: ...s a packet loss priority PLP level or both Based on the associated forwarding class each packet is assigned to an output queue and the router services the output queues according to the associated scheduling you configure Based on the associated PLP each packet carries a lower or higher likelihood of being dropped if congestion occurs The CoS random early detection RED process uses the drop probab...

Page 134: ...kets though the use of the forwarding class class name or loss priority high medium high medium low low nonterminating actions in the term s then clause NOTE BA classification of a packet can be overridden by the stateless firewall filter actions forwarding class and loss priority Multifield Classification Used In Conjunction with Policers To configure multifield classification in conjunction with...

Page 135: ...lassification specified by the firewall filter is performed on input packets that have already been re marked once by policing actions Consequently any input packet that matches the conditions specified in a firewall filter term is then subject to a second re marking according to the forwarding class or loss priority nonterminating actions also specified in that term Related Documentation Firewall...

Page 136: ...or marking feature On all routing platforms that support the loss priority firewall filter action you cannot set the loss priority firewall filter action to medium low or medium high unless you enable the CoS tricolor marking feature To enable the CoS tricolor marking feature include the tri color statement at the edit class of service hierarchy level Restrictions You cannot configure the loss pri...

Page 137: ...ess classification that is set with an input filter applied to the same IPv4 logical interface For example in the following configuration the filter called ingress assigns all incoming IPv4 packets to the expedited forwarding class The filter called egress counts all packets that were assigned to the expedited forwarding class in the ingress filter This configuration does not work on most M Series...

Page 138: ...forwarding class expedited forwarding accept count ef term 2 then accept edit user host show interfaces ge 1 2 0 unit 0 family inet filter input ingress Related Documentation Two Color Policer Configuration Overview on page 49 Multifield Classification Overview on page 115 Multifield Classification Requirements and Restrictions on page 118 Example Configuring Multifield Classification on page 121 ...

Page 139: ...with the Enhanced CFEB CFEB E T Series router with Enhanced II Flexible PIC Concentrator FPC b To be able to set a loss priority firewall filter action to medium low or medium high make sure that the CoS tricolor marking feature is enabled To enable the CoS tricolor marking feature include the tri color statement at the edit class of service hierarchy level 2 The expedited forwarding and assured f...

Page 140: ...the policers discards nonconforming traffic Packets in nonconforming flows are marked for a specific forwarding class expedited forwarding or assured forwarding set to a specific loss priority and then transmitted NOTE Single ratetwo colorpolicersalwaystransmitpacketsinaconforming traffic flow after implicitly setting a low loss priority Topology In this example you apply multifield classification...

Page 141: ...wall policer ef policer then forwarding class expedited forwarding set firewall policer af policer if exceeding bandwidth limit 300k set firewall policer af policer if exceeding burst size limit 50k set firewall policer af policer then loss priority high set firewall policer af policer then forwarding class assured forwarding set firewall family inet filter mfc filter term isp1 customers from sour...

Page 142: ...y entering the show firewall configuration mode command If the command output does not display the intended configuration repeat the instructions in this procedure to correct the configuration edit user host show firewall policer af policer if exceeding bandwidth limit 300k burst size limit 50k then loss priority high forwarding class assured forwarding policer ef policer if exceeding bandwidth li...

Page 143: ... customers then policer ef policer 4 Configure the third term to police all other packets to a different set of traffic limits and actions edit firewall family inet filter mfc filter user host set term other customers then policer af policer Results Confirm the configuration of the filter by entering the show firewall configuration mode command If the command output does not display the intended c...

Page 144: ...net user host set address 192 168 1 1 24 3 Apply the firewall filter to the logical interface input edit interfaces ge 1 2 0 unit 0 family inet user host set filter input mfc filter NOTE Because the policer is executed before the filter if an input policer is also configured on the logical interface it cannot use the forwarding class and PLP of a multifield classifier associated with the interface...

Page 145: ...ilter term NOTE The packet count includes the number of out of specification out of spec packet counts not all packets policed by the policer The policer name is displayed concatenated with the name of the firewall filter term in which the policer is referenced as an action Related Documentation Two Color Policer Configuration Overview on page 49 Multifield Classification Overview on page 115 Mult...

Page 146: ...ckets intelligently instead of dropping packets indiscriminately One common way to detect packets of interest is by source port number The TCP port numbers 80 and 12345 are used in this example but many other matching criteria for packet detection are available to multifield classifiers using firewall filter match conditions The configuration in this example specifies that TCP packets with source ...

Page 147: ...your network configuration copy and paste the commands into the CLI at the edit hierarchy level and then enter commit from the configuration mode Device R1 set interfaces ge 1 0 0 description to host set interfaces ge 1 0 0 unit 0 family inet filter input mf classifier set interfaces ge 1 0 0 unit 0 family inet address 172 16 50 2 30 set interfaces ge 1 0 2 description to R2 set interfaces ge 1 0 ...

Page 148: ...figure the firewall filter term that places TCP traffic with a source port of 80 HTTP traffic into the BE data forwarding class associated with queue 0 edit firewall family inet filter mf classifier user R1 set term BE data from protocol tcp user R1 set term BE data from port 80 user R1 set term BE data then forwarding class BE data 4 Configure the firewall filter term that places TCP traffic with...

Page 149: ...cription to R2 unit 0 family inet address 10 30 0 1 30 user R1 show class of service forwarding classes class BE data queue num 0 class Premium data queue num 1 class Voice queue num 2 class NC queue num 3 user R1 show firewall family inet filter mf classifier term BE data from protocol tcp port 80 then forwarding class BE data term Premium data from protocol tcp port 12345 then forwarding class P...

Page 150: ...put shows the configured custom classifier settings Sending TCP Traffic into the Network and Monitoring the Queue Placement Purpose Make sure that the traffic of interest is sent out the expected queue Action Clear the interface statistics on Device R1 s outgoing interface 1 user R1 clear interfaces statistics ge 1 0 2 2 Use a traffic generator to send 50 TCP port 80 packets to Device R2 or to som...

Page 151: ...ed Related Documentation Example Configuring a Two Rate Three Color Policer on page 162 Related Documentation Firewall Filter Nonterminating Actions Order of Policer and Firewall Filter Operations on page 11 Two Color Policer Configuration Overview on page 49 Guidelines for Applying Traffic Policers on page 15 The Junos OS CoS Components Used to Manage Congestion and Control Service Levels Underst...

