-
Cisco 10000 Series Router Quality of Service Configuration Guide
-
Cisco 10000 Series Router Quality of Service Configuration Guide
-
About This Guide
-
Quality of Service Overview
-
Classifying Traffic
-
Configuring QoS Policy Actions and Rules
-
Attaching Service Policies
-
Distributing Bandwidth Between Queues
-
Policing Traffic
-
Marking Traffic
-
Prioritizing Services
-
Shaping Traffic
-
Overhead Accounting
-
Managing Packet Queue Congestion
-
Sharing Bandwidth Fairly During Congestion
-
Simultaneous Policy Maps
-
Defining QoS for Multiple Policy Levels
-
Oversubscribing Physical and Virtual Links
-
Fragmenting and Interleaving Real-Time and Nonreal-Time Packets
-
Configuring Dynamic Subscriber Services
-
Regulating Subscriber Traffic
-
Configuring Quality of Service for PVC Bundles
-
Configuring Quality of Service for MPLS Traffic
-
VLAN Tag-Based Quality of Service
-
Hierarchical Scheduling and Queuing
-
Configuring Frame Relay QoS Using Frame Relay Legacy Commands
-
QoS Policy Propagation Through the Border Gateway Protocol
-
Glossary
-
Feedback
Table Of Contents
Feature History for Traffic Policing
Single-Rate Color Marker for Traffic Policing
Feature History for the Single-Rate Color Marker
Configuration Commands for the Single-Rate Color Marker
Two-Rate Three-Color Marker for Traffic Policing
Feature History for the Two-Rate Color Marker
Configuration Commands for the Two-Rate Color Marker
Feature History for Percent-Based Policing
AToM Set ATM CLP Bit Using a Policer
Feature History for Set ATM CLP Bit Marking As a Police Action
AToM Set FR DE as Police Action
Feature History for AToM Set FR DE as Police Action
Set Layer 2 CoS as a Policer Action
Feature History for Set Layer 2 CoS as Policer Action
Set Inner CoS as a Policer Action
Feature History for Set Inner CoS as a Policer Action
Set Inner and Outer CoS as a Policer Action
Feature History for Set Inner and Outer CoS as a Policer Action
Feature History for Dual Police Actions
Policing Support for GRE Tunnels
Interfaces Supporting Policing
Metering Traffic and Token Buckets
Metering Traffic Using Token Buckets (Single-Rate Policer)
Metering Traffic Using Token Buckets (Two-Rate Policer)
Committed Bursts and Excess Bursts
Deciding if Packets Conform or Exceed the Committed Rate
Data Included in the Policing Rate
Avoiding Bandwidth Starvation Due to Priority Services
Restrictions and Limitations for Traffic Policing
Configuring Single-Rate Traffic Policing Based on Bits per Second
Configuration Examples for Configuring Single-Rate Traffic Policing Based on Bits per Second
Configuring Percent-Based Policing
Configuration Examples for Configuring Percent-Based Policing
Configuration Example for Configuring Two-Rate Three-Color Policing
Marking Traffic Using Police Actions
Configuration Example for Marking Traffic Using Police Actions
Configuring Dual Police Actions
Configuration Example for Configuring Dual Police Actions
Configuration Example for Dual Actions—set-clp-transmit and set-mpls-exp-transmit
Configuration Example for Dual Actions—set-frde-transmit and set-mpls-exp-imposition-transmit
Configuration Example of the set-cos-transmit Police Action
Verifying and Monitoring Traffic Policing
Verification Examples for Traffic Policing
Verifying Policing for a Specific Traffic Class
Verifying Policing on a Specific Interface
Verifying Dual Police Actions—set-clp-transmit and set-mpls-exp-transmit
Policing Traffic
It is critical that network resources are available to customers. When network resources are overloaded due to inadequate traffic management, you lose the benefits that a network provides. Controlling the flow of data across your network helps to ensure the efficiency of the network.
Policing is an important traffic regulation mechanism. Using policing, you can configure your system to more effectively handle traffic issues before they overload your network. Policing enables you to determine how traffic is managed by the network to avoid congestion and system inefficiencies, thereby increasing network availability and maximizing the use of bandwidth.
