Juniper EX9200 Series Features Manual

Traffic Policers Feature Guide for EX9200

Switches

Release

16.2

Modified: 2016-11-02

Juniper Networks, Inc.

1133 Innovation Way

Sunnyvale, California 94089

USA

408-745-2000

www.juniper.net

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United

States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other

trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,

transfer, or otherwise revise this publication without notice.

Traffic Policers Feature Guide for EX9200 Switches

16.2

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the

year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks

software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at

http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of

that EULA.

Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Using the Examples in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Merging a Full Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Merging a Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

Part 1 Overview

Chapter 1 Understanding Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Controlling Network Access Using Traffic Policing Overview . . . . . . . . . . . . . . . . . . 3

Congestion Management for IP Traffic Flows . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Traffic Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Traffic Color Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Forwarding Classes and PLP Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Policer Application to Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Traffic Policer Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Single-Rate Two-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Basic Single-Rate Two-Color Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Logical Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Single-Rate Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Two-Rate Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Two-Color and Three-Color Policer Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Logical Interface (Aggregate) Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Physical Interface Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Policers Applied to Layer 2 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Multifield Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Order of Policer and Firewall Filter Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Understanding the Frame Length for Policing Packets . . . . . . . . . . . . . . . . . . . . . . 12

Chapter 2 Traffic Policing Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Supported Standards for Policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Chapter 3 Introduction to Configuring Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Guidelines for Applying Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Chapter 4 Configuring Policer Rate Limits and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Policer Bandwidth and Burst-Size Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Policer Color-Marking and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Single Token Bucket Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Token Bucket Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Single Token Bucket Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Conformance Measurement for Two-Color Marking . . . . . . . . . . . . . . . . . . . . 21

Dual Token Bucket Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Token Bucket Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Guaranteed Bandwidth for Three-Color Marking . . . . . . . . . . . . . . . . . . . . . . 22

Nonconformance Measurement for Single-Rate Three-Color Marking . . . . . 22

Nonconformance Measurement for Two-Rate Three-Color Marking . . . . . . . 23

Chapter 5 Implementing Traffic Policers on EX 9200 Switches . . . . . . . . . . . . . . . . . . . 25

Policer Implementation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Understanding the Benefits of Policers and Token Bucket Algorithms . . . . . . . . . 28

Scenario 1: Single TCP Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Scenario 2: Multiple TCP Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Determining Proper Burst Size for Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . 30

Policer Burst Size Limit Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Effect of Burst-Size Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Bursty Traffic Policed Without a Burst-Size Limit . . . . . . . . . . . . . . . . . . . 31

Burst-Size Limit Configured to Match Bandwidth Limit and Flow

Burstiness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Burst-Size Limit That Depletes All Accumulated Tokens . . . . . . . . . . . . . 31

Two Methods for Calculating Burst-Size Limit . . . . . . . . . . . . . . . . . . . . . . . . . 32

Calculation Based on Interface Bandwidth and Allowable Burst

Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Calculation Based on Interface Traffic MTU . . . . . . . . . . . . . . . . . . . . . . . 32

Comparison of the Two Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

10 x MTU Method for Selecting Initial Burst Size for Gigabit Ethernet

with 100 Kbps Bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

5 ms Method for Selecting Initial Burst Size for Gigabit Ethernet Interface

with 200 Mbps Bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

200 Mbps Bandwidth Limit, 5 ms Burst Duration . . . . . . . . . . . . . . . . . . 35

200 Mbps Bandwidth Limit, 600 ms Burst Duration . . . . . . . . . . . . . . . . 35

Part 2 Configuring Layer 2 Policers

Chapter 6 Two-Color and Three-Color Policers at Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . 39

Two-Color Policing at Layer 2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Guidelines for Configuring Two-Color Policing of Layer 2 Traffic . . . . . . . . . . 39

Statement Hierarchy for Configuring a Two-Color Policer for Layer 2

Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Statement Hierarchy for Applying a Two-Color Policer to Layer 2 Traffic . . . 40

Three-Color Policing at Layer 2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Guidelines for Configuring Three-Color Policing of Layer 2 Traffic . . . . . . . . . 41