Page 152: ...Copyright 2016 Juniper Networks Inc 134 Traffic Policers Feature Guide for EX9200 Switches ...

Page 153: ...comes back online For Gigabit Ethernet Intelligent Queuing 2 IQ2 and Enhanced IQ2 IQ2E PICs or interfaces on Dense Port Concentrators DPCs in MX Series routers you can control the rate of traffic that passes through all interfaces on the PIC or DPC by configuring a policer overhead You can configure a policer ingress overhead and a policer egress overhead each with values from 0 through 255 bytes ...

Page 154: ...vice scheduling includes 100 Mbps of traffic rate shaping overhead for the output traffic A policer egress overhead of 100 bytes is configured on the entire PIC so that for any policers applied to the output traffic 100 bytes are added to the final Ethernet frame length when determining ingress and egress policer actions NOTE Traffic rate shaping and corresponding policer overhead are configured s...

Page 155: ...t 35 set class of service scheduler maps my map forwarding class best effort scheduler be set class of service scheduler maps my map forwarding class expedited forwarding scheduler ef setclass of servicescheduler mapsmy mapforwarding classnetwork controlscheduler nc set class of service scheduler maps my map forwarding class assured forwarding scheduler af set class of service interfaces ge 1 3 1 ...

Page 156: ... the show interfaces configuration mode command If the command output does not display the intended configuration repeat the instructions in this procedure to correct the configuration edit user host show interfaces ge 1 3 1 per unit scheduler vlan tagging unit 0 vlan id 100 family inet address 10 10 10 1 30 unit 1 vlan id 101 family inet address 20 20 20 1 30 arp 20 20 20 2 mac 00 00 11 22 33 44 ...

Page 157: ... set forwarding class assured forwarding scheduler af c Associate the scheduler map with logical interface ge 1 3 1 0 edit class of service user host edit interfaces ge 1 3 1 unit 1 edit class of service interfaces ge 1 3 1 unit 1 user host set scheduler map my map 3 Configure 100 Mbps of traffic rate shaping overhead on logical interface ge 1 3 1 1 edit class of service interfaces ge 1 3 1 unit 1...

Page 158: ... configure policer overhead on the PIC or MPC that hosts the rate shaped logical interface 1 Enable configuration of the supported PIC or MPC edit user host set chassis fpc 1 pic 3 2 Configure 100 bytes of policer overhead on the supported PIC or MPC edit chassis fpc 1 pic 3 user host set ingress policer overhead 100 user host set egress policer overhead 100 NOTE These values are added to the leng...

Page 159: ...er host set if exceeding bandwidth limit 500k user host set if exceeding burst size limit 625k user host set then discard 2 Apply the policer to Layer 3 input on the IPv4 logical interface edit user host set interfaces ge 1 3 1 unit 0 family inet policer input 500Kbps NOTE The 100 Mbps policer overhead is added to the length of the finalEthernetframewhendeterminingingressandegresspoliceractions Re...

Page 160: ...is evaluated when packets are received on the logical interface Action Use the show interfaces operational mode command for logical interface ge 1 3 1 0 and include the detail or extensive option The command output section for Traffic statistics lists the number of bytes and packets received and transmitted on the logical interface and the Protocol inet section contains a Policer field that would ...

Page 161: ...og_int i suffix denotes a logical interface policer applied to input traffic while the log_int o suffix denotes a logical interface policer applied to output traffic In this example the logical interface policer is applied to input traffic only Related Documentation Policer Overhead to Account for Rate Shaping Overview on page 135 Configuring a Policer Overhead in the CLI Explorer Related Document...

Page 162: ...Copyright 2016 Juniper Networks Inc 144 Traffic Policers Feature Guide for EX9200 Switches ...

Page 163: ...hat you can apply to Layer 3 protocol specific traffic at a logical interface Can be applied as a firewall filter policer only Provides moderate allowances for short periods of traffic that exceed the committed burst size Policer configuration Reference the policer from a firewall filter and apply the filter to a protocol family on a logical interface edit firewall Basic single rate TCM policer co...

Page 164: ...lication Policer Configuration Apply the filter to a logical interface at the protocol family level edit interfaces interface name unit unit number family family name filter input filter name output filter name Copyright 2016 Juniper Networks Inc 146 Traffic Policers Feature Guide for EX9200 Switches ...

Page 165: ...lor policer policer name physical interface policer Include the physical interface policer statement family family name Firewall filter configuration single rate color aware color blind filter filter name physical interface filter Include the physical interface filter statement committed information rate bps committed burst size bytes term term name from match conditions excess burst size bytes Ap...

Page 166: ...ilter configuration color aware color blind committed information rate bps filter filter name term term name from Include the three color policer two rate policer name action committed burst size bytes match conditions peak information rate bps Applying the firewall filter to the logical interface peak burst size bytes action then three color policer two rate policer name Include the filter input ...

Page 167: ... Routers T640 Core Routers with Enhanced Scaling FPC4 T4000 Core Routers with FPC5 On MX Series and M120 routers you can apply three color policers to aggregated interfaces The discard action for a tricolor marking policer for a firewall filter is supported on the M120 routers M320 routers with Enhanced III FPCs M7i and M10i routers with the Enhanced CFEB CFEB E and MX Series routers with Trio MPC...

Page 168: ...configured any preexisting color markings are used in determining the appropriate policing action for the packet In color aware mode the three color policer can increase the packet loss priority PLP level of a packet but never decrease it For example if a color aware three color policer meters a packet with a medium PLP marking it can raise the PLP level to high but cannot reduce the PLP level to ...

Page 169: ...s applied Related Documentation Three Color Policer Configuration Overview on page 145 Platforms Supported for Three Color Policers on page 149 Naming Conventions for Three Color Policers on page 151 Naming Conventions for Three Color Policers Because policers can be numerous and must be applied correctly to work a simple naming convention makes it easier to apply the policers properly We recommen...

Page 170: ...a Two rate three color color aware trTCM1 cb trTCM2 cb trTCM3 cb trTCMnumber cb Two rate three color color blind Related Documentation Three Color Policer Configuration Overview on page 145 Platforms Supported for Three Color Policers on page 149 Color Modes for Three Color Policers on page 150 Related Documentation Three Color Policer Configuration Overview on page 145 Guidelines for Applying Tra...

Page 171: ...r peak traffic Single rate tricolor marking single rate TCM classifies traffic as belonging to one of three color categories and performs congestion control actions on the packets based on the color marking Green Traffic that conforms to either the bandwidth limit or the burst size for guaranteed traffic CIR or CBS For a green traffic flow single rate marks the packets with an implicit loss priori...

Page 172: ... traffic plus a second burst size limit for excess traffic Traffic that conforms to the limits for guaranteed traffic is categorized as green and nonconforming traffic falls into one of two categories Nonconforming traffic that does not exceed the burst size for excess traffic is categorized as yellow Nonconforming traffic that exceeds the burst size for excess traffic is categorized as red Each c...

Page 173: ...erface on page 157 CLI Quick Configuration To quickly configure this example copy the following configuration commands into a text file remove any line breaks and then paste the commands into the CLI at the edit hierarchy level set firewall three color policer srTCM1 ca single rate color aware set firewall three color policer srTCM1 ca single rate committed information rate 40m set firewall three ...

Page 174: ...st size 200k statement Because the optional action statement is included this example takes the more severe action of discarding packets in a red traffic flow Results Confirm the configuration of the hierarchical policer by entering the show firewall configuration command If the command output does not display the intended configuration repeat the instructions in this procedure to correct the conf...

Page 175: ...40m committed burst size 100k excess burst size 200k Applying the Filter to the Logical Interface Step by Step Procedure To apply the filter to the logical interface MX Series routers only Optional Reclassify all incoming packets on the logical interface ge 2 0 5 0 to assured forwarding regardless of any preexisting classification edit 1 user host set class of service interfaces ge 2 0 5 unit 0 fo...

Page 176: ...onfiguration is working properly Displaying the Firewall Filters Applied to the Logical Interface Purpose Verify that the firewall filter is applied to IPv4 input traffic at the logical interface Action Use the show interfaces operational mode command for the logical interface ge 2 0 5 0 and specify detail mode The Protocol inet section of the command output displays IPv4 information for the logic...

Page 177: ...estination 10 20 130 24 Local 10 20 130 1 Broadcast 10 20 130 255 Generation 171 Protocol multiservice MTU Unlimited Generation 243 Route table 0 Policer Input __default_arp_policer__ Related Documentation Three Color Policer Configuration Overview on page 145 Single Rate Three Color Policer Overview on page 153 Related Documentation Three Color Policer Configuration Overview on page 145 Three Col...

Page 178: ...Copyright 2016 Juniper Networks Inc 160 Traffic Policers Feature Guide for EX9200 Switches ...

Page 179: ...burst size PBS Maximum packet size permitted for bursts of data that exceed the PIR Two rate tricolor marking two rate TCM classifies traffic as belonging to one of three color categories and performs congestion control actions on the packets based on the color marking Green Traffic that conforms to the bandwidth limit and burst size for guaranteed traffic CIR and CBS For a green traffic flow two ...

Page 180: ...cer Requirements on page 162 Overview on page 162 Configuration on page 163 Verification on page 166 Requirements No special configuration beyond device initialization is required before configuring this example Overview A two rate three color policer meters a traffic flow against a bandwidth limit and burst size limit for guaranteed traffic plus a bandwidth limit and burst size limit for peak tra...

Page 181: ... various levels in the configuration hierarchy For information about navigating the CLI see Using the CLI Editor in Configuration Mode To configure this example perform the following tasks Configuring a Two Rate Three Color Policer on page 164 Configuring an IPv4 Stateless Firewall Filter That References the Policer on page 165 Applying the Filter to a Logical Interface at the Protocol Family Leve...

Page 182: ...limits is categorized as yellow Packets in a yellow flow are implicitly set to medium high loss priority and then transmitted Nonconforming traffic that exceeds both of these limits is categorized as red Packets in a red flow are implicitly set to high loss priority 5 Optional Configure the policer action for red traffic edit firewall three color policer trTCM1 ca user host set action loss priorit...

Page 183: ...rm does not specify any match conditions The firewall filter passes all packets to the policer Results Confirm the configuration of the firewall filter by entering the show firewall configuration mode command If the command output does not display the intended configuration repeat the instructions in this procedure to correct the configuration edit user host show firewall family inet filter filter...

Page 184: ... default classifiers Results Confirm the configuration of the interface by entering the show interfaces configuration mode command If the command output does not display the intended configuration repeat the instructions in this procedure to correct the configuration edit user host show interfaces ge 2 0 5 unit 0 family inet address 10 10 10 1 30 filter input filter trtcm1ca all If you are done co...

Page 185: ...ytes 0 0 bps Output bytes 0 0 bps Input packets 0 0 pps Output packets 0 0 pps Protocol inet MTU 1500 Generation 242 Route table 0 Flags Sendbcast pkt to re Input Filters filter trtcm1ca all Addresses Flags Dest route down Is Preferred Is Primary Destination 10 20 130 24 Local 10 20 130 1 Broadcast 10 20 130 255 Generation 171 Protocol multiservice MTU Unlimited Generation 243 Route table 0 Police...

Page 186: ...Copyright 2016 Juniper Networks Inc 168 Traffic Policers Feature Guide for EX9200 Switches ...

Page 187: ...cal and Physical Interface Traffic Policers at Layer 3 Two Color and Three Color Logical Interface Policers on page 171 Two Color and Three Color Physical Interface Policers on page 185 169 Copyright 2016 Juniper Networks Inc ...

Page 188: ...Copyright 2016 Juniper Networks Inc 170 Traffic Policers Feature Guide for EX9200 Switches ...

Page 189: ...it logical systems logical system name firewall policer policer name To configure a single rate or two rate three color logical interface policer include the logical interface policer statement at one of the following hierarchy levels edit firewall three color policer name edit logical systems logical system name firewall three color policer name NOTE A three color policer can be applied to Layer ...

Page 190: ...ic on a logical interface Requirements on page 172 Overview on page 172 Configuration on page 173 Verification on page 176 Requirements Before you begin make sure that the logical interface to which you apply the two color logical interface policer is hosted on a Gigabit Ethernet interface ge or a 10 Gigabit Ethernet interface xe Overview In this example you configure the single rate two color pol...

Page 191: ...0 20 1 30 arp 20 20 20 2 mac 00 00 11 22 33 44 set firewall policer policer_IFL logical interface policer set firewall policer policer_IFL if exceeding bandwidth percent 90 set firewall policer policer_IFL if exceeding burst size limit 300k set firewall policer policer_IFL then loss priority high set firewall policer policer_IFL then forwarding class best effort set interfaces ge 1 3 1 unit 0 fami...