This chapter describes the policing capabilities of the Cisco 10000 series router. It includes the following topics:
•
Single-Rate Color Marker for Traffic Policing
•
•
•
•
•
•
•
•
•
•
Traffic Policing
Traffic policing is a traffic regulation mechanism that is used to limit the rate of traffic streams. Policing allows you to control the maximum rate of traffic sent or received on an interface. Policing propagates bursts of traffic and is applied to the inbound or outbound traffic on an interface. When the traffic rate exceeds the configured maximum rate, policing drops or remarks the excess traffic. Although policing does not buffer excess traffic, a configured queuing mechanism applies to conforming packets that might need to be queued while waiting to be serialized at the physical interface.
Traffic policing uses a token bucket algorithm to manage the maximum rate of traffic. This algorithm is used to define the maximum rate of traffic allowed on an interface at a given moment in time. The token bucket algorithm is especially useful in managing network bandwidth in cases where several large packets are sent in the same traffic stream. The algorithm puts tokens into the bucket at a certain rate. Each token is permission for the source to send a specific number of bits into the network. With policing, the token bucket determines whether a packet exceeds or conforms to the applied rate. In either case, policing implements the action you configure such as setting the IP precedence or differentiated services code point (DSCP). For more information about the token bucket, see the "Metering Traffic and Token Buckets" section.
Policing restricts the output rate to a maximum kilobits per second (kbps) value or to a percentage of the available or unused bandwidth. Policing does not provide a minimum bandwidth guarantee during periods of congestion; to provide these guarantees, you must use the bandwidth or priority command.
Policing is class-based in that the policer is applied to a specific class of traffic within a policy map by using the police command. When you attach the service policy to an interface, the router applies the policing action to the packets that match that class.
Feature History for Traffic Policing
Policing Actions
Table 6-1 lists the actions the router can take on packets. These are the actions you specify in the police command.
Note
Single-Rate Color Marker for Traffic Policing
The Cisco 10000 series router supports a single-rate color marker to police traffic streams into groups of conforming and nonconforming traffic. This marker is useful in marking packets in a packet stream with different, decreasing levels of assurances (either absolute or relative). The marker can mark packets with green, yellow, or red markings, which cause a specific action to occur. For example, a service might discard all red packets because they exceed both the committed and excess burst sizes, forward yellow packets as best effort, and forward green packets with a low drop probability.
The router provides two types of single-rate color markers: two-color and three-color.
•
•
The router maintains the behavior of the two-color marker by automatically setting the violate action to be the same as the exceed action (unless you configure the violate action). Therefore, you can continue to use the two-color marker. However, it is important to note that the router collects statistics for conforming, exceeding, and violating packets. Therefore, when verifying packet counts be sure to observe all three statistical categories to ensure an accurate count.
Feature History for the Single-Rate Color Marker
Configuration Commands for the Single-Rate Color Marker
The commands used to configure the single-rate color marker are:
police Command (Single-Rate)
To configure traffic policing based on bits per second, use the police command in policy-map class configuration mode. To remove traffic policing from the configuration, use the no form of this command. By default, this command is disabled.
police [cir] bps [bc] burst-normal [be] burst-excess [conform-action action] [exceed-action action] [violate-action action]no police [cir] bps [bc] burst-normal [be] burst-excess [conform-action action] [exceed-action action] [violate-action action]Syntax Description
cir
(Optional) Committed information rate (CIR). Indicates an average rate at which the policer meters traffic. CIR is based on the interface shape rate.
bps
Specifies the average rate in bits per second (bps). Valid values are from 8,000 to 2,488,320,000 bps. If you only specify police bps, the router transmits the traffic that conforms to the bps value and drops the traffic that exceeds the bps value. For information on how the router calculates the policing rate, see the "Policing Rate Granularity" section.)
bc burst-normal
(Optional) Normal or committed burst (bc) size used by the first token bucket for policing. The burst-normal specifies the bc value in bytes. Valid values are from 1 to 512,000,000. The default is 9,216 bytes. For more information, see the "Committed Bursts and Excess Bursts" section.
be burst-excess
(Optional) Excess burst (be) size used by the second token bucket for policing. The burst-excess specifies the excess burst in bytes. Valid values are from 0 to 1,024,000,000 bytes. The default is 0. You must specify burst-normal before you specify burst-excess. For more information, see the "Committed Bursts and Excess Bursts" section.
