Policer and Protocol Policer

Objective

This document provides instructions on setting up Policers and Protocol Policers in the F5® Distributed Cloud Console. Policers and Protocol Policers are available in load balancers, Web App & API Protection, and Shared Configuration services.

Policer is used for applying rate limits to traffic and protocol policer rate-limits traffic for specific type of packets (TCP, ICMP, UDP, DNS). You can use policers in ACLs and network policies.

Prerequisites

The following prerequisites apply:

Note: If you do not have an account, see Create an Account.

Configuration

Perform the following steps in F5® Distributed Cloud Console to set up new Policers and Protocol Policers:

Policers

Policers can be viewed and managed in multiple services: Cloud and Edge Sites, Distributed Apps,Web App & API Protection, Shared Configuration, and Load Balancers.

This example shows Policers setup in Load Balancers.

Step 1: Log into F5® Distributed Cloud Console, open Policers.
  • Open F5® Distributed Cloud Console > select Load Balancers box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Note: Protocol and Policiers is also available in Shared Configuration and Web App & API Protection.

NEW HOME PAGE C
Figure: Homepage

Note: Confirm Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.

  • Select Security in left-menu > select Shared Objects > Policers.

Note: If options are not showing available, select Show link in Advanced nav options visible in bottom left corner. If needed, select Hide to minimize options from Advanced nav options mode.

  • Select Add Policer button.

POLICERS1 2
Figure: Shared Objects > Policer

Step 2: Add Policer.
  • Select Add Policer button in Policers, located under No Policer Configured in middle of page.

Note: The Add Policer center button is only visible when no policer is present. In case policers are present, use the + Add Policer option at the top left of the page.

POLICERS1 2
Figure: Add Policer Button

  • Enter Name in Metadata.

Note: The configuration object will be created with Name. It has to be unique within the namespace. The value of name has to follow DNS-1035 format. (DNS-1035 label must be lower case alphanumeric characters - start with letters - and end in letters or numbers corresponding with domains and clusters e.g. abc-123).

  • Select Labels as needed.

Note: Labels, Map of string keys and values that can be used to organize and categorize (scope and select) objects as chosen by the user. Values specified here will be used by selector expression.

  • Enter Description as needed.

Note: Human readable Description for the object.

ADDPOLICER1 2
Figure: Add Policer Metadata

Step 3: Configure Policer.
  • Select Policer Mode, from drop-down menu.

    • Not Shared, A separate policer instance is created for each reference to the policer.

    • Shared, A common policer instance is used for for all references to the policer.

Note: Policer mode specifies if policer needs to share the traffic limits across term references or a separate instance has to be created for each reference. For example if Rule 1 and Rule 2 refer to policer and each rule should get bandwidth of 10Kb, then policer mode to be used is “Not Shared” If both Rule 1 and Tule 2 cumulatively need 10kbs then a policer should be created with node as “Shared”.

  • Enter Committed information Rate(pps) value.

Note: Packets per second (pps).

Note: The committed information is the guaranteed packets rate for traffic arriving or departing under normal conditions. e.g. 10000 pps (Min value is 1).

  • Enter Burst Size(pps) value.

Note: The maximum size permitted for bursts of data e.g. 10000 pps burst (Min value is 1).

  • Select Policer Type, Single-Rate Two-Color Policer Basic Single-Rate Two-Color Policer option if needed.

ADDPOLICER1 4
Figure: Add Policer Metadata

  • Select Save and Exit button to add new policer.

Protocol Policers

Step 1: Add Protocol Policers.
  • Open F5® Distributed Cloud Console > select Load Balancers box.

Note: Protocol and Policiers is also available in Shared Configuration and Web App & API Protection.

NEW HOME PAGE C
Figure: Homepage

  • Select Security in left-menu > select Shared Objects > Protocol Policers.

  • Select Add Protocol Policer button.

PROTOCOLPOLICERS1 6
Figure: Protocol Policer

Note: The Add Protocol Policer center button is only visible when no protocol policer is present. In case policers are present, use the + Add Protocol Policer option at the top left of the page

Step 2: Configure Protocol Policers.
  • Enter Name in Metadata.

  • Select Namespace option from drop-down menu.

  • Enter Labels and Description as needed.

PROTOCOLPOLICERADD
Figure: Add Protocol Policer Metadata

  • Select + Add item button in Protocol Policer section.

Note: Two drop-down options will appear.

  • Select Packet Type (TCP, ICMP, UDP, DNS) in drop-down menu.

Note: Provide various protocol specific match conditions. Another drop-down option will appear for TCP and ICMP Packet type options.

  • Select Policer in drop-down menu.

Note: Reference to policer object to apply traffic rate limits.

PROTOCOLPOLICER1 4
Figure: Add Protocol Policer Metadata

  • Select Save & Exit.

Note: Select Cancel and Exit to cancel request and return to previous page.


Concepts