Page 192: ...edit firewall policer policer_IFL 2 Specify that the policer is a logical interface aggregate policer edit firewall policer policer_IFL user host set logical interface policer A logical interface policer rate limits traffic based on a percentage of the media rate of the physical interface underlying the logical interface to which the policer is applied The policer is applied directly to the interf...

Page 193: ...dited forwarding network control statement In this example the CLI commands and output are based on both setting the packet loss priority level and classifying the packet edit firewall policer policer_IFL user host set then loss priority high user host set then forwarding class best effort Results Confirm the configuration of the policer by entering the show firewall configuration mode command If ...

Page 194: ... are based on rate limiting the IPv4 input traffic at logical interface ge 1 3 1 0 edit interfaces ge 1 3 1 unit 0 user host set family inet policer input policer_IFL Results Confirm the configuration of the interface by entering the show interfaces configuration mode command If the command output does not display the intended configuration repeat the instructions in this procedure to correct the ...

Page 195: ...r of packets evaluated by the policer Action Use the show policer operational mode command and optionally specify the name of the policer The command output displays the number of packets evaluated by each configured policer or the specified policer in each direction For the policer policer_IFL the input and output policer names are displayed as follows policer_IFL ge 1 3 1 0 log_int i policer_IFL...

Page 196: ...face policer directly to a logical interface at the logical unit level and not by referencing the policer in a stateless firewall filter and then applying the filter to the logical interface at the protocol family level Topology In this example you configure the two rate three color policer trTCM2 cb as a color blind logical interface policer and apply the policer to incoming Layer 2 traffic on lo...

Page 197: ...aces ge 1 3 1 unit 0 family inet address 10 10 10 1 30 set interfaces ge 1 3 1 unit 1 vlan id 101 set interfaces ge 1 3 1 unit 1 family inet address 20 20 20 1 30 arp 20 20 20 2 mac 00 00 11 22 33 44 set firewall three color policer trTCM2 cb logical interface policer set firewall three color policer trTCM2 cb two rate color blind set firewall three color policer trTCM2 cb two rate committed infor...

Page 198: ...ee color policer as a logical interface policer Enable configuration of a three color policer edit 1 user host edit firewall three color policer trTCM2 cb 2 Specify that the policer is a logical interface aggregate policer edit firewall three color policer trTCM2 cb user host set logical interface policer A logical interface policer rate limits traffic based on a percentage of the media rate of th...

Page 199: ... can increase the packet loss priority PLP level of a packet but never decrease it For example if a color aware three color policer meters a packet with a medium PLP marking it can raise the PLP level to high but cannot reduce the PLP level to low Results Confirm the configuration of the three color policer by entering the show firewall configuration mode command If the command output does not dis...

Page 200: ...erification Confirm that the configuration is working properly Displaying Traffic Statistics and Policers for the Logical Interface on page 182 Displaying Statistics for the Policer on page 183 Displaying Traffic Statistics and Policers for the Logical Interface Purpose Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical ...

Page 201: ...3 1 0 log_int i trTCM2 cb e 1 3 1 0 log_int o The log_int i suffix denotes a logical interface policer applied to input traffic while the log_int o suffix denotes a logical interface policer applied to output traffic In this example the logical interface policer is applied to input traffic only Related Documentation Logical Interface Aggregate Policer Overview on page 171 Example Configuring a Two...

Page 202: ...Copyright 2016 Juniper Networks Inc 184 Traffic Policers Feature Guide for EX9200 Switches ...

Page 203: ...umerous logical interfaces each corresponding to a different customer configured on the same link to a customer edge CE device Now suppose that a customer wants to apply one set of rate limits aggregately for certain types of traffic on a single physical interface To accomplish this you could apply a single physical interface policer to the physical interface which rate limits all the logical inte...

Page 204: ...requirements apply to a stateless firewall filter that references a physical interface policer You must configure the firewall filter for a specific supported protocol family ipv4 ipv6 mpls vpls or circuit cross connect ccc but not for family any You must configure the firewall filter as a physical interface filter by including the physical interface filter statement at the edit firewall family fa...

Page 205: ...at select the types of packets you want to rate limit and you specify the physical interface policer as the action to apply to matched packets Topology The physical interface policer in this example shared policer A rate limits to 10 000 000 bps and permits a maximum burst of traffic of 500 000 bytes You configure the policer to discard packets in nonconforming flows but you could instead configur...

Page 206: ...card set firewall family inet filter ipv4 filter physical interface filter set firewall family inet filter ipv4 filter term tcp police 1 from precedence critical ecp immediate priority set firewall family inet filter ipv4 filter term tcp police 1 from protocol tcp set firewall family inet filter ipv4 filter term tcp police 1 then policer shared policer A setfirewallfamilyinetfilteripv4 filtertermt...

Page 207: ...its and the action for packets in a nonconforming traffic flow edit firewall policer shared policer A user host set if exceeding bandwidth limit 100m burst size limit 500k user host set then discard For a physical interface filter the actions you can configure for packets in a nonconforming traffic flow are to discard the packets assign a forwarding class assign a PLP value or assign both a forwar...

Page 208: ...t term tcp police 1 from protocol tcp user host set term tcp police 1 then policer shared policer A 4 Configure the first term to match IPv4 packets received through TCP with the IP precedence fields internet control or routine and to apply the physical interface policer as a filter action edit firewall family inet filter ipv4 filter user host set term tcp police 2 from precedence internet control...

Page 209: ...e input direction edit interfaces so 1 0 0 unit 0 family inet user host set filter input ipv4 filter Results Confirm the configuration of the firewall filter by entering the showinterfaces configuration mode command If the command output does not display the intended configuration repeat the instructions in this procedure to correct the configuration edit user host show interfaces so 1 0 0 unit 0 ...

Page 210: ...Dest route down Is Preferred Is Primary Destination 10 39 16 Local 10 39 1 1 Broadcast 10 39 255 255 Generation 163 Displaying the Number of Packets Processed by the Policer at the Logical Interface Purpose Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface Action Use the show firewall operational mode command ...

