Juniper EX9200 Features Manual

Traffic Policers Feature Guide for EX9200 Switches
Release 16.2
Modified: 2016-11-02
Copyright © 2016, Juniper Networks, Inc.

Summary of Contents for Juniper EX9200

  • Page 2 END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html.
  • Page 3: Table Of Contents

    Guidelines for Applying Traffic Policers ... 15
  • Page 4 Chapter 4: Configuring Policer Rate Limits and Actions ... 17; Policer Bandwidth and Burst-Size Limits ...
  • Page 6 Multifield Classification Limitations on M Series Routers ... 119; Problem: Output-Filter Matching on Input-Filter Classification ... 119; Workaround: Configure All Actions in the Ingress Filter ...
  • Page 9: List Of Figures

    Figure 14: Multifield Classifier Scenario ... 129
  • Page 11: List Of Tables

    Table 17: show policer Output Fields ... 257
  • Page 13: About The Documentation

    To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/ . If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.
  • Page 14: Merging A Full Example

    If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.
  • Page 15: Documentation Conventions

    Table 2: Text and Syntax Conventions. Columns: Convention / Description / Examples. Bold text like this: represents text that you type. Example: to enter configuration mode, type the configure command: user@host> configure
  • Page 16 Table 2: Text and Syntax Conventions (continued). Fixed-width text like this: represents output that appears on the terminal screen. Example: user@host> show chassis alarms / No alarms currently active. Italic text like this...
  • Page 17: Documentation Feedback

    We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods: Online feedback rating system: on any page of the Juniper Networks TechLibrary site (http://www.juniper.net/techpubs/index.html), simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience.
  • Page 18: Opening A Case With Jtac

    Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/ Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/ Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/ Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/...
  • Page 19: Overview

    PART 1 Overview: Understanding Traffic Policers on page 3; Traffic Policing Standards on page 13; Introduction to Configuring Policers on page 15
  • Page 21: Understanding Traffic Policers

    You can apply a policer to inbound or outbound interface traffic. Policers applied to inbound traffic help to conserve resources by dropping traffic that does not need to be
  • Page 22: Traffic Limits

    routed through a network. Dropping inbound traffic also helps to thwart denial-of-service (DoS) attacks. Policers applied to outbound traffic control the bandwidth used. NOTE: Traffic policers are instantiated on a per-PIC basis. Traffic policing does not work when the traffic for one local policy decision function (L-PDF) subscriber is distributed over multiple Multiservices PICs in an AMS group.
  • Page 23: Traffic Color Marking

    ...Color Marker, as part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. This type of policer meters traffic based on the configured CIR and peak information rate (PIR),
  • Page 24: Forwarding Classes And Plp Levels

    along with their associated burst sizes, the CBS and peak burst size (PBS). Traffic is marked as belonging to one of three categories (green, yellow, or red) based on whether the packets arriving are below the CIR (green), exceed the CIR (yellow) but not the PIR, or exceed the PIR (red).
  • Page 25: Policer Application To Traffic

    You can configure policers at the queue, logical interface, or Layer 2 (MAC) level. Only a single policer is applied to a packet at the egress queue, and the search for policers occurs in this order: (1) queue level, (2) logical interface level, (3) Layer 2 (MAC) level.
  • Page 26: Traffic Policer Types

    Related Documentation: Stateless Firewall Filter Overview; Order of Policer and Firewall Filter Operations on page 11; Packet Flow Through the Junos OS CoS Process Overview. Traffic Policer Types: This topic covers the following information:...
  • Page 27: Logical Bandwidth Policer

    Two-Color and Three-Color Policer Options: Both two-color and three-color policers can be configured with the following options: Logical Interface (Aggregate) Policers on page 10; Physical Interface Policers on page 10;
  • Page 28: Logical Interface (Aggregate) Policers

    Policers Applied to Layer 2 Traffic on page 10; Multifield Classification on page 11. Logical Interface (Aggregate) Policers: A logical interface policer can be a two-color policer, not a three-color policer. When you...
  • Page 29: Multifield Classification

    If an output firewall filter is configured on the same logical interface as a policer, the firewall filter is executed first. Figure 2 on page 12 illustrates the order of policer and firewall filter processing at the same interface.
  • Page 30: Understanding The Frame Length For Policing Packets

    Figure 2: Incoming and Outgoing Policers and Firewall Filters. Related Documentation: Two-Color Policer Configuration Overview on page 49; Three-Color Policer Configuration Overview on page 145; Hierarchical Policer Configuration Overview. Understanding the Frame Length for Policing Packets...
  • Page 31: Traffic Policing Standards

    ...IP header contain a value called the Differentiated Services code point (DSCP). Within the DSCP field, the most significant 3 bits are interpreted as the IP precedence field, which can be used to select different per-hop forwarding treatments for the packet.
  • Page 33: Introduction To Configuring Policers

    Policers can be applied to unicast packets only. For information about configuring a filter for flooded traffic, see Applying Forwarding Table Filters. Related Documentation: Two-Color Policer Configuration Overview on page 49; Three-Color Policer Configuration Overview on page 145; Hierarchical Policer Configuration Overview.
  • Page 35: Configuring Policer Rate Limits And Actions

    Also defines a second, larger burst size (excess-burst-size bytes). This second burst size is used to differentiate between two categories of nonconforming traffic (yellow or red). Supported range on M, MX, and T Series routers and EX Series switches: 1500..100000000000 bytes.
  • Page 36: Policer Color-Marking And Actions

    Table 5: Policer Bandwidth Limits and Burst-Size Limits (continued). Columns: Policer Type / Bandwidth Limits / Burst-Size Limits. Two-Rate Three-Color Policer: defines a committed rate limit (committed-information-rate bps), that is, a bandwidth limit and an allowed burst size for conforming traffic (committed-burst-size bytes).
  • Page 37 ... Discard the packet. Exceeds rate limits: assign to a forwarding class; set PLP to high (on some platforms, you can also set the PLP to medium-low or medium-high). Premium policer: bandwidth limit and burst size.
  • Page 38: Single Token Bucket Algorithm

    Table 6: Implicit and Configurable Policer Actions Based on Color Marking (continued). Columns: Policer Rate Limits and Color Marking / Implicit Action / Configurable Actions. Green (conforms to rate limits): implicit action is to set PLP to low; no configurable actions. Red (exceeds rate limits): no implicit action; configurable actions include discard the packet.
  • Page 39: Conformance Measurement For Two-Color Marking

    Related Documentation: Two-Color Policer Configuration Overview on page 49; Hierarchical Policer Configuration Overview; Policer Color-Marking and Actions on page 18; bandwidth-limit (Hierarchical Policer); bandwidth-limit (Policer) on page 199; bandwidth-percent on page 201; burst-size-limit (Hierarchical Policer); burst-size-limit (Policer) on page 203
  • Page 40: Dual Token Bucket Algorithms

    Traffic Policers Feature Guide for EX9200 Switches Dual Token Bucket Algorithms This topic covers the following information: Token Bucket Concepts on page 22 Guaranteed Bandwidth for Three-Color Marking on page 22 Nonconformance Measurement for Single-Rate Three-Color Marking on page 22...
  • Page 41: Nonconformance Measurement For Two-Rate Three-Color Marking

    Related Documentation: Three-Color Policer Configuration Overview on page 145; Policer Color-Marking and Actions on page 18; committed-burst-size on page 208; committed-information-rate on page 210; excess-burst-size on page 212; peak-burst-size on page 227; peak-information-rate on page 229
  • Page 43: Implementing Traffic Policers On EX9200 Switches

    (The remainder of this topic discusses the single token bucket algorithm.) To configure a policer, you need to set two parameters: the bandwidth limit, configured in bps (using the bandwidth-limit statement), and the burst size, configured in bytes (using the burst-size-limit statement).
  • Page 44 NOTE: For single-rate two-color policers only, you can also specify the bandwidth limit as a percentage of either the physical interface port speed or the configured logical interface shaping rate by using the bandwidth-percent percentage statement.
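The token-bucket metering described for the single token bucket (pages 43 and 44) and for the dual token buckets of a two-rate three-color policer (pages 40 and 41), as an added example that is not Juniper code and not part of the guide. It models the bucket in the guide's own terms (bandwidth-limit and burst-size-limit; CIR/CBS and PIR/PBS) with RFC 2698 color-blind marking order for the three-color case. The rates, burst sizes, packet sizes and arrival times used by the two demo functions are constructed for illustration; the policer names and the 700m / 15k values echo the guide's example.

```python
# Added example (not Juniper code): token-bucket metering for a single-rate
# two-color policer and a two-rate three-color policer.  Rates, packet sizes
# and arrival times below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Bucket:
    rate_bps: float       # token refill rate (bits per second)
    depth_bytes: int      # bucket depth, i.e. the configured burst size
    tokens: float = -1.0  # current tokens in bytes (set in __post_init__)
    last_t: float = 0.0   # time of the last refill (seconds)

    def __post_init__(self):
        self.tokens = float(self.depth_bytes)   # the bucket starts full

    def refill(self, now):
        # Tokens accrue at rate/8 bytes per second and are capped at the depth:
        # a large burst size is exactly what lets a long line-rate burst through.
        self.tokens = min(self.depth_bytes,
                          self.tokens + (now - self.last_t) * self.rate_bps / 8)
        self.last_t = now

    def has(self, nbytes):
        return self.tokens >= nbytes

    def take(self, nbytes):
        self.tokens -= nbytes


class SingleRateTwoColor:
    """bandwidth-limit bps plus burst-size-limit bytes; packets are green or red."""

    def __init__(self, bandwidth_limit_bps, burst_size_limit_bytes):
        self.bucket = Bucket(bandwidth_limit_bps, burst_size_limit_bytes)

    def meter(self, now, nbytes):
        self.bucket.refill(now)
        if self.bucket.has(nbytes):
            self.bucket.take(nbytes)
            return "green"               # conforms: transmitted unchanged
        return "red"                     # exceeds: 'then discard' or re-mark


class TwoRateThreeColor:
    """CIR/CBS and PIR/PBS buckets, color-blind, RFC 2698 marking order."""

    def __init__(self, cir_bps, cbs_bytes, pir_bps, pbs_bytes):
        self.c = Bucket(cir_bps, cbs_bytes)
        self.p = Bucket(pir_bps, pbs_bytes)

    def meter(self, now, nbytes):
        self.c.refill(now)
        self.p.refill(now)
        if not self.p.has(nbytes):
            return "red"                 # exceeds PIR/PBS: implicit PLP high
        if not self.c.has(nbytes):
            self.p.take(nbytes)
            return "yellow"              # within PIR, exceeds CIR: PLP medium-high
        self.c.take(nbytes)
        self.p.take(nbytes)
        return "green"                   # within CIR/CBS: PLP low


def two_color_demo():
    """Constructed input: 20 back-to-back 1500-byte packets at t=0 against the
    guide's policer (bandwidth-limit 700m, burst-size-limit 15k), then one more
    packet 1 ms later, after the bucket has refilled."""
    pol = SingleRateTwoColor(700_000_000, 15_000)
    colors = [pol.meter(0.0, 1500) for _ in range(20)]
    colors.append(pol.meter(0.001, 1500))
    return colors


def three_color_demo():
    """Constructed input: 30 back-to-back 1000-byte packets at t=0 against
    CIR 1 Mbps / CBS 10 000 bytes and PIR 2 Mbps / PBS 20 000 bytes."""
    pol = TwoRateThreeColor(1_000_000, 10_000, 2_000_000, 20_000)
    return [pol.meter(0.0, 1000) for _ in range(30)]


if __name__ == "__main__":
    print(two_color_demo())      # 10 green, 10 red, then green after refill
    print(three_color_demo())    # 10 green, 10 yellow, 10 red
```

In the two-color run the first ten packets drain the 15,000-byte bucket and the next ten are red even though the bandwidth limit (700 Mbps) is nowhere near exceeded on average; one millisecond later the bucket is full again. That is the behaviour the burst-size sections that follow are about: burst-size-limit, not bandwidth-limit, decides how many back-to-back packets a policer lets through.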
  • Page 45: Implementing Traffic Policers On EX9200 Switches

    Figure 4: Traffic Behavior Using Policer and Burst Size (traffic volume plotted over time against the bandwidth limit; tokens left unused during quiet periods accumulate in the bucket, and later bursts spend those unused tokens).
  • Page 46: Understanding The Benefits Of Policers And Token Bucket Algorithms

    NOTE: The measured length of a packet changes according to the family type that the policer applies to. If the policer is applied under the family inet hierarchy, the policer considers only the IPv4 packet length. If the policer is...
  • Page 47: Scenario 2: Multiple Tcp Connections

    To reduce the problem of unused bandwidth in your network, you can configure a burst size. Related Documentation: Policer Implementation Overview on page 25; Determining Proper Burst Size for Traffic Policers on page 30
  • Page 48: Determining Proper Burst Size For Traffic Policers

    Determining Proper Burst Size for Traffic Policers. This topic covers the following information: Policer Burst Size Limit Overview on page 30; Effect of Burst-Size Limit on page 31; Two Methods for Calculating Burst-Size Limit on page 32...
  • Page 49: Effect Of Burst-Size Limit

    Burst-Size Limit That Depletes All Accumulated Tokens: Configuring a large burst size for the unused tokens creates another issue. If the burst size is set to a very large value, the burst of traffic can be transmitted from the interface
  • Page 50: Two Methods For Calculating Burst-Size Limit

    at line rate until all the accumulated tokens in the token bucket are used up. This means that configuring a large burst size can allow too many packets to avoid rate limiting, which can lead to a traffic rate that exceeds the bandwidth limit for an extended period of time.
  • Page 51: 10 X Mtu Method For Selecting Initial Burst Size For Gigabit Ethernet With 100 Kbps Bandwidth

    On a Gigabit Ethernet interface, a configured burst-size limit of 7500 bytes creates a burst duration of 60 µs at Gigabit Ethernet line rate, calculated as follows: 7500 bytes × 8 bits/byte = 60,000 bits; 60,000 bits / 1,000,000,000 bps (1 Gbps) = 0.00006 s = 60 µs.
  • Page 52: Ms Method For Selecting Initial Burst Size For Gigabit Ethernet Interface

    If the downstream device is unable to handle the amount of bursty traffic allowed using the initial burst size configuration, reduce the burst-size limit until you achieve acceptable results. 5 ms Method for Selecting Initial Burst Size for Gigabit Ethernet Interface with...
  • Page 53: 200 Mbps Bandwidth Limit, 5 Ms Burst Duration

    200 Mbps. This example shows that a larger burst size can affect the measured bandwidth rate. Related Documentation: Policer Implementation Overview on page 25; Understanding the Benefits of Policers and Token Bucket Algorithms on page 28
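The two initial burst-size methods from pages 48 through 53 (10 × MTU, and bandwidth limit × burst duration) together with the line-rate burst-duration check, as an added example that is not Juniper code. The numbers are the guide's own (1500-byte MTU, 7500 bytes at 1 Gbps, 200 Mbps for 5 ms) and the range check follows Table 5; the helper names, the 100 kbps planning call and the k/m rendering are this example's own choices.

```python
# Added example (not Juniper code): the guide's two initial burst-size
# methods plus the line-rate burst window they imply.  The range limits
# are Table 5's 1500..100000000000 bytes.

MTU_BYTES = 1500
BURST_MIN_BYTES = 1_500
BURST_MAX_BYTES = 100_000_000_000


def burst_size_10x_mtu(mtu_bytes=MTU_BYTES):
    """10 x MTU method: 15 000 bytes for a 1500-byte MTU."""
    return 10 * mtu_bytes


def burst_size_for_duration(bandwidth_limit_bps, duration_s):
    """Burst duration method: bytes the bandwidth limit carries in duration_s,
    e.g. 200 Mbps x 5 ms = 1,000,000 bits = 125 000 bytes."""
    return int(bandwidth_limit_bps * duration_s / 8)


def line_rate_burst_seconds(burst_bytes, line_rate_bps):
    """How long a full bucket drains at interface line rate (7500 bytes at
    1 Gbps = 60 us).  During this window traffic exceeds the bandwidth limit
    unchecked, which is the risk a large burst size carries."""
    return burst_bytes * 8 / line_rate_bps


def seconds_to_refill(burst_bytes, bandwidth_limit_bps):
    """Time for a drained bucket to refill at the bandwidth limit: a big burst
    behind a small limit means long gaps between permitted bursts."""
    return burst_bytes * 8 / bandwidth_limit_bps


def validate_burst(burst_bytes):
    """Table 5 range for burst-size-limit / committed-burst-size."""
    return BURST_MIN_BYTES <= burst_bytes <= BURST_MAX_BYTES


def junos_suffix(nbytes):
    """Render a byte count with the k/m suffixes Junos accepts for sizes."""
    for div, suf in ((1_000_000, "m"), (1_000, "k")):
        if nbytes >= div and nbytes % div == 0:
            return f"{nbytes // div}{suf}"
    return str(nbytes)


def plan_burst(bandwidth_limit_bps, line_rate_bps, mtu_bytes=MTU_BYTES,
               duration_s=0.005):
    """Both candidate burst sizes with their line-rate window and refill time,
    so the smaller value the downstream device tolerates can be chosen."""
    candidates = (("10xMTU", burst_size_10x_mtu(mtu_bytes)),
                  ("duration", burst_size_for_duration(bandwidth_limit_bps,
                                                       duration_s)))
    plan = {}
    for method, size in candidates:
        plan[method] = {
            "bytes": size,
            "junos": junos_suffix(size),
            "line_rate_burst_s": line_rate_burst_seconds(size, line_rate_bps),
            "refill_s": seconds_to_refill(size, bandwidth_limit_bps),
            "valid": validate_burst(size),
        }
    return plan


if __name__ == "__main__":
    # The guide's Gigabit Ethernet with 100 kbps bandwidth case: the 5 ms
    # method yields 62 bytes, below Table 5's 1500-byte floor, so only the
    # 10 x MTU value is usable there.
    print(plan_burst(100_000, 1_000_000_000))
    print(plan_burst(200_000_000, 1_000_000_000))
```

The planning call makes the guide's point about the two methods concrete: at 100 kbps on a 1 Gbps port the duration method produces a burst size that the platform will not accept, while 15k is accepted but takes 1.2 s to refill, so the interface can only burst once a second or so. At 200 Mbps the 5 ms method gives 125k, which drains at line rate in one millisecond.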
  • Page 55: Configuring Layer 2 Policers

    PART 2 Configuring Layer 2 Policers: Two-Color and Three-Color Policers at Layer 2 on page 39
  • Page 57: Two-Color And Three-Color Policers At Layer 2

    ...“Policing at Layer 2 Overview” on page
    Statement Hierarchy for Configuring a Two-Color Policer for Layer 2 Traffic: To enable a single-rate two-color policer to rate-limit Layer 2 traffic, include the logical-interface-policer statement in the policer configuration:
    firewall {
  • Page 58: Statement Hierarchy For Applying A Two-Color Policer To Layer 2 Traffic

        policer policer-name {
            logical-interface-policer;
            if-exceeding {
                (bandwidth-limit bps | bandwidth-percent percentage);
                burst-size-limit bytes;
            }
            then {
                discard;
                forwarding-class class-name;
                loss-priority (high | low | medium-high | medium-low);
            }
        }
    }
    You can include the configuration at the following hierarchy levels:...
  • Page 59: Three-Color Policing At Layer 2 Overview

    firewall {
        three-color-policer policer-name {
            action {
                loss-priority high then discard;
            }
            logical-interface-policer;
            single-rate (color-aware | color-blind) {
                committed-burst-size bytes;
                committed-information-rate bps;
                excess-burst-size bytes;
            }
            two-rate (color-aware | color-blind) {
                committed-burst-size bytes;
                committed-information-rate bps;
                peak-burst-size bytes;
                peak-information-rate bps;
            }
        }
    }
  • Page 60: Traffic

    You can include the configuration at the following hierarchy levels: [edit]; [edit logical-systems logical-system-name]. Statement Hierarchy for Applying a Three-Color Policer to Layer 2 Traffic: To apply a logical interface policer to Layer 2 traffic, include the...
  • Page 61 ...200 KB allowance for traffic bursting (based on the token-bucket formula) is categorized as yellow. The packets in a yellow traffic flow are implicitly set to a medium-high loss priority and then transmitted.
  • Page 62 Nonconforming traffic that exceeds the peak traffic limits is categorized as red. The packets in a red traffic flow are implicitly set to a high loss priority. In this example, the optional policer action for red traffic (...
  • Page 63 [edit firewall three-color-policer trTCM2-cb]
    user@host# set two-rate color-blind
    A color-aware three-color policer takes into account any color markings that might have been set for a packet by another traffic policer configured at a previous
  • Page 64 network node, and any preexisting color markings are used in determining the appropriate policing action for the packet. Because you are applying this three-color policer to input traffic at Layer 2, you must configure the policer to be color-blind.
  • Page 65 ...Protocol inet section contains a Policer field that would list the policer trTCM2-cb as an input or output policer as follows:
    Input: trTCM2-cb-ge-1/3/1.0-log_int-i
  • Page 66 Output: trTCM2-cb-ge-1/3/1.0-log_int-o
    The log_int-i suffix denotes a logical interface policer applied to input traffic, while the log_int-o suffix denotes a logical interface policer applied to output traffic. In this example, the logical interface policer is applied in the input direction only.
  • Page 67: Two-Color Policer Configuration Overview

    Table 7: Two-Color Policer Configuration and Application Overview. Columns: Policer Configuration / Layer 3 Application / Key Points. Policer configuration (fragment):
        then {
            discard;
            forwarding-class class-name;
            loss-priority supported-value;
        }
    Layer 3 application:
        policer {
            input policer-name;
            output policer-name;
        }
    Key points: if applying to multiple interfaces, include the interface-specific statement to create unique policers and counters for each interface.
  • Page 68 Table 7: Two-Color Policer Configuration and Application Overview (continued). Interface policer verification: use the show interfaces (detail | extensive) operational mode command. Method B: apply as a firewall filter policer at the protocol family level:
  • Page 69
        family family-name {
            filter {
                input filter-name;
                output filter-name;
            }
        }
    Firewall filter policer verification: use the show interfaces (detail | extensive) operational mode command, and the show firewall filter filter-name operational mode command.
  • Page 70 Table 7: Two-Color Policer Configuration and Application Overview (continued). Logical Interface (Aggregate) Policer: defines traffic rate limiting that you can apply to multiple protocol families on the same logical interface without creating multiple instances of the policer.
  • Page 71 Prefix-Specific Counting and Policing Actions on page 97; Multifield Classification on page 115; Policer Overhead to Account for Rate Shaping in the Traffic Manager on page 135; Two-Color and Three-Color Physical Interface Policers on page 185
  • Page 73: Basic Single-Rate Two-Color Policers

    The action might be to discard the packet, or the action might be to re-mark the packet with a specified forwarding class, a specified PLP, or both, and then transmit the packet.
  • Page 74: Example: Limiting Inbound Traffic At Your Network Border By Configuring An Ingress Single-Rate Two-Color Policer

    To rate-limit Layer 3 traffic, you can apply a two-color policer in the following ways: directly to a logical interface, at a specific protocol level; or as the action of a standard stateless firewall filter that is applied to a logical interface, at a specific protocol level.
  • Page 75 You cannot apply a two-color policer to Layer 2 traffic through a firewall filter. CAUTION: You can choose either bandwidth-limit or bandwidth-percent within the policer, as they are mutually exclusive. You cannot configure a
  • Page 76: Figure 10: Single-Rate Two-Color Policer Scenario

    policer to use bandwidth-percent for aggregate, tunnel, and software interfaces. In this example, the host is a traffic generator emulating a webserver. Devices R1 and R2 are owned by a service provider. The webserver is accessed by users on Device Host2.
  • Page 77: Figure 11: Traffic Limiting In A Single-Rate Two-Color Policer Scenario

    ...0 description looback-interface
    set interfaces lo0 unit 0 family inet address 192.168.14.1/32
    set protocols ospf area 0.0.0.0 interface ge-2/0/7.0 passive
    set protocols ospf area 0.0.0.0 interface lo0.0 passive
    set protocols ospf area 0.0.0.0 interface ge-2/0/8.0
  • Page 78 Step-by-Step Procedure: The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
  • Page 79
        ...0 {
            family inet {
                address 10.50.0.1/30;
            }
        }
        lo0 {
            unit 0 {
                description looback-interface;
                family inet {
                    address 192.168.13.1/32;
                }
            }
        }
    user@R1# show firewall
    family inet {
        filter mf-classifier {
            term t1 {
  • Page 80
                from {
                    protocol tcp;
                    port 80;
                }
                then policer discard;
            }
            term t2 {
                then accept;
            }
        }
    }
    policer discard {
        if-exceeding {
            bandwidth-limit 700m;
            burst-size-limit 15k;
        }
        then discard;
    }
    user@R1# show protocols ospf
    area 0.0.0.0 {
        interface ge-2/0/5.0 {
            passive;...
  • Page 81 In this example the policer numbers are reduced to a bandwidth limit of 8 Kbps and a burst-size limit of 1500 bytes (burst-size-limit is specified in bytes) to ensure that some packets are dropped during this test.
    [root@host]# hping 172.16.80.1 -c 10 -s 80 -k -d 300
  • Page 82: Example: Configuring Interface And Firewall Filter Policers At The Same

    [User@Host]# hping 172.16.80.1 -c 10 -s 80 -k -d 350
    HPING 172.16.80.1 (eth1 172.16.80.1): NO FLAGS are set, 40 headers + 350 data bytes
    len=46 ip=172.16.80.1 ttl=62 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.5 ms
    --- 172.16.80.1 hping statistic ---...
  • Page 83 Thus, if this firewall filter were to be applied to multiple interfaces instead of just the Fast Ethernet interface in this example, unique policers and counters would be created for each interface to which the filter is applied.
  • Page 84 Configuration: The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode. To configure this example, perform the following tasks:...
  • Page 85 You apply this policer directly to all IPv4 input traffic at the single-tag VLAN logical interface, so the packets will not be filtered before being subjected to rate limiting.
    [edit]
    user@host# edit firewall policer p-all-1m-5k-discard
  • Page 86 Configure the first policer.
    [edit firewall policer p-all-1m-5k-discard]
    user@host# set if-exceeding bandwidth-limit
    user@host# set if-exceeding burst-size-limit
    user@host# set then discard
    Enable configuration of a two-color policer that discards packets that do not conform to a bandwidth specified as “10 percent”...
  • Page 87 [edit firewall family inet filter filter-ipv4-with-limits term t-ftp]
    user@host# set from protocol tcp
    user@host# set from port [ ftp ftp-data ]
    FTP control connections use TCP port 21 (ftp) and active-mode data connections use TCP port 20 (ftp-data). Passive-mode data connections use negotiated ephemeral ports and are not matched by this term.
  • Page 88 Configure the filter term to match FTP packets.
    [edit firewall family inet filter filter-ipv4-with-limits term t-ftp]
    user@host# set then policer p-ftp-10p-500k-discard
    Enable configuration of a filter term to rate-limit ICMP packets.
    [edit firewall family inet filter filter-ipv4-with-limits term t-ftp]...
  • Page 89 If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
    [edit]
    user@host# show interfaces
    fe-0/1/1 {
        vlan-tagging;
        unit 0 {
            vlan-id 100;
            family inet {
                address 10.20.15.1/24;
            }
        }
        unit 1 {
  • Page 90
            vlan-id 101;
            family inet {
                filter {
                    input filter-ipv4-with-limits;
                }
                policer {
                    input p-all-1m-5k-discard;
                }
                address 10.20.240.1/24;
            }
        }
    }
    If you are done configuring the device, enter commit from configuration mode. Verification: Confirm that the configuration is working properly.
  • Page 91 Verify the number of packets evaluated by the firewall filter policers. Action: Use the show firewall operational mode command for the filter you applied to the logical interface.
    user@host> show firewall filter filter-ipv4-with-limits-fe-0/1/1.1-i
    Filter: filter-ipv4-with-limits-fe-0/1/1.1-i
  • Page 92 Policers:
    Name                                              Bytes    Packets
    p-ftp-10p-500k-discard-t-ftp-fe-0/1/1.1-i
    p-icmp-500k-500k-discard-t-icmp-fe-0/1/1.1-i
    The command output displays the names of the policers (p-ftp-10p-500k-discard and p-icmp-500k-500k-discard) combined with the names of the filter terms (t-ftp and t-icmp, respectively) under which the policer action is specified, followed by the interface and direction suffix (fe-0/1/1.1-i). The policer-specific output lines display the number of packets that matched the filter term and exceeded the policer's limits (out-of-specification traffic); a zero count means the term may still be matching traffic but nothing is being rate-limited.
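The generated policer names on pages 65, 66, 91 and 92 follow a fixed pattern (policer name, optional filter term, interface, optional scope such as log_int or inet, and an -i or -o direction suffix), and the show firewall output is a plain text table. The following is an added example, not Juniper code and not part of the guide, that parses that text and decodes those names so a monitoring script can report which term, interface and direction a policer has started acting on. The sample output is constructed from the layout the guide shows; the byte and packet counts in it are invented.

```python
# Added example (not Juniper code): parse "show firewall filter <name>" text
# and decode generated policer names.  SAMPLE_SHOW_FIREWALL is constructed;
# its counter values are invented.
import re

SAMPLE_SHOW_FIREWALL = """\
Filter: filter-ipv4-with-limits-fe-0/1/1.1-i
Counters:
Name                                                Bytes               Packets
Policers:
Name                                                Bytes               Packets
p-ftp-10p-500k-discard-t-ftp-fe-0/1/1.1-i         1874400                 1249
p-icmp-500k-500k-discard-t-icmp-fe-0/1/1.1-i            0                    0
"""

# <policer>[-<term>]-<ifl>[-log_int|-inet|-inet6]-<i|o>.  The interface name
# (e.g. fe-0/1/1.1) is the anchor that separates the policer/term part from
# the suffixes, because policer and term names may themselves contain hyphens.
POLICER_NAME_RE = re.compile(
    r"^(?P<prefix>.+?)-(?P<ifl>[a-z]+-\d+/\d+/\d+(?:\.\d+)?)"
    r"(?:-(?P<scope>log_int|inet6|inet))?-(?P<dir>[io])$")


def decode_policer_name(name):
    """Split a generated policer name into its parts; None when the name is
    not a per-interface instance (e.g. __default_arp_policer__)."""
    m = POLICER_NAME_RE.match(name)
    if not m:
        return None
    return {
        "prefix": m.group("prefix"),      # policer name, plus term for filter policers
        "interface": m.group("ifl"),
        "scope": m.group("scope") or "filter-term",
        "direction": "input" if m.group("dir") == "i" else "output",
    }


def parse_show_firewall(text):
    """Return the filter name and the Counters/Policers tables as dicts of
    name -> (bytes, packets)."""
    result = {"filter": None, "counters": {}, "policers": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Filter:"):
            result["filter"] = line.split(":", 1)[1].strip()
        elif line == "Counters:":
            section = "counters"
        elif line == "Policers:":
            section = "policers"
        elif section and line and not line.startswith("Name"):
            parts = line.split()
            if len(parts) == 3 and parts[1].isdigit() and parts[2].isdigit():
                result[section][parts[0]] = (int(parts[1]), int(parts[2]))
    return result


def policer_hits(parsed, min_packets=1):
    """Policers whose out-of-specification packet count reached min_packets,
    decoded so an alert can name the term, interface and direction."""
    hits = []
    for name, (_nbytes, npkts) in parsed["policers"].items():
        if npkts >= min_packets:
            hit = {"name": name, "packets": npkts}
            hit.update(decode_policer_name(name) or {})
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in policer_hits(parse_show_firewall(SAMPLE_SHOW_FIREWALL)):
        print(hit)
```

Poll the output at a fixed interval and diff the packet column between runs rather than alerting on the absolute value: the counters are cumulative, so a policer that dropped traffic once during a test will stay nonzero until cleared.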
  • Page 93: Bandwidth Policers

  • Page 94: Guidelines For Applying A Bandwidth Policer

    If you reference a bandwidth policer from a stateless firewall filter term, you must include the interface-specific statement in the firewall filter configuration. Guidelines for Applying a Bandwidth Policer: The following guidelines pertain to applying a bandwidth policer to traffic:...
  • Page 95 ...50 percent bandwidth policer to input or output traffic at a Gigabit Ethernet logical interface without rate shaping, the policer applies a bandwidth limit of 500 Mbps (50 percent of 1000 Mbps).
  • Page 96 Configuration: The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode. To configure this example, perform the following tasks:...
  • Page 97 Confirm the configuration of the rate shaping by entering the show class-of-service configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
    [edit]
    user@host# show class-of-service
    interfaces {
  • Page 98
        ge-1/3/0 {
            unit 0 {
                shaping-rate 4m;
            }
            unit 1 {
                shaping-rate 2m;
            }
        }
    }
    Configuring the Logical Bandwidth Policer. Step-by-Step Procedure: To configure the logical bandwidth policer: Enable configuration of a single-rate two-color policer.
    [edit]...
  • Page 99 If you are done configuring the device, enter commit from configuration mode. Verification: Confirm that the configuration is working properly. Displaying Traffic Statistics and Policers for the Logical Interface on page 82; Displaying Statistics for the Policer on page 83
  • Page 100 Displaying Traffic Statistics and Policers for the Logical Interface. Purpose: Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface. Action...
  • Page 101 __default_arp_policer__
    LB-policer-ge-1/3/0.0-inet-i
    LB-policer-ge-1/3/0.0-inet-o
    LB-policer-ge-1/3/0.1-inet-i
    LB-policer-ge-1/3/0.1-inet-o
    Related Documentation: Two-Color Policer Configuration Overview on page 49; Bandwidth Policer Overview on page 75; bandwidth-percent on page 201; interface-specific; logical-bandwidth-policer on page 221; shaping-rate (Applying to an Interface)
  • Page 102 Related Documentation: Two-Color Policer Configuration Overview on page 49; Guidelines for Applying Traffic Policers on page 15; bandwidth-percent on page 201; interface-specific (Firewall Filters); logical-bandwidth-policer on page 221; shaping-rate (Applying to an Interface)
  • Page 103: Filter-Specific Counters And Policers

    Related Documentation: Two-Color Policer Configuration Overview on page 49; Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods on page 86; Filter-Specific Counter and Policer Set Overview on page 100
  • Page 104: Example: Configuring A Stateless Firewall Filter To Protect Against Tcp And Icmp Floods

    Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods. This example shows how to create a stateless firewall filter that protects against TCP and ICMP denial-of-service attacks. Requirements on page 86...
  • Page 105: Figure 12: Firewall Filter To Protect Against Tcp And Icmp Floods

    0 family inet address 10.0.0.2/30 set interfaces lo0 unit 0 family inet filter input protect-RE set interfaces lo0 unit 0 family inet address 192.168.0.2/32 primary set interfaces lo0 unit 0 family inet address 172.16.0.2/32
  • Page 106 set protocols bgp group ext type external set protocols bgp group ext export send-direct set protocols bgp group ext neighbor 10.0.0.1 peer-as 100 set protocols ospf area 0.0.0.0 interface lo0.0 passive set protocols ospf area 0.0.0.0 interface fe-1/2/0.0 set policy-options prefix-list trusted-addresses 10.0.0.0/24...
  • Page 107 Apply the filter to the loopback interface. [edit interfaces lo0 unit 0] user@R2# set family inet filter input protect-RE
  • Page 108 Results Confirm your configuration by entering the show interfaces, show protocols, show policy-options, show routing-options, and show firewall commands from configuration mode. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
  • Page 109 { filter-specific; if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; then discard; policer icmp-policer { filter-specific; if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; then discard; If you are done configuring the device, enter commit from configuration mode.
  • Page 110 Verification Confirm that the configuration is working properly. NOTE: To verify the TCP policer, you can use a packet generation tool. This task is not shown here. Displaying Stateless Firewall Filters That Are in Effect on page 92...
  • Page 111 From Device R1, telnet to Device R2 from an untrusted source address. user@R1> telnet 172.16.0.2 source 172.16.0.1 Trying 172.16.0.2... From Device R2, add 172.16/16 to the list of trusted prefixes.
  • Page 112 [edit policy-options prefix-list trusted-addresses] user@R2# set 172.16.0.0/16 user@R2# commit From Device R1, try again to telnet to Device R2. user@R1> telnet 172.16.0.2 source 172.16.0.1 Trying 172.16.0.2... Connected to R2.example.net. Escape character is '^]'.
  • Page 113 From an untrusted source address on Device R1, send a ping request to Device R2’s loopback interface. user@R1> ping 172.16.0.2 source 172.16.0.1 PING 172.16.0.2 (172.16.0.2): 56 data bytes --- 172.16.0.2 ping statistics --- 14 packets transmitted, 0 packets received, 100% packet loss Meaning Verify the following information:
  • Page 114 The ping output shows that 10% packet loss is occurring. The ICMP packet counter is incrementing, and the icmp-policer is incrementing. Device R2 does not send ICMP responses to the ping 172.16.0.2 source 172.16.0.1 command.
  • Page 115: Prefix-Specific Counting And Policing Actions

    2 or as many as 65,536 counter and policer instances. The position of the bits of the prefix range determines the indexing of filter-matched packets into the set of instances.
  • Page 116: Prefix-Specific Action Configuration

    NOTE: A prefix-specific action is specific to a source or destination prefix range, but it is not specific to a particular source or destination address range, and it is not specific to a particular interface.
  • Page 117: Counter And Policer Set Size And Indexing

    Filter-Specific Counter and Policer Set Overview on page 100 Example: Configuring Prefix-Specific Counting and Policing on page 100 Prefix-Specific Counting and Policing Configuration Scenarios on page 107 prefix-action (Configuring) on page 235 prefix-action (Firewall Filter Action) on page 236
  • Page 118: Filter-Specific Counter And Policer Set Overview

    Filter-Specific Counter and Policer Set Overview By default, a prefix-specific policer set operates in term-specific mode so that, for a given firewall filter, the Junos OS creates a separate counter and policer set for every filter term that references the prefix-specific action.
  • Page 119 “Prefix-Specific Counting and Policing Configuration Scenarios” on page 107. Configuration The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
  • Page 120 To configure this example, perform the following tasks: Configuring a Policer for Prefix-Specific Counting and Policing on page 102 Configuring a Prefix-Specific Action Based on the Policer on page 103 Configuring an IPv4 Filter That References the Prefix-Specific Action on page 104...
  • Page 121 If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration. [edit] user@host# show firewall policer 1Mbps-policer { if-exceeding {
  • Page 122 bandwidth-limit 1m; burst-size-limit 63k; then discard; family inet { prefix-action psa-1Mbps-per-source-24-32-256 { policer 1Mbps-policer; subnet-prefix-length 24; source-prefix-length 32; Configuring an IPv4 Filter That References the Prefix-Specific Action Step-by-Step Procedure To configure an IPv4 standard firewall filter that references the prefix-specific action: Enable configuration of the IPv4 standard firewall filter.
  • Page 123 [edit] user@host# show interfaces so-0/0/2 { unit 0 { family inet { filter { input limit-source-one-24; address 10.39.1.1/16; If you are done configuring the device, enter commit from configuration mode.
  • Page 124 Verification Confirm that the configuration is working properly. Displaying the Firewall Filters Applied to an Interface on page 106 Displaying Prefix-Specific Actions Statistics for the Firewall Filter on page 106 Displaying the Firewall Filters Applied to an Interface...
  • Page 125: Prefix-Specific Counting And Policing Configuration Scenarios

    Indexing of Instances Prefix-specific action scenario: “Example: Configuring Prefix-Specific Counting and Policing” on page 100 source-prefix-length = 32; subnet-prefix-length = 24; source-address = 10.10.10.0/24. Set size: 2^8 = 256. Instance 0: 10.10.10.0; Instance 1: 10.10.10.1
  • Page 126 Table 9: Summary of Prefix-Specific Action Scenarios (continued) Counter and Policer Set Packet-Filtering Criteria Indexing of Instances Instance numbers: 0 - 255 Instance 255: 10.10.10.255 Prefix-specific action scenario: “Scenario 1: Firewall Filter Term Matches on Multiple Addresses” on page 109 source-prefix-length = 32 source-address = 10.10.10.0/24...
  • Page 127: Packets

    [edit] firewall { policer 1Mbps-policer { if-exceeding { bandwidth-limit 1m; burst-size-limit 63k; then discard; family inet { prefix-action psa-1Mbps-per-source-24-32-256 { policer 1Mbps-policer; subnet-prefix-length 24; source-prefix-length 32; filter limit-source-two-24-16 { term one { from {
  • Page 128: Scenario 2: Subnet Prefix Is Longer Than The Prefix In The Filter Match Condition

    source-address { 10.10.10.0/24; 10.11.0.0/16; then prefix-action psa-1Mbps-per-source-24-32-256; interfaces { so-0/0/2 { unit 0 { family inet { filter { input limit-source-two-24-16; address 10.39.1.1/16; Scenario 2: Subnet Prefix Is Longer Than the Prefix in the Filter Match Condition The complete example, “Example: Configuring Prefix-Specific Counting and Policing”...
  • Page 129: Scenario 3: Subnet Prefix Is Shorter Than The Prefix In The Firewall Filter Match Condition

    In this case, the filter term matches on the subnet of the source address 10.10.10.0
  • Page 130 NOTE: The firewall filter passes to the prefix-specific action only packets with source addresses that range from 10.10.10.0 through 10.10.10.127, while the prefix-specific action specifies a set of 256 counters and policers, numbered from 0 through 255.
  • Page 131 Filter-Specific Counter and Policer Set Overview on page 100 Example: Configuring Prefix-Specific Counting and Policing on page 100 Related Documentation: Two-Color Policer Configuration Overview on page 49; Guidelines for Applying Traffic Policers on page 15
  • Page 133: Multifield Classification

    BA classification, or CoS value traffic classification, refers to a method of packet classification that uses a CoS configuration to set the forwarding class or PLP of a packet based on the CoS value in the IP packet header. The CoS value examined for
  • Page 134: Multifield Classification Used In Conjunction With Policers

    BA classification purposes can be the Differentiated Services code point (DSCP) value, DSCP IPv6 value, IP precedence value, MPLS EXP bits, and IEEE 802.1p value. The default classifier is based on the IP precedence value.
  • Page 135 The Junos OS CoS Components Used to Manage Congestion and Control Service Levels Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic Understanding How Forwarding Classes Assign Classes to Output Queues Default Forwarding Classes Managing Congestion Using RED Drop Profiles and Packet Loss Priorities
  • Page 136: Multifield Classification Requirements And Restrictions

    Multifield Classification Requirements and Restrictions This topic covers the following information: Supported Platforms on page 118 CoS Tricolor Marking Requirement on page 118 Restrictions on page 118 Supported Platforms The loss-priority firewall filter action is supported on the following routing platforms only:...
  • Page 137: Multifield Classification Limitations On M Series Routers

    { term 1 { then { forwarding-class expedited-forwarding; accept; term 2 { then accept; filter egress { term 1 { from { forwarding-class expedited-forwarding; then count ef; term 2 { then accept;
  • Page 138: Workaround: Configure All Actions In The Ingress Filter

    [edit] user@host# show interfaces ge-1/2/0 { unit 0 { family inet { filter { input ingress; output egress; Workaround: Configure All Actions in the Ingress Filter As a workaround, you can configure all of the actions in the ingress filter.
  • Page 139: Example: Configuring Multifield Classification

    Make sure that the following forwarding classes are assigned to output queues: expedited-forwarding assured-forwarding Forwarding-class assignments are configured at the [edit class-of-service forwarding-classes queue queue-number] hierarchy level. NOTE: You cannot commit a configuration that assigns the same forwarding class to two different queues.
  • Page 140 b. Make sure that the output queues to which the forwarding classes are assigned are associated with schedulers. A scheduler defines the amount of interface bandwidth assigned to the queue, the size of the memory buffer allocated for storing packets, the priority of the queue, and the random early detection (RED) drop profiles associated with the queue.
  • Page 141 0 family inet filter input mfc-filter Configuring Policers to Rate-Limit Expedited-Forwarding and Assured-Forwarding Traffic Step-by-Step Procedure To configure policers to rate-limit expedited-forwarding and assured-forwarding traffic: Define traffic limits for expedited-forwarding traffic. [edit]
  • Page 142 user@host# edit firewall policer ef-policer [edit firewall policer ef-policer] user@host# set if-exceeding bandwidth-limit 300k user@host# set if-exceeding burst-size-limit 50k user@host# set then loss-priority high user@host# set then forwarding-class expedited-forwarding Configure a policer for assured-forwarding traffic.
  • Page 143 { from { source-address 10.1.1.0/24; source-address 10.1.2.0/24; then { loss-priority low; forwarding-class expedited-forwarding; term isp2-customers { from { source-address 10.1.3.0/24; source-address 10.1.4.0/24; then { policer ef-policer; term other-customers { then { policer af-policer;
  • Page 144 policer af-policer { if-exceeding { bandwidth-limit 300k; burst-size-limit 50k; then discard; policer ef-policer { if-exceeding { bandwidth-limit 200k; burst-size-limit 50k; then { loss-priority high; forwarding-class expedited-forwarding; Applying Multifield Classification Filtering and Policing to the Logical Interface...
  • Page 145: Example: Configuring And Applying A Firewall Filter For A Multifield Classifier

    This example shows how to configure a firewall filter to classify traffic using a multifield classifier. The classifier detects packets of interest to class of service (CoS) as they arrive on an interface. Multifield classifiers are used when a simple behavior aggregate (BA)
  • Page 146: Figure 13: Multifield Classifier Based On Tcp Source Ports

    classifier is insufficient to classify a packet, when peering routers do not have CoS bits marked, or the peering router’s marking is untrusted. Requirements on page 128 Overview on page 128 Configuration on page 129...
  • Page 147: Figure 14: Multifield Classifier Scenario

    Figure 14 on page 129. The section “Step-by-Step Procedure” on page 130 describes the steps on Device R1. Classifiers are described in more detail in the following Juniper Networks Learning Byte video. Video: Class of Service Basics, Part 2: Classification Learning Byte Configuration...
  • Page 148 set firewall family inet filter mf-classifier term Premium-data then forwarding-class Premium-data set firewall family inet filter mf-classifier term accept-all-else then accept Device R2 set interfaces ge-1/0/2 description to-R1 set interfaces ge-1/0/2 unit 0 family inet address 10.30.0.2/30...
  • Page 149 80; then forwarding-class BE-data; term Premium-data { from { protocol tcp; port 12345; then forwarding-class Premium-data; term accept-all-else { then accept; If you are done configuring the device, enter commit from configuration mode.
  • Page 150 Verification Confirm that the configuration is working properly. Checking the CoS Settings on page 132 Sending TCP Traffic into the Network and Monitoring the Queue Placement on page 132 Checking the CoS Settings Purpose Confirm that the forwarding classes are configured correctly.
  • Page 151 The Junos OS CoS Components Used to Manage Congestion and Control Service Levels Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic Understanding How Forwarding Classes Assign Classes to Output Queues Default Forwarding Classes Managing Congestion Using RED Drop Profiles and Packet Loss Priorities tri-color statement
  • Page 153: Policer Overhead To Account For Rate Shaping In The Traffic Manager

    CLI Explorer Example: Configuring Policer Overhead to Account for Rate Shaping This example shows how to configure overhead values for policers when rate-shaping overhead is configured. Requirements on page 136 Overview on page 136
  • Page 154 Configuration on page 136 Verification on page 142 Requirements Before you begin, make sure that the interface for which you are applying ingress or egress policer overhead is hosted on one of the following:...
  • Page 155 Enable configuration of the interface [edit] user@host# edit interfaces ge-1/3/1 Enable multiple queues for each logical interface (so that you can associate an output scheduler with each logical interface). [edit interfaces ge-1/3/1] user@host# set per-unit scheduler
  • Page 156 user@host# set vlan-tagging NOTE: For Gigabit Ethernet IQ2 PICs only, use the shared-scheduler statement to enable shared schedulers and shapers on a physical interface. Configure logical interface ge-1/3/1.0 [edit interfaces ge-1/3/1] user@host# set unit 0 vlan-id 100 user@host# set unit 0 family inet address 10.10.10.1/30...
  • Page 157 If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration. [edit] user@host# show class-of-service interfaces { ge-1/3/1 { unit 1 {
  • Page 158 scheduler-map my-map; shaping-rate 100m; scheduler-maps { my-map { forwarding-class best-effort scheduler be; forwarding-class expedited-forwarding scheduler ef; forwarding-class network-control scheduler nc; forwarding-class assured-forwarding scheduler af; schedulers { be { transmit-rate percent 5; ef { transmit-rate percent 30;...
  • Page 159 If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration. [edit] user@host# show firewall policer 500Kbps { logical-interface-policer; if-exceeding { bandwidth-limit 500k; burst-size-limit 625k; then discard;
  • Page 160 [edit] user@host# show interfaces ge-1/3/1 { per-unit-scheduler; vlan-tagging; unit 0 { vlan-id 100; layer2-policer { input-policer 500Kbps; family inet { address 10.10.10.1/30; unit 0 { vlan-id 101; family inet { address 20.20.20.1/30 { arp 20.20.20.2 mac 00:00:11:22:33:44;...
  • Page 161 Documentation: “Configuring a Policer Overhead” in the CLI Explorer. Related Documentation: Two-Color Policer Configuration Overview on page 49; Guidelines for Applying Traffic Policers on page 15; “Configuring a Policer Overhead” in the CLI Explorer
  • Page 163: Three-Color Policer Configuration Overview

    ... match-conditions ... action. excess-burst-size bytes; action { loss-priority high then discard; then { three-color-policer single-rate policer-name; Applying the firewall filter to the logical interface: Include the filter (input | output) filter-name statement.
  • Page 164 Table 10: Three-Color Policer Configuration and Application Overview (continued) Policer Configuration Layer 3 Application Key Points Apply the filter to a logical interface at the protocol family level: [edit interfaces] interface-name { unit unit-number {...
  • Page 165 Verification To verify, use the show firewall filter filter-name operational mode command. [edit interfaces] interface-name { unit number { family family-name { filter { input filter-name; output filter-name;
  • Page 166 Table 10: Three-Color Policer Configuration and Application Overview (continued) Policer Configuration Layer 3 Application Key Points Basic Two-Rate Three-Color Policer Defines traffic rate limiting that you can apply to Layer 3 protocol-specific traffic at a logical interface. Can be applied as a firewall filter policer only.
  • Page 167: Three-Color Policer Configuration Guidelines

    Naming Conventions for Three-Color Policers on page 151 Platforms Supported for Three-Color Policers Three-color policers are supported on the following Juniper Networks routers: M120 Multiservice Edge Routers M320 Multiservice Edge Routers and T Series Core Routers with Enhanced II Flexible...
  • Page 168: Color Modes For Three-Color Policers

    Color Modes for Three-Color Policers Three-color policers—both single-rate and two-rate three-color policer schemes—can operate in either of two modes: Color-Blind Mode on page 150 Color-Aware Mode on page 150 Color-Blind Mode In color-blind mode, the three-color policer assumes that all packets examined have not been previously marked or metered.
  • Page 169: Naming Conventions For Three-Color Policers

    Three-color policer color mode—Where ca identifies a color-aware three-color policer and cb identifies a color-blind three-color policer. NOTE: TCM stands for tricolor marking. Table 11 on page 152 describes a recommended naming convention for policers.
  • Page 170: Table 11: Recommended Naming Convention For Policers

    Table 11: Recommended Naming Convention for Policers Three-Color Policer Type Naming Convention Example Names Single-rate three-color, color-aware srTCMnumber-ca srTCM1-ca srTCM2-ca srTCM3-ca Single-rate three-color, color-blind srTCMnumber-cb srTCM1-cb srTCM2-cb srTCM3-cb Two-rate three-color, color-aware trTCMnumber-ca trTCM1-ca...
  • Page 171: Basic Single-Rate Three-Color Policers

    Red—Traffic that exceeds the burst size for peak traffic (EBS). For a red traffic flow, single-rate TCM marks packets with an implicit loss priority of high and, optionally, discards the packets. If congestion occurs downstream, the packets with higher loss priority are more likely to be discarded.
  • Page 172: Example: Configuring A Single-Rate Three-Color Policer

    NOTE: For both single-rate and two-rate three-color policers, the only configurable action is to discard packets in a red traffic flow. action for a tricolor marking policer for a firewall filter is supported on the...
  • Page 173 To configure a single-rate three-color policer: Procedure Enable configuration of a three-color policer. [edit] user@host# edit firewall three-color-policer srTCM1-ca Configure the color mode of the single-rate three-color policer. [edit firewall three-color-policer srTCM1-ca] user@host# set single-rate color-aware
  • Page 174 Configure the single-rate guaranteed traffic limits. [edit firewall three-color-policer srTCM1-ca] user@host# set single-rate committed-information-rate user@host# set single-rate committed-burst-size 100k Configure the single-rate burst-size limit that is used to classify nonconforming traffic. [edit firewall three-color-policer srTCM1-ca]...
  • Page 175 The classifier name can be a configured classifier or one of the default classifiers. Enable configuration of the logical interface. [edit] user@host# edit interfaces ge-2/0/5 unit 0 family inet Configure an IP address. [edit interfaces ge-2/0/5 unit 0 family inet] user@host# set address 10.20.130.1/24
  • Page 176 Reference the filter as an input filter. [edit interfaces ge-2/0/5 unit 0 family inet] user@host# set filter input filter-srtcm1ca-all Results Confirm the configuration of the interface by entering the show class-of-service show configuration mode commands. If the command output does not display the...
  • Page 177 Policer: Input: __default_arp_policer__ Related Documentation: Three-Color Policer Configuration Overview on page 145; Single-Rate Three-Color Policer Overview on page 153; Three-Color Policer Configuration Guidelines on page 149
  • Page 179: Basic Two-Rate Three-Color Policers

    Red—Traffic that exceeds the bandwidth limit and burst size for peak traffic (PIR and PBS). For a red traffic flow, two-rate TCM marks packets with an implicit loss priority of high and, optionally, discards the packets.
  • Page 180: Example: Configuring A Two-Rate Three-Color Policer

    If congestion occurs downstream, the packets with higher loss priority are more likely to be discarded. NOTE: For both single-rate and two-rate three-color policers, the only configurable action is to discard packets in a red traffic flow.
  • Page 181 1 then three-color-policer two-rate trTCM1-ca set interfaces ge-2/0/5 unit 0 family inet address 10.10.10.1/30 set interfaces ge-2/0/5 unit 0 family inet filter input filter-trtcm1ca-all set class-of-service interfaces ge-2/0/5 forwarding-class af
  • Page 182 Configuring a Two-Rate Three-Color Policer Step-by-Step Procedure To configure a two-rate three-color policer: Enable configuration of a three-color policer. [edit] user@host# set firewall three-color-policer trTCM1-ca Configure the color mode of the two-rate three-color policer.
  • Page 183 { filter filter-trtcm1ca-all { term 1 { then { three-color-policer { two-rate trTCM1-ca; three-color-policer trTCM1-ca { action { loss-priority high then discard; two-rate { color-aware; committed-information-rate 40m; committed-burst-size 100k; peak-information-rate 60m; peak-burst-size 200k;
  • Page 184 Applying the Filter to a Logical Interface at the Protocol Family Level Step-by-Step Procedure To apply the filter to the logical interface at the protocol family level: Enable configuration of an IPv4 firewall filter.
  • Page 185 Protocol multiservice, MTU: Unlimited, Generation: 243, Route table: 0 Policer: Input: __default_arp_policer__ Related Documentation: Two-Rate Three-Color Policer Overview on page 161; Three-Color Policer Configuration Overview on page 145; Three-Color Policer Configuration Guidelines on page 149
  • Page 187: Part 5 Configuring Logical And Physical Interface Traffic Policers At Layer

    PART 5 Configuring Logical and Physical Interface Traffic Policers at Layer 3 Two-Color and Three-Color Logical Interface Policers on page 171 Two-Color and Three-Color Physical Interface Policers on page 185
  • Page 189: Two-Color And Three-Color Logical Interface Policers

    (to rate-limit traffic of a specific protocol family). It is OK to reference a logical interface policer from a stateless firewall filter term and then apply the filter to a logical interface.
  • Page 190: Example: Configuring A Two-Color Logical Interface (Aggregate) Policer

    You can apply a logical interface policer to unicast traffic only. For information about configuring a stateless firewall filter for flooded traffic, see “Applying Forwarding Table Filters” in the “Traffic Sampling, Forwarding, and Monitoring” section of the Routing Policies, Firewall Filters, and Traffic Policers Feature Guide.
  • Page 191 0 vlan-id 100 user@host# set unit 0 family inet address 10.10.10.1/30 Configure logical interface ge-1/3/1.0 [edit interfaces ge-1/3/1] user@host# set unit 1 vlan-id 101 user@host# set unit 1 family inet address 20.20.20.1/30 arp 20.20.20.2 mac 00:00:11:22:33:44
  • Page 192 Results Confirm the configuration of the logical interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
  • Page 193 Applying the Logical Interface Policer to Input IPv4 Traffic at a Logical Interface Step-by-Step Procedure To apply the two-color logical interface policer to input IPv4 traffic at a logical interface: Enable configuration of the logical interface. [edit]
  • Page 194 user@host# edit interfaces ge-1/3/1 unit 0 Apply the policer to all traffic types or to a specific traffic type on the logical interface. To apply the policer to all traffic types, regardless of the protocol family, include...
  • Page 195: Example: Configuring A Three-Color Logical Interface (Aggregate) Policer

    This example shows how to configure a two-rate three-color color-blind policer as a logical interface (aggregate) policer and apply the policer directly to Layer 2 input traffic at a supported logical interface. Requirements on page 178 Overview on page 178
  • Page 196 Traffic Policers Feature Guide for EX9200 Switches Configuration on page 179 Verification on page 182 Requirements Before you begin, make sure that the logical interface to which you apply the three-color logical interface policer is hosted on a Gigabit Ethernet interface (...
  • Page 197 Configure single tagging. [edit interfaces ge-1/3/1] user@host# set vlan-tagging Configure logical interface ge-1/3/1.0 [edit interfaces ge-1/3/1] user@host# set unit 0 vlan-id 100 user@host# set unit 0 family inet address 10.10.10.1/30
  • Page 198 Configure logical interface ge-1/3/1.0 [edit interfaces ge-1/3/1] user@host# set unit 1 vlan-id 101 user@host# set unit 1 family inet address 20.20.20.1/30 arp 20.20.20.2 mac 00:00:11:22:33:44 Results Confirm the configuration of the logical interfaces by entering the show interfaces configuration mode command.
  • Page 199 Applying the Three-Color Policer to the Layer 2 Input at the Logical Interface Step-by-Step Procedure To apply the three-color policer to the Layer 2 input at the logical interface: Enable application of Layer 2 logical interface policers. [edit] user@host# edit interfaces ge-1/3/1 unit 0
  • Page 200 Apply the three-color logical interface policer to a logical interface input. [edit interfaces ge-1/3/1 unit 0] user@host# set layer2-policer input-three-color trTCM2-cb Results Confirm the configuration of the logical interfaces by entering the show interfaces configuration mode command.
  • Page 201 222 statement statement three-color-policer (Configuring) on page 239 Related Two-Color Policer Configuration Overview on page 49 Documentation Three-Color Policer Configuration Overview on page 145 Guidelines for Applying Traffic Policers on page 15 Copyright © 2016, Juniper Networks, Inc.
  • Page 203: Two-Color And Three-Color Physical Interface Policers

    To configure a single-rate two-color physical interface policer, include the physical-interface-policer statement at one of the following hierarchy levels: [edit firewall policer policer-name]; [edit logical-system logical-system-name firewall policer policer-name]; [edit routing-instances routing-instance-name firewall policer policer-name]; [edit logical-systems logical-system-name routing-instances routing-instance-name firewall policer policer-name]
  • Page 204: Example: Configuring A Physical Interface Policer For Aggregate Traffic At A

    To configure a single-rate or two-rate three-color physical interface policer, include the physical-interface-policer statement at one of the following hierarchy levels: [edit firewall three-color-policer policer-name]; [edit logical-system logical-system-name firewall three-color-policer policer-name]; [edit routing-instances routing-instance-name firewall...
  • Page 205: Physical Interface

    immediate (0x40), or priority (0x20). Packets received through TCP and with the IP precedence fields internet-control (0xc0) or routine (0x00). You could also reference the policer from physical interface filters for other protocol families.
  • Page 206 Configuration: The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode. To configure this example, perform the following tasks:...
  • Page 207 If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration. [edit] user@host# show firewall policer shared-policer-A { physical-interface-policer; if-exceeding { bandwidth-limit 100m; burst-size-limit 500k; } then discard; }
  • Page 208 Configuring an IPv4 Physical Interface Filter. Step-by-Step Procedure: To configure a physical interface policer as the action for terms in an IPv4 physical interface policer: Configure a standard stateless firewall filter under a specific protocol family.
  • Page 209 { unit 0 { family inet { filter { input ipv4-filter; } address 192.168.1.1/24; } family vpls; } unit 1 { family mpls; } } If you are done configuring the device, enter commit from configuration mode.
  • Page 210 Verification: Confirm that the configuration is working properly. Displaying the Firewall Filters Applied to an Interface on page 192; Displaying the Number of Packets Processed by the Policer at the Logical Interface on page 192...
  • Page 211 Firewall Filter Match Conditions Based on Address Classes; Two-Color Policer Configuration Overview on page 49; Three-Color Policer Configuration Overview on page 145; Guidelines for Applying Traffic Policers on page 15; physical-interface-filter on page 230; physical-interface-policer on page 231
  • Page 213: Configuration Statements And Operational Commands

    PART 6 Configuration Statements and Operational Commands: Configuration Statements on page 197; Firewall Filter and Policer Operational Mode Commands on page 241
  • Page 215: Configuration Statements

    (Three-Color Policer) on page 224; output-policer on page 225; output-three-color on page 226; peak-burst-size on page 227; peak-information-rate on page 229; physical-interface-filter on page 230; physical-interface-policer on page 231; policer (Applying to a Logical Interface) on page 232
  • Page 216: Action

    policer (Configuring) on page 233; policer (Firewall Filter Action) on page 234; prefix-action (Configuring) on page 235; prefix-action (Firewall Filter Action) on page 236; single-rate on page 237; three-color-policer (Applying) on page 238...
  • Page 217: Bandwidth-Limit (Policer)

    Options—You can specify the number of bits per second either as a decimal number or as a decimal number followed by the abbreviation for 1000, 1,000,000, or 1,000,000,000. Range:
  • Page 218 (M Series and T Series routers) 8000 through 100,000,000,000; (MX Series routers) 8000 through 18,446,744,073,709,551,615. NOTE: When you specify a numeric value beyond the supported bandwidth of the PFE, the router caps the bandwidth at the maximum supported bandwidth of the PFE.
  • Page 219: Bandwidth-Percent

    Single-rate two-color policing allows bursts of traffic for short periods, whereas single-rate and two-rate three-color policing allows more sustained bursts of traffic.
  • Page 220 Hierarchical policing is a form of two-color policing that applies different policing actions based on whether the packets are classified for expedited forwarding (EF) or for a lower priority. You apply a hierarchical policer to ingress Layer 2 traffic to allow bursts of EF traffic for short periods and bursts of non-EF traffic for short periods, with EF traffic always taking precedence over non-EF traffic.
  • Page 221: Burst-Size-Limit (Policer)

    You apply a hierarchical policer to ingress Layer 2 traffic to allow bursts of EF traffic for short periods and bursts of non-EF traffic for short periods, with EF traffic always taking precedence over non-EF traffic.
  • Page 222: Table 12: Bandwidth Limits And Token Rates

    Table 12 on page 204 summarizes the relationship between the bandwidth-limit and the token arrival rate. This information is useful in calculating the minimum burst-size-limit. Table 12: Bandwidth Limits and Token Rates. Bandwidth Limit...
  • Page 223 Policer Bandwidth and Burst-Size Limits; Policer Color-Marking and Actions on page 18; Single Token Bucket Algorithm on page 20; Determining Proper Burst Size for Traffic Policers on page 30; bandwidth-limit (Policer) on page 199; bandwidth-percent on page 201
  • Page 224: Color-Aware

    color-aware. Syntax: color-aware; Hierarchy Level: [edit dynamic-profiles profile-name firewall three-color-policer name single-rate], [edit dynamic-profiles profile-name firewall three-color-policer name two-rate], [edit firewall three-color-policer policer-name single-rate], [edit firewall three-color-policer policer-name two-rate] Release Information: Statement introduced in Junos OS Release 7.4.
  • Page 225: Color-Blind

    Required Privilege Level: firewall-control—To add this statement to the configuration. Related Documentation: Three-Color Policer Configuration Overview on page 145; Color Modes for Three-Color Policers on page 150; color-aware on page 206
  • Page 226: Committed-Burst-Size

    committed-burst-size. Syntax: committed-burst-size bytes; Hierarchy Level: [edit dynamic-profiles profile-name firewall three-color-policer name single-rate], [edit dynamic-profiles profile-name firewall three-color-policer name two-rate], [edit firewall three-color-policer policer-name single-rate], [edit firewall three-color-policer policer-name two-rate] Release Information: Statement introduced in Junos OS Release 7.4.
  • Page 227 Policer Color-Marking and Actions on page 18; Dual Token Bucket Algorithms on page 22; Determining Proper Burst Size for Traffic Policers on page 30; committed-information-rate on page 210; excess-burst-size on page 212; peak-burst-size on page 227; peak-information-rate on page 229
  • Page 228: Committed-Information-Rate

    committed-information-rate. Syntax: committed-information-rate bps; Hierarchy Level: [edit dynamic-profiles profile-name firewall three-color-policer name single-rate], [edit dynamic-profiles profile-name firewall three-color-policer name two-rate], [edit firewall three-color-policer policer-name single-rate], [edit firewall three-color-policer policer-name two-rate] Release Information: Statement introduced in Junos OS Release 7.4.
  • Page 229 Policer Color-Marking and Actions on page 18; Dual Token Bucket Algorithms on page 22; Determining Proper Burst Size for Traffic Policers on page 30; committed-burst-size on page 208; excess-burst-size on page 212; peak-burst-size on page 227; peak-information-rate on page 229
  • Page 230: Excess-Burst-Size

    excess-burst-size. Syntax: excess-burst-size bytes; Hierarchy Level: [edit dynamic-profiles profile-name firewall three-color-policer name single-rate], [edit firewall three-color-policer policer-name single-rate] Release Information: Statement introduced in Junos OS Release 7.4. Support at the [edit dynamic-profiles ... single-rate] hierarchy level introduced in Junos OS Release 11.4.
  • Page 231: Filter-Specific

    Required Privilege Level: interface-control—To add this statement to the configuration. Related Documentation: Filter-Specific Policer Overview on page 85; Prefix-Specific Counting and Policing Overview on page 97; Filter-Specific Counter and Policer Set Overview on page 100
  • Page 232: Hierarchical-Policer

    hierarchical-policer. List of Syntax: Syntax (M Series, MX Series, T Series - Bandwidth-Based) on page 214; Syntax (MX Series - Packets-Per-Second (pps)-Based) on page 214. Syntax (M Series, MX hierarchical-policer hierarchical-policer-name | uid {...
  • Page 233 Related Documentation: Hierarchical Policer Configuration Overview; Hierarchical Policers; aggregate (Hierarchical Policer); bandwidth-limit (Hierarchical Policer); burst-size-limit (Hierarchical Policer); pps-limit (Hierarchical Policer); packet-burst (Hierarchical Policer); if-exceeding (Hierarchical Policer); if-exceeding-pps (Hierarchical Policer); premium (Hierarchical Policer)
  • Page 234: If-Exceeding (Policer)

    if-exceeding (Policer). Syntax: if-exceeding { (bandwidth-limit bps | bandwidth-percent number); burst-size-limit bytes; } Hierarchy Level: [edit dynamic-profiles profile-name firewall policer policer-name], [edit firewall policer policer-name], [edit logical-systems logical-system-name firewall policer policer-name] Release Information: Statement introduced before Junos OS Release 7.4.
  • Page 235: Input-Hierarchical-Policer

    Options: policer-name—Name of the hierarchical policer. Required Privilege Level: interface—To view this statement in the configuration; interface-control—To add this statement to the configuration. Related Documentation: Hierarchical Policers; layer2-policer (Hierarchical Policer)
  • Page 236: Input-Policer

    input-policer. Syntax: input-policer policer-name; Hierarchy Level: [edit interfaces interface-name unit logical-unit-number layer2-policer], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number layer2-policer] Release Information: Statement introduced in Junos OS Release 8.2. Statement introduced in Junos OS Release 12.3R2 for EX Series switches.
  • Page 237: Input-Three-Color

    Related Documentation: Applying Layer 2 Policers to Gigabit Ethernet Interfaces; Configuring a Gigabit Ethernet Policer; input-policer on page 218; layer2-policer on page 220; logical-interface-policer on page 222; output-policer on page 225; output-three-color on page 226
  • Page 238: Layer2-Policer

    layer2-policer. Syntax: layer2-policer { input-policer policer-name; input-three-color policer-name; output-policer policer-name; output-three-color policer-name; } Hierarchy Level: [edit interfaces interface-name unit logical-unit-number], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number] Release Information: Statement introduced in Junos OS Release 8.2.
  • Page 239: Load-Balance-Group

    Required Privilege Level: interface-control—To add this statement to the configuration. Related Documentation: Bandwidth Policers on page 75; Configuring Policers Based on Logical Interface Bandwidth; bandwidth-percent statement on page 201; interface-specific statement
  • Page 240: Logical-Interface-Policer

    logical-interface-policer. Syntax: logical-interface-policer; Hierarchy Level: [edit dynamic-profiles profile-name firewall policer policer-name], [edit dynamic-profiles profile-name firewall three-color-policer name], [edit firewall atm-policer atm-policer-name], [edit firewall policer policer-name], [edit firewall policer policer-template-name], [edit firewall three-color-policer policer-name], [edit logical-systems logical-system-name firewall...
  • Page 241: Loss-Priority (Firewall Filter Action)

    Required Privilege Level: interface-control—To add this statement to the configuration. Related Documentation: Firewall Filter Nonterminating Actions; Policer Color-Marking and Actions on page 18; Multifield Classification Overview on page 115
  • Page 242: Loss-Priority High Then Discard (Three-Color Policer)

    loss-priority high then discard (Three-Color Policer). Syntax: loss-priority high then discard; Hierarchy Level: [edit dynamic-profiles profile-name firewall three-color-policer name action], [edit firewall three-color-policer policer-name action], [edit logical-systems logical-system-name firewall three-color-policer policer-name action] Release Information: Statement introduced before Junos OS Release 8.2.
  • Page 243: Output-Policer

    Related Documentation: Applying Layer 2 Policers to Gigabit Ethernet Interfaces; Configuring a Gigabit Ethernet Policer; input-policer on page 218; input-three-color on page 219; layer2-policer on page 220; logical-interface-policer on page 222; output-three-color on page 226
  • Page 244: Output-Three-Color

    output-three-color. Syntax: output-three-color policer-name; Hierarchy Level: [edit interfaces interface-name unit logical-unit-number layer2-policer], [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number layer2-policer] Release Information: Statement introduced in Junos OS Release 8.2. Statement introduced in Junos OS Release 12.3R2 for EX Series switches.
  • Page 245: Peak-Burst-Size

    Range: 1500 through 100,000,000,000 bytes. Required Privilege Level: firewall—To view this statement in the configuration; firewall-control—To add this statement to the configuration. Related Documentation: Three-Color Policer Configuration Overview on page 145; Policer Bandwidth and Burst-Size Limits
  • Page 246 Policer Color-Marking and Actions on page 18; Dual Token Bucket Algorithms on page 22; Determining Proper Burst Size for Traffic Policers on page 30; committed-burst-size on page 208; committed-information-rate on page 210; excess-burst-size on page 212; peak-information-rate on page 229
  • Page 247: Peak-Information-Rate

    1500 through 100,000,000,000 bps on EX, M, and T Series routers; 1500 through 18,446,744,073,709,551,615 bps on MX Series routers. Required Privilege Level: firewall—To view this statement in the configuration; firewall-control—To add this statement to the configuration.
  • Page 248: Physical-Interface-Filter

    Related Documentation: Three-Color Policer Configuration Overview on page 145; Policer Bandwidth and Burst-Size Limits; Policer Color-Marking and Actions on page 18; Dual Token Bucket Algorithms on page 22; Determining Proper Burst Size for Traffic Policers on page 30...
  • Page 249: Physical-Interface-Policer

    In contrast, with logical interface policers there are multiple separate policer instances. Required Privilege Level: interface—To view this statement in the configuration; interface-control—To add this statement to the configuration. Related Documentation: Two-Color and Three-Color Physical Interface Policers on page 185; physical-interface-filter on page 230
  • Page 250: Policer (Applying To A Logical Interface)

    policer (Applying to a Logical Interface). Syntax: policer { input policer-name; output policer-name; } Hierarchy Level: [edit interfaces interface-name unit unit-number], [edit interfaces interface-name unit unit-number family family], [edit logical-systems logical-system-name interfaces interface-name unit unit-number],...
  • Page 251: Policer (Configuring)

    (-), and can be up to 255 characters long. To include spaces in the name, enclose it in quotation marks (“ ”). Policer names cannot begin with an underscore in the form __.*. then—Actions to take on matching packets.
  • Page 252: Policer (Firewall Filter Action)

    The remaining statements are explained separately. Required Privilege Level: firewall—To view this statement in the configuration; firewall-control—To add this statement to the configuration. Related Documentation: Bandwidth Policer Overview on page 75; Configuring Firewall Filters and Policers for VPLS...
  • Page 253: Prefix-Action (Configuring)

    subnet-prefix-length prefix-length—Subnet prefix length. Range: 0 through 32. Required Privilege Level: firewall—To view this statement in the configuration; firewall-control—To add this statement to the configuration. Related Documentation: Prefix-Specific Counting and Policing Actions on page 97
  • Page 254: Prefix-Action (Firewall Filter Action)

    prefix-action (Firewall Filter Action). Syntax: prefix-action prefix-action-name; Hierarchy Level: [edit firewall family inet filter filter-name term term-name then], [edit logical-systems logical-system-name firewall family inet filter filter-name term term-name then] Release Information: Statement introduced before Junos OS Release 7.4.
  • Page 255: Single-Rate

    Required Privilege Level: firewall-control—To add this statement to the configuration. Related Documentation: Three-Color Policer Configuration Overview on page 145; color-aware on page 206; color-blind on page 207; two-rate on page 240
  • Page 256: Three-Color-Policer (Applying)

    three-color-policer (Applying). Syntax: three-color-policer { (single-rate | two-rate) policer-name; } Hierarchy Level: [edit firewall family family-name filter filter-name term term-name then], [edit logical-systems logical-system-name firewall family family-name filter filter-name term term-name then] Release Information: Statement introduced in Junos OS Release 7.4.
  • Page 257: Three-Color-Policer (Configuring)

    Required Privilege Level: firewall-control—To add this statement to the configuration. Related Documentation: Configuring and Applying Tricolor Marking Policers; Three-Color Policer Configuration Guidelines on page 149; Basic Single-Rate Three-Color Policers on page 153
  • Page 258: Two-Rate

    Basic Two-Rate Three-Color Policers on page 161; Two-Color and Three-Color Logical Interface Policers on page 171; Two-Color and Three-Color Physical Interface Policers on page 185; Two-Color and Three-Color Policers at Layer 2 on page 39...
  • Page 259: Firewall Filter And Policer Operational Mode Commands

    CHAPTER 19 Firewall Filter and Policer Operational Mode Commands: clear firewall; show firewall; show firewall filter version; show firewall log; show firewall prefix-action-stats; show policer
  • Page 260: Clear Firewall

    clear firewall. List of Syntax: Syntax on page 242; Syntax (EX Series Switches) on page 242. Syntax: clear firewall (all | counter counter-name | filter filter-name | log (all | logical-system-name) | logical-system logical-system-name)
  • Page 261: Firewall Filter And Policer Operational Mode Commands

    clear firewall (filter filter-name): user@host> clear firewall filter ingress-port-filter. clear firewall (policer counter all) (EX8200 Switch): user@switch> clear firewall policer counter all. clear firewall (policer counter counter-id counter-index) (EX8200 Switch): user@switch> clear firewall policer counter counter-id 0
  • Page 262: Show Firewall

    show firewall. List of Syntax: Syntax on page 244; Syntax (EX Series Switches) on page 244. Syntax: show firewall <counter counter-name> <detail> <filter (filter-name | regex regular-expression)> <log> <logical-system (all | logical-system-name)> <terse>...
  • Page 263 Output Fields: Table 13 on page 246 lists the output fields for the show firewall command. Output fields are listed in the approximate order in which they appear.
  • Page 264: Table 13: Show Firewall Output Fields

    Table 13: show firewall Output Fields (Field Name, Field Description). Filter: Name of a filter that has been configured with the filter statement at the [edit firewall] hierarchy level. Except on EX Series switches:...
  • Page 265 Transmitted packet statistics for traffic that is not discarded by the policer. When the policer action is discard, the statistics are the same as the in-spec statistics; when the policer action is non-discard (loss-priority or forwarding-class), the statistics are included in this counter.
  • Page 266 Sample Output: show firewall filter (MX Series Router and EX Series Switch) user@host> show firewall filter test Filter: test Counters: Name Bytes Packets Counter-1 Counter-2 Policers: Name Bytes Packets Policer-1 2770 show firewall filter (non MX Series Router and EX Series Switch) user@host>...
  • Page 267 Policer Counter Index 2: Bytes Packets Green: Yellow: Discard: show firewall policer counters (detail) (EX8200 Switch) user@switch> show firewall policer counters detail Policer Counter Index 0: Bytes Packets Green: 15914 Yellow: 1962 Discard: 25942
  • Page 268 Filter name / Term name / Policer name: myfilter / polcr-term-1 / myfilter-polcr-1; inet-filter-ae / ae-snmp / policer-1; inet-filter-ae / ae-ssh / policer-2. Policer Counter Index 1: Bytes Packets Green: Yellow: Discard: Filter name / Term name / Policer name. Policer Counter Index 2:...
  • Page 269: Show Firewall Filter Version

    Filter: Name of a filter configured with the filter statement at the [edit firewall] hierarchy level. Version: Display the version number of the firewall filter. Sample Output: show firewall filter version user@host> show firewall filter version Filter version information : Filter Version test
  • Page 270: Show Firewall Log

    show firewall log. List of Syntax: Syntax on page 252; Syntax (EX Series Switches) on page 252. Syntax: show firewall log <detail> <extensive> <interface interface-name> <logical-system (logical-system-name | all)> Syntax (EX Series show firewall log <detail>...
  • Page 271 Time of Log: 2004-10-13 10:37:17 PDT, Filter: f, Filter action: accept, Name of interface: fxp0.0 Name of protocol: TCP, Packet Length: 1020, Source address: 203.0.113.108:829, Destination address: 192.168.70.66:513 Time of Log: 2004-10-13 10:37:17 PDT, Filter: f, Filter action: accept, Name of
  • Page 272 interface: fxp0.0 Name of protocol: TCP, Packet Length: 49245, Source address: 203.0.113.108:829, Destination address: 192.168.70.66:513 Time of Log: 2004-10-13 10:37:17 PDT, Filter: f, Filter action: accept, Name of interface: fxp0.0 Name of protocol: TCP, Packet Length: 49245, Source address: 203.0.113.108:829, Destination address: 192.168.70.66:513...
  • Page 273: Show Firewall Prefix-Action-Stats

    Output Fields: Table 16 on page 256 lists the output fields for the show firewall prefix-action-stats command. Output fields are listed in the approximate order in which they appear.
  • Page 274: Table 16: Show Firewall Prefix-Action-Stats Output Fields

    Table 16: show firewall prefix-action-stats Output Fields (Field Name, Field Description). Filter: Filter name. Filters configured for logical systems include the name of the filter prefixed with the two underscore characters (__) and the name of...
  • Page 275: Show Policer

    For other combinations of policer type, device, and line card type, this field is blank. (T Series and M10i): Not applicable. The Bytes information is not displayed. Packets: Total number of packets policed by the specified policer.
  • Page 276 Table 17: show policer Output Fields (continued) (Field Name, Field Description). Policer detail: OOS packet statistics for packets that are marked out-of-specification by the policer. Changes to all packets that have out-of-specification actions, such as discard, color marking, or forwarding-class, are included in this counter.
  • Page 277 __policer_tmpl__-fc2 __policer_tmpl__-fc0 __policer_tmpl__-fc1 __policer_tmpl__-fc2 __policer_tmpl__-fc3 show policer detail user@host> show policer detail Policers: Name Bytes Packets __default_arp_policer__ Offered Transmitted P1-xe-1/0/0.0-inet-i 11329 Offered 111188 Transmitted 99859