Statement Hierarchy for Configuring a Three-Color Policer for Layer 2

Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Traffic Policers Feature Guide for EX9200 Switches

Statement Hierarchy for Applying a Three-Color Policer to Layer 2

Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Example: Configuring a Three-Color Logical Interface (Aggregate) Policer . . . . . 42

Part 3 Configuring Two-Color Traffic Policers at Layer 3

Two-Color Policer Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Chapter 7 Basic Single-Rate Two-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Single-Rate Two-Color Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Example: Limiting Inbound Traffic at Your Network Border by Configuring an

Ingress Single-Rate Two-Color Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Example: Configuring Interface and Firewall Filter Policers at the Same

Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Chapter 8 Bandwidth Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Bandwidth Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Guidelines for Configuring a Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . . . . 75

Guidelines for Applying a Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Example: Configuring a Logical Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . . . . 76

Chapter 9 Filter-Specific Counters and Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Filter-Specific Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Example: Configuring a Stateless Firewall Filter to Protect Against TCP and

ICMP Floods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Chapter 10 Prefix-Specific Counting and Policing Actions . . . . . . . . . . . . . . . . . . . . . . . . 97

Prefix-Specific Counting and Policing Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Separate Counting and Policing for Each IPv4 Address Range . . . . . . . . . . . . 97

Prefix-Specific Action Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Counter and Policer Set Size and Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Filter-Specific Counter and Policer Set Overview . . . . . . . . . . . . . . . . . . . . . . . . . 100

Example: Configuring Prefix-Specific Counting and Policing . . . . . . . . . . . . . . . . 100

Prefix-Specific Counting and Policing Configuration Scenarios . . . . . . . . . . . . . . 107

Prefix Length of the Action and Prefix Length of Addresses in Filtered

Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Scenario 1: Firewall Filter Term Matches on Multiple Addresses . . . . . . . . . . 109

Scenario 2: Subnet Prefix Is Longer Than the Prefix in the Filter Match

Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Scenario 3: Subnet Prefix Is Shorter Than the Prefix in the Firewall Filter

Match Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Chapter 11 Multifield Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Multifield Classification Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Forwarding Classes and PLP Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Multifield Classification and BA Classification . . . . . . . . . . . . . . . . . . . . . . . . 115

Multifield Classification Used In Conjunction with Policers . . . . . . . . . . . . . . 116

Multifield Classification Requirements and Restrictions . . . . . . . . . . . . . . . . . . . . 118

Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

CoS Tricolor Marking Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Table of Contents

Multifield Classification Limitations on M Series Routers . . . . . . . . . . . . . . . . . . . 119

Problem: Output-Filter Matching on Input-Filter Classification . . . . . . . . . . . 119

Workaround: Configure All Actions in the Ingress Filter . . . . . . . . . . . . . . . . . 120

Example: Configuring Multifield Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Example: Configuring and Applying a Firewall Filter for a Multifield Classifier . . . 127

Chapter 12 Policer Overhead to Account for Rate Shaping in the Traffic Manager . . . 135

Policer Overhead to Account for Rate Shaping Overview . . . . . . . . . . . . . . . . . . . 135

Example: Configuring Policer Overhead to Account for Rate Shaping . . . . . . . . . 135

Part 4 Configuring Three-Color Traffic Policers at Layer 3

Three-Color Policer Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

Chapter 13 Three-Color Policer Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . 149

Platforms Supported for Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Color Modes for Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Color-Blind Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Color-Aware Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Naming Conventions for Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Chapter 14 Basic Single-Rate Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Single-Rate Three-Color Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Example: Configuring a Single-Rate Three-Color Policer . . . . . . . . . . . . . . . . . . . 154

Chapter 15 Basic Two-Rate Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Two-Rate Three-Color Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Example: Configuring a Two-Rate Three-Color Policer . . . . . . . . . . . . . . . . . . . . . 162

Part 5 Configuring Logical and Physical Interface Traffic Policers at

Layer 3

Chapter 16 Two-Color and Three-Color Logical Interface Policers . . . . . . . . . . . . . . . . . 171

Logical Interface (Aggregate) Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Example: Configuring a Two-Color Logical Interface (Aggregate) Policer . . . . . . 172