Page 211: ...Based on Bit Field Values Firewall Filter Match Conditions Based on Address Fields Firewall Filter Match Conditions Based on Address Classes Two Color Policer Configuration Overview on page 49 Three Color Policer Configuration Overview on page 145 Guidelines for Applying Traffic Policers on page 15 physical interface filter on page 230 physical interface policer on page 231 193 Copyright 2016 Juni...

Page 212: ...Copyright 2016 Juniper Networks Inc 194 Traffic Policers Feature Guide for EX9200 Switches ...

Page 213: ...PART 6 Configuration Statements and Operational Commands Configuration Statements on page 197 Firewall Filter and Policer Operational Mode Commands on page 241 195 Copyright 2016 Juniper Networks Inc ...

Page 214: ...Copyright 2016 Juniper Networks Inc 196 Traffic Policers Feature Guide for EX9200 Switches ...

Page 215: ...hical policer on page 217 input policer on page 218 input three color on page 219 layer2 policer on page 220 load balance group on page 221 logical bandwidth policer on page 221 logical interface policer on page 222 loss priority Firewall Filter Action on page 223 loss priority high then discard Three Color Policer on page 224 output policer on page 225 output three color on page 226 peak burst si...

Page 216: ... level introduced in Junos OS Release 11 4 Statement introduced in Junos OS Release 12 3R2 for EX Series switches Description Discard traffic on a logical interface using tricolor marking policing NOTE This statement is supported only on IQ2 interfaces The remaining statement is explained separately Required Privilege Level firewall To view this statement in the configuration firewall control To a...

Page 217: ...epending on the configuration of the two color policer packets in a red traffic flow might be implicitly discarded or the packets might be re marked with a specified forwarding class a specified PLP or both and then passed through the interface NOTE This statement specifies the bandwidth limit as an absolute number of bits per second Alternatively for single rate two color policers only you can us...

Page 218: ...To view this statement in the configuration firewall control To add this statement to the configuration Related Documentation Two Color Policer Configuration Overview on page 49 Policer Bandwidth and Burst Size Limits Policer Color Marking and Actions on page 18 Single Token Bucket Algorithm on page 20 Determining Proper Burst Size for Traffic Policers on page 30 bandwidth percent on page 201 burs...

Page 219: ...d Depending on the configuration of the two color policer packets in a red traffic flow might be implicitly discarded or the packets might be re marked with a specified forwarding class a specified PLP or both and then passed through the interface NOTE This statement specifies the bandwidth limit as a percentage of either the physical interface port speed or the configured logical interface shapin...

Page 220: ...sed for forwarding table filters Bandwidth percentage policers can only be used for interface specific filters Bandwidth percentage policers applied on an aggregated Ethernet bundle or an aggregated SONET bundle do match the effective bandwidth and burst size to user configured values by default and do not require shared bandwidth policer configuration Range 0 through 100 Default None Required Pri...

Page 221: ... on the configuration of the two color policer packets in a red traffic flow might be implicitly discarded or the packets might be re marked with a specified forwarding class a specified PLP or both and then passed through the interface The burst size extends the function of the bandwidth limit configured using either the bandwidth limit bps statement or the bandwidth percent percentage statement ...

Page 222: ...s For a single rate two color policer on an MX Series router and on an EX Series switch the minimum supported burst size limit is equivalent to the amount of traffic allowed by the policer bandwidth limit in a time span of 1 millisecond For example for a policer configured with a bandwidth limit value of 1 Gbps the minimum supported value for burst size limit on an MX Series router is 125 KB If yo...

Page 223: ... Size Limits Policer Color Marking and Actions on page 18 Single Token Bucket Algorithm on page 20 Determining Proper Burst Size for Traffic Policers on page 30 bandwidth limit Policer on page 199 bandwidth percent on page 201 205 Copyright 2016 Juniper Networks Inc Chapter 18 Configuration Statements ...

Page 224: ...priority to a packet because the packet exceeded the committed information rate on the upstream router interface If the local router applies color aware policing to the packet the router cannot change the packet loss priority to low even if the packet conforms to the configured committed information route on the local router interface If the local router applies color blind policing to the packet ...

Page 225: ...acket loss priority to a packet because the packet exceeded the committed information rate on the upstream router interface If the local router applies color aware policing to the packet the router cannot change the packet loss priority to low even if the packet conforms to the configured committed information route on the local router interface NOTE A color aware policer cannot be applied to Laye...

Page 226: ...erage rate that conforms to the CIR is categorized green During periods of average traffic rates below the CIR any unused bandwidth capacity accumulates up to a maximum amount defined by the CBS Short periods of bursting traffic back to back traffic at averages rates that exceed the CIR are also categorized as green provided that unused bandwidth capacity is available Traffic that exceeds both the...

Page 227: ...on page 145 Policer Bandwidth and Burst Size Limits Policer Color Marking and Actions on page 18 Dual Token Bucket Algorithms on page 22 Determining Proper Burst Size for Traffic Policers on page 30 committed information rate on page 210 excess burst size on page 212 peak burst size on page 227 peak information rate on page 229 209 Copyright 2016 Juniper Networks Inc Chapter 18 Configuration State...

Page 228: ...e conditions A flow of traffic at an average rate that conforms to the CIR is categorized green During periods of average traffic rates below the CIR any unused bandwidth capacity accumulates up to a maximum amount defined by the committed burst size CBS Short periods of bursting traffic back to back traffic at averages rates that exceed the CIR are also categorized as green provided that unused b...

Page 229: ...olor Policer Configuration Overview on page 145 Policer Bandwidth and Burst Size Limits Policer Color Marking and Actions on page 18 Dual Token Bucket Algorithms on page 22 Determining Proper Burst Size for Traffic Policers on page 30 committed burst size on page 208 excess burst size on page 212 peak burst size on page 227 peak information rate on page 229 211 Copyright 2016 Juniper Networks Inc ...

Page 230: ...nt included in the policer configuration During periods of traffic that conforms to the CIR any unused portion of the guaranteed bandwidth capacity accumulates in the first token bucket up to the maximum number of bytes defined by the CBS If any accumulated bandwidth capacity overflows the first bucket the excess accumulates in a second token bucket up to the maximum number of bytes defined by the...

Page 231: ...se 9 3 Support at the edit dynamic profiles policer policer name hierarchy level introduced in Junos OS Release 11 4 Statement introduced in Junos OS Release 12 3R2 for EX Series switches Description Set the prefix specific action or policer to operate in filter specific mode meaning that a single policer and counter are shared by all filter terms that reference the prefix specific action or polic...

