To configure traffic policing, use the police command in policy-map class configuration mode or policy-map class police configuration mode. To remove traffic policing from the configuration, use the no form of this command.
police bps [burst-normal] [burst-max] conform-action action exceed-action action [violate-action action]
no police bps [burst-normal] [burst-max] conform-action action exceed-action action [violate-action action]
Syntax Description
bps | Average rate, in bits per second. Valid values are 8000 to 128000000000 (128 Gb/s).
burst-normal | (Optional) Normal burst size in bytes. Valid values are 1000 to 2000000000 (2 Gb). Default normal burst size is 1500.
burst-max | (Optional) Maximum burst size, in bytes. Valid values are 1000 to 2000000000 (2 Gb). Default varies by platform.
conform-action | Specifies the action to take on packets that conform to the rate limit.
exceed-action | Specifies the action to take on packets that exceed the rate limit.
violate-action | (Optional) Specifies the action to take on packets that violate the normal and maximum burst sizes.
action | Action to take on packets. Specify one of the following keywords:
- drop -- Drops the packet.
- set-clp-transmit value -- Sets the ATM Cell Loss Priority (CLP) bit from 0 to 1 on the ATM cell and transmits the packet with the ATM CLP bit set to 1.
- set-cos-inner-transmit value -- Sets the inner class of service field as a policing action for a bridged frame on the Enhanced FlexWAN module when using bridging features on SPAs with the Cisco 7600 SIP-200 and Cisco 7600 SIP-400 on the Cisco 7600 series router.
- set-cos-transmit value -- Sets the class of service (CoS) packet value and sends it.
- set-discard-class-transmit -- Sets the discard class attribute of a packet and transmits the packet with the new discard class setting.
- set-dscp-transmit value -- Sets the IP differentiated services code point (DSCP) value and transmits the packet with the new IP DSCP value.
- set-dscp-tunnel-transmit value -- Sets the DSCP value (0 to 63) in the tunnel header of a Layer 2 Tunnel Protocol Version 3 (L2TPv3) or Generic Routing Encapsulation (GRE) tunneled packet for tunnel marking and transmits the packet with the new value.
- set-frde-transmit value -- Sets the Frame Relay Discard Eligibility (DE) bit from 0 to 1 on the Frame Relay frame and transmits the packet with the DE bit set to 1.
- set-mpls-experimental-imposition-transmit value -- Sets the Multiprotocol Label Switching (MPLS) experimental (EXP) bits (0 to 7) in the imposed label headers and transmits the packet with the new MPLS EXP bit value.
- set-mpls-experimental-topmost value -- Rewrites the experimental value.
- set-mpls-experimental-topmost-transmit value -- Sets the MPLS EXP field value in the topmost MPLS label header at the input and/or output interfaces.
- set-prec-transmit value -- Sets the IP precedence and transmits the packet with the new IP precedence value.
- set-prec-tunnel-transmit value -- Sets the precedence value (0 to 7) in the tunnel header of an L2TPv3 or GRE tunneled packet for tunnel marking and transmits the packet with the new value.
- set-qos-transmit value -- Sets the QoS group value and transmits the packet with the new QoS group value.
- transmit -- Transmits the packet. The packet is not altered.
Command Default
Traffic policing is not configured.
Command Modes
Policy-map class configuration (config-pmap-c) when specifying a single action to be applied to a marked packet
Policy-map class police configuration (config-pmap-c-police) when specifying multiple actions to be applied to a marked packet
Command History
Release | Modification
12.0(5)XE | This command was introduced.
12.1(1)E | This command was integrated into Cisco IOS Release 12.1(1)E.
12.1(5)T | This command was integrated into Cisco IOS Release 12.1(5)T. The violate-action keyword was added.
12.2(2)T | This command was modified. The set-clp-transmit, set-frde-transmit, and set-mpls-experimental-transmit keywords for the action argument were added. Note: the set-frde-transmit keyword is not supported for AToM traffic in this release, and it is supported only when Frame Relay is implemented on a physical interface without encapsulation.
12.2(8)T | This command was modified for the Policer Enhancement--Multiple Actions feature. This command can now accommodate multiple actions for packets marked as conforming to, exceeding, or violating a specific rate.
12.2(13)T | This command was modified. In the action argument, the set-mpls-experimental-transmit keyword was renamed to set-mpls-experimental-imposition-transmit.
12.2(28)SB | This command was modified. The set-dscp-tunnel-transmit and set-prec-tunnel-transmit keywords for the action argument were added. These keywords are intended for marking Layer 2 Tunnel Protocol Version 3 (L2TPv3) tunneled packets.
12.2(33)SRA | This command was modified. The set-cos-inner-transmit keyword for the action argument was added when using multipoint bridging (MPB) features on the Enhanced FlexWAN module and when using MPB on SPAs with the Cisco 7600 SIP-200 and Cisco 7600 SIP-400 on the Cisco 7600 series router.
12.2(31)SB2 | This command was modified. Support for the set-frde-transmit action argument was added on the Cisco 10000 series router.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.2(33)SRC | This command was modified. Support for the Cisco 7600 series router was added.
12.4(15)T2 | This command was modified to include support for marking Generic Routing Encapsulation (GRE) tunneled packets. Note: for this release, marking GRE-tunneled packets is supported only on platforms equipped with a Cisco MGX Route Processor Module (RPM-XF).
12.2(33)SB | This command was modified to include support for marking GRE-tunneled packets, and support for the Cisco 7300 series router was added.
15.1(1)T | This command was modified to include support for policing on SVI interfaces for Cisco ISR 1800, 2800, and 3800 series routers.
12.2(50)SY | This command was modified. Support for the set-mpls-experimental-topmost value argument was added.
15.0(1)SY | This command was modified. The maximum value for the bps, burst-normal, and burst-max arguments was increased.
Cisco IOS XE Release 3.5S | This command was modified. Support was added for the Cisco ASR 903 Router.
Usage Guidelines
Use the police command to mark a packet with different quality of service (QoS) values based on conformance to the service-level agreement.
In Cisco IOS Release 12.2(50)SY, when you apply the set-mpls-experimental-topmost value in the egress direction, the set-mpls-experimental-imposition value is blocked.
Note: In Cisco IOS Release 15.0(1)SY and above, if you configure a policy map without specifying the burst size, the default burst size can reach 2 Gb/s.
If you configure a high rate or high burst size and then change to a Cisco IOS software release that does not support your settings, the configuration is rejected on boot up and the police command is removed from the policy map.
Specifying Multiple Actions
The police command allows you to specify multiple policing actions. When specifying multiple policing actions with the police command, note the following points:
- You can specify a maximum of four actions at one time.
- You cannot specify contradictory actions such as conform-action transmit and conform-action drop.
Using the police Command with the Traffic Policing Feature
The police command can be used with the Traffic Policing feature. The Traffic Policing feature works with a token bucket algorithm. Two types of token bucket algorithms are available in Cisco IOS Release 12.1(5)T: a single-token bucket algorithm and a two-token bucket algorithm. A single-token bucket system is used when the violate-action option is not specified, and a two-token bucket system is used when the violate-action option is specified.
The token bucket algorithm for the police command that was introduced in Cisco IOS Release 12.0(5)XE is different from the token bucket algorithm for the police command that was introduced in Cisco IOS Release 12.1(5)T. For information on the token bucket algorithm introduced in Release 12.0(5)XE, see the Traffic Policing document for Release 12.0(5)XE. This document is available on the New Features for 12.0(5)XE documentation index (under Modular QoS CLI-related feature modules) at www.cisco.com.
The following are explanations of how the token bucket algorithms introduced in Cisco IOS Release 12.1(5)T work.
Token Bucket Algorithm with Single-Token Bucket
The single-token bucket algorithm is used when the violate-action option is not specified in the police command CLI.
The conform bucket is initially set to the full size (the full size is the number of bytes specified as the normal burst size).
When a packet of a given size (for example, "B" bytes) arrives at a specific time (time "T"), the following actions occur:
- Tokens are updated in the conform bucket. If the previous packet arrived at T1 and the current time is T, the bucket is credited with (T - T1) worth of tokens based on the token arrival rate. The number of bytes added is calculated as follows:
(time between packets (which is equal to T - T1) * policer rate)/8 bytes
- If the number of bytes in the conform bucket is greater than or equal to the packet size B, the packet conforms and the conform action is taken on the packet. B bytes are removed from the conform bucket and the action is complete for the packet.
- If the number of bytes in the conform bucket minus the packet size B is less than 0, the packet exceeds and the exceed action is taken. No bytes are removed from the conform bucket.
Token Bucket Algorithm with a Two-Token Bucket
The two-token bucket algorithm is used when the violate-action option is specified in the police command.
The conform bucket is initially full (the full size is the number of bytes specified as the normal burst size).
The exceed bucket is initially full (the full exceed bucket size is the number of bytes specified as the maximum burst size).
The tokens for both the conform and exceed token buckets are updated based on the token arrival rate, or committed information rate (CIR).
When a packet of a given size (for example, "B" bytes) arrives at a specific time (time "T"), the following actions occur:
- Tokens are updated in the conform bucket. If the previous packet arrived at T1 and the current packet arrives at T, the bucket is credited with (T - T1) worth of tokens based on the token arrival rate. The refill tokens are placed in the conform bucket. If the tokens overflow the conform bucket, the overflow tokens are placed in the exceed bucket. The number of bytes added is calculated as follows:
(time between packets (which is equal to T - T1) * policer rate)/8 bytes
- If the number of bytes in the conform bucket is greater than or equal to the packet size B, the packet conforms and the conform action is taken on the packet. B bytes are removed from the conform bucket. The exceed bucket is unaffected in this scenario.
- If the number of bytes in the conform bucket is less than the packet size B, the exceed token bucket is checked for bytes. If the number of bytes in the exceed bucket is greater than or equal to the packet size B, the exceed action is taken and B bytes are removed from the exceed token bucket. No bytes are removed from the conform bucket.
- If the number of bytes in the exceed bucket is less than the packet size B, the packet violates the rate and the violate action is taken. No bytes are removed from either bucket, and the action is complete for the packet.
Using the set-cos-inner-transmit Action for SIPs and SPAs on the Cisco 7600 Series Router
The set-cos-inner-transmit keyword action was introduced in Cisco IOS Release 12.2(33)SRA to support marking of the inner CoS value as a policing action when using MPB features on the Enhanced FlexWAN module and when using MPB features on SPAs with the Cisco 7600 SIP-200 and Cisco 7600 SIP-400 on the Cisco 7600 series router.
This command is not supported on the Cisco 7600 SIP-600.
For more information about QoS and the forms of police commands supported by the SIPs on the Cisco 7600 series router, see the Cisco 7600 Series SIP, SSC, and SPA Software Configuration Guide.
Using the police command on the Cisco ASR 903 Router
The following restrictions apply when using the police command on the Cisco ASR 903 router:
- Class-based policing on subinterfaces is not supported.
- Policing is supported for ingress policy maps only.
- Hierarchical policing (policing at both the parent level and the child level) is not supported.
- The Cisco ASR 903 router supports the following action keywords only:
  - drop
  - set-cos-transmit
  - set-discard-class-transmit
  - set-dscp-transmit
  - set-mpls-exp-imposition-transmit
  - set-mpls-exp-topmost-transmit
  - set-prec-transmit
  - set-qos-transmit
  - transmit
Token Bucket Algorithm with Single-Token Bucket: Example
The following example shows how to define a traffic class (using the class-map command) and associate the match criteria from the traffic class with the traffic policing configuration, which is configured in the service policy (using the policy-map command). The service-policy command is then used to attach this service policy to the interface.
In this particular example, traffic policing is configured with the average rate at 8000 bits per second and the normal burst size at 1000 bytes for all packets leaving Fast Ethernet interface 0/0:
Router(config)# class-map access-match
Router(config-cmap)# match access-group 1
Router(config-cmap)# exit
Router(config)# policy-map police-setting
Router(config-pmap)# class access-match
Router(config-pmap-c)# police 8000 1000 conform-action transmit exceed-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface fastethernet 0/0
Router(config-if)# service-policy output police-setting
In this example, the token bucket starts full at 1000 bytes. If a 450-byte packet arrives, the packet conforms because enough bytes are available in the conform token bucket. The conform action (send) is taken for the packet and 450 bytes are removed from the conform token bucket (leaving 550 bytes).
If the next packet arrives 0.25 seconds later, 250 bytes are added to the token bucket ((0.25 * 8000)/8), leaving 800 bytes in the token bucket. If the next packet is 900 bytes, the packet exceeds and the exceed action (drop) is taken. No bytes are taken from the token bucket.
Token Bucket Algorithm with a Two-Token Bucket: Example
In this example, traffic policing is configured with the average rate at 8000 bits per second, the normal burst size at 1000 bytes, and the excess burst size at 1000 bytes for all packets leaving Fast Ethernet interface 0/0.
Router(config)# class-map access-match
Router(config-cmap)# match access-group 1
Router(config-cmap)# exit
Router(config)# policy-map police-setting
Router(config-pmap)# class access-match
Router(config-pmap-c)# police 8000 1000 1000 conform-action transmit exceed-action set-qos-transmit 1 violate-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface fastethernet 0/0
Router(config-if)# service-policy output police-setting
In this example, both token buckets start full at 1000 bytes. If a 450-byte packet arrives, the packet conforms because enough bytes are available in the conform token bucket. The conform action (send) is taken for the packet, and 450 bytes are removed from the conform token bucket (leaving 550 bytes).
If the next packet arrives 0.25 seconds later, 250 bytes are added to the conform token bucket ((0.25 * 8000)/8), leaving 800 bytes in the conform token bucket. If the next packet is 900 bytes, the packet does not conform because only 800 bytes are available in the conform token bucket.
The exceed token bucket, which starts full at 1000 bytes (as specified by the excess burst size), is then checked for available bytes. Because enough bytes are available in the exceed token bucket, the exceed action (set the QoS transmit value of 1) is taken and 900 bytes are taken from the exceed bucket (leaving 100 bytes in the exceed token bucket).
If the next packet arrives 0.40 seconds later, 400 bytes are added to the token buckets ((.40 * 8000)/8). Therefore, the conform token bucket now has 1000 bytes (the maximum number of tokens available in the conform bucket) and 200 bytes overflow the conform token bucket (because only 200 bytes were needed to fill the conform token bucket to capacity). These overflow bytes are placed in the exceed token bucket, giving the exceed token bucket 300 bytes.
If the arriving packet is 1000 bytes, the packet conforms because enough bytes are available in the conform token bucket. The conform action (transmit) is taken by the packet, and 1000 bytes are removed from the conform token bucket (leaving 0 bytes).
If the next packet arrives 0.20 seconds later, 200 bytes are added to the token bucket ((.20 * 8000)/8). Therefore, the conform bucket now has 200 bytes. If the arriving packet is 400 bytes, the packet does not conform because only 200 bytes are available in the conform bucket. Similarly, the packet does not exceed because only 300 bytes are available in the exceed bucket. Therefore, the packet violates and the violate action (drop) is taken.
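The single-token and two-token bucket algorithms described above, reduced to a small simulation that replays both of the page's worked examples (an added example, not Cisco code; the Policer and trace names are my own, and time is kept in integer milliseconds so the (T - T1) * rate / 8 refill stays exact):

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not Cisco code. Models the police command's token buckets:
# a packet arriving (T - T1) after the previous one earns (T - T1) * rate / 8
# bytes of tokens; overflow from the conform bucket spills into the exceed
# bucket (two-bucket mode only). Times are integer milliseconds.


@dataclass
class Policer:
    rate_bps: int                        # police bps argument (CIR)
    burst_normal: int                    # conform bucket size in bytes
    burst_max: Optional[int] = None      # exceed bucket size; None = no violate-action
    conform: int = field(init=False, default=0)
    exceed: int = field(init=False, default=0)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.conform = self.burst_normal  # both buckets start full
        self.exceed = self.burst_max or 0

    def _refill(self, now_ms: int) -> None:
        tokens = (now_ms - self.last_ms) * self.rate_bps // 8000  # bytes earned
        self.last_ms = now_ms
        added = min(tokens, self.burst_normal - self.conform)
        self.conform += added
        if self.burst_max is not None:
            # whatever did not fit in the conform bucket goes to the exceed bucket
            self.exceed = min(self.burst_max, self.exceed + tokens - added)

    def police(self, now_ms: int, size: int) -> str:
        """Classify one packet of `size` bytes arriving at now_ms."""
        self._refill(now_ms)
        if self.conform >= size:
            self.conform -= size          # conform: charge the conform bucket only
            return "conform"
        if self.burst_max is None:
            return "exceed"               # single bucket: nothing is charged
        if self.exceed >= size:
            self.exceed -= size           # exceed: charge the exceed bucket only
            return "exceed"
        return "violate"                  # neither bucket can pay: nothing is charged


def trace(policer: Policer, packets: List[Tuple[int, int]]) -> List[Tuple[str, int, int]]:
    """Run (arrival_ms, size) packets; record (decision, conform, exceed) after each."""
    return [(policer.police(t, n), policer.conform, policer.exceed) for t, n in packets]


if __name__ == "__main__":
    # the page's single-bucket example: police 8000 1000
    print(trace(Policer(8000, 1000), [(0, 450), (250, 900)]))
    # the page's two-bucket example: police 8000 1000 1000
    print(trace(Policer(8000, 1000, 1000),
                [(0, 450), (250, 900), (650, 1000), (850, 400)]))
```

The two traces reproduce the bucket contents the text walks through: 550 then 800 bytes with the 900-byte packet exceeding, and 550/1000, 800/100, 0/300, 200/300 with the final 400-byte packet violating.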
Conforming to the MPLS EXP Value: Example
The following example shows that if packets conform to the rate limit, the MPLS EXP field is set to 5. If packets exceed the rate limit, the MPLS EXP field is set to 3.
Router(config)# policy-map input-IP-dscp
Router(config-pmap)# class dscp24
Router(config-pmap-c)# police 8000 1500 1000 conform-action set-mpls-experimental-imposition-transmit 5 exceed-action set-mpls-experimental-imposition-transmit 3
Router(config-pmap-c)# violate-action drop
Setting the Inner CoS Value as an Action for SIPs and SPAs on the Cisco 7600 Series Router: Example
The following example shows configuration of a QoS class that filters all traffic for virtual LAN (VLAN) 100 into a class named "vlan-inner-100" and establishes a traffic shaping policy for the vlan-inner-100 class. The service policy limits traffic to an average rate of 500 kb/s, with a normal burst of 1000 bytes and a maximum burst of 1500 bytes, and sets the inner CoS value to 3. Since setting of the inner CoS value is supported only with bridging features, the configuration also shows the service policy being applied as an output policy for an ATM SPA interface permanent virtual circuit (PVC) that bridges traffic into VLAN 100 using the bridge-domain command.
Router(config)# class-map match-all vlan-inner-100
Router(config-cmap)# match vlan inner 100
Router(config-cmap)# exit
Router(config)# policy-map vlan-inner-100
Router(config-pmap)# class vlan-inner-100
Router(config-pmap-c)# police 500000 1000 1500 conform-action set-cos-inner-transmit 3
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface atm3/0/0
Router(config-if)# pvc 100/100
Router(config-if-atm-vc)# bridge-domain 100 dot1q
Router(config-if-atm-vc)# service-policy output vlan-inner-100
Router(config-if-atm-vc)# end
Related Commands
Command | Description
bridge-domain | Enables RFC 1483 ATM bridging or RFC 1490 Frame Relay bridging to map a bridged VLAN to an ATM PVC or Frame Relay data-link connection identifier (DLCI).
class-map | Creates a class map to be used for matching packets to a specified class.
policy-map | Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
service-policy | Specifies the name of the service policy to be attached to the interface.
show policy-map | Displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps.
show policy-map interface | Displays the configuration of all classes configured for all service policies on the specified interface or displays the classes for the service policy for a specific PVC on the interface.