Example: Configuring a Three-Color Logical Interface (Aggregate) Policer . . . . . 177

Chapter 17 Two-Color and Three-Color Physical Interface Policers . . . . . . . . . . . . . . . 185

Physical Interface Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Example: Configuring a Physical Interface Policer for Aggregate Traffic at a

Physical Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Part 6 Configuration Statements and Operational Commands

Chapter 18 Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

bandwidth-limit (Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

bandwidth-percent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

burst-size-limit (Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

color-aware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

color-blind . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

committed-burst-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

Traffic Policers Feature Guide for EX9200 Switches

committed-information-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

excess-burst-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

filter-specific . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

hierarchical-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

if-exceeding (Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

input-hierarchical-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

input-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

input-three-color . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

layer2-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

load-balance-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

logical-bandwidth-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

logical-interface-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

loss-priority (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

loss-priority high then discard (Three-Color Policer) . . . . . . . . . . . . . . . . . . . . . . 224

output-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

output-three-color . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

peak-burst-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

peak-information-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

physical-interface-filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

physical-interface-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

policer (Applying to a Logical Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

policer (Configuring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

policer (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

prefix-action (Configuring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

prefix-action (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

single-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

three-color-policer (Applying) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

three-color-policer (Configuring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

two-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240

Chapter 19 Firewall Filter and Policer Operational Mode Commands . . . . . . . . . . . . . . 241

clear firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

show firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

show firewall filter version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

show firewall log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

show firewall prefix-action-stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

show policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Table of Contents

Traffic Policers Feature Guide for EX9200 Switches

List of Figures

Part 1 Overview

Chapter 1 Understanding Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Figure 1: Network Traffic and Burst Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Figure 2: Incoming and Outgoing Policers and Firewall Filters . . . . . . . . . . . . . . . . 12

Chapter 5 Implementing Traffic Policers on EX 9200 Switches . . . . . . . . . . . . . . . . . . . 25

Figure 3: Token Bucket Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Figure 4: Traffic Behavior Using Policer and Burst Size . . . . . . . . . . . . . . . . . . . . . . 27

Figure 5: Policer Behavior with a Single TCP Connection . . . . . . . . . . . . . . . . . . . . 29

Figure 6: Policer Behavior with Background Traffic (Multiple TCP

Connections) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Figure 7: Bursty Traffic Without Configured Burst Size (Excessive Unused

Bandwidth) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Figure 8: Bursty Traffic with Configured Burst Size (Less Unused Bandwidth) . . . 31

Figure 9: Comparing Burst Size Calculation Methods . . . . . . . . . . . . . . . . . . . . . . . 33

Part 3 Configuring Two-Color Traffic Policers at Layer 3

Chapter 7 Basic Single-Rate Two-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Figure 10: Single-Rate Two-Color Policer Scenario . . . . . . . . . . . . . . . . . . . . . . . . 58

Figure 11: Traffic Limiting in a Single-Rate Two-Color Policer Scenario . . . . . . . . . 59

Chapter 9 Filter-Specific Counters and Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Figure 12: Firewall Filter to Protect Against TCP and ICMP Floods . . . . . . . . . . . . . 87

Chapter 11 Multifield Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Figure 13: Multifield Classifier Based on TCP Source Ports . . . . . . . . . . . . . . . . . . 128

Figure 14: Multifield Classifier Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Traffic Policers Feature Guide for EX9200 Switches

List of Tables

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Part 1 Overview

Chapter 1 Understanding Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Table 3: Policer Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Table 4: Packet Lengths Considered for Traffic Policers . . . . . . . . . . . . . . . . . . . . . 12

Chapter 4 Configuring Policer Rate Limits and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Table 5: Policer Bandwidth Limits and Burst-Size Limits . . . . . . . . . . . . . . . . . . . . 17

Table 6: Implicit and Configurable Policer Actions Based on Color Marking . . . . . 18

Part 3 Configuring Two-Color Traffic Policers at Layer 3

Table 7: Two-Color Policer Configuration and Application Overview . . . . . . . . . . 49

Chapter 10 Prefix-Specific Counting and Policing Actions . . . . . . . . . . . . . . . . . . . . . . . . 97

