Policing is the monitoring of data rates for a particular class of traffic. Cisco Nexus 1000V can also monitor associated burst sizes.
Three conditions are determined by the policer depending on the data rate parameters supplied: conform (green), exceed (yellow), or violate (red). You can configure only one action for each condition. When the data rate exceeds the user-supplied values, packets are either marked down or dropped.
You can define single-rate or dual-rate policers. Single-rate policers monitor the specified committed information rate (CIR) of traffic. Dual-rate policers monitor both CIR and peak information rate (PIR) of traffic. For more information about policies, see RFC 2697, RFC 2698, and RFC 4115.
The following conditions trigger actions by the policer depending on the defined data rate:
Condition | Color | Description | Policer Action (only one allowed per condition) |
---|---|---|---|
Conform | Green | The packet traffic data rate is within the defined boundaries. | The policer either transmits these packets as is, or changes the value in the header (DSCP, precedence, or CoS), and then transmits these packets. |
Exceed | Yellow | The packet traffic data rate exceeds the defined boundary. | The policer can drop or mark down these packets. |
Violate | Red | The packet traffic data rate violates the defined boundaries. | The policer can drop or mark down these packets. |
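The three conditions above, worked through as an added example (not Cisco's code): a color-blind two-rate three-color marker following RFC 2698, which this page cites. The names `Policer`, `simulate` and `BURST`, the be value of 300 ms and the packet arrivals are assumptions constructed for illustration; the page does not state how the Nexus 1000V implements its policer internally.

```python
from dataclasses import dataclass


@dataclass
class Policer:
    """Color-blind two-rate three-color marker (RFC 2698)."""
    cir_bps: int        # committed information rate, bits per second
    pir_bps: int        # peak information rate, bits per second
    bc_ms: int = 200    # committed burst as time at cir (the page's default)
    be_ms: int = 200    # peak burst as time at pir (assumed default)

    def __post_init__(self):
        # A burst expressed in milliseconds is a bucket depth in bytes.
        self.cbs = self.cir_bps * self.bc_ms // 8000
        self.pbs = self.pir_bps * self.be_ms // 8000
        self.tc, self.tp = float(self.cbs), float(self.pbs)  # buckets start full
        self.last = 0.0

    def police(self, now: float, size: int) -> str:
        """Classify one packet of `size` bytes arriving at `now` seconds."""
        elapsed, self.last = now - self.last, now
        # Refill both buckets for the elapsed time, capped at their depth.
        self.tc = min(self.cbs, self.tc + elapsed * self.cir_bps / 8)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir_bps / 8)
        if self.tp < size:
            return "violate"    # red: the peak bucket cannot cover the packet
        self.tp -= size
        if self.tc < size:
            return "exceed"     # yellow: only the committed bucket is short
        self.tc -= size
        return "conform"        # green: both buckets cover the packet


def simulate(policer: Policer, arrivals):
    """arrivals: iterable of (time_seconds, size_bytes) in time order."""
    return [policer.police(t, size) for t, size in arrivals]


# Constructed traffic: ten back-to-back 1000-byte packets, then one after 1 s idle.
BURST = [(0.0, 1000)] * 10 + [(1.0, 1000)]

if __name__ == "__main__":
    # cir = pir = 256000 bps, bc 200 ms, be 300 ms (the 1-rate, 3-color case)
    policer = Policer(256000, 256000, bc_ms=200, be_ms=300)
    for (t, size), verdict in zip(BURST, simulate(policer, BURST)):
        print(f"t={t:.1f}s size={size}B -> {verdict}")
```

At 256000 bps the default bc of 200 ms is a 6400-byte bucket, so a sender can push that much at line rate before any packet leaves the conform condition.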
You are logged on to the CLI in EXEC mode.
You must be familiar with RFC 2698.
Each module polices independently, which might affect a policer that is applied to traffic distributed across more than one module, such as in the case of a port channel interface.
Configuring Policing
Note | Specify the identical value for pir and cir to configure 1-rate 3-color policing. |
Argument | Description |
---|---|
cir | Committed information rate (cir), or desired bandwidth, specified as a bit rate or a percentage of the link rate. Although a value for cir is required, the argument itself is optional. The range of values is from 1 to 80000000000; the range of policing values that are mathematically significant is 8000 to 80 Gbps. |
percent | Specifies the rate as a percentage of the interface rate. The range of values is from 1 to 100%. |
bc | Indication of how much the cir can be exceeded, either as a bit rate or an amount of time at cir. The default is 200 milliseconds of traffic at the configured rate. The default data rate units are bytes, and the Gigabit per second (gbps) rate is not supported for this parameter. |
pir | Peak information rate (pir), which is specified as a PIR bit rate or a percentage of the link rate. There is no default. The range of values is from 1 to 80000000000; the range of policing values that are mathematically significant is from 8000 to 80 Gbps. The range of percentage values is from 1 to 100%. |
be | |
conform | Single action to take if the traffic data rate is within bounds. The basic actions are transmit or one of the set commands listed in the table. The default is transmit. |
exceed | Single action to take if the traffic data rate exceeds the specified boundaries. The basic actions are drop or markdown. The default is drop. |
violate | Single action to take if the traffic data rate violates the configured rate values. The basic actions are drop or markdown. The default is drop. |
Although all the arguments in the above table are optional, you must specify a value for cir. In this section, cir refers to the rate value, not necessarily to the keyword itself. The combination of these arguments and the resulting policer types and actions are described in the following table.
Police Arguments Present | Policer Type | Policer Action |
---|---|---|
cir, but not pir, be, or violate | 1-rate, 2-color | ≤ cir, then conform; otherwise violate |
cir and pir | 1-rate, 3-color | You must specify identical values for cir and pir. |
cir and pir | 2-rate, 3-color | ≤ cir, then conform; ≤ pir, then exceed; otherwise violate |
You can take the following actions when the packet exceeds the parameters or violates the parameters:
Action | Description |
---|---|
drop | Drops the packet. This action is available only when the packet exceeds or violates the parameters. |
set dscp dscp table {cir-markdown-map \| pir-markdown-map} | Sets the specified fields from a table map and transmits the packet. For more information on the system-defined, or default table maps, see Configuring QoS Marking Policies. This is available only when the packet exceeds the parameters (use the cir-markdown-map) or violates the parameters (use the pir-markdown-map). |

Action | Description |
---|---|
transmit | Transmits the packet. This action is available only when the packet conforms to the parameters. |
set-prec-transmit | Sets the IP precedence field to a specified value and transmits the packet. This action is available only when the packet conforms to the parameters. |
set-dscp-transmit | Sets the DSCP field to a specified value and transmits the packet. This action is available only when the packet conforms to the parameters. |
set-cos-transmit | Sets the CoS field to a specified value and transmits the packet. This action is available only when the packet conforms to the parameters. |
set-qos-transmit | Sets the QoS group internal label to a specified value and transmits the packet. This action can be used only in input policies and is available only when the packet conforms to the parameters. |
set-discard-class-transmit | Sets the discard-class internal label to a specified value and transmits the packet. This action can be used only in ingress policies and is available only when the packet conforms to the parameters. |
The policer can only drop or mark down packets that exceed or violate the specified parameters. For information on marking down packets, see Configuring QoS Marking Policies.
The police command uses the following data rates:
Rate | Description |
---|---|
bps | Bits per second (default) |
kbps | 1,000 bits per second |
mbps | 1,000,000 bits per second |
gbps | 1,000,000,000 bits per second |

The police command uses the following burst sizes:

Speed | Description |
---|---|
bytes | bytes |
kbytes | 1,000 bytes |
mbytes | 1,000,000 bytes |
ms | milliseconds |
us | microseconds |
Note | You must specify the identical value for pir and cir to configure 1-rate, 3-color policing. |
Step | Command or Action | Purpose |
---|---|---|
1 | switch# configure terminal | Enters global configuration mode. |
2 | switch(config)# policy-map [type qos] [match-first] policy-map-name | Places you into policy map QoS configuration mode for the specified policy map and configures the map name in the running configuration. The policy-map-name argument is a unique alphabetic string that can be up to 40 case-sensitive characters long, including hyphen (-) and underscore (_) characters. The map name must be unique across class-maps and policy-maps. For example, you cannot have a class-map and a policy-map with the same name of HR_Map. |
3 | switch(config-pmap-qos)# class [type qos] {class_map_name \| class-default} | Creates a reference to class-map-name and enters policy-map class QoS configuration mode for the specified class map. By default, the class is added to the end of the policy map. Changes are saved in the running configuration. Use the class-default keyword to select all traffic that is not currently matched by classes in the policy map. |
4 | switch(config-pmap-c-qos)# police [cir] {committed-rate [data-rate] \| percent cir-link-percent} [bc committed-burst-rate [link-speed]] [pir] {peak-rate [data-rate] \| percent cir-link-percent} [be peak-burst-rate [link-speed]] [conform {transmit \| set-prec-transmit \| set-dscp-transmit \| set-cos-transmit \| set-qos-transmit \| set-discard-class-transmit} [exceed {drop \| set dscp dscp table {cir-markdown-map}} [violate {drop \| set dscp dscp table {pir-markdown-map}}]]] | Polices cir in bits or as a percentage of the link rate. The conform action is taken if the data rate is ≤ cir. If be and pir are not specified, all other traffic takes the violate action. If be or violate are specified, the exceed action is taken if the data rate ≤ pir; otherwise. The actions are described in Information About Policing. The data rates and link speeds are described in Police Command Data Rates and Police Command Burst Sizes. |
5 | switch(config-pmap-c-qos)# show policy-map [type qos] [policy-map-name] | (Optional) Displays information about all configured policy maps or a selected policy map of type QoS. |
6 | switch(config-pmap-c-qos)# copy running-config startup-config | (Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration. |
This example shows how to configure a 1-rate, 2-color policer that transmits if the data rate is within 200 milliseconds of traffic at 256000 bps and marks IP precedence to 6 if the data rate is exceeded.
```
switch# configure terminal
switch(config)# policy-map policy1
switch(config-pmap-qos)# class class-default
switch(config-pmap-c-qos)# police cir 256000 conform transmit violate set dscp dscp table pir-markdown-map
switch(config-pmap-c-qos)#
```
This example shows how to configure a 1-rate, 3-color policer that transmits if the data rate is within 200 milliseconds of traffic at 256000 bps, marks DSCP to 6 if the data rate is within 300 milliseconds of traffic at 256000 bps, and drops packets otherwise.
Note | You must specify identical values for cir and pir for a 1R3C policer. |
```
switch# configure terminal
switch(config)# policy-map policy1
switch(config-pmap-qos)# class class-default
switch(config-pmap-c-qos)# police cir 256000 pir 256000 conform transmit exceed set dscp dscp table cir-markdown-map violate drop
switch(config-pmap-c-qos)#
```
You can apply the policing instructions in a QoS policy map to ingress or egress packets by attaching that QoS policy map to an interface or port profile. To select ingress or egress, you specify either the input or output keyword in the service-policy command. For an example of how to use the service-policy command, see Creating Ingress and Egress Policies.
Markdown policing is the setting of a QoS field in a packet when traffic exceeds or violates the policed data rates. You can configure markdown policing by using the set commands for conform described in Configuring 1-Rate and 2-Rate, 2-Color and 3-Color Policing.
This example shows a 1-rate, 3-color policer that transmits if the data rate is within 300 milliseconds of traffic at 256000 bps; marks down DSCP using the system-defined table map if the data rate is within 300 milliseconds of traffic at 256000 bps; and drops packets otherwise:
```
switch# configure terminal
switch(config)# policy-map policy1
switch(config-pmap-qos)# class class-default
switch(config-pmap-c-qos)# police cir 256000 bps bc 300 ms pir 256000 conform transmit exceed set dscp dscp table cir-markdown-map violate drop
switch(config-pmap-c-qos)# show policy-map policy1

  Type qos policy-maps
  ====================

  policy-map type qos policy1
    class class-default
      police cir 256000 bps bc 300 ms pir 256000 bps be 300 ms conform transmit exceed set dscp dscp table cir-markdown-map violate drop
switch(config-pmap-c-qos)# copy running-config startup-config
```
Use the following command to verify the configuration:
Command | Description |
---|---|
show policy-map | Displays information about policy maps and policing. |
The following example shows how to configure a 1-rate, 2-color policer:
```
switch# configure terminal
switch(config)# policy-map policy1
switch(config-pmap-qos)# class one_rate_2_color_policer
switch(config-pmap-c-qos)# police cir 256000 conform transmit violate drop
```
The following example shows how to configure a 1-rate, 2-color policer with DSCP mark down:
```
switch# configure terminal
switch(config)# policy-map policy2
switch(config-pmap-qos)# class one_rate_2_color_policer_with_dscp_markdown
switch(config-pmap-c-qos)# police cir 256000 conform set-dscp-transmit af11 violate set dscp dscp table pir-markdown-map
```
The following example shows how to configure a 1-rate, 3-color policer:
```
switch# configure terminal
switch(config)# policy-map policy3
switch(config-pmap-qos)# class one_rate_3_color_policer
switch(config-pmap-c-qos)# police cir 256000 pir 256000 conform transmit exceed set dscp dscp table cir-markdown-map violate drop
```
This section provides the QoS policing release history.
Feature Name | Release | Feature Information |
---|---|---|
QoS Policing | 4.0 | This feature was introduced. |