Rate Limiting on Juniper Networks

This Tech-recipe describes the steps for setting up rate limiting on Juniper networks.

The first step in configuring rate-limiting on a Juniper is to configure the firewall filter, under the firewall section of the router.conf file. The firewall section should be located just after the interface configurations.

Choose a filter name based on slot-pic-port-unit, e.g. “rate-limit-t3-0-1-1-0”.

The first set of statements is for the policer, which defines the bandwidth characteristics of the filter. It will always be called “p1”. The bandwidth limit and burst limit are configured under the policer, as well as what to do when the limits are reached (in this case “discard”). Note: Bandwidth is configured in bits per second, Burst is configured in bytes per second. You can use k for Kbps (1000), m for Mbps (1,000,000), or g for Gbps (1,000,000,000).

The next set of statements defines the “term”, that is, how we are going to use the policer in this filter. The term should be named “slot-pic-port-unit-traffic”. Terms should be standard for all customers: the first line sets the action to count the traffic, the next line says to use policer p1.

The last step is to add the filter to the interface config. It goes under the logical port (usually “unit 0”) for the customer connection. Apply the filter that was created above (e.g. rate-limit-t3-0-1-1-0) to both the input and the output.

Below is a sample configuration for a DS3 customer who is paying for a 10 Mbps CIR, burstable to 20 Mbps. NOTE: Burst is a measured burst for a given time, not a sustained burst. Because of how the Verio product is defined, set the filter’s bandwidth to the customer’s requested “burst” and set the burst to (CIR * 1.5 / 8).


firewall {
    filter rate-limit-t3-0-1-1-0 {
        policer p1 {
            if-exceeding {
                bandwidth-limit 20m;
                burst-size-limit 1875k;
            }
            then discard;
        }
        term t3-0-1-1-0-traffic {
            then {
                count t3-0-1-1-0-traffic;
                policer p1;
            }
        }
    }
}


t3-0/1/1 {
    description "Interface Name";
    clocking internal;
    encapsulation cisco-hdlc;
    t3-options {
        compatibility-mode kentrox;
    }
    unit 0 {
        family inet {
            filter {
                input rate-limit-t3-0-1-1-0;
                output rate-limit-t3-0-1-1-0;
            }
        }
    }
}
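
The naming convention and the burst arithmetic described above can be scripted so that every customer filter is built the same way. This Python sketch is an added example, not part of the original recipe; the function names are hypothetical, and the accepted interface-name pattern is an assumption based on the t3-0/1/1 sample.

```python
import re

def fmt_rate(value):
    """Render an integer with the k/m/g suffixes when it divides evenly."""
    for suffix, scale in (("g", 10**9), ("m", 10**6), ("k", 10**3)):
        if value >= scale and value % scale == 0:
            return f"{value // scale}{suffix}"
    return str(value)

def policer_values(cir_bps, burst_bps):
    """Page's rule: bandwidth-limit = burst rate, burst-size-limit = CIR * 1.5 / 8."""
    if cir_bps <= 0 or burst_bps < cir_bps:
        raise ValueError("expected 0 < CIR <= burst rate")
    return fmt_rate(burst_bps), fmt_rate(cir_bps * 3 // 16)  # 1.5 / 8 == 3 / 16

def names(interface, unit=0):
    """Build filter and term names (slot-pic-port-unit) from e.g. 't3-0/1/1'."""
    # Strict match so stray characters cannot leak into the generated config.
    m = re.fullmatch(r"([a-z][a-z0-9]*)-(\d+)/(\d+)/(\d+)", interface)
    if not m or unit < 0:
        raise ValueError(f"unexpected interface name: {interface!r}")
    stem = "-".join(m.groups()) + f"-{unit}"
    return f"rate-limit-{stem}", f"{stem}-traffic"

def render_filter(interface, cir_bps, burst_bps, unit=0):
    """Return the firewall stanza in the layout of the sample above."""
    filt, term = names(interface, unit)
    bw, burst = policer_values(cir_bps, burst_bps)
    return f"""firewall {{
    filter {filt} {{
        policer p1 {{
            if-exceeding {{
                bandwidth-limit {bw};
                burst-size-limit {burst};
            }}
            then discard;
        }}
        term {term} {{
            then {{
                count {term};
                policer p1;
            }}
        }}
    }}
}}"""

if __name__ == "__main__":
    # Constructed input: the DS3 customer from the sample (10 Mbps CIR, 20 Mbps burst).
    print(render_filter("t3-0/1/1", 10_000_000, 20_000_000))
```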

A useful command is “show firewall filter rate-limit-t3-0-1-1-0”. This will show you the packet and byte counts for the interface and for the traffic that is policed:

usr@routerg> show firewall filter rate-limit-t3-0-1-1-0
Filter/Counter          Packet count    Byte count
t3-0-1-1-0-traffic              7647        624268
p1                                 1            NA