Note
be = 0egress bc >= ingress bc + 1conform-action action
Specifies the action to take on packets that conform to the rate limit. The default action is transmit. You must specify burst-excess before you specify the conform-action.
exceed-action action
Specifies the action to take on packets that exceed the rate limit, but not the PIR. The default action is drop. You must specify the conform-action before you specify the exceed-action.
violate-action action
(Optional) Specifies the action to take on packets that continuously exceed the PIR rate limit. The default action is the same as the exceed-action. You must specify the exceed-action before you specify the violate-action.
See Table 6-1 for a description of each action you can specify in the police command.
For information about conforming, exceeding, and violating traffic, see the "Usage Guidelines for the police Command" section
police Command History
Usage Guidelines for the police Command
A packet is classified as conforming (or of color green) if its size is at most the size of the normal or committed burst (bc) and within the allowance of the committed information rate (CIR).
A packet is classified as exceeding (or of color yellow) only if its size is greater than the allowance of the CIR, but is at most the number of bytes of the excess burst (be) and within the available surplus.
A packet is classified as violating (or of color red) only if its size is greater than both the CIR allowance and the available surplus, either because the packet's size exceeds the excess burst (be) size or because a previous packet used some of the surplus and the traffic since then has not slowed sufficiently to acquire the surplus needed for the current packet. The policer starts with a surplus equal to the excess burst (be) size and replenishes it by the amount of unused CIR allowance until the surplus reaches the be size.
The policer measures the committed burst size (CBS) and the excess burst size (EBS) in bytes. The Cisco IOS software converts the policing rate you enter in bits per second to bytes per millisecond. You must configure the CBS and EBS so that at least one of them is larger than 0.
When the be value equals 0, we recommend that you set the egress bc value to be greater than or equal to the ingress bc value plus 1. Otherwise, packet loss can occur. For example:
be = 0egress bc >= ingress bc + 1Two-Rate Three-Color Marker for Traffic Policing
The two-rate three-color marker improves bandwidth management by allowing you to police traffic streams according to two separate rates. Unlike the single-rate policer, which allows you to manage bandwidth by setting the excess burst size (be), the two-rate policer allows you to manage bandwidth by setting the committed information rate (CIR) and the peak information rate. Therefore, the two-rate policer supports a higher level of bandwidth management and a sustained excess rate. The two-rate policer also enables you to implement differentiated services (DiffServ) assured forwarding (AF) per-hop behavior (PHB) traffic conditioning (see the "Implementing DiffServ for End-to-End Quality of Service" section in the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.3).
Note
The two-rate policer is often configured on interfaces at the edge of a network to limit the rate of traffic entering or leaving the network. In addition to rate-limiting traffic, the policer's three-color marker can mark packets according to whether the packet conforms (green), exceeds (yellow), or violates (red) a specified rate. You decide the actions you want the router to take for conforming, exceeding, and violating traffic. For example, you can configure conforming packets to be sent, exceeding packets to be sent with a decreased priority, and violating packets to be dropped. In most common configurations, traffic that conforms is sent and traffic that exceeds is sent with decreased priority or is dropped. You can change these actions according to your network needs.
With packet marking, you can partition your network into multiple priority levels or classes of service (CoS). For example, you can configure the two-rate three-color marker to do the following:
•
•
•
The three-color marker distinguishes between the nonconforming traffic that occasionally bursts a certain number of bytes more than the CIR and violating traffic that continually violates the PIR allowance. Applications can utilize the three-color marker to provide three service levels: guaranteed, best effort, and deny. The three-color marker is useful in marking packets in a packet stream with different, decreasing levels of assurances (either absolute or relative). For example, a service might discard all red packets because they exceed both the committed and excess burst sizes, forward yellow packets as best effort, and forward green packets with a low drop probability.
