Classifier Groups - Juniper E320 Configuration Manual

JUNOSe 7.2.x Policy Management Configuration Guide
Shared rate limits in the hierarchy keep the combined traffic below a configured
maximum without dropping preferred packets. Preferred packets always reduce
tokens on these rate limits, making their token counts negative, if necessary. Later
non-preferred packets are then dropped in greater volume, bringing the total traffic
through the shared rate limit below its configured maximum.
Every packet passing through a rate limit hierarchy has an owner, which is the last
rate limit that can modify the packet; for example, by changing its color or dropping
it. Preferred packets are owned by their individual preferred rate limits, which do
not transfer ownership of the packet while the packet traverses the hierarchy.
Ownership of non-preferred packets is transferred while they move from one
rate-limit to the next in the hierarchy, so shared rate limits can change the packet
color or drop them.

Classifier Groups

Rate-limit hierarchies can be intra-interface, where different flows from classifier
groups are in one policy attachment on an interface. Each time the policy is
attached to another interface the rate-limit hierarchy is replicated, with no rate
limits shared between attachments. Hierarchical rate-limits are only applied at
forwarding interfaces because they provide the most accurate classification of
packets.
You can configure rate-limit hierarchies by defining a hierarchy of policy classifier
and parent groups, each with a rate limit. This hierarchy applies to the packet flow
on one interface attachment for the policy. Each policy attachment creates its own
copy of the rate-limit hierarchy. There are no shared rate limits across interface
attachments.
A policy-based rate-limit hierarchy consists of classifier groups with an aggregate
node policy object. Aggregate nodes create the interior nodes of a policy-based
hierarchy; they are not classifier groups and the only policy rule applicable to them
is the rate limit rule. Every classifier group or aggregate node can select another
aggregate node as its parent. The policy manager ensures that these choices always
result in a hierarchy. Not every classifier group with a parent aggregate node must
have a rate limit rule; multiple classifier groups can share a common parent group,
which may have a rate limit rule.
A policy imposes a limit of three parent groups that can be traversed from any
classifier group. However, the total number of parent groups in one policy can be up
to 512, but every packet must pass through no more than three parent groups at
any point.
In a hierarchy of rate limits, a rate limit can be color-blind or color-aware; color-blind
rate limits run the same algorithm for all packets, regardless of their color.
Color-aware rate limits can change the algorithm used, depending on the color of
the incoming packet (possibly set in the previous rate limit or an earlier policy, such
as a VLAN policy on ingress or an IP policy). The color mark profile action changes
the ToS field for the packet, depending on packet type (EXP for MPLS, DSCP or ToS
for IPv4), and transmits the packet. If the mark action uses a color-mark profile, the
ToS values marked can depend on the color of the packet.
78 !
Hierarchical Rate Limits