Juniper EX9200 Series Features Manual

Traffic Policers Feature Guide for EX9200 Switches
Release 16.2
Modified: 2016-11-02
Copyright © 2016, Juniper Networks, Inc.
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
Traffic Policers Feature Guide for EX9200 Switches
16.2
Copyright © 2016, Juniper Networks, Inc.
All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of
that EULA.
Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Using the Examples in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Merging a Full Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Merging a Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Part 1 Overview
Chapter 1 Understanding Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Controlling Network Access Using Traffic Policing Overview . . . . . . . . . . . . . . . . . . 3
Congestion Management for IP Traffic Flows . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Traffic Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Traffic Color Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Forwarding Classes and PLP Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Policer Application to Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Traffic Policer Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Single-Rate Two-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Basic Single-Rate Two-Color Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Logical Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Single-Rate Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Two-Rate Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Two-Color and Three-Color Policer Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Logical Interface (Aggregate) Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Physical Interface Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Policers Applied to Layer 2 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Multifield Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Order of Policer and Firewall Filter Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Understanding the Frame Length for Policing Packets . . . . . . . . . . . . . . . . . . . . . . 12
Chapter 2 Traffic Policing Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Supported Standards for Policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Chapter 3 Introduction to Configuring Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Guidelines for Applying Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Chapter 4 Configuring Policer Rate Limits and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Policer Bandwidth and Burst-Size Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Policer Color-Marking and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Single Token Bucket Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Token Bucket Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Single Token Bucket Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Conformance Measurement for Two-Color Marking . . . . . . . . . . . . . . . . . . . . 21
Dual Token Bucket Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Token Bucket Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Guaranteed Bandwidth for Three-Color Marking . . . . . . . . . . . . . . . . . . . . . . 22
Nonconformance Measurement for Single-Rate Three-Color Marking . . . . . 22
Nonconformance Measurement for Two-Rate Three-Color Marking . . . . . . . 23
Chapter 5 Implementing Traffic Policers on EX9200 Switches . . . . . . . . . . . . . . . . . . . 25
Policer Implementation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Understanding the Benefits of Policers and Token Bucket Algorithms . . . . . . . . . 28
Scenario 1: Single TCP Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Scenario 2: Multiple TCP Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Determining Proper Burst Size for Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . 30
Policer Burst Size Limit Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Effect of Burst-Size Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Bursty Traffic Policed Without a Burst-Size Limit . . . . . . . . . . . . . . . . . . . 31
Burst-Size Limit Configured to Match Bandwidth Limit and Flow Burstiness . . . . . . 31
Burst-Size Limit That Depletes All Accumulated Tokens . . . . . . . . . . . . . 31
Two Methods for Calculating Burst-Size Limit . . . . . . . . . . . . . . . . . . . . . . . . . 32
Calculation Based on Interface Bandwidth and Allowable Burst Time . . . . . . . . . 32
Calculation Based on Interface Traffic MTU . . . . . . . . . . . . . . . . . . . . . . . 32
Comparison of the Two Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
10 x MTU Method for Selecting Initial Burst Size for Gigabit Ethernet with 100 Kbps Bandwidth . . . 33
5 ms Method for Selecting Initial Burst Size for Gigabit Ethernet Interface with 200 Mbps Bandwidth . . . 34
200 Mbps Bandwidth Limit, 5 ms Burst Duration . . . . . . . . . . . . . . . . . . 35
200 Mbps Bandwidth Limit, 600 ms Burst Duration . . . . . . . . . . . . . . . . 35
Part 2 Configuring Layer 2 Policers
Chapter 6 Two-Color and Three-Color Policers at Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . 39
Two-Color Policing at Layer 2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Guidelines for Configuring Two-Color Policing of Layer 2 Traffic . . . . . . . . . . 39
Statement Hierarchy for Configuring a Two-Color Policer for Layer 2 Traffic . . . . . 39
Statement Hierarchy for Applying a Two-Color Policer to Layer 2 Traffic . . . 40
Three-Color Policing at Layer 2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Guidelines for Configuring Three-Color Policing of Layer 2 Traffic . . . . . . . . . 41
Statement Hierarchy for Configuring a Three-Color Policer for Layer 2 Traffic . . . . 41