Page 232: ... Packets Per Second pps Based hierarchical policer hierarchical policer name uid aggregate if exceeding pps pps limit pps packet burst packets then discard premium if exceeding pps Hierarchical Policer pps limit Hierarchical Policer pps packet burst Hierarchical Policer packets then discard Hierarchy Level edit dynamic profiles profile name firewall edit firewall Release Information Statement intr...

Page 233: ...if exceeding and if exceeding pps statements are mutually exclusive and therefore cannot be applied at the same time Options hierarchical policer name Name that identifies the policer The name can contain letters numbers and hyphens and can be up to 255 characters long To include spaces in the name enclose the name in quotation marks uid When you configure a hierarchical policer at the edit dynami...

Page 234: ...witches Description Configure rate limits for a single rate two color policer The remaining statements are explained separately Required Privilege Level firewall To view this statement in the configuration firewall control To add this statement to the configuration Related Documentation Two Color Policer Configuration Overview on page 49 Hierarchical Policer Configuration Overview Basic Single Rat...

Page 235: ... 12 3R2 for EX Series switches Description Apply a hierarchical policer to the Layer 2 input traffic for all protocol families at the physical or logical interface Options policer name Name of the hierarchical policer Required Privilege Level interface To view this statement in the configuration interface control To add this statement to the configuration Related Documentation Hierarchical Policer...

Page 236: ...ve Options policer name Name of the single rate two color policer that you define at the edit firewall hierarchy level Usage Guidelines See Applying Layer 2 Policers to Gigabit Ethernet Interfaces Required Privilege Level interface To view this statement in the configuration interface control To add this statement to the configuration Related Documentation Two Color and Three Color Policers at Lay...

Page 237: ... policer statements are mutually exclusive Options policer name Name of the single rate or two rate three color policer Usage Guidelines See Applying Layer 2 Policers to Gigabit Ethernet Interfaces Required Privilege Level interface To view this statement in the configuration interface control To add this statement to the configuration Related Documentation Two Color and Three Color Policers at La...

Page 238: ...s are configured at the edit firewall hierarchy level Options input policer policer name Two color input policer to associate with the interface This statement is mutually exclusive with the input three color statement input three color policer name Tricolor input policer to associate with the interface This statement is mutually exclusive with the input policer statement output policer policer na...

Page 239: ...s logical system name firewall policer policer name Release Information Statement introduced in Junos OS Release 8 2 Logical systems support introduced in Junos OS Release 9 3 Support at the edit dynamic profiles policer policer name hierarchy level introduced in Junos OS Release 11 4 Statement introduced in Junos OS Release 12 3R2 for EX Series switches Description For a policer with a bandwidth ...

Page 240: ... dynamic profiles policer policer name and edit dynamic profiles three color policer name hierarchy levels introduced in Junos OS Release 11 4 Statement introduced in Junos OS Release 12 3R2 for EX Series switches Description Configure a logical interface policer NOTE Starting in Junos OS Release 12 2R2 on T Series Core Routers only you can configure an MPLS LSP policer for a specific LSP to be sh...

Page 241: ...unos OS Release 7 4 Statement introduced in Junos OS Release 12 3R2 for EX Series switches Description Set the loss priority of incoming packets Required Privilege Level interface To view this statement in the configuration interface control To add this statement to the configuration Related Documentation Firewall Filter Nonterminating Actions Policer Color Marking and Actions on page 18 Multifiel...

Page 242: ...kets that have high packet loss priority For single rate three color policers the Junos OS assigns high loss priority to packets that exceed the committed information rate and the excess burst size For two rate three color policers the Junos OS assigns high loss priority to packets that exceed the peak information rate and the peak burst size Required Privilege Level firewall To view this statemen...

Page 243: ...utput three color statements are mutually exclusive Options policer name Name of the single rate two color policer that you define at the edit firewall hierarchy level Required Privilege Level interface To view this statement in the configuration interface control To add this statement to the configuration Related Documentation Two Color and Three Color Policers at Layer 2 on page 39 Applying Laye...

Page 244: ... The output three color and output policer statements are mutually exclusive Options policer name Name of the single rate or two rate three color policer Required Privilege Level interface To view this statement in the configuration interface control To add this statement to the configuration Related Documentation Two Color and Three Color Policers at Layer 2 on page 39 Applying Layer 2 Policers t...

Page 245: ...thm to measure traffic against two rate limits A traffic flow is categorized green if it conforms to both the committed information rate CIR and the CBS bounded accumulation of available committed bandwidth capacity A traffic flow is categorized yellow if exceeds the CIR and CBS but conforms to the PIR Packets in a yellow flow are marked with medium high packet loss priority PLP and then passed th...

Page 246: ...Determining Proper Burst Size for Traffic Policers on page 30 committed burst size on page 208 committed information rate on page 210 excess burst size on page 212 peak information rate on page 229 Copyright 2016 Juniper Networks Inc 228 Traffic Policers Feature Guide for EX9200 Switches ...

Page 247: ...dual token bucket algorithm to measure traffic against two rate limits A traffic flow is categorized green if it conforms to both the CIR and the CBS bounded accumulation of available committed bandwidth capacity A traffic flow is categorized yellow if exceeds the CIR and CBS but conforms to the PIR Packets in a yellow flow are marked with medium high packet loss priority PLP and then passed throu...

Page 248: ...name firewall family family name filter filter name edit logical systems logical system name routing instances routing instance name firewall family family name filter filter name Release Information Statement introduced in Junos OS Release 9 6 Statement introduced in Junos OS Release 12 3R2 for EX Series switches Description Configure a physical interface filter Use this statement to reference a ...

Page 249: ...an aggregate policer for a physical interface A physical interface policer can be a two color or three color policer When you apply physical interface policer to different protocol families on the same logical interface the protocol families share the same policer instance This means that rate limiting is performed aggregately for the protocol families for which the policer is applied This feature...

Page 250: ...fic protocol family you can apply a basic two color policer a bandwidth policer or a logical interface policer at the protocol family level of a supported interface NOTE You cannot apply a physical interface policer as part of the interface configuration You can apply a physical interface policer by referencing the policer from a physical interface filter term Options input policer name Name of on...