Note
The two-rate three-color marker uses a token bucket algorithm to manage the maximum rate of traffic. The token bucket algorithm can use the values you specify to determine the maximum rate of traffic allowed on an interface at a given moment in time. All traffic entering or leaving an interface affects the token bucket algorithm, depending on whether the two-rate policer is configured on an inbound or outbound interface. The token bucket algorithm is useful in managing network bandwidth when large packets are sent in the same traffic stream. For more information about the token bucket algorithm, see the "Metering Traffic and Token Buckets" section.
To mark traffic without using a policer, see Chapter 7 "Marking Traffic."
Feature History for the Two-Rate Color Marker
Configuration Commands for the Two-Rate Color Marker
The commands used to configure the two-rate color marker are:
police Command (Two-Rate)
To configure traffic policing using the committed information rate (CIR) and the peak information rate (PIR), use the police command in policy-map class configuration mode. To remove two-rate traffic policing from the configuration, use the no form of this command. By default, this command is disabled.
police {cir cir} [bc] burst-normal [pir pir] [be] peak-burst [conform-action action] [exceed-action action] [violate-action action]no police {cir cir} [bc] burst-normal [pir pir] [be] peak-burst [conform-action action] [exceed-action action] [violate-action action]Syntax Description
cir cir
Committed information rate (CIR). Indicates an average rate at which the policer meters traffic. CIR is based on the interface shape rate. The cir specifies the CIR value in bits per second. Valid values are from 8000 to 2,488,320,000 bits per second.
bc burst-normal
(Optional) Specifies the normal or committed burst (bc) size used by the first token bucket for policing. The burst-normal specifies the bc value in bytes. Valid values are from 1 to 512,000,000. The default is 9,216 bytes.
For more information, see the "Committed Bursts and Excess Bursts" section.
pir pir
Peak information rate (PIR). Indicates the rate at which the second token bucket is updated. The pir specifies the PIR value in bits per second. Valid values are from 8000 to 2,488,320,000.
be peak-burst
(Optional) Specifies the peak burst (be) size used by the second token bucket for policing. The peak-burst specifies the be value in bytes. The size depends on the interface used. Valid values are 0 to 1,024,000,000.
Note
be = 0egress bc >= ingress bc + 1conform-action action
(Optional) Specifies the action to take on packets that conform to the rate limit. The default action is transmit. You must specify burst-excess before you specify the conform-action.
exceed-action action
(Optional) Specifies the action to take on packets that exceed the rate limit, but not the PIR. The default action is drop. You must specify the conform-action before you specify the exceed-action.
violate-action action
(Optional) Specifies the action to take on packets that continuously exceed the PIR rate limit. The default action is the same as the exceed-action. You must specify the exceed-action before you specify the violate-action.
See Table 6-1 for a description of each action you can specify.
For information about conforming, exceeding, and violating traffic, see the "Usage Guidelines for the police Command" section.
police Command History
Usage Guidelines for the police Command
When the be value equals 0, we recommend that you set the egress bc value to be greater than or equal to the ingress bc value plus 1. Otherwise, packet loss can occur. For example:
be = 0egress bc >= ingress bc + 1Percent-Based Policing
Percent-based policing enables you to configure traffic policing as a percentage of the bandwidth of the network interface on which policing is applied. Configuring traffic policing based on bandwidth percentage enables you to use the same policy map for multiple interfaces with differing amounts of bandwidth.
Percent-based policing also allows you to specify burst sizes in milliseconds (ms). The router calculates the burst value in milliseconds based on the policing rate.
When you use a percent-based police command within a nested policy, the police percent is based on the nearest parent shape rate. If no parent shaping exists, the police percent is based on the link bandwidth. The router calculates the burst value in milliseconds (ms) based on the policing rate.
