Two-Rate Three-Color Policer Overview

Two-rate three-color policing uses two bandwidth limits: one for guaranteed traffic and one for peak traffic [also called a committed information rate (CIR) and a peak information rate (PIR)]. This policer also has two burst sizes: the committed burst size and the peak burst size. The main difference between a single-rate and a two-rate policer is that the two-rate policer allows sustained bursts of traffic. In single-rate three-color policing, bursts of traffic are allowed for short periods. A period of relatively low activity has to occur between the bursts to allow the second token bucket to refill. In two-rate policing, the second bucket does not rely on overflow from the first token bucket; this enables the second token bucket to maintain a steadier supply of tokens, thus allowing sustained bursts of traffic. The policer classifies traffic into three groups: traffic that conforms to the CIR limit and the committed burst size, traffic that exceeds the CIR or committed burst size but conforms to the PIR, and traffic that exceeds the PIR. Each category is associated with an action. For traffic that conforms to the CIR and the committed burst size (also called green traffic), the action is to mark the packet with an implicit low loss priority and transmit the packet. For traffic that exceeds the CIR or committed burst size but conforms to the PIR (also called yellow traffic), the action is to mark the packet with an implicit loss priority of medium-high and then transmit the packet. For traffic that exceeds the PIR, the action is to mark the packet with an implicit loss priority of high and, optionally, to discard the packet. If congestion occurs downstream, the packets with higher loss priority are more likely to be discarded.

NOTE: The discard action for a tricolor marking policer for a firewall filter is supported on the M120, M320 with Enhanced-III FPCs, M7i and M10i with the Enhanced CFEB (CFEB-E), and the MX Series routers, so it is not necessary to include the logical-interface-policer statement for them. The following configuration demonstrates how the policer works in a sample scenario.
firewall { three-color-policer policer2 { logical-interface-policer; action { loss-priority high then discard; } two-rate { color-aware; committed-information-rate 40m; committed-burst-size 100k; peak-information-rate 60m; peak-burst-size 200k; } } }

If traffic arriving on the logical interface is within the average rate of 40 Mbps (based on the token bucket formula) or within the committed burst size limit of 100 KB, the

Two-Rate Three-Color Policer Overview

packets are green and are marked with an implicit loss priority of low. If traffic arriving on the logical interface is above the committed information rate and above the committed burst size but still within the peak information rate of 60 Mbps (based on the second token bucket), the packets are yellow and are marked with an implicit loss priority of medium-high. If traffic arriving on the logical interface is above the peak information rate of 60 Mbps, the packets are red, are marked with a loss priority of high, and are discarded. In the red case, if you omit the action statement, the packets are still marked with an implicit loss priority of high, but the packets are transmitted. As the traffic rate slows and the newly arriving traffic conforms to the configured limits, JUNOS Software stops marking packets with the medium-high and high loss priorities and stops dropping red packets. For two-rate, three-color policing, JUNOS Software uses two token buckets to manage bandwidth based on the two rates of traffic. When the policer is color-aware, it takes into account any preexisting markings that might be set for a packet by another traffic policer configured at a previous network node. At the node where color-aware policing is configured, these preexisting markings are then used in determining the appropriate policing action for the packet. For example, two-rate policing might be configured on a node upstream in the network. The two-rate policer has marked a packet as yellow (loss priority medium-low). The color-aware policer takes this yellow marking into account when determining the appropriate policing action. In color-aware policing, the yellow packet would never receive the action associated with either the green packets or red packets. This way, tokens for violating packets are never taken from the metering token buckets at the color-aware policing node. If you configure a policer to be color-blind instead of color-aware, the color-blind node ignores preexisting markings. Published: 2010-04-15

Two-Rate Three-Color Policer Overview