Knowledge Search


×
 

[Junos] How to police input L1 traffic rate on an L3 family inet interface

  [KB35005] Show Article Properties


Summary:

In Junos, policer works on L2 or L3 based on the filter family:

  • If the filter is attached to L2 IFF (Bridge/Vpls etc), then the policer will consider L2 Packet length.
  • If the filter is attached to L3 IFF (IPV4/IPV6 etc), then the policer will consider L3 packet length.
  • If the policer is explicitly configured as “layer2-policer”, then it will always consider L2 packet length, regardless of family of the attached interface.

As a result, when using policer to do rate limiting on Junos device, by default, it limits L2 (on L2 IFF or configured as layer2-policer) or L3 (on L3 IFF) traffic rate. In either case, L1 overhead is not taken into consideration.

This article will discuss how to police input L1 traffic rate on an L3 family inet interface.
Solution:
  1. Configure logical interface policer.

    set firewall policer 50M-POL logical-interface-policer  <-- "logical-interface-policer" needs to be specified in order to apply the policer as layer2-policer in step2.
    set firewall policer 50M-POL if-exceeding bandwidth-limit 50m
    set firewall policer 50M-POL if-exceeding burst-size-limit 312500
    set firewall policer 50M-POL then discard
  2. Apply the policer as input layer2-policer on a family inet logical unit.

    set interfaces xe-9/0/0 unit 0 layer2-policer input-policer 50M-POL
    set interfaces xe-9/0/0 unit 0 family inet address 1.1.1.2/24
  3. Add L1 policer overhead on the logical unit.

    set interfaces xe-9/0/0 unit 0 policer-overhead 16
Related Links: