The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter contains the following sections:
Policing allows you to monitor the data rates for a particular class of traffic. When the data rate exceeds user-configured values, the switch drops packets immediately. Because policing does not buffer the traffic; transmission delays are not affected. When traffic exceeds the data rate on a specific class, the switch drops the packets.
You can define single-rate and two-color Ingress Policing.
Single-rate Ingress Policing monitors the committed information rate (CIR) of traffic.
Note | The committed information rate (CIR) is a value specified as a bit rate from 1 to 80000000000 or a percentage of the link rate. |
In addition, Ingress Policing can monitor associated burst sizes of the packets. Two colors, or conditions, are determined by Ingress Policing for each packet depending on the data rate parameters that you supply.
You can configure only one action for each condition. For example, you might police for traffic in a class to conform to the data rate of 256000 bits per second with up to 200 millisecond bursts.
Color-aware Ingress Policing assumes that traffic has been previously marked with a color.
Nexus 5500 Series | Nexus 2232 | Nexus 2248TP-E | Nexus 6000 Series | |
---|---|---|---|---|
Burst Size |
64 MB |
32 MB |
32 MB |
64 MB |
Max Rate |
96 Gbps |
12 Gbps |
8 Gbps |
8 Gbps |
Granularity |
732 kbps |
732 kbps |
488 kbps |
122 kbps |
The configuration for Ingress Policing is a part of the Quality of Service (QoS) policy configuration. You can configure QoS policies with Ingress Policing on the following :
Statistics are provided with Ingress Policing. Statistics include the drop count and allowed count. You can display the statistics by entering the show policy-map interface ethernet command.
QoS policies that you configure on the attachments are installed in the QoS region of the Ternary Content Addressable Memory (TCAM) and causes the switch to apply Ingress Policing.
If you configure a QoS policy with Ingress Policing on a HIF port or HIF port channel, Ingress Policing is offloaded to the Fabric Extender (FEX). Policy rewrites occur only in the switch. So QOS policy offload to FEX is required if there is any QOS policy rewrites which affects policer.
All the match/set criteria that are supported in a QoS policy are supported even with Ingress Policing present in the policy. A Fabric Extender (FEX) supports Layer 3 operations (fragments) and Layer 4 operations (source and destination port ranges) but not the Transmission Control Protocol (TCP) flags and Layer 2 operations.
You can define match criteria for a QoS policy so that it matches the control protocol traffic. If the type of policy is configured with Ingress Policing on an HIF port, the control traffic also gets policed. Therefore, the match criteria must be specific to the required flow of traffic.
The police command is not supported on the Cisco Nexus device ASICs.
The switch cannot apply a QoS policy with Ingress Policing to an HIF port that has virtual Ethernet interfaces attached.
If the switch applies Ingress Policing on the HIF port, the policer is applied to traffic with no Virtual Network Tag (VNTAG).
A policy with Ingress Policing is allowed only on switch ports, HIF ports, and port channels with switch/HIF ports.
Ingress Policing with Layer 2 operations and TCP flags in the match criteria is not allowed on FEX interfaces.
Ingress Policing is not supported on Enhanced VPC (2LayerVPC) ports.
It is recommended that you apply identical Ingress Policing on Dual-homed (AA) HIF interfaces.
The police command is not supported on system QoS policies.
The show policy-map interface command is recommended to check that the ingress rate limiter is conformed and to display violated statistics. The CLI displays conformed/violated packets and packet per second statistics on HIF interfaces (regular as well as port-channel), whereas on the switchport (regular as well as port-channel) the command displays conformed/violated bytes and bits per second (bps).
