[MUSIC] Welcome to the policing module. By the end of this module, you should be able to implement a policer within Junos OS. Besides dropping or accepting packets, firewall filters can also police, or rate limit, traffic. Rate policing enables you to limit the amount of traffic that passes into or out of an interface. Firewall filters that use rate policing still employ normal match conditions, such as addresses, protocols, ports, and so forth, to determine which traffic on an interface is subject to rate limiting. As usual, the lack of a from clause matches all packets that did not match an earlier firewall filter term. If the first term in a firewall filter lacks a from clause and contains a policer, all packets on the interface, input or output depending on how the filter is applied, are subject to rate policing. Junos OS also accommodates interface-based policers that you apply directly to a given protocol family on a given logical unit of a particular interface. Such policers accommodate Layer 2 VPN traffic, as well as the MPLS and IPv6 families, and they operate without the need for a calling firewall filter. Actual policer support might vary between Junos devices. Refer to the documentation for the specific product for support information. Policing employs the token bucket algorithm, which enforces a limit on average bandwidth while enabling bursts up to a specified maximum value. You can configure two rate limits for the traffic: bandwidth, which is the number of bits per second permitted on average, and maximum burst size, which defines the total number of bytes the system permits in bursts of data that exceed the bandwidth limit. The preferred method for determining the maximum burst size is to multiply the speed of the interface by the amount of time you want to allow bursts at that bandwidth level. For example, to permit bursts on a Fast Ethernet link for five milliseconds, a reasonable value, use the calculation displayed.
This calculation yields a burst size of 500,000 bits. You can divide this number by 8 to convert it to bytes, which gives you a burst size of 62,500 bytes. You specify the bandwidth as a number of bits using the bandwidth-limit statement, and the maximum burst size as a number of bytes using the burst-size-limit statement. When a packet matches a term that has a policer in the then clause, the system first determines whether the packet exceeds the policer. If the packet does not exceed the policer, the system performs the actions in the firewall filter's then clause, as if you had left the policer out of the configuration. If the packet does exceed the policer, the system takes the actions in the policer's then clause. If the policer's then clause does not result in the software discarding the packet, the system takes the remainder of the actions in the firewall filter's then clause. Note that in cases where the specified rate limit has been exceeded and both the policer's then clause and the firewall filter's then clause define action modifiers, the system uses the policer's action modifiers. For example, this firewall filter polices all TCP traffic that exceeds 10 Mbps with a 62,500-byte burst size. It places traffic that exceeds these limits in the best-effort forwarding class, whereas it places traffic that conforms to these limits in the assured-forwarding forwarding class. In this example, you define a policer named p1 that discards traffic that exceeds the defined average bandwidth of 400 kilobits per second and the defined burst size limit of 100 kilobytes. Once you define this policer, you can call it from any firewall filter. By default, devices running Junos OS treat each invocation of the policer separately and track statistics separately for each term that references the policer. You can think of the policer definition as simply defining a set of parameters that you can choose to reference in any firewall filter term.
The filter rate-limits-subnet polices traffic from the specified subnet. If the traffic sourced from the specified subnet exceeds the limits, the system discards it. If the traffic does not exceed the specified limits, the system accepts it. You can use the k, m, and g abbreviations to indicate 1,000, 1 million, and 1 billion bytes or bits, respectively. [SOUND]
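As an added illustration, not Junos code or part of the module, here is a Python model of the single-rate token bucket the module describes, plus the policer-versus-filter action resolution it spells out. The names burst_size_bytes, Policer, apply_term and demo are assumptions of this example, and refilling tokens per packet arrival is a simplification of what the forwarding hardware does.

```python
from dataclasses import dataclass, field

def burst_size_bytes(interface_bps: int, burst_seconds: float) -> int:
    """Sizing rule from the module: interface speed x allowed burst time, in bytes."""
    return int(interface_bps * burst_seconds) // 8

@dataclass
class Policer:
    """Single-rate token bucket: bandwidth-limit refills it, burst-size-limit caps it."""
    bandwidth_limit_bps: int   # Junos 'bandwidth-limit', bits per second
    burst_size_limit: int      # Junos 'burst-size-limit', bytes
    tokens: float = field(init=False, default=0.0)
    last_time: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_size_limit)  # bucket starts full

    def conforms(self, pkt_bytes: int, now: float) -> bool:
        """True if the packet fits within the policer, False if it exceeds it."""
        refill = self.bandwidth_limit_bps / 8 * max(0.0, now - self.last_time)
        self.last_time = now
        self.tokens = min(float(self.burst_size_limit), self.tokens + refill)
        if pkt_bytes <= self.tokens:
            self.tokens -= pkt_bytes
            return True
        return False

def apply_term(policer: Policer, pkt_bytes: int, now: float,
               policer_then: dict, filter_then: dict) -> dict:
    """Action resolution as the module describes it: a conforming packet gets the
    filter's then clause; an exceeding packet gets the policer's then clause, then
    the rest of the filter's actions unless the policer discarded it, and the
    policer's action modifiers win where both clauses set the same one."""
    if policer.conforms(pkt_bytes, now):
        return dict(filter_then)
    if policer_then.get("discard"):
        return {"discard": True}
    return {**filter_then, **policer_then}

def demo() -> tuple:
    """Constructed burst: fifty 1500-byte packets arriving at once on a
    10 Mbps / 62,500-byte policer, then one more packet a second later."""
    p = Policer(bandwidth_limit_bps=10_000_000, burst_size_limit=62_500)
    verdicts = [p.conforms(1500, 0.0) for _ in range(50)]
    return verdicts.count(True), verdicts.count(False), p.conforms(1500, 1.0)

if __name__ == "__main__":
    print(burst_size_bytes(100_000_000, 0.005), demo())  # 62500 (41, 9, True)
```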