Understanding The Use Of Policers In Firewall Filters - Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual

For EX Series Ethernet Switches

Chapter 106: Firewall Filters—Overview

source-port—Specify the match

If you do not specify the protocol when using the preceding fields, design your filters carefully to ensure that they perform the expected matches. For example, if you specify a match of destination-port ssh without also specifying protocol tcp or protocol udp, the switch deterministically matches any packets that have a value of 22 in the two-byte field that is two bytes beyond the end of the IP header, without ever checking the IP protocol field.

Related Documentation

Firewall Filters for EX Series Switches Overview on page 3225
Understanding Firewall Filter Match Conditions on page 3255
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 3261

Understanding the Use of Policers in Firewall Filters

Policing, or rate limiting, is an important component of firewall filters that lets you control the amount of traffic that enters an interface.

A single firewall filter configured with a policer permits only traffic at specified data rates, to provide protection from denial-of-service (DoS) attacks. Traffic that exceeds the rate limits specified by the policer can be discarded. Discard is the only supported policer action. Typically, traffic that exceeds the rate limits specified by the policer is either discarded or marked as lower priority than traffic that meets the rate limits specified by the policer. When necessary, low-priority traffic can be discarded by the switch to prevent congestion.

A policer applies two types of rate limits on traffic:

Bandwidth—The number of bits per second permitted, on average.
Maximum burst size—The maximum size permitted for bursts of data that exceed the given bandwidth limit.

Policing uses an algorithm to enforce a limit on average bandwidth while allowing bursts up to a specified maximum value. You can define specific classes of traffic on an interface and apply a set of rate limits to each class. After you name and configure a policer, it is stored as a template. You can then use a policer in a firewall filter configuration.

Each policer that you configure includes an implicit counter that counts the number of packets that exceed the rate limits that are specified for the policer. To get filter-specific or term-specific packet counts, you must configure a new policer for each filter or term that requires policing.

Related Documentation

Firewall Filters for EX Series Switches Overview on page 3225
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 3261
Firewall Filter Match Conditions and Actions for EX Series Switches on page 3233

Copyright © 2010, Juniper Networks, Inc.
3259
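The following is an added example, not Juniper code or text from the manual, that models the bandwidth and maximum burst size limits described above and shows why a separate policer is needed per term to obtain term-specific exceed counts. It assumes a single-rate token bucket (the manual only says policing uses "an algorithm"), a constructed packet trace, and hypothetical names (Policer, run_filter, the port-to-policer terms).

```python
# Token-bucket model of a firewall-filter policer (added example, not Juniper
# code). Assumption: the manual only says policing uses "an algorithm"; a
# single-rate token bucket is assumed, with the bandwidth limit as the refill
# rate and the maximum burst size as the bucket depth.
from dataclasses import dataclass, field

@dataclass
class Policer:
    """One named policer: a token bucket plus the implicit exceed counter."""
    bandwidth_bps: int                       # average rate permitted, bits/s
    burst_bytes: int                         # maximum burst size, bytes
    tokens: float = field(init=False)
    last_us: int = field(init=False, default=0)
    exceeded: int = field(init=False, default=0)   # implicit counter

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)       # bucket starts full

    def police(self, time_us: int, length: int) -> bool:
        """True if the packet conforms, False if it is discarded."""
        elapsed = time_us - self.last_us             # trace is time-ordered
        self.last_us = time_us
        refill = elapsed * self.bandwidth_bps / 8_000_000   # bytes per us
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        if length <= self.tokens:
            self.tokens -= length
            return True
        self.exceeded += 1                           # discard is the only action
        return False

def run_filter(terms: dict, policers: dict, trace: list) -> dict:
    """Each term maps a destination port to a policer name; returns the
    per-policer exceed counts after the whole trace has been policed."""
    for time_us, dport, length in trace:
        policers[terms[dport]].police(time_us, length)
    return {name: p.exceeded for name, p in policers.items()}

# Constructed trace: (time in microseconds, destination port, bytes). Ten
# 1000-byte SSH packets arrive at once, then HTTP and SSH alternate.
TRACE = [(0, 22, 1000)] * 10 + [(1000, 80, 1000), (1500, 22, 1000), (2500, 80, 1000)]

def shared_policer() -> dict:
    """Both terms reference one policer: bucket and counter are shared."""
    p = Policer(bandwidth_bps=8_000_000, burst_bytes=3000)   # 1 byte per us
    return run_filter({22: "limit", 80: "limit"}, {"limit": p}, TRACE)

def per_term_policers() -> dict:
    """A separate policer per term gives term-specific exceed counts."""
    pols = {"ssh": Policer(8_000_000, 3000), "http": Policer(8_000_000, 3000)}
    return run_filter({22: "ssh", 80: "http"}, pols, TRACE)
```

With the shared policer the single counter reports 8 exceeding packets and cannot say which term produced them, and the HTTP packet at 1000 us consumes tokens that the later SSH packet then lacks; with one policer per term the SSH counter reports 7 and the HTTP counter 0.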