Page 251: ... Release 11 4 Statement introduced in Junos OS Release 12 3R2 for EX Series switches Description Configure policer rate limits and actions When included at the edit firewall hierarchy level the policer statement creates a template and you do not have to configure a policer individually for every firewall filter or interface To activate a policer you must include the policer action modifier in the ...

Page 252: ... then edit logical systems logical system name firewall family family name filter filter name term term name then Release Information Statement introduced before Junos OS Release 7 4 Logical systems support introduced in Junos OS Release 9 3 Statement introduced in Junos OS Release 12 3R2 for EX Series switches Description For T Series routers and M320 routers with Enhanced II Flexible PIC Concent...

Page 253: ... Enable counter destination prefix length prefix length Destination prefix length Range 0 through 32 filter specific Create the prefix specific set of policers and counters as a filter specific set If this option is not specified the prefix specific set of policers and counters are created as term specific policer policer name Policer name source prefix length prefix length Source prefix length Ra...

Page 254: ...before Junos OS Release 7 4 Logical systems support introduced in Junos OS Release 9 3 Statement introduced in Junos OS Release 12 3R2 for EX Series switches Description Reference a prefix specific action Options prefix action name Name of a prefix specific action to use to rate limit traffic Related Documentation Firewall Filter Nonterminating Actions Prefix Specific Counting and Policing Actions...

Page 255: ...information rate CIR committed burst size CBS and excess burst size EBS Packets that conform to the CIR or the CBS are assigned low loss priority green Packets that exceed the CIR and the CBS but are within the EBS are assigned medium high loss priority yellow Packets that exceed the EBS are assigned high loss priority red Green and yellow packets are always forwarded this action is not configurab...

Page 256: ...ment introduced in Junos OS Release 12 3R2 for EX Series switches Description Apply a tricolor marking policer Options single rate Named tricolor policer is a single rate policer two rate Named tricolor policer is a two rate policer policer name Name of a tricolor policer Required Privilege Level firewall To view this statement in the configuration firewall control To add this statement to the con...

Page 257: ...nos OS Release 8 2 Logical systems support introduced in Junos OS Release 9 3 Support at the edit dynamic profiles firewall hierarchy level introduced in Junos OS Release 11 4 Description Configure a three color policer Options policer name Name of the three color policer Reference this name when you apply the policer to an interface uid When you configure a policer at the edit dynamic profiles hi...

Page 258: ...e 12 3R2 for EX Series switches Description Configure a two rate three color policer in which marking is based on the committed information rate CIR committed burst size CBS peak information rate PIR and peak burst size PBS Packets that conform to the CIR or the CBS are assigned low loss priority green Packets that exceed the CIR and the CBS but are within the PIR or the PBS are assigned medium hi...

Page 259: ...rewall Filter and Policer Operational Mode Commands clear firewall show firewall show firewall filter version show firewall log show firewall prefix action stats show policer 241 Copyright 2016 Juniper Networks Inc ...

Page 260: ...specifying which firewall statistics you want to clear NOTE Theclearfirewall commandcannotbeusedtocleartheRoutingEngine filter counters on a backup Routing Engine that is enabled for graceful Routing Engine switchover GRES If you clear statistics for firewall filters that are applied to Trio based DPCs and that also use the prefix action action on matched packets wait at least 5 seconds before you...

Page 261: ...43 clear firewall filter filter name on page 243 clear firewall policer counter all EX8200 Switch on page 243 clearfirewall policercountercounter idcounter index EX8200Switch onpage243 Sample Output clear firewall all user host clear firewall all clear firewall counter counter name user host clear firewall counter port filter counter clear firewall filter filter name user host clear firewall filte...

Page 262: ...d in Junos OS Release 14 1 for MX Series routers Option regex regular expression introduced in Junos OS Release 14 2 Description Display enhanced statistics and counters for all configured firewall filters Options none Optional Display statistics and counters for all configured firewall filters and counters For EX Series switches this command also displays statistics about all configured policers ...

Page 263: ...ter MX Series Router and EX Series Switch on page 248 show firewall filter non MX Series Router and EX Series Switch on page 248 show firewall filter Dynamic Input Filter on page 248 show firewall Logical Systems on page 248 show firewall counter counter name on page 249 show firewall log on page 249 show firewall policer counters EX8200 Switch on page 249 show firewall policer counters detail EX8...

Page 264: ...pecified NOTE On M and T Series routers firewall filters cannot count ip options packets on a per option type and per interface basis A limited work around is to use the show pfe statistics ip options command to see ip options statistics on a per Packet Forwarding Engine PFE basis See show pfe statistics ip for sample output Counters Display policer information Name Name of policer Bytes For two c...

Page 265: ... management counter Policer name OOS packet statistics for packets that are marked out of specification out of spec by the policer Changes to all packets that have out of spec actions such as discard color marking or forwarding class are included in this counter Offered packet statistics for traffic subjected to policing Transmitted packet statistics for traffic that is not discarded by the police...

Page 266: ...ynamic Input Filter user host show firewall filter dfwd ge 5 0 0 1 in Filter dfwd ge 5 0 0 1 in Counters Name Bytes Packets c1 ge 5 0 0 1 in 0 0 show firewall Logical Systems user host show firewall Filter __lr1 test Counters Name Bytes Packets icmp 420 5 Filter __default_bpdu_filter__ Filter __lr1 inet_filter1 Counters Name Bytes Packets inet_tcp_count 0 0 inet_udp_count 0 0 Filter __lr1 inet_fil...

Page 267: ... 5 192 168 3 4 08 00 48 pfe R ge 1 0 1 0 ICMP 192 168 3 5 192 168 3 4 08 00 47 pfe R ge 1 0 1 0 ICMP 192 168 3 5 192 168 3 4 show firewall policer counters EX8200 Switch user switch show firewall policer counters Policer Counter Index 0 Bytes Packets Green 73 15914 Yellow 9 1962 Discard 119 25942 Policer Counter Index 1 Bytes Packets Green 0 0 Yellow 0 0 Discard 0 0 Policer Counter Index 2 Bytes P...

Page 268: ...ow 9 1962 Discard 119 25942 show firewall policer counters counter id counter index detail EX8200 Switch user switch show firewall policer counters counter id 0 detail Policer Counter Index 0 Bytes Packets Green 73 15914 Yellow 9 1962 Discard 119 25942 Filter name Term name Policer name myfilter polcr term 1 myfilter polcr 1 inet filter ae ae snmp policer 1 inet filter ae ae ssh policer 2 show fir...

