Configuring Policers to Control Traffic Rates (CLI Procedure)

You can configure policers to rate limit traffic on EX-series switches. After you configure a policer, you can include it in an ingress firewall filter configuration.

When you configure a firewall filter, you can specify a policer action for any term or terms within the filter. All traffic that matches a term that contains a policer action goes through the policer that the term references. Each policer that you configure includes an implicit counter. To get term-specific packet counts, you must configure a new policer for each filter term that requires policing.

The following policer limits apply on the switch:

  • A maximum of 512 policers can be configured for port firewall filters.
  • A maximum of 512 policers can be configured for VLAN and Layer 3 firewall filters.

If the policer configuration exceeds these limits, the switch returns the following message after the commit operation:

    Cannot assign policers: Max policer limit reached

  1. Configuring Policers
  2. Specifying Policers in a Firewall Filter Configuration
  3. Applying a Firewall Filter That Is Configured with a Policer

Configuring Policers

To configure a policer:

  1. Specify the name of the policer:
    [edit firewall]
    user@switch# set policer policer-one

    The policer name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long.

  2. Configure rate limiting for the policer:
    1. Specify the bandwidth limit in bits per second (bps) to control the traffic rate on an interface:
      [edit firewall policer policer-one]
      user@switch# set if-exceeding bandwidth-limit 300k

      The range for the bandwidth limit is 1k through 102.3g bps.

    2. Specify the maximum allowed burst size to control the amount of traffic bursting:
      [edit firewall policer policer-one]
      user@switch# set if-exceeding burst-size-limit 500k

      To determine the value for the burst-size limit, multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur:

      burst size = bandwidth * allowable time for burst traffic

      The range for the burst-size limit is 1 through 2,147,450,880 bytes.

  3. Specify the policer action discard to discard packets that exceed the rate limits:
    [edit firewall policer]
    user@switch# set policer-one then discard

    Discard is the only supported policer action.
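
As an added example (not part of the original procedure and not Juniper tooling), the following Python script checks a planned set of policers against the name rule, ranges, and 512-policer limit stated above before commit, and renders the corresponding set commands. The decimal k/m/g multipliers, the division by 8 that converts bits to bytes in the burst calculation, and all function names are assumptions.

```python
import re
from decimal import Decimal

# Limits quoted from the procedure above.
MAX_POLICERS = 512                         # per class: port, or VLAN + Layer 3
BW_RANGE = (1_000, 102_300_000_000)        # 1k through 102.3g bps
BURST_RANGE = (1, 2_147_450_880)           # bytes
NAME_RE = re.compile(r"[A-Za-z0-9-]{1,64}")
# Assumption: k/m/g are decimal multipliers (1000, 10^6, 10^9).
SUFFIX = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}

def parse_value(text):
    """Convert a CLI-style value such as '300k' or '102.3g' to an integer."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmg]?)", text.strip().lower())
    if not m:
        raise ValueError(f"unparseable value: {text!r}")
    return int(Decimal(m.group(1)) * SUFFIX[m.group(2)])

def burst_size(interface_bps, burst_seconds):
    """burst size = bandwidth * allowable burst time, converted to bytes.
    Assumption: bandwidth is in bits per second, hence the division by 8."""
    return int(Decimal(interface_bps) * Decimal(str(burst_seconds)) / 8)

def check_policers(policers):
    """Return a list of problems for one filter class; empty means OK."""
    problems = []
    if len(policers) > MAX_POLICERS:
        problems.append(f"{len(policers)} policers exceed the limit of {MAX_POLICERS}")
    for p in policers:
        if not NAME_RE.fullmatch(p["name"]):
            problems.append(f"{p['name']!r}: invalid policer name")
        bw, burst = parse_value(p["bandwidth"]), parse_value(p["burst"])
        if not BW_RANGE[0] <= bw <= BW_RANGE[1]:
            problems.append(f"{p['name']}: bandwidth-limit {bw} bps out of range")
        if not BURST_RANGE[0] <= burst <= BURST_RANGE[1]:
            problems.append(f"{p['name']}: burst-size-limit {burst} bytes out of range")
    return problems

def render(p):
    """Emit the set commands from the procedure for one validated policer."""
    base = f"set firewall policer {p['name']}"
    return [f"{base} if-exceeding bandwidth-limit {p['bandwidth']}",
            f"{base} if-exceeding burst-size-limit {p['burst']}",
            f"{base} then discard"]

if __name__ == "__main__":
    # Constructed sample plan: the page's policer plus one deliberately bad entry.
    plan = [{"name": "policer-one", "bandwidth": "300k", "burst": "500k"},
            {"name": "bad_name", "bandwidth": "500", "burst": "3g"}]
    print(check_policers(plan))
    print("\n".join(render(plan[0])))
```
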

Specifying Policers in a Firewall Filter Configuration

To reference a policer, configure a filter term that includes the policer action:


[edit firewall family ethernet-switching]
user@switch# set filter limit-hosts term term-one from source-address 192.0.2.16/28
user@switch# set filter limit-hosts term term-one then policer policer-one

Applying a Firewall Filter That Is Configured with a Policer

A firewall filter that is configured with one or more policer actions, like any other filter, must be applied to a port, VLAN, or Layer 3 interface. For information about applying firewall filters, see the sections on applying firewall filters in Configuring Firewall Filters (CLI Procedure).

Note: You can include policer actions on ingress firewall filters only.