Statement Hierarchy for Applying a Three-Color Policer to Layer 2 Traffic . . . . . . 42
Example: Configuring a Three-Color Logical Interface (Aggregate) Policer . . . . . 42
Part 3 Configuring Two-Color Traffic Policers at Layer 3
Two-Color Policer Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Chapter 7 Basic Single-Rate Two-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Single-Rate Two-Color Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Example: Limiting Inbound Traffic at Your Network Border by Configuring an Ingress Single-Rate Two-Color Policer . . . 56
Example: Configuring Interface and Firewall Filter Policers at the Same Interface . . . 64
Chapter 8 Bandwidth Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Bandwidth Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Guidelines for Configuring a Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . . . . 75
Guidelines for Applying a Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Example: Configuring a Logical Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . . . . 76
Chapter 9 Filter-Specific Counters and Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Filter-Specific Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods . . . 86
Chapter 10 Prefix-Specific Counting and Policing Actions . . . . . . . . . . . . . . . . . . . . . . . . 97
Prefix-Specific Counting and Policing Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Separate Counting and Policing for Each IPv4 Address Range . . . . . . . . . . . . 97
Prefix-Specific Action Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Counter and Policer Set Size and Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Filter-Specific Counter and Policer Set Overview . . . . . . . . . . . . . . . . . . . . . . . . . 100
Example: Configuring Prefix-Specific Counting and Policing . . . . . . . . . . . . . . . . 100
Prefix-Specific Counting and Policing Configuration Scenarios . . . . . . . . . . . . . . 107
Prefix Length of the Action and Prefix Length of Addresses in Filtered Packets . . . 107
Scenario 1: Firewall Filter Term Matches on Multiple Addresses . . . . . . . . . . 109
Scenario 2: Subnet Prefix Is Longer Than the Prefix in the Filter Match Condition . . . 110
Scenario 3: Subnet Prefix Is Shorter Than the Prefix in the Firewall Filter Match Condition . . . 111
Chapter 11 Multifield Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Multifield Classification Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Forwarding Classes and PLP Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Multifield Classification and BA Classification . . . . . . . . . . . . . . . . . . . . . . . . 115
Multifield Classification Used In Conjunction with Policers . . . . . . . . . . . . . . 116
Multifield Classification Requirements and Restrictions . . . . . . . . . . . . . . . . . . . . 118
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
CoS Tricolor Marking Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Multifield Classification Limitations on M Series Routers . . . . . . . . . . . . . . . . . . . 119
Problem: Output-Filter Matching on Input-Filter Classification . . . . . . . . . . . 119
Workaround: Configure All Actions in the Ingress Filter . . . . . . . . . . . . . . . . . 120
Example: Configuring Multifield Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Example: Configuring and Applying a Firewall Filter for a Multifield Classifier . . . 127
Chapter 12 Policer Overhead to Account for Rate Shaping in the Traffic Manager . . . 135
Policer Overhead to Account for Rate Shaping Overview . . . . . . . . . . . . . . . . . . . 135
Example: Configuring Policer Overhead to Account for Rate Shaping . . . . . . . . . 135
Part 4 Configuring Three-Color Traffic Policers at Layer 3
Three-Color Policer Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Chapter 13 Three-Color Policer Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . 149
Platforms Supported for Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Color Modes for Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Color-Blind Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Color-Aware Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Naming Conventions for Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Chapter 14 Basic Single-Rate Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Single-Rate Three-Color Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Example: Configuring a Single-Rate Three-Color Policer . . . . . . . . . . . . . . . . . . . 154
Chapter 15 Basic Two-Rate Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Two-Rate Three-Color Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Example: Configuring a Two-Rate Three-Color Policer . . . . . . . . . . . . . . . . . . . . . 162
Part 5 Configuring Logical and Physical Interface Traffic Policers at Layer 3
Chapter 16 Two-Color and Three-Color Logical Interface Policers . . . . . . . . . . . . . . . . . 171
Logical Interface (Aggregate) Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Example: Configuring a Two-Color Logical Interface (Aggregate) Policer . . . . . . 172
Example: Configuring a Three-Color Logical Interface (Aggregate) Policer . . . . . 177
Chapter 17 Two-Color and Three-Color Physical Interface Policers . . . . . . . . . . . . . . . 185
Physical Interface Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Example: Configuring a Physical Interface Policer for Aggregate Traffic at a Physical Interface . . . 187
Part 6 Configuration Statements and Operational Commands
Chapter 18 Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
bandwidth-limit (Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
bandwidth-percent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
burst-size-limit (Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
color-aware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
color-blind . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
committed-burst-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
committed-information-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
excess-burst-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
filter-specific . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
hierarchical-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
if-exceeding (Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
input-hierarchical-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
input-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
input-three-color . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
layer2-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
load-balance-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
logical-bandwidth-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
logical-interface-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
loss-priority (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
loss-priority high then discard (Three-Color Policer) . . . . . . . . . . . . . . . . . . . . . . 224
output-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
output-three-color . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
peak-burst-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
peak-information-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
physical-interface-filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
physical-interface-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
policer (Applying to a Logical Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
policer (Configuring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
policer (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
prefix-action (Configuring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
prefix-action (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
single-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
three-color-policer (Applying) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
three-color-policer (Configuring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
two-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Chapter 19 Firewall Filter and Policer Operational Mode Commands . . . . . . . . . . . . . . 241
clear firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
show firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
show firewall filter version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
show firewall log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
show firewall prefix-action-stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
show policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
List of Figures
Part 1 Overview
Chapter 1 Understanding Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Figure 1: Network Traffic and Burst Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Figure 2: Incoming and Outgoing Policers and Firewall Filters . . . . . . . . . . . . . . . . 12
Chapter 5 Implementing Traffic Policers on EX9200 Switches . . . . . . . . . . . . . . . . . . . 25
Figure 3: Token Bucket Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Figure 4: Traffic Behavior Using Policer and Burst Size . . . . . . . . . . . . . . . . . . . . . . 27
Figure 5: Policer Behavior with a Single TCP Connection . . . . . . . . . . . . . . . . . . . . 29
Figure 6: Policer Behavior with Background Traffic (Multiple TCP Connections) . . . 29
Figure 7: Bursty Traffic Without Configured Burst Size (Excessive Unused Bandwidth) . . . 31
Figure 8: Bursty Traffic with Configured Burst Size (Less Unused Bandwidth) . . . 31
Figure 9: Comparing Burst Size Calculation Methods . . . . . . . . . . . . . . . . . . . . . . . 33
Part 3 Configuring Two-Color Traffic Policers at Layer 3
Chapter 7 Basic Single-Rate Two-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Figure 10: Single-Rate Two-Color Policer Scenario . . . . . . . . . . . . . . . . . . . . . . . . 58
Figure 11: Traffic Limiting in a Single-Rate Two-Color Policer Scenario . . . . . . . . . 59
Chapter 9 Filter-Specific Counters and Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Figure 12: Firewall Filter to Protect Against TCP and ICMP Floods . . . . . . . . . . . . . 87
Chapter 11 Multifield Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Figure 13: Multifield Classifier Based on TCP Source Ports . . . . . . . . . . . . . . . . . . 128
Figure 14: Multifield Classifier Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Part 1 Overview
Chapter 1 Understanding Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 3: Policer Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Table 4: Packet Lengths Considered for Traffic Policers . . . . . . . . . . . . . . . . . . . . . 12
Chapter 4 Configuring Policer Rate Limits and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Table 5: Policer Bandwidth Limits and Burst-Size Limits . . . . . . . . . . . . . . . . . . . . 17
Table 6: Implicit and Configurable Policer Actions Based on Color Marking . . . . . 18
Part 3 Configuring Two-Color Traffic Policers at Layer 3
Table 7: Two-Color Policer Configuration and Application Overview . . . . . . . . . . 49
Chapter 10 Prefix-Specific Counting and Policing Actions . . . . . . . . . . . . . . . . . . . . . . . . 97
Table 8: Examples of Counter and Policer Set Size and Indexing . . . . . . . . . . . . . 99
Table 9: Summary of Prefix-Specific Action Scenarios . . . . . . . . . . . . . . . . . . . . . 107
Part 4 Configuring Three-Color Traffic Policers at Layer 3
Table 10: Three-Color Policer Configuration and Application Overview . . . . . . . . 145