Page 269: ... is 4 294 967 295 When the version number reaches 4 294 967 295 this number is reset to 1 Required Privilege Level view List of Sample Output show firewall filter version on page 251 Output Fields Table 14 on page 251 lists the output fields for the show firewall filter version command Output fields are listed in the approximate order in which they appear Table 14 show firewall filter version Outp...

Page 270: ...il Optional Display detailed information extensive Optional Display hex dump of packet captured by log action interface interface name Optional Display log information about a specific interface logical system logical system name all Optional Perform this operation on all logical systems or on a particular system Required Privilege Level view List of Sample Output show firewall log on page 253 sho...

Page 271: ...egp gre icmp ipip ospf pim rsvp tcp or udp Name of protocol Length of the packet Packet length Packet s source address Source address Packet s destination address and port Destination address Sample Output show firewall log user host show firewall log Time Filter Action Interface Protocol Src Addr Dest Addr 13 10 12 pfe D rlsq0 902 ICMP 192 0 2 2 192 0 2 1 13 10 11 pfe D rlsq0 902 ICMP 192 0 2 2 1...

Page 272: ...h 49245 Source address 203 0 113 108 829 Destination address 192 168 70 66 513 show firewall log extensive user host show firewall log extensive Time of Log 2016 01 17 22 16 21 PST Filter pfe Filter action accept Name of interface xe 0 0 1 0 Name of protocol UDP Packet Length 98 Source address 203 0 113 1 Destination address 203 0 113 1 00 0F 00 01 03 ee ee ff 00 01 09 22 55 ee 81 00 02 58 10 1F 0...

Page 273: ...ion stats command A 5 second pause between issuing the clear firewall and show firewall prefix action stats commands avoids a possible timeout of the show firewall prefix action stats command By default policers operate in term specific mode See Filter Specific Policer Overview on page 85 for information about how to configure policers in filter specific mode Options filter filter name Name of a f...

Page 274: ...that there is a term named term1 configured in the firewall filter test show firewall prefix action stats user host show firewall prefix action stats filter test prefix action act1 term1 from 0 to 9 Filter test Counters Name Bytes Packets act1 0 0 0 act1 1 0 0 act1 2 0 0 act1 3 0 0 act1 4 0 0 act1 5 0 0 act1 6 0 0 act1 7 0 0 act1 8 0 0 act1 9 0 0 Policers Name Bytes Packets act1 0 0 0 act1 1 0 0 a...

Page 275: ...n MX Series Router on page 258 show policer Aggregate Policer non MX Series Router on page 258 show policer detail on page 259 Output Fields Table 17 on page 257 lists the output fields for the show policer command Output fields are listed in the approximate order in which they appear Table 17 show policer Output Fields Field Description Field Name Name of the policer Name For two color policers o...

Page 276: ...et i 10372300 103723 pol 2M ge 1 2 0 1 inet6 i 7727800 77278 pol 2M ge 1 2 0 1 mpls i 7070336 67984 pol 2M ge 1 2 0 1001 vpls i 65153700 651537 pol 2M ge 1 2 0 2001 vpls i 65180900 651809 pol 2M ge 1 2 0 3001 ccc i 62202144 647939 show policer non MX Series Router user host show policer Policers Name Bytes Packets __default_arp_policer__ NA 5242 pol 2M ge 1 2 0 1 inet i NA 103723 pol 2M ge 1 2 0 1...

Page 277: ...c3 NA 0 show policer detail user host show policer detail Policers Name Bytes Packets __default_arp_policer__ OOS 0 0 Offered 0 496 Transmitted 0 496 P1 xe 1 0 0 0 inet i OOS 0 11329 Offered 0 111188 Transmitted 0 99859 259 Copyright 2016 Juniper Networks Inc Chapter 19 Firewall Filter and Policer Operational Mode Commands ...

Page 278: ...Copyright 2016 Juniper Networks Inc 260 Traffic Policers Feature Guide for EX9200 Switches ...

Reviews:

No comments

Related manuals for EX9200 Series

D-Link DES-1228/ME User Manual preview
DES-1228/ME
Brand: D-Link Pages: 267
B+B SmartWorx UR5i v2 Libratum Start Manual preview
UR5i v2 Libratum
Brand: B+B SmartWorx Pages: 8
B+B SmartWorx ICR-1601 Start Manual preview
ICR-1601
Brand: B+B SmartWorx Pages: 8
Quatech DS-3000 User Manual preview
DS-3000
Brand: Quatech Pages: 27
Raritan DOMINION SX - Quick Setup Manual preview
DOMINION SX -
Brand: Raritan Pages: 4
IBM 8677 - BladeCenter Rack-mountable - Power... Planning And Installation Manual preview
8677 - BladeCenter Rack-mountable - Power...
Brand: IBM Pages: 126
Ruckus Wireless ZoneFlex 7731 Getting Started Manual preview
ZoneFlex 7731
Brand: Ruckus Wireless Pages: 56
Renesas RSKH836079 Quick Start Manual preview
RSKH836079
Brand: Renesas Pages: 6
Delta Electronics DTE-20T Instruction Sheet preview
DTE-20T
Brand: Delta Electronics Pages: 1
TRENDnet TW-100 Specifications preview
TW-100
Brand: TRENDnet Pages: 2
Weidmuller IE-SW-VL16-14TX-2SC Hardware Installation Manual preview
IE-SW-VL16-14TX-2SC
Brand: Weidmuller Pages: 17
Davey RainBank mkII Installation Instructions Manual preview
RainBank mkII
Brand: Davey Pages: 18
UfiSpace S9600-64X Hardware Installation Manual preview
S9600-64X
Brand: UfiSpace Pages: 35
Point of View SmartTV 210 User Manual preview
SmartTV 210
Brand: Point of View Pages: 13
HELVAR Imagine 920 Installation Manual preview
Imagine 920
Brand: HELVAR Pages: 2
VoiceLine InnoMedia MTA 3328-2R Getting Started Manual preview
InnoMedia MTA 3328-2R
Brand: VoiceLine Pages: 18
Multitech ISI608PC Owner'S Manual preview
ISI608PC
Brand: Multitech Pages: 81
Ubiquiti PowerBeam PBE-5AC-400-ISO Quick Start Manual preview
PowerBeam PBE-5AC-400-ISO
Brand: Ubiquiti Pages: 23

Brands by name

Popular brands

Load more brands