Table 8: Examples of Counter and Policer Set Size and Indexing . . . . . . . . . . . . . 99

Table 9: Summary of Prefix-Specific Action Scenarios . . . . . . . . . . . . . . . . . . . . . 107

Part 4 Configuring Three-Color Traffic Policers at Layer 3

Table 10: Three-Color Policer Configuration and Application Overview . . . . . . . . 145

Chapter 13 Three-Color Policer Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . 149

Table 11: Recommended Naming Convention for Policers . . . . . . . . . . . . . . . . . . 152

Part 6 Configuration Statements and Operational Commands

Chapter 18 Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Table 12: Bandwidth Limits and Token Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Chapter 19 Firewall Filter and Policer Operational Mode Commands . . . . . . . . . . . . . . 241

Table 13: show firewall Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

Table 14: show firewall filter version Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 251

Table 15: show firewall log Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

Table 16: show firewall prefix-action-stats Output Fields . . . . . . . . . . . . . . . . . . 256

Table 17: show policer Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Traffic Policers Feature Guide for EX9200 Switches

About the Documentation

•

Documentation and Release Notes on page xiii

•

Supported Platforms on page xiii

•

Using the Examples in This Manual on page xiii

•

Documentation Conventions on page xv

•

Documentation Feedback on page xvii

•

Requesting Technical Support on page xvii

Documentation and Release Notes

To obtain the most current version of all Juniper Networks

®

technical documentation,

see the product documentation page on the Juniper Networks website at

http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the

documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject

matter experts. These books go beyond the technical documentation to explore the

nuances of network architecture, deployment, and administration. The current list can

be viewed at http://www.juniper.net/books.

Supported Platforms

For the features described in this document, the following platforms are supported:

•

EX Series

Using the Examples in This Manual

If you want to use the examples in this manual, you can use the load merge or the load

merge relative command. These commands cause the software to merge the incoming

configuration into the current candidate configuration. The example does not become

active until you commit the candidate configuration.

If the example configuration contains the top level of the hierarchy (or multiple

hierarchies), the example is a full example. In this case, use the load merge command.

If the example configuration does not start at the top level of the hierarchy, the example

is a snippet. In this case, use the load merge relative command. These procedures are

described in the following sections.

Merging a Full Example

To merge a full example, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration example into a

text file, save the file with a name, and copy the file to a directory on your routing

platform.

For example, copy the following configuration to a file and name the file ex-script.conf.

Copy the ex-script.conf file to the /var/tmp directory on your routing platform.

system {

scripts {

commit {

file ex-script.xsl;

}

interfaces {

fxp0 {

disable;

unit 0 {

family inet {

address 10.0.0.1/24;

}

2. Merge the contents of the file into your routing platform configuration by issuing the

load merge configuration mode command:

[edit]

user@host# load merge /var/tmp/ex-script.conf

load complete

Merging a Snippet

To merge a snippet, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration snippet into a text

file, save the file with a name, and copy the file to a directory on your routing platform.

For example, copy the following snippet to a file and name the file

ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory

on your routing platform.

commit {

file ex-script-snippet.xsl; }

2. Move to the hierarchy level that is relevant for this snippet by issuing the following

configuration mode command:

Traffic Policers Feature Guide for EX9200 Switches

[edit]

user@host# edit system scripts

[edit system scripts]

3. Merge the contents of the file into your routing platform configuration by issuing the

load merge relative configuration mode command:

[edit system scripts]

user@host# load merge relative /var/tmp/ex-script-snippet.conf

load complete

For more information about the load command, see CLI Explorer.

Documentation Conventions

Table 1 on page xv defines notice icons used in this guide.

Table 1: Notice Icons

DescriptionMeaningIcon

Indicates important features or instructions.Informational note

Indicates a situation that might result in loss of data or hardware damage.Caution

Alerts you to the risk of personal injury or death.Warning

Alerts you to the risk of personal injury from a laser.Laser warning

Indicates helpful information.Tip

Alerts you to a recommended use or implementation.Best practice

Table 2 on page xv defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

ExamplesDescriptionConvention

To enter configuration mode, type the

configure command:

user@host> configure

Represents text that you type.Bold text like this

About the Documentation

Table 2: Text and Syntax Conventions (continued)

ExamplesDescriptionConvention

user@host> show chassis alarms

No alarms currently active

Represents output that appears on the

terminal screen.

Fixed-width text like this

•

A policy term is a named structure

that defines match conditions and

actions.

•

Junos OS CLI User Guide

•

RFC 1997, BGP Communities Attribute

•

Introduces or emphasizes important

new terms.

•

Identifies guide names.

•

Identifies RFC and Internet draft titles.

Italic text like this

Configure the machine’s domain name:

[edit]

root@# set system domain-name

domain-name

Represents variables (options for which

you substitute a value) in commands or

configuration statements.

Italic text like this

•

To configure a stub area, include the

stub statement at the [edit protocols

ospf area area-id] hierarchy level.

•

The console port is labeled CONSOLE.

Represents names of configuration

statements, commands, files, and

directories; configuration hierarchy levels;

or labels on routing platform

components.

Text like this

stub <default-metric metric>;Encloses optional keywords or variables.< > (angle brackets)

broadcast | multicast

(string1 | string2 | string3)

Indicates a choice between the mutually

exclusive keywords or variables on either

side of the symbol. The set of choices is

often enclosed in parentheses for clarity.

| (pipe symbol)

rsvp { # Required for dynamic MPLS onlyIndicates a comment specified on the

same line as the configuration statement

to which it applies.

# (pound sign)

community name members [

community-ids ]

Encloses a variable for which you can

substitute one or more values.

[ ] (square brackets)

[edit]

routing-options {

static {

route default {

nexthop address;

retain;

}

Identifies a level in the configuration

hierarchy.

Indention and braces ( { } )

Identifies a leaf statement at a

configuration hierarchy level.

; (semicolon)

GUI Conventions

•

In the Logical Interfaces box, select

All Interfaces.

•

To cancel the configuration, click

Cancel.

Represents graphical user interface (GUI)

items you click or select.

Bold text like this

Traffic Policers Feature Guide for EX9200 Switches

Table 2: Text and Syntax Conventions (continued)

ExamplesDescriptionConvention

In the configuration editor hierarchy,

select Protocols>Ospf.

Separates levels in a hierarchy of menu

selections.

> (bold right angle bracket)

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can

improve the documentation. You can provide feedback by using either of the following

methods:

•

Online feedback rating system—On any page of the Juniper Networks TechLibrary site

at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content,

and use the pop-up form to provide us with information about your experience.

Alternately, you can use the online feedback form at

http://www.juniper.net/techpubs/feedback/.

•

E-mail—Send your comments to techpubs-comments@juniper.net. Include the document

or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance

Center (JTAC). If you are a customer with an active J-Care or Partner Support Service

support contract, or are covered under warranty, and need post-sales technical support,

you can access our tools and resources online or open a case with JTAC.

•

JTAC policies—For a complete understanding of our JTAC procedures and policies,

review the JTAC User Guide located at

http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

•

Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/.

•

JTAC hours of operation—The JTAC centers have resources available 24 hours a day,

7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online

self-service portal called the Customer Support Center (CSC) that provides you with the

following features:

•

Find CSC offerings: http://www.juniper.net/customers/support/

•

Search for known bugs: http://www2.juniper.net/kb/

•

Find product documentation: http://www.juniper.net/techpubs/

•

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

About the Documentation

•

Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

•

Search technical bulletins for relevant hardware and software notifications:

http://kb.juniper.net/InfoCenter/

•

Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

•

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement

(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

•

Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

•

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see

http://www.juniper.net/support/requesting-support.html.

Traffic Policers Feature Guide for EX9200 Switches

PART 1

Overview

•

Understanding Traffic Policers on page 3

•

Traffic Policing Standards on page 13

•

Introduction to Configuring Policers on page 15

Traffic Policers Feature Guide for EX9200 Switches

Page is loading ...

Juniper EX9200 Series Features Manual

Juniper EX9200 Series Features Manual

Related papers

Other documents