This example shows how to create a policy map with Ingress Policing using the committed information rate:
switch# configure terminal switch(config)# policy-map type qos pm1 switch(config-pmap-qos)# class type qos cm1 switch(config-pmap-c-qos)# police cir 10 mbps bc 20 kbytes switch(config-pmap-c-qos)# set qos-group 4 switch(config-pmap-c-qos)# end switch# show policy-map type qos pm1 Type qos policy-maps ==================== policy-map type qos pm1 class type qos cm1 set qos-group 4 police cir 20 mbytes conform transmit violate drop set qos-group 4 class type qos class-default set qos-group 1 switch#
Command or Action | Purpose | |
---|---|---|
Step 1 | switch# configure terminal |
Enters global configuration mode. |
Step 2 | switch(config)# policy-map [type qos] [qos-policy-map-name] |
Creates a named object that represents a set of policies that are applied to a set of traffic classes. Policy-map names can contain alphabetic, hyphen, or underscore characters, are case sensitive, and can be up to 40 characters. |
Step 3 | switch(config-pmap-qos)# class [type qos] {class-map-name | class-default} |
Associates a class map with the policy map and enters configuration mode for the specified system class. Use the class-default keyword to select all traffic that is currently not matched by classes in the policy map. The class-map-name argument can be a maximum of 40 characters. The name is case sensitive and can only contain alphanumeric characters, hyphens, and underscores. |
Step 4 | switch(config-pmap-c-qos)# police [cir] {committed-rate [data-rate] | percent cir-link-percent} [ [bc] {committed-burst-rate}][conform{transmit} [violate {drop}]]] |
Polices cir in bits, kbps, mbps, or gbps. The conform action is applied if the data rate is less than or equal to cir, otherwise, the violate action is applied. The cir keyword specifies to use the committed information rate, or desired bandwidth, as a bit rate or a percentage of the link rate. The cir-link-percent value can range from 1 to 100 percent. Values for committed-burst-rate are the following: The following are the Ingress Policing actions:
|
Step 5 | switch(config-pmap-c-qos)# set {{dscp {dscp-val | dscp-enum}} | {precedence {prec-val | prec-enum}} | {qos-group qos-grp-val}} | (Optional)
Sets the dscp, precedence, or qos-group actions. dscp-val—DSCP value or parameter to assign for this class of traffic. Valid values are from 0 to 63. prec-val—IP precendence value to assign for this class of traffic. Valid values from 0 to 7. qos-grp-val—QoS group value to assign for this class of traffic. The range is from 1 to 5. |
Step 6 | switch(config-pmap-c-qos)# exit |
Exits policy-map class configuration mode and enters policy-map mode. |
Step 7 | switch(config-pmap-qos)# exit |
Exits policy-map mode and enters configuration mode. |
Step 8 | switch(config)# show policy-map [type qos] [policy-map-name | qos-dynamic] | (Optional)
Displays information about all configured policy maps or a selected policy map of type qos. |
This example shows how to create a policy map with Ingress Policing using the percentage of the interface rate:
switch# configure terminal switch(config)# policy-map type qos pm-test1 switch(config-pmap-qos)# class type qos cm-cos4 switch(config-pmap-c-qos)# police cir percent 10 bc 40 kbytes conform transmit violate drop switch(config-pmap-c-qos)# end switch# show policy-map type qos pm-test1 Type qos policy-maps ==================== policy-map type qos pm-test1 class type qos cm-cos4 set qos-group 4 police cir percent 10 bc 40 kbytes conform transmit violate drop class type qos class-default set qos-group 1 switch#
To verify Ingress Policing configuration information, perform one of the following tasks:
Command |
Purpose |
---|---|
switch# show policy-map interface [interface number] | Displays the policy map settings for an interface or all interfaces. |
switch# show policy-map [type qos] [policy-map-name] | Displays information about all configured policy maps or a selected policy map of type qos. |
The following example shows the Committed Information Rate (CIR) being specified as a percentage where the Ingress Policing rate is calculated based on the port/port-channel speed:
switch(config)# policy-map type qos pm-cos switch(config-pmap-qos)# class cm-cos switch(config-pmap-c-qos)# police cir percent 10 bc 20 mbytes conform transmit violate drop switch(config-pmap-c-qos)#
The following example shows the output of the show policy-map command with Ingress Policing configured:
switch(config-pmap-c-qos)# show policy-map pm-cos Type qos policy-maps ==================== policy-map type qos pm-cos class type qos cm-cos set qos-group 4 police cir percent 10 bc 20 mbytes conform transmit violate drop class type qos class-default set qos-group 1 switch(config-pmap-c-qos)#
The following example shows a policy being applied to an interface with the service-policy command:
switch(config)# interface ethernet 1/1 switch(config-if)# service-policy type qos input pm-cos
The following example shows policy statistics being displayed by using the show policy-map command:
switch(config-if)# show policy-map interface ethernet 1/1 Global statistics status : disabled Ethernet1/1 Service-policy (qos) input: qos-police policy statistics status: disabled Class-map (qos): qos-police (match-all) 0 packets Match: dscp 10 police cir percent 100 bc 200 ms conformed 0 bytes, 0 bps action: transmit violated 0 bytes, 0 bps action: drop