Configuring a layer2-policer for rate limiting on a physical port in Access Mode

Description

This article describes how to configure a basic layer2-policer for rate limiting on a physical port in Access Mode.

Symptoms

Solution

Topology

Bridge Domain TEST

PC1 ---- <ge-1/3/8> | R1 | <ge-1/3/9> ---- <ge-2/3/9> | R2 | <ge-2/3/8> ---- PC2
10.1.1.1/24                                                                  10.1.1.2/24

Hardware used
R1 -> FPC 1 REV 17 750-021157 YB4434 DPCE 40x 1GE R TX
R2 -> FPC 2 REV 17 750-021157 YA9121 DPCE 40x 1GE R TX

Configuration

In this topology, a layer2-policer is applied on ge-1/3/9.0:

R1

set interfaces ge-1/3/8 unit 0 family bridge interface-mode access
set interfaces ge-1/3/8 unit 0 family bridge vlan-id 10
set interfaces ge-1/3/9 unit 0 filter input TEST-L2-POLICER
set interfaces ge-1/3/9 unit 0 filter output TEST-L2-POLICER
set interfaces ge-1/3/9 unit 0 family bridge interface-mode access
set interfaces ge-1/3/9 unit 0 family bridge vlan-id 10

set bridge-domains TEST domain-type bridge
set bridge-domains TEST vlan-id 10

set firewall family any filter TEST-L2-POLICER term 1 then policer L2-Policer
set firewall family any filter TEST-L2-POLICER term 1 then count L2-packets
set firewall policer L2-Policer if-exceeding bandwidth-limit 10m
set firewall policer L2-Policer if-exceeding burst-size-limit 15m
set firewall policer L2-Policer then discard

R2

set interfaces ge-2/3/8 unit 0 family bridge interface-mode access
set interfaces ge-2/3/8 unit 0 family bridge vlan-id 10
set interfaces ge-2/3/9 unit 0 filter input TEST-L2-POLICER
set interfaces ge-2/3/9 unit 0 filter output TEST-L2-POLICER
set interfaces ge-2/3/9 unit 0 family bridge interface-mode access
set interfaces ge-2/3/9 unit 0 family bridge vlan-id 10

set bridge-domains TEST domain-type bridge
set bridge-domains TEST vlan-id 10

Verification

Verify the outcome of the above configuration:
1. Enable the FTP server on PC1.
2. Connect to the FTP server from PC2 and copy a large file (around 500 MB). Note: IXIA can be used to generate traffic and test the setup.
3. Check whether the firewall counter is incrementing by running the following command:

R1# run show firewall filter TEST-L2-POLICER counter L2-packets

Filter: TEST-L2-POLICER
Counters:
Name                  Bytes        Packets
L2-packets        202012424         221753

R1> monitor interface ge-1/3/9.0

The traffic rate shown in the output of the monitor interface command reflects the rate limiting.
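
Added example (not part of the original article and not Juniper code): a textbook token-bucket model of the policer configured above, fed constant-rate traffic as a traffic generator would send it. It assumes bandwidth-limit is in bits per second and burst-size-limit in bytes, with the bucket starting full; the function name police, the 1 Gbps offered load and the 15k comparison value are illustrative.

```python
# Added example: textbook single-rate two-color token bucket, not Junos source.
# Assumptions: bandwidth-limit is bits/s, burst-size-limit is bytes, the bucket
# starts full, and offered traffic is constant-rate (traffic-generator style).

def police(offered_bps, seconds, bandwidth_bps=10_000_000,
           burst_bytes=15_000_000, frame_bytes=1500):
    """Return the forwarded bits for each one-second interval."""
    frames_per_sec = offered_bps // (frame_bytes * 8)
    if frames_per_sec < 1:
        raise ValueError("offered rate is below one frame per second")
    refill = (bandwidth_bps / 8) / frames_per_sec  # bytes credited per frame gap
    tokens = float(burst_bytes)
    per_second = []
    for _ in range(seconds):
        forwarded = 0
        for _ in range(frames_per_sec):
            tokens = min(burst_bytes, tokens + refill)
            if tokens >= frame_bytes:   # in profile: forward and spend credit
                tokens -= frame_bytes
                forwarded += frame_bytes
            # otherwise the frame is out of profile: "then discard"
        per_second.append(forwarded * 8)
    return per_second


if __name__ == "__main__":
    # Compare the article's burst size with a hypothetical much smaller one.
    for label, burst in (("burst-size-limit 15m", 15_000_000),
                         ("burst-size-limit 15k (hypothetical)", 15_000)):
        rates = police(1_000_000_000, 4, burst_bytes=burst)
        print(label, [f"{r / 1e6:.1f} Mbps" for r in rates])
```

In this model the 15m burst lets the first second of a line-rate flow through at well over 100 Mbps before the rate settles at 10 Mbps, so judge the limit from the steady-state rate rather than the first sample.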

Related Information

Two-Color and Three-Color Policers at Layer 2:
https://www.juniper.net/documentation/en_US/junos12.3/topics/topic-map/policer-layer2.html
