Cisco IOS Quality of Service Solutions Command Reference, Release 12.3 T
Quality of Service Commands: O through P

Table Of Contents

oam-bundle

police

police (EtherSwitch)

police (percent)

police (two rates)

police rate (control-plane)

policy-map

precedence

precedence (WRED group)

priority

priority-group

priority-list default

priority-list interface

priority-list protocol

priority-list queue-limit

protect

pvc-bundle


oam-bundle

To enable end-to-end F5 Operation, Administration, and Maintenance (OAM) loopback cell generation and OAM management for all virtual circuit (VC) members of a bundle or a VC class that can be applied to a VC bundle, use the oam-bundle command in switched virtual circuit (SVC)-bundle configuration mode or VC-class configuration mode. To remove OAM management from the bundle or class configuration, use the no form of this command.

To enable end-to-end F5 OAM loopback cell generation and OAM management for all VC members of a bundle, use the oam-bundle command in bundle configuration mode. To remove OAM management from the bundle, use the no form of this command.

oam-bundle [manage] [frequency]

no oam-bundle [manage] [frequency]

Syntax Description

manage

(Optional) Enables OAM management. If this keyword is omitted, loopback cells are sent, but the bundle is not managed.

frequency

(Optional) Number of seconds between transmitted OAM loopback cells. Values range from 0 to 600 seconds. The default value for the frequency argument is 10 seconds.


Defaults

End-to-end F5 OAM loopback cell generation and OAM management are disabled, but if OAM cells are received, they are looped back.

Command Modes

SVC-bundle configuration (for an SVC bundle)

VC-class configuration (for a VC class)

Bundle configuration (for an ATM VC bundle)

Command History

Release
Modification

12.0(3)T

This command was introduced.

12.2(4)T

This command was made available in SVC-bundle configuration mode.


Usage Guidelines

This command defines whether a VC bundle is OAM managed. If this command is configured for a bundle, every VC member of the bundle is OAM managed. If OAM management is enabled, further control of OAM management is configured using the oam retry command.

This command has no effect if the VC class that contains the command is attached to a standalone VC; that is, if the VC is not a bundle member. In this case, the attributes are ignored by the VC.

To use this command in VC-class configuration mode, first enter the vc-class atm global configuration command.

To use this command in bundle configuration mode, enter the bundle subinterface configuration command to create the bundle or to specify an existing bundle before you enter this command.

VCs in a VC bundle are subject to the following configuration inheritance rules (listed in order of next-highest precedence):

VC configuration in bundle-VC mode

Bundle configuration in bundle mode (with effect of assigned VC-class configuration)

Examples

The following example enables OAM management for a bundle called "chicago":

bundle chicago 
 oam-bundle manage

Related Commands

Command
Description

broadcast

Configures broadcast packet duplication and transmission for an ATM VC class, PVC, SVC, or VC bundle.

class-bundle

Configures a VC bundle with the bundle-level commands contained in the specified VC class.

encapsulation

Sets the encapsulation method used by the interface.

inarp

Configures the Inverse ARP time period for an ATM PVC, VC class, or VC bundle.

oam retry

Configures parameters related to OAM management for an ATM PVC, SVC, VC class, or VC bundle.

protocol (ATM)

Configures a static map for an ATM PVC, SVC, VC class, or VC bundle. Enables Inverse ARP or Inverse ARP broadcasts on an ATM PVC by configuring Inverse ARP either directly on the PVC, on the VC bundle, or in a VC class (applies to IP and IPX protocols only).


police

To configure traffic policing, use the police command in policy-map class configuration mode or policy-map class police configuration mode. To remove traffic policing from the configuration, use the no form of this command.

police bps [burst-normal] [burst-max] conform-action action exceed-action action [violate-action action]

no police bps [burst-normal] [burst-max] conform-action action exceed-action action [violate-action action]

Syntax Description

bps

Average rate in bits per second. Valid values are 8000 to 200000000.

burst-normal

(Optional) Normal burst size in bytes. Valid values are 1000 to 51200000. The default normal burst size is 1500 bytes.

burst-max

(Optional) Excess burst size in bytes. Valid values are 1000 to 51200000.

conform-action action

Action to take on packets that conform to the rate limit.

exceed-action action

Action to take on packets that exceed the rate limit.

violate-action action

(Optional) Action to take on packets that violate the normal and maximum burst sizes.

action

Action to take on packets. Specify one of the following keywords:

drop—Drops the packet.

set-clp-transmit value—Sets the ATM Cell Loss Priority (CLP) bit from 0 to 1 on the ATM cell and transmits the packet with the ATM CLP bit set to 1.

set-discard-class-transmit—Sets the discard class attribute of a packet and transmits the packet with the new discard class setting.

set-dscp-transmit value—Sets the IP differentiated services code point (DSCP) value and transmits the packet with the new IP DSCP value setting.

set-frde-transmit value—Sets the Frame Relay Discard Eligibility (DE) bit from 0 to 1 on the frame relay frame and transmits the packet with the DE bit set to 1.

set-mpls-experimental-imposition-transmit value—Sets the Multiprotocol Label Switching (MPLS) experimental (EXP) bits (0 to 7) in the imposed label headers and transmits the packet with the new MPLS EXP bit value setting.

set-mpls-experimental-topmost-transmit value—Sets the MPLS EXP field value in the topmost MPLS label header at the input and/or output interfaces.

set-prec-transmit value—Sets the IP precedence and transmits the packet with the new IP precedence value setting.

set-qos-transmit value—Sets the qos-group value and transmits the packet with the new qos-group value setting.

transmit—Transmits the packet. The packet is not altered.


Defaults

Disabled

Command Modes

Policy-map class configuration (when specifying a single action to be applied to a marked packet)

Policy-map class police configuration (when specifying multiple actions to be applied to a marked packet)

Command History

Release
Modification

12.0(5)XE

This police command was introduced.

12.1(1)E

This command was integrated in Cisco IOS Release 12.1(1)E.

12.1(5)T

This command was integrated in Cisco IOS Release 12.1(5)T. The violate-action keyword was added.

12.2(2)T

The set-clp-transmit option for the action argument was added. The set-frde-transmit keyword for the action argument was added. The set-mpls-exp-transmit keyword for the action argument was added.

12.2(8)T

The command was modified for the Policer Enhancement — Multiple Actions feature. This command can now accommodate multiple actions for packets marked as conforming to, exceeding, or violating a specific rate.

12.2(13)T

In the action argument, the set-mpls-experimental-transmit keyword was renamed to set-mpls-experimental-imposition-transmit.


Usage Guidelines

Use the police command to mark a packet with different quality of service (QoS) values based on conformance to the service-level agreement.

Traffic policing will not be executed for traffic that passes through an interface.

Specifying Multiple Actions

The police command allows you to specify multiple policing actions. When specifying multiple policing actions when configuring the police command, note the following points:

You can specify a maximum of four actions at one time.

You cannot specify contradictory actions such as conform-action transmit and conform-action drop.

Using the Police Command with the Traffic Policing Feature

The police command can be used with the Traffic Policing feature. The Traffic Policing feature works with a token bucket algorithm. Two types of token bucket algorithms are in Cisco IOS Release 12.1(5)T: a single-token bucket algorithm and a two-token bucket algorithm. A single-token bucket system is used when the violate-action option is not specified, and a two-token bucket system is used when the violate-action option is specified.

The token bucket algorithm for the police command that was introduced in Cisco IOS Release 12.0(5)XE is different from the token bucket algorithm for the police command introduced in Cisco IOS Release 12.1(5)T. For information on the token bucket algorithm introduced in Release 12.0(5)XE, refer to the Traffic Policing document for Release 12.0(5)XE. This document is available on the New Features for 12.0(5)XE feature documentation index (under Modular QoS CLI-related feature modules) at www.cisco.com.

The following are explanations of how the token bucket algorithms introduced in Cisco IOS Release 12.1(5)T work.

Token Bucket Algorithm with One Token Bucket

The one token bucket algorithm is used when the violate-action option is not specified in the police command command-line interface (CLI).

The conform bucket is initially set to the full size (the full size is the number of bytes specified as the normal burst size).

When a packet of a given size (for example, "B" bytes) arrives at a specific time (time "T"), the following actions occur:

Tokens are updated in the conform bucket. If the previous arrival of the packet was at T1 and the current time is T, the bucket is updated with (T - T1) worth of bits based on the token arrival rate. The token arrival rate is calculated as follows:

(time between packets <which is equal to T - T1> * policer rate)/8 bytes

If the number of bytes in the conform bucket minus B is greater than or equal to 0, the packet conforms and the conform action is taken on the packet. If the packet conforms, B bytes are removed from the conform bucket and the conform action is completed for the packet.

If the number of bytes in the conform bucket minus B (the packet size to be limited) is less than 0, the exceed action is taken.

Token Bucket Algorithm with Two Token Buckets

The two-token bucket algorithm is used when the violate-action option is specified in the police command CLI.

The conform bucket is initially full (the full size is the number of bytes specified as the normal burst size).

The exceed bucket is initially full (the full exceed bucket size is the number of bytes specified in the maximum burst size).

The tokens for both the conform and exceed token buckets are updated based on the token arrival rate, or committed information rate (CIR).

When a packet of a given size (for example, "B" bytes) arrives at a specific time (time "T"), the following actions occur:

Tokens are updated in the conform bucket. If the previous arrival of the packet was at T1 and the current arrival of the packet is at T, the bucket is updated with (T - T1) worth of bits based on the token arrival rate. The refill tokens are placed in the conform bucket. If the tokens overflow the conform bucket, the overflow tokens are placed in the exceed bucket.

The token arrival rate is calculated as follows:

(time between packets <which is equal to T-T1> * policer rate)/8 bytes

If the number of bytes in the conform bucket - B is greater than or equal to 0, the packet conforms and the conform action is taken on the packet. If the packet conforms, B bytes are removed from the conform bucket and the conform action is taken. The exceed bucket is unaffected in this scenario.

If the number of bytes in the conform bucket minus B is less than 0, the exceed token bucket is checked for enough bytes for the packet. If the number of bytes in the exceed bucket minus B is greater than or equal to 0, the exceed action is taken and B bytes are removed from the exceed token bucket. No bytes are removed from the conform bucket.

If the number of bytes in the exceed bucket minus B is less than 0, the packet violates the rate and the violate action is taken. The action is complete for the packet.

Examples

Token Bucket Algorithm with One Token Bucket Example

The following example shows how to define a traffic class (using the class-map command) and associate the match criteria from the traffic class with the traffic policing configuration, which is configured in the service policy (using the policy-map command). The service-policy command is then used to attach this service policy to the interface.

In this particular example, traffic policing is configured with the average rate at 8000 bits per second and the normal burst size at 1000 bytes for all packets leaving Fast Ethernet interface 0/0:

Router(config)# class-map access-match
Router(config-cmap)# match access-group 1
Router(config-cmap)# exit
Router(config)# policy-map police-setting
Router(config-pmap)# class access-match
Router(config-pmap-c)# police 8000 1000 conform-action transmit exceed-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface fastethernet 0/0
Router(config-if)# service-policy output police-setting

In this example, the token bucket starts full at 1000 bytes. If a 450-byte packet arrives, the packet conforms because enough bytes are available in the conform token bucket. The conform action (send) is taken by the packet and 450 bytes are removed from the conform token bucket (leaving 550 bytes).

If the next packet arrives 0.25 seconds later, 250 bytes are added to the token bucket ((0.25 * 8000)/8), leaving 800 bytes in the token bucket. If the next packet is 900 bytes, the packet exceeds and the exceed action (drop) is taken. No bytes are taken from the token bucket.

Token Bucket Algorithm with Two Token Buckets Example

In this particular example, traffic policing is configured with the average rate at 8000 bits per second, the normal burst size at 1000 bytes, and the excess burst size at 1000 bytes for all packets leaving Fast Ethernet interface 0/0.

Router(config)# class-map access-match
Router(config-cmap)# match access-group 1
Router(config-cmap)# exit
Router(config)# policy-map police-setting
Router(config-pmap)# class access-match
Router(config-pmap-c)# police 8000 1000 1000 conform-action transmit exceed-action set-qos-transmit 1 violate-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface fastethernet 0/0
Router(config-if)# service-policy output police-setting

In this example, the conform token bucket starts full at 1000 bytes. If a 450-byte packet arrives, the packet conforms because enough bytes are available in the conform token bucket. The conform action (send) is taken by the packet and 450 bytes are removed from the conform token bucket (leaving 550 bytes).

If the next packet arrives 0.25 seconds later, 250 bytes are added to the conform token bucket ((0.25 * 8000)/8), leaving 800 bytes in the conform token bucket. If the next packet is 900 bytes, the packet does not conform because only 800 bytes are available in the conform token bucket.

The exceed token bucket, which starts full at 1000 bytes (as specified by the excess burst size), is then checked for available bytes. Because enough bytes are available in the exceed token bucket, the exceed action (set the QoS transmit value of 1) is taken and 900 bytes are taken from the exceed bucket (leaving 100 bytes in the exceed token bucket).

If the next packet arrives 0.40 seconds later, 400 bytes are added to the token buckets ((.40 * 8000)/8). Therefore, the conform token bucket now has 1000 bytes (the maximum number of tokens available in the conform bucket) and 200 bytes overflow the conform token bucket (because only 200 bytes were needed to fill the conform token bucket to capacity). These overflow bytes are placed in the exceed token bucket, giving the exceed token bucket 300 bytes.

If the arriving packet is 1000 bytes, the packet conforms because enough bytes are available in the conform token bucket. The conform action (transmit) is taken by the packet, and 1000 bytes are removed from the conform token bucket (leaving 0 bytes).

If the next packet arrives 0.20 seconds later, 200 bytes are added to the token bucket ((.20 * 8000)/8). Therefore, the conform bucket now has 200 bytes. If the arriving packet is 400 bytes, the packet does not conform because only 200 bytes are available in the conform bucket. Similarly, the packet does not exceed because only 300 bytes are available in the exceed bucket. Therefore, the packet violates and the violate action (drop) is taken.
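The two walkthroughs above can be replayed in code. The following Python model is an added example, not Cisco code: it implements the one-bucket and two-bucket behavior as described in this section and feeds it the same packets. The class and function names are hypothetical, and arrival times are given in milliseconds (an assumption made to keep the arithmetic exact).

```python
# Added illustration, not Cisco code: a model of the single-rate policer
# described above, with one token bucket (no violate-action) or two.

class SingleRatePolicer:
    def __init__(self, rate_bps, burst_normal, burst_max=None):
        self.rate_bps = rate_bps
        self.burst_normal = burst_normal
        # burst_max=None models a police command without violate-action,
        # which uses only the conform bucket.
        self.burst_max = burst_max
        self.conform = float(burst_normal)   # conform bucket starts full
        self.exceed = float(burst_max or 0)  # exceed bucket starts full
        self.last_ms = None                  # arrival time of previous packet

    def _refill(self, now_ms):
        if self.last_ms is not None:
            # (time between packets * policer rate) / 8 bytes, time in ms
            tokens = (now_ms - self.last_ms) * self.rate_bps / 8000
            self.conform += tokens
            overflow = self.conform - self.burst_normal
            if overflow > 0:
                self.conform = float(self.burst_normal)
                if self.burst_max is not None:
                    # Overflow from the conform bucket spills into the
                    # exceed bucket, capped at the maximum burst size.
                    self.exceed = min(self.exceed + overflow,
                                      float(self.burst_max))
        self.last_ms = now_ms

    def police(self, size, now_ms):
        """Return 'conform', 'exceed' or 'violate' for a packet of size bytes."""
        self._refill(now_ms)
        if self.conform - size >= 0:
            self.conform -= size
            return "conform"
        if self.burst_max is None:
            return "exceed"          # one bucket: no bytes are removed
        if self.exceed - size >= 0:
            self.exceed -= size      # conform bucket is left untouched
            return "exceed"
        return "violate"


def run(policer, packets):
    """Police (arrival_ms, size) pairs; return (verdict, conform, exceed)."""
    trace = []
    for now_ms, size in packets:
        verdict = policer.police(size, now_ms)
        trace.append((verdict, policer.conform, policer.exceed))
    return trace


# Packets taken from the two walkthroughs above: (arrival time in ms, bytes).
ONE_BUCKET_PACKETS = [(0, 450), (250, 900)]
TWO_BUCKET_PACKETS = [(0, 450), (250, 900), (650, 1000), (850, 400)]


def one_bucket_example():
    # police 8000 1000 conform-action transmit exceed-action drop
    return run(SingleRatePolicer(8000, 1000), ONE_BUCKET_PACKETS)


def two_bucket_example():
    # police 8000 1000 1000 ... violate-action drop
    return run(SingleRatePolicer(8000, 1000, 1000), TWO_BUCKET_PACKETS)


if __name__ == "__main__":
    for title, trace in (("one bucket", one_bucket_example()),
                         ("two buckets", two_bucket_example())):
        print(title)
        for verdict, conform, exceed in trace:
            print(f"  {verdict:8s} conform={conform:6.0f} exceed={exceed:6.0f}")
```
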

Conforming to the MPLS EXP Value Example

The following example shows that if packets conform to the rate limit, the MPLS EXP field is set to 5. If packets exceed the rate limit, the MPLS EXP field is set to 3.

policy-map input-IP-dscp
  class dscp24
   police 8000 1500 1000
     conform-action set-mpls-experimental-imposition-transmit 5
     exceed-action set-mpls-experimental-imposition-transmit 3
     violate-action drop

Related Commands

Command
Description

policy-map

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

service-policy

Specifies the name of the service policy to be attached to the interface.

show policy-map

Displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps.

show policy-map interface

Displays the configuration of all classes configured for all service policies on the specified interface or displays the classes for the service policy for a specific PVC on the interface.


police (EtherSwitch)

To define a policer for classified traffic, use the police command in policy-map class configuration mode. To remove an existing policer, use the no form of this command.

police {bps | cir bps} [burst-byte | bc burst-byte] conform-action transmit [exceed-action {drop | dscp dscp-value}]

no police {bps | cir bps} [burst-byte | bc burst-byte] conform-action transmit [exceed-action {drop | dscp dscp-value}]

Syntax Description

bps | cir bps

Average traffic rate or committed information rate (CIR) in bits per second (bps).

For 10/100 ports, the range is 1000000 to 100000000, and the granularity is 1 Mbps.

For Gigabit-capable Ethernet ports, the range is 8000000 to 1016000000, and the granularity is 8 Mbps.

burst-byte | bc burst-byte

(Optional) Normal burst size or burst count in bytes.

conform-action transmit

Sends packets that conform to the rate limit.

exceed-action drop

(Optional) When the specified rate is exceeded, specifies that the switch drops the packet.

exceed-action dscp dscp-value

(Optional) When the specified rate is exceeded, specifies that the switch changes the differentiated services code point (DSCP) of the packet to the specified dscp-value and then sends the packet.


Defaults

No policers are defined.

Command Modes

Policy-map class configuration

Command History

Release
Modification

12.1(6)EA2

This command was introduced.

12.2(15)ZJ

This command was implemented on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.


Usage Guidelines

You can configure up to six policers on ingress Fast Ethernet ports.

You can configure up to 60 policers on ingress Gigabit-capable Ethernet ports.

Policers cannot be configured on egress Fast Ethernet and Gigabit-capable Ethernet ports.

To return to policy-map configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.

Use the show policy-map privileged EXEC command to verify your settings.

Examples

The following example shows how to configure a policer that sets the DSCP value to 46 if traffic does not exceed a 1-Mbps average rate with a burst size of 65536 bytes and drops packets if traffic exceeds these conditions:

Router(config)# policy-map policy1
Router(config-pmap)# class class1
Router(config-pmap-c)# set ip dscp 46
Router(config-pmap-c)# police 1000000 65536 conform-action transmit exceed-action drop
Router(config-pmap-c)# exit

Related Commands

Command
Description

policy-map

Creates or modifies a policy map that can be attached to multiple interfaces and enters policy-map configuration mode.

show policy-map

Displays QoS policy maps.


police (percent)

To configure traffic policing on the basis of a percentage of bandwidth available on an interface, use the police (percent) command in policy-map class configuration mode. To remove traffic policing from the configuration, use the no form of this command.

police cir percent percent [bc conform-burst-in-msec] [pir percent percent] [be peak-burst-in-msec]

no police cir percent percent [bc conform-burst-in-msec] [pir percent percent] [be peak-burst-in-msec]

Syntax Description

cir

Committed information rate (CIR). Indicates that the CIR will be used for policing traffic.

percent

Specifies that percent of bandwidth will be used for calculating the CIR.

percent

Specifies the bandwidth percentage. Valid range is a number from 1 to 100.

bc

(Optional) Conform burst (bc) size used by the first token bucket for policing traffic.

conform-burst-in-msec

(Optional) Specifies the bc value in milliseconds (ms). Valid range is a number from 1 to 2000.

pir

(Optional) Peak information rate (PIR). Indicates that the PIR will be used for policing traffic.

percent

(Optional) Specifies that a percentage of bandwidth will be used for calculating the PIR.

percent

(Optional) Specifies the bandwidth percentage. Valid range is a number from 1 to 100.

be

(Optional) Peak burst (be) size used by the second token bucket for policing traffic.

peak-burst-in-msec

(Optional) Specifies the peak burst (be) size in ms. Valid range is a number from 1 to 2000.


Defaults

Disabled

Command Modes

Policy-map class configuration

Command History

Release
Modification

12.0(5)XE

This police command was introduced.

12.1(1)E

This command was integrated into Cisco IOS Release 12.1(1)E.

12.1(5)T

This command was integrated into Cisco IOS Release 12.1(5)T.

12.2(13)T

This command was modified for the Percentage-Based Policing and Shaping feature.


Usage Guidelines

This command calculates the CIR and PIR based on a percentage of the maximum amount of bandwidth available on the interface. When a policy map is attached to the interface, the equivalent CIR and PIR values in bits per second (bps) are calculated based on the interface bandwidth and the percent value entered with this command. The show policy-map interface command can then be used to verify the bps rate calculated.

The calculated CIR and PIR bps rates must be in the range of 8000 to 2000000000 bps. If the rates are outside this range, the associated policy map cannot be attached to the interface. If the interface bandwidth changes (for example, more is added), the bps values of the CIR and the PIR are recalculated based on the revised amount of bandwidth. If the CIR and PIR percentages are changed after the policy map is attached to the interface, the bps values of the CIR and PIR are recalculated.

This command also allows you to specify the values for the conform burst size and the peak burst size in milliseconds. If you want bandwidth to be calculated as a percentage, the conform burst size and the peak burst size must be specified in milliseconds (ms).

Policy maps can be configured in two-level (nested) hierarchies; a primary (or "parent") level and a secondary (or "child") level. The police (percent) command can be configured for use in either a parent or child policy map.

The police (percent) command uses the maximum rate of bandwidth available as the reference point for calculating the bandwidth percentage. When the police (percent) command is configured in a child policy map, the police (percent) command uses the bandwidth amount specified in the next higher-level policy (in this case, the parent policy map). If the parent policy map does not specify the maximum bandwidth rate available, the police (percent) command uses the maximum bandwidth rate available on the next higher level (in this case, the physical interface, the highest point in the hierarchy) as the reference point. The police (percent) command always looks to the next higher level for the bandwidth reference point. The following sample configuration illustrates this point:

policy-map parent_policy
 class parent
  shape average 512000
  service-policy child_policy

policy-map child_policy
 class normal_type
  police cir percent 30

In this sample configuration, there are two hierarchical policies: one called "parent_policy" and one called "child_policy." In the policy map called "child_policy," the police (percent) command has been configured in the class called "normal_type." In this class, the percentage specified for the police (percent) command is 30 percent. The command will use 512 kbps, the peak rate, as the bandwidth reference point for "class parent" in "parent_policy." The police (percent) command will use 512 kbps as the basis for calculating the CIR rate (512 kbps * 30 percent).

interface serial 4/0
 service-policy output parent_policy

policy-map parent_policy
 class parent
  bandwidth 512
  service-policy child_policy

In the above example, there is one policy map called "parent_policy." In this policy map, a peak rate has not been specified. The bandwidth (policy-map class) command has been used, but this command does not represent the maximum rate of bandwidth available. Therefore, the police (percent) command will look to the next higher level (in this case serial interface 4/0) to get the bandwidth reference point. Assuming the bandwidth of serial interface 4/0 is 1.5 Mbps, the police (percent) command will use 1.5 Mbps as the basis for calculating the CIR rate (1500000 * 30 percent).

How Bandwidth Is Calculated

The police (percent) command is often used in conjunction with the bandwidth (policy-map class) and priority commands. The bandwidth (policy-map class) and priority commands can be used to calculate the total amount of bandwidth available on an entity (for example, a physical interface). When the bandwidth (policy-map class) and priority commands calculate the total amount of bandwidth available on an entity, the following guidelines are invoked:

If the entity is a physical interface, the total bandwidth is the bandwidth on the physical interface.

If the entity is a shaped ATM permanent virtual circuit (PVC), the total bandwidth is calculated as follows:

For a variable bit rate (VBR) virtual circuit (VC), the sustained cell rate (SCR) is used in the calculation.

For an available bit rate (ABR) VC, the minimum cell rate (MCR) is used in the calculation.

For more information on bandwidth allocation, refer to the chapter "Congestion Management Overview" in the Cisco IOS Quality of Service Solutions Configuration Guide.

Examples

The following example configures traffic policing using a CIR and a PIR based on a percentage of bandwidth. In this example, a CIR of 20 percent and a PIR of 40 percent have been specified. Additionally, an optional bc value and be value (300 ms and 400 ms, respectively) have been specified.

Router(config)# policy-map policy1
Router(config-pmap)# class class1
Router(config-pmap-c)# police cir percent 20 bc 300 ms pir percent 40 be 400 ms
Router(config-pmap-c)# service-policy child-policy1
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface serial 3/1
Router(config-if)# service-policy output policy1

Related Commands

Command
Description

bandwidth (policy-map class)

Specifies or modifies the bandwidth allocated for a class belonging to a policy map.

policy-map

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

priority

Gives priority to a class of traffic belonging to a policy map.

service-policy

Attaches a policy map to an input interface or VC, or an output interface or VC, to be used as the service policy for that interface or VC.

shape (percent)

Specifies average or peak rate traffic shaping based on a percentage of bandwidth available on an interface.

show policy-map

Displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps.

show policy-map interface

Displays the packet statistics of all classes that are configured for all service policies either on the specified interface or subinterface or on a specific PVC on the interface.


police (two rates)

To configure traffic policing using two rates, the committed information rate (CIR) and the peak information rate (PIR), use the police command in policy-map configuration mode. To remove two-rate traffic policing from the configuration, use the no form of this command.

police {cir cir} [bc conform-burst] {pir pir} [be peak-burst] [conform-action action [exceed-action action [violate-action action]]]

no police {cir cir} [bc conform-burst] {pir pir} [be peak-burst] [conform-action action [exceed-action action [violate-action action]]]

Syntax Description

cir

Committed information rate (CIR) at which the first token bucket is updated.

cir

Specifies the CIR value in bits per second. The value is a number from 8000 to 200000000.

bc

(Optional) Conform burst (bc) size used by the first token bucket for policing.

conform-burst

(Optional) Specifies the bc value in bytes. The value is a number from 1000 to 51200000.

pir

Peak information rate (PIR) at which the second token bucket is updated.

pir

Specifies the PIR value in bits per second. The value is a number from 8000 to 200000000.

be

(Optional) Peak burst (be) size used by the second token bucket for policing.

peak-burst

(Optional) Specifies the peak burst (be) size in bytes. The size varies according to the interface and platform in use.

conform-action

(Optional) Action to take on packets that conform to the CIR and PIR.

exceed-action

(Optional) Action to take on packets that conform to the PIR but not the CIR.

violate-action

(Optional) Action to take on packets that exceed the PIR.

action

(Optional) Action to take on packets. Specify one of the following keywords:

drop—Drops the packet.

set-clp-transmit—Sets the ATM Cell Loss Priority (CLP) bit from 0 to 1 on the ATM cell and sends the packet with the ATM CLP bit set to 1.

set-dscp-transmit new-dscp—Sets the IP differentiated services code point (DSCP) value and sends the packet with the new IP DSCP value setting.

set-frde-transmit—Sets the Frame Relay discard eligible (DE) bit from 0 to 1 on the Frame Relay frame and sends the packet with the DE bit set to 1.

set-mpls-exp-transmit—Sets the Multiprotocol Label Switching (MPLS) experimental bits from 0 to 7 and sends the packet with the new MPLS experimental bit value setting.

set-prec-transmit new-prec—Sets the IP precedence and sends the packet with the new IP precedence value setting.

set-qos-transmit new-qos—Sets the quality of service (QoS) group value and sends the packet with the new QoS group value setting.

transmit—Sends the packet with no alteration.


Defaults

Disabled

Command Modes

Policy-map configuration

Command History

Release
Modification

12.0(5)XE

The police command was introduced.

12.1(1)E

This command was integrated into Cisco IOS Release 12.1(1)E.

12.1(5)T

This command was integrated into Cisco IOS Release 12.1(5)T. The violate-action keyword was added.

12.2(2)T

The following keywords for the action argument were added:

set-clp-transmit

set-frde-transmit

set-mpls-exp-transmit

12.2(4)T

This command was expanded for the Two-Rate policing feature. The cir and pir keywords were added to accommodate two-rate traffic policing.


Usage Guidelines

Two-rate traffic policing uses two token buckets—Tc and Tp—for policing traffic at two independent rates. Note the following points about the two token buckets:

The Tc token bucket is updated at the CIR value each time a packet arrives at the two-rate policer. The Tc token bucket can contain up to the conform burst (Bc) value.

The Tp token bucket is updated at the PIR value each time a packet arrives at the two-rate policer. The Tp token bucket can contain up to the peak burst (Be) value.

Updating Token Buckets

The following scenario illustrates how the token buckets are updated:

A packet of B bytes arrives at time t. The last packet arrived at time t1. The CIR and the PIR token buckets at time t are represented by Tc(t) and Tp(t), respectively. Using these values and in this scenario, the token buckets are updated as follows:

Tc(t) = min(CIR * (t-t1) + Tc(t1), Bc)

Tp(t) = min(PIR * (t-t1) + Tp(t1), Be)

Marking Traffic

The two-rate policer marks packets as either conforming, exceeding, or violating a specified rate. The following points (using a packet of B bytes) illustrate how a packet is marked:

If B > Tp(t), the packet is marked as violating the specified rate.

If B > Tc(t), the packet is marked as exceeding the specified rate, and the Tp(t) token bucket is updated as Tp(t) = Tp(t) - B.

Otherwise, the packet is marked as conforming to the specified rate, and both token buckets—Tc(t) and Tp(t)—are updated as follows:

Tp(t) = Tp(t) - B

Tc(t) = Tc(t) - B

For example, if the CIR is 100 kbps, the PIR is 200 kbps, and a data stream with a rate of 250 kbps arrives at the two-rate policer, the data stream would be marked as follows:

100 kbps would be marked as conforming to the rate

100 kbps would be marked as exceeding the rate

50 kbps would be marked as violating the rate
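The update and marking rules above, as a Python sketch added here (it is not Cisco code). The names `TwoRatePolicer` and `marked_rates`, the 125-byte packet size and the 1500-byte burst values are assumptions chosen so the arithmetic stays exact, and both buckets are assumed to start full. Feeding it a 250 kbps stream with CIR 100 kbps and PIR 200 kbps reproduces the 100/100/50 kbps split, apart from the initial burst allowance.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass
class TwoRatePolicer:
    cir: int  # committed information rate, bits per second
    pir: int  # peak information rate, bits per second
    bc: int   # conform burst in bytes (depth of the Tc bucket)
    be: int   # peak burst in bytes (depth of the Tp bucket)

    def __post_init__(self):
        # Assumption: both buckets start full; the page does not state the initial fill.
        self.tc = Fraction(self.bc)
        self.tp = Fraction(self.be)
        self.last = Fraction(0)

    def police(self, t, size):
        """Refill both buckets for an arrival at time t (seconds), then mark `size` bytes."""
        dt = t - self.last
        self.last = t
        self.tc = min(self.tc + Fraction(self.cir, 8) * dt, self.bc)  # Tc(t)
        self.tp = min(self.tp + Fraction(self.pir, 8) * dt, self.be)  # Tp(t)
        if size > self.tp:
            return "violate"      # no tokens are consumed
        self.tp -= size
        if size > self.tc:
            return "exceed"       # only Tp is debited
        self.tc -= size
        return "conform"          # both buckets are debited

def marked_rates(policer, offered_bps, size, seconds):
    """Feed a constant-rate stream of `size`-byte packets; return bps per marking."""
    gap = Fraction(size * 8, offered_bps)  # seconds between packet arrivals
    marked = {"conform": 0, "exceed": 0, "violate": 0}
    for k in range(int(seconds / gap)):
        marked[policer.police(k * gap, size)] += size * 8
    return {colour: bits / seconds for colour, bits in marked.items()}
```

Because violating packets consume no tokens, a sustained overload never starves the conforming share; only the burst sizes decide how long the start-up allowance lasts.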

Marking Packets and Assigning Actions Flowchart

The flowchart in Figure 4 illustrates how the two-rate policer marks packets and assigns a corresponding action (that is, violate, exceed, or conform) to the packet.

Figure 4 Marking Packets and Assigning Actions with the Two-Rate Policer

Examples

In the following example, two-rate traffic policing is configured on a class to limit traffic to an average committed rate of 500 kbps and a peak rate of 1 Mbps:

Router(config)# class-map police
Router(config-cmap)# match access-group 101
Router(config-cmap)# policy-map policy1
Router(config-pmap)# class police
Router(config-pmap-c)# police cir 500000 bc 10000 pir 1000000 be 10000 conform-action transmit exceed-action set-prec-transmit 2 violate-action drop
Router(config-pmap-c)# interface serial3/0
Router(config-if)# service-policy output policy1
Router(config-if)# end
Router# show policy-map policy1

 Policy Map policy1
  Class police
   police cir 500000 conform-burst 10000 pir 1000000 peak-burst 10000 conform-action transmit exceed-action set-prec-transmit 2 violate-action drop

Traffic marked as conforming to the average committed rate (500 kbps) will be sent as is. Traffic marked as exceeding 500 kbps, but not exceeding 1 Mbps, will be marked with IP Precedence 2 and then sent. All traffic marked as exceeding 1 Mbps will be dropped. The burst parameters are set to 10000 bytes.

In the following example, 1.25 Mbps of traffic is sent ("offered") to a policer class:

Router# show policy-map interface serial3/0

 Serial3/0

  Service-policy output: policy1

   Class-map: police (match all)
    148803 packets, 36605538 bytes
    30 second offered rate 1249000 bps, drop rate 249000 bps
    Match: access-group 101
    police:
     cir 500000 bps, conform-burst 10000, pir 1000000, peak-burst 100000
     conformed 59538 packets, 14646348 bytes; action: transmit
     exceeded 59538 packets, 14646348 bytes; action: set-prec-transmit 2
     violated 29731 packets, 7313826 bytes; action: drop
     conformed 499000 bps, exceed 500000 bps violate 249000 bps

   Class-map: class-default (match-any)
    19 packets, 1990 bytes
    30 seconds offered rate 0 bps, drop rate 0 bps
    Match: any

The two-rate policer marks 500 kbps of traffic as conforming, 500 kbps of traffic as exceeding, and 250 kbps of traffic as violating the specified rate. Packets marked as conforming to the rate will be sent as is, and packets marked as exceeding the rate will be marked with IP Precedence 2 and then sent. Packets marked as violating the rate are dropped.
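One way to cross-check these counters offline, as an added Python example that is not part of the Cisco documentation: it parses the police: stanza shown above (copied verbatim into `SAMPLE`) and tests it against the configured CIR and PIR. The function names and the 1 percent tolerance are assumptions.

```python
import re

# The police: stanza from the page's `show policy-map interface serial3/0` output.
SAMPLE = """\
    30 second offered rate 1249000 bps, drop rate 249000 bps
    police:
     cir 500000 bps, conform-burst 10000, pir 1000000, peak-burst 100000
     conformed 59538 packets, 14646348 bytes; action: transmit
     exceeded 59538 packets, 14646348 bytes; action: set-prec-transmit 2
     violated 29731 packets, 7313826 bytes; action: drop
     conformed 499000 bps, exceed 500000 bps violate 249000 bps
"""

def parse_policer(text):
    """Extract rates, packet counters and actions from one class's police: stanza."""
    s = {"packets": {}, "action": {}}
    m = re.search(r"offered rate (\d+) bps, drop rate (\d+) bps", text)
    s["offered"], s["drop"] = int(m[1]), int(m[2])
    m = re.search(r"cir (\d+) bps.*?pir (\d+)", text)
    s["cir"], s["pir"] = int(m[1]), int(m[2])
    for colour, pkts, action in re.findall(
            r"(conformed|exceeded|violated) (\d+) packets, \d+ bytes; action: (.+)", text):
        s["packets"][colour] = int(pkts)
        s["action"][colour] = action.strip()
    m = re.search(r"conformed (\d+) bps, exceed (\d+) bps,? violate (\d+) bps", text)
    s["bps"] = dict(zip(("conformed", "exceeded", "violated"), map(int, m.groups())))
    return s

def findings(s, tolerance=0.01):
    """Return inconsistencies between the counters and the configured rates."""
    out, bps = [], s["bps"]
    if bps["conformed"] > s["cir"]:
        out.append("conformed rate above CIR")
    if bps["conformed"] + bps["exceeded"] > s["pir"]:
        out.append("conformed + exceeded above PIR")
    if abs(sum(bps.values()) - s["offered"]) > tolerance * s["offered"]:
        out.append("per-colour rates do not add up to the offered rate")
    dropped = sum(r for c, r in bps.items() if s["action"][c] == "drop")
    if abs(dropped - s["drop"]) > tolerance * s["offered"]:
        out.append("drop rate does not match the colours whose action is drop")
    return out

def violated_share(s):
    """Fraction of policed packets that were marked as violating."""
    return s["packets"]["violated"] / sum(s["packets"].values())
```

On the page's output `findings` returns an empty list and about 20 percent of packets are violating, which matches 250 kbps out of 1.25 Mbps offered.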

Related Commands

Command
Description

police

Configures traffic policing.

policy-map

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

service-policy

Attaches a policy map to an input interface or an output interface to be used as the service policy for that interface.

show policy-map

Displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps.

show policy-map interface

Displays the packet statistics of all classes that are configured for all service policies either on the specified interface or subinterface or on a specific PVC on the interface.


police rate (control-plane)

To configure traffic policing for traffic that is destined for the control plane, use the police rate command in policy-map class configuration mode. To remove traffic policing from the configuration, use the no form of this command.

Syntax for Packets per Second

police rate units pps [burst burst-in-packets packets] [peak-rate peak-rate-in-pps pps] [peak-burst peak-burst-in-packets packets]

no police rate units pps [burst burst-in-packets packets] [peak-rate peak-rate-in-pps pps] [peak-burst peak-burst-in-packets packets]

Syntax for Bytes per Second

police rate units bps [burst burst-in-bytes bytes] [peak-rate peak-rate-in-bps bps] [peak-burst peak-burst-in-bytes bytes]

no police rate units bps [burst burst-in-bytes bytes] [peak-rate peak-rate-in-bps bps] [peak-burst peak-burst-in-bytes bytes]

Syntax for Percent

police rate percent percentage [burst ms ms] [peak-rate percent percentage] [peak-burst ms ms]

no police rate percent percentage [burst ms ms] [peak-rate percent percentage] [peak-burst ms ms]

Syntax Description

units

Specifies the police rate. If the police rate is specified in pps, the valid value range is 1 to 2000000. If the police rate is specified in bps, the valid range of values is 8000 to 10000000000.

pps

(Optional) Packets per second (pps) will be used to determine the rate at which traffic is policed.

burst burst-in-packets packets

(Optional) Burst rate, in packets, will be used for policing traffic. Valid range is a number from 1 to 512000.

peak-rate peak-rate-in-pps pps

(Optional) Peak Information Rate (PIR) will be used for policing traffic and will be used to calculate the PIR. Valid range is a number from 1 to 512000.

peak-burst peak-burst-in-packets packets

(Optional) Peak burst value, in packets, will be used for policing traffic. Valid range is a number from 1 to 512000.

bps

(Optional) Bits per second (bps) will be used to determine the rate at which traffic is policed.

Note If a rate is not specified, traffic is policed via bps.

burst burst-in-bytes bytes

(Optional) Specifies the burst rate, in bytes, that will be used for policing traffic. Valid range is from 1000 to 512000000.

peak-rate peak-rate-in-bps bps

(Optional) Specifies the peak burst value, in bytes, for the peak rate. Valid range is from 1000 to 512000000.

peak-burst peak-burst-in-bytes bytes

(Optional) Specifies the peak burst value, in bytes, that will be used for policing traffic. Valid range is from 1000 to 512000000.

percent

(Optional) A percentage of interface bandwidth will be used to determine the rate at which traffic is policed.

percentage

(Optional) Bandwidth percentage. Valid range is a number from 1 to 100.

burst ms ms

(Optional) Burst rate, in milliseconds, will be used for policing traffic. Valid range is a number from 1 to 2000.

peak-rate percent percentage

(Optional) A percentage of interface bandwidth will be used to determine the PIR. Valid range is a number from 1 to 100.

peak-burst ms ms

(Optional) Peak burst rate, in milliseconds, will be used for policing traffic. Valid range is a number from 1 to 2000.


Defaults

Disabled

Command Modes

Policy-map class configuration

Command History

Release
Modification

12.3(7)T

This command was introduced.


Usage Guidelines

Use the police rate command to limit traffic that is destined for the control plane on the basis of pps, bps, or a percentage of interface bandwidth.

If the police rate command is issued, but a rate is not specified, traffic that is destined for the control plane will be policed on the basis of bps.

Examples

The following example shows how to configure policing on a class to limit traffic to an average rate of 1500000 pps:

Router(config)# class-map telnet-class 
Router(config-cmap)# match access-group 140
Router(config-cmap)# exit
Router(config)# policy-map control-plane-policy
Router(config-pmap)# class telnet-class
Router(config-pmap-c)# police rate 1500000 pps burst 500000 packets 
Router(config-pmap-c)# exit

Related Commands

Command
Description

policy-map

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

show policy-map

Displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps.


policy-map

To create or modify a policy map that can be attached to one or more interfaces to specify a service policy, use the policy-map command in global configuration mode. To delete a policy map, use the no form of this command.

policy-map policy-map-name

no policy-map policy-map-name

Syntax Description

policy-map-name

Name of the policy map. The name can be a maximum of 40 alphanumeric characters.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.


Usage Guidelines

Use the policy-map command to specify the name of the policy map to be created, added to, or modified before you can configure policies for classes whose match criteria are defined in a class map. Entering the policy-map command enables QoS policy-map configuration mode in which you can configure or modify the class policies for that policy map.

You can configure class policies in a policy map only if the classes have match criteria defined for them. You use the class-map and match commands to configure the match criteria for a class. Because you can configure a maximum of 64 class maps, no policy map can contain more than 64 class policies.

A single policy map can be attached to multiple interfaces concurrently. When you attempt to attach a policy map to an interface, the attempt is denied if the available bandwidth on the interface cannot accommodate the total bandwidth requested by class policies comprising the policy map. In this case, if the policy map is already attached to other interfaces, it is removed from them.

Whenever you modify class policy in an attached policy map, CBWFQ is notified and the new classes are installed as part of the policy map in the CBWFQ system.

Examples

The following example creates a policy map called policy1 and configures two class policies included in that policy map. The class policy called class1 specifies policy for traffic that matches access control list (ACL) 136. The second class is the default class to which packets that do not satisfy configured match criteria are directed.

! The following commands create class-map class1 and define its match criteria:
class-map class1
 match access-group 136

! The following commands create the policy map, which is defined to contain policy
! specification for class1 and the default class:
policy-map policy1

class class1
 bandwidth 2000
 queue-limit 40

class class-default
 fair-queue 16
 queue-limit 20

The following example creates a policy map called policy9 and configures three class policies to belong to that map. Of these classes, two specify policy for classes with class maps that specify match criteria based on either a numbered ACL or an interface name, and one specifies policy for the default class called class-default to which packets that do not satisfy configured match criteria are directed.

policy-map policy9
 class acl136
  bandwidth 2000
  queue-limit 40
 class ethernet101
  bandwidth 3000
  random-detect exponential-weighting-constant 10
 class class-default
  fair-queue 10
  queue-limit 20

Related Commands

Command
Description

bandwidth (policy-map class)

Specifies or modifies the bandwidth allocated for a class belonging to a policy map.

class (policy-map)

Specifies the name of the class whose policy you want to create or change, and the default class (commonly known as the class-default class) before you configure its policy.

class class-default

Specifies the default class whose bandwidth is to be configured or modified.

class-map

Creates a class map to be used for matching packets to a specified class.