Percent-based policing supports two traffic policing rates if the parent policy map has only one class defined: the class-default class. The parent policy does only match-any matching when applying the class-default shaping rate.
Feature History for Percent-Based Policing
police percent Command
To configure traffic policing on the basis of a percentage of bandwidth available on an interface, use the police percent command in policy-map class configuration mode. To remove traffic policing from the configuration, use the no form of the command. By default, this command is disabled.
police [cir] percent percent [bc] normal-burst-in-msec [pir pir] [be] excess-burst-in-msec [conform-action action] [exceed-action action] [violate-action action]no police [cir] percent percent [bc] normal-burst-in-msec [pir pir] [be] excess-burst-in-msec [conform-action action] [exceed-action action] [violate-action action]Syntax Description
See Table 6-1 for a description of each action you can specify.
For information about conforming, exceeding, and violating traffic, see the "Usage Guidelines for the police Command" section.
police percent Command History
Usage Guidelines for the police percent Command
Percent-based policing supports two levels of policing if the parent policy map has only one class defined: the class-default class. The parent policy does only match-any matching when applying the class-default shaping rate.
Shaping affects the input and output policer. For example, if you configure a percent-based policer on an input interface and the output interface has a nested policy attached, the policing percentage is based on the outgoing shape rate.
You must explicitly enter the PIR when using percent-based policing.
Example
The following configuration polices Data traffic at 20 percent and sets the PIR to 25 percent.
Router(config)# policy-map BusinessRouter(config-pmap)# class DataRouter(config-pmap-c)# police percent 20 3 ms pir 25 10 msControl Plane Policing
The Cisco 10000 series router supports control plane policing in Cisco IOS Release 12.2(31)SB2 and later releases. The Control Plane Policing feature allows you to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets. This allows you to protect the control plane of the router against reconnaissance and denial-of-service (DoS) attacks. In this way, the control plane (CP) can help maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.
For more information, see the Control Plane Policing, Release 12.2(31)SB2 feature module.
AToM Set ATM CLP Bit Using a Policer
The AToM Set ATM CLP Bit Using a Policer feature enables you to police and mark inbound ATM traffic before forwarding it onto Any Transport over MPLS (AToM) Layer 2 virtual private network (VPN) pseudowire. Using this feature, you can configure the police command to set the ATM cell loss priority (CLP) bit in the packet header. This bit indicates the drop priority of the ATM cell. During ATM network congestion, the router discards ATM cells with the CLP bit set to 1 before discarding cells with a CLP bit setting of 0.
The Set ATM CLP Bit Using a Policer feature polices the traffic on the inbound interface of the provider edge (PE) router where the attachment VC terminates. Marking of the ATM cells using the set-clp-transmit policing action occurs on the outbound interface. Therefore, when configuring this feature for AToM, you must attach a policy map that includes the set-clp-transmit action to the interface upon which the ATM VC terminates or, in other words, attach the policy map to the input interface of the PE.
The router supports the set-clp-transmit policing action in single-rate and dual-rate policing policies, and in hierarchical policies.
The router allows you to simultaneously configure the policing actions set-clp-transmit and set-mpls-exp-imposition-transmit in a single police command on the Layer 2 VPN inbound interface.
Feature History for Set ATM CLP Bit Marking As a Police Action
Release 12.3(7)XI
This feature was introduced on the PRE2.
PRE2
Release 12.2(33)SB
This feature was introduced on the PRE3 and PRE4.
PRE3, PRE4
AToM Set FR DE as Police Action
The AToM Set FR DE as Police Action feature enables you to police and mark inbound Frame Relay traffic before forwarding it onto Any Transport over MPLS (AToM) Layer 2 virtual private network (VPN) pseudowire. Using this feature, you can configure the police command to set the Frame Relay discard eligibility (DE) bit in the packet header. This bit indicates the drop priority of the frame. During Frame Relay network congestion, the router discards frames with the DE bit set to 1 before discarding frames with a DE bit setting of 0.