Chapter 13 Three-Color Policer Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . 149
Table 11: Recommended Naming Convention for Policers . . . . . . . . . . . . . . . . . . 152
Part 6 Configuration Statements and Operational Commands
Chapter 18 Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Table 12: Bandwidth Limits and Token Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Chapter 19 Firewall Filter and Policer Operational Mode Commands . . . . . . . . . . . . . . 241
Table 13: show firewall Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Table 14: show firewall filter version Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 251
Table 15: show firewall log Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Table 16: show firewall prefix-action-stats Output Fields . . . . . . . . . . . . . . . . . . 256
Table 17: show policer Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
About the Documentation
Documentation and Release Notes on page xiii
Supported Platforms on page xiii
Using the Examples in This Manual on page xiii
Documentation Conventions on page xv
Documentation Feedback on page xvii
Requesting Technical Support on page xvii
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Supported Platforms
For the features described in this document, the following platforms are supported:
EX Series
Using the Examples in This Manual
If you want to use the examples in this manual, you can use the load merge or the load
merge relative command. These commands cause the software to merge the incoming
configuration into the current candidate configuration. The example does not become
active until you commit the candidate configuration.
If the example configuration contains the top level of the hierarchy (or multiple
hierarchies), the example is a full example. In this case, use the load merge command.
If the example configuration does not start at the top level of the hierarchy, the example
is a snippet. In this case, use the load merge relative command. These procedures are
described in the following sections.
Merging a Full Example
To merge a full example, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration example into a
text file, save the file with a name, and copy the file to a directory on your routing
platform.
For example, copy the following configuration to a file and name the file ex-script.conf.
Copy the ex-script.conf file to the /var/tmp directory on your routing platform.
system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
2. Merge the contents of the file into your routing platform configuration by issuing the
load merge configuration mode command:
[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete
Merging a Snippet
To merge a snippet, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration snippet into a text
file, save the file with a name, and copy the file to a directory on your routing platform.
For example, copy the following snippet to a file and name the file
ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory
on your routing platform.
commit {
    file ex-script-snippet.xsl;
}
2. Move to the hierarchy level that is relevant for this snippet by issuing the following
configuration mode command:
[edit]
user@host# edit system scripts
[edit system scripts]
3. Merge the contents of the file into your routing platform configuration by issuing the
load merge relative configuration mode command:
[edit system scripts]
user@host# load merge relative /var/tmp/ex-script-snippet.conf
load complete
For more information about the load command, see CLI Explorer.
Documentation Conventions
Table 1 on page xv defines notice icons used in this guide.
Table 1: Notice Icons

Icon (Meaning): Description
(The icons themselves are images and are not reproduced here; each row gives the icon's meaning and its description.)

Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Tip: Indicates helpful information.
Best practice: Alerts you to a recommended use or implementation.
Table 2 on page xv defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Each entry lists the convention, its description, and one or more examples.

Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description: Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles.
Examples:
    A policy term is a named structure that defines match conditions and actions.
    Junos OS CLI User Guide
    RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
    To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Example: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Example: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example: community name members [ community-ids ]

Convention: Indentation and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Example for indentation, braces, and semicolons:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
    In the Logical Interfaces box, select All Interfaces.
    To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
Online feedback rating system—On any page of the Juniper Networks TechLibrary site
at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content,
and use the pop-up form to provide us with information about your experience.
Alternately, you can use the online feedback form at
http://www.juniper.net/techpubs/feedback/.
E-mail—Send your comments to techpubs-comments@juniper.net. Include the document
or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
Find CSC offerings: http://www.juniper.net/customers/support/
Search for known bugs: http://www2.juniper.net/kb/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications:
http://kb.juniper.net/InfoCenter/
Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.
PART 1
Overview
Understanding Traffic Policers on page 3
Traffic Policing Standards on page 13
Introduction to Configuring Policers on page 15