The AToM Set FR DE as Police Action feature polices the traffic on the inbound interface of the provider edge (PE) router where the attachment VC terminates. Marking of frames using the set-frde-transmit policing action occurs on the outbound interface. Therefore, when configuring this feature, you must attach a policy map that includes the set-frde-transmit action to an input interface of the PE.
The router supports the set-frde-transmit policing action in single-rate and dual-rate policing policies, and in hierarchical policies.
The router allows you to configure the set-frde-transmit and set-mpls-exp-imposition-transmit policing actions in a single police command on Any Transport over MPLS (AToM) Layer 2 VPN inbound interfaces.
Feature History for AToM Set FR DE as Police Action
Release 12.2(33)SB
This feature was introduced on the PRE2, PRE3, and PRE4.
PRE2, PRE3, PRE4
Set Layer 2 CoS as a Policer Action
The Set Layer 2 CoS as a Policer Action feature enables you to police and mark inbound VLAN and QinQ traffic before forwarding the traffic onto the outbound link. Using this feature, you can configure the police command to set the class of service (CoS) bits for VLAN traffic and to set the outer CoS bits for QinQ traffic. The 3-bit CoS field is part of the VLAN tag and indicates the priority level of the frame. IEEE 802.1p establishes eight levels of priority: 0 to 7.
This feature polices the traffic on the inbound interface of the provider edge (PE) router where the attachment VC terminates. Marking of frames using the set-cos-transmit policing action occurs on the outbound interface. Therefore, when configuring this feature, you must attach a policy map that includes the set-cos-transmit action to an outbound interface, not to an inbound interface.
The set-cos-transmit policing action marks the outer CoS bits. To configure marking of outer CoS bits, configure the police command and specify the set-cos-transmit policing action as a conform, exceed, or violate action.
The router supports set-cos-transmit as a three-color policing action in single-rate and dual-rate policing policies, and in hierarchical policies.
Feature History for Set Layer 2 CoS as Policer Action
Release 12.2(33)SB
This feature was introduced on the router for the PRE2, PRE3, and PRE4.
PRE2, PRE3, PRE4
Set Inner CoS as a Policer Action
The Set Inner CoS as a Policer Action feature uses the police command to set the inner VLAN class of service (CoS) bits for QinQ traffic on the PRE2, PRE3, and PRE4. The 3-bit CoS field is part of the VLAN tag and indicates the priority level of the frame. IEEE 802.1p establishes eight levels of priority: 0 to 7
This feature polices the traffic on the inbound interface of the provider edge (PE) router where the attachment VC terminates. Marking of frames using the set-cos-inner-transmit policing action occurs on the outbound interface. Therefore, when configuring this feature, you must attach a policy map that includes the set-cos-inner-transmit action to an outbound interface, not to an inbound interface.
To configure marking of inner CoS bits, configure the police command and specify the set-cos-inner-transmit policing action as a conform, exceed, or violate action.
The router supports the set-cos-inner-transmit policing action in single-rate and dual-rate policing policies, and in hierarchical policies.
Feature History for Set Inner CoS as a Policer Action
Release 12.2(33)SB
This feature was introduced on the router for the PRE2, PRE3, and PRE4.
PRE2, PRE3, PRE4
Set Inner and Outer CoS as a Policer Action
The Set Inner and Outer CoS as a Policer Action feature uses the police command to set the inner and outer VLAN class of service (CoS) bits for QinQ traffic on the PRE2, PRE3, and PRE4. The 3-bit CoS field is part of the VLAN tag and indicates the priority level of the frame. IEEE 802.1p establishes eight levels of priority: 0 to 7
This feature polices the traffic on the inbound interface of the provider edge (PE) router where the attachment VC terminates. Marking of frames using the set-cos-transmit and set-cos-inner-transmit policing actions occurs on the outbound interface. Therefore, when configuring this feature, you must attach a policy map that includes the both of these policing actions to an outbound interface, not to an inbound interface.
The set-cos-transmit policing action sets the outer CoS bits whereas the set-cos-inner-transmit action sets the inner CoS bits. To configure marking of both inner and outer CoS bits at the same time, you must specify both the set-cos-transmit and set-cos-inner-transmit policing actions in a single police command. You can specify these policing actions as conform, exceed, or violate actions.
The router supports simultaneous inner and outer CoS marking in single-rate and dual-rate policing policies, and in hierarchical policies.
Feature History for Set Inner and Outer CoS as a Policer Action
Release 12.2(33)SB
This feature was introduced on the router for the PRE2, PRE3, and PRE4.
PRE2, PRE3, PRE4
Dual Police Actions
The router allows you to specify dual actions for conforming, exceeding, and violating traffic, one line at a time. After you provide the police rates, press Return to enter the policy-map-class-police configuration mode. While in this mode, you can configure the dual conform, exceed, and violate actions by entering an action keyword and action value, and pressing Return after each specified action. Valid combinations of dual actions are:
•
•
•
Note
For example, you can specify the first conform-action as set-frde-transmit and the second conform-action as set-mpls-exp-imposition-transmit. If desired, you can then specify these same two actions as the action for the first and second exceed actions and for the two violate actions.
If you upgrade from a Cisco IOS software release that does not support dual police actions to a Cisco IOS release that supports dual police actions, the police command displays on a single line. If you configure each police action on a separate line and then downgrade to a Cisco IOS release that does not support dual actions, the router rejects the policer.
For backward compatibility, the router accepts the police command on a single line, but after entering the police command, the router enters policy-map-class-police configuration mode.
Feature History for Dual Police Actions
Release 12.2(33)SB
This feature was introduced on the router for the PRE3 and PRE4.
PRE3, PRE4
Policing Support for GRE Tunnels
The Policing Support for GRE Tunnels feature allows you to set the Differentiated Services Code Point (DSCP) and IP precedence values on Generic Routing Encapsulation (GRE) tunnel packets.
This feature is essential for MPLS carriers to offer QoS on Multicast VPN services. Multicast VPN (MVPN) uses GRE tunnels between PE devices, and multicast packets are placed in GRE tunnels for transmission across the MPLS core network. The Policing Support for GRE Tunnels feature allows the GRE tunnel to reflect the underlying QoS of the multicast packets. Once the GRE packets accurately reflect the QoS markings of the underlying multicast packets, they may be queued accordingly as they travel across the core nodes.
For more information, see the Policing Support for GRE Tunnels, Release 12.2(31)SB2 feature module and the "Tunnel Header Marking" section.
Interfaces Supporting Policing
The following describes interface support for policing using the police command:
Interfaces Supporting the police Command
•
•
•
•
•
•
•
•
•
Note
Interfaces Not Supporting the police Command
•
•
Metering Traffic and Token Buckets
The following sections describe how single-rate and two-rate policers meter traffic using token buckets:
•
•
Metering Traffic Using Token Buckets (Single-Rate Policer)
The router uses two token buckets to meter the traffic that passes through the system: conforming and exceeding. The router uses the first bucket to hold tokens that determine whether the committed information rate (CIR) is conforming (green) or exceeding (yellow). A traffic stream is conforming when the average number of bytes over time does not cause the bucket to overflow. The first bucket can hold bytes up to the size of the committed burst (bc) before overflowing.
A traffic stream exceeds the police rate when it causes the first token bucket to overflow into the second token bucket. When this occurs, the router marks the traffic stream yellow. The second token bucket is filled as long as the traffic exceeds the police rate.
The second token bucket can hold bytes up to the size of the excess burst (be) before overflowing. A traffic stream violates the police rate if the second token bucket overflows. When this occurs, the router marks the traffic stream red.
The router updates the tokens for both the conforming and exceeding token buckets based on the token arrival rate or the committed information rate (CIR). When a packet of a given size (for example, "B" bytes) arrives at specific time (time "T"), the following actions occur:
•
The router calculates the token arrival rate in the following way:
(time between packets * policer rate) / 8 bytes
where time between packets equals T - T1
•
•
•
Metering Traffic Using Token Buckets (Two-Rate Policer)
The two-rate policer manages the maximum rate of traffic by using two token buckets: the committed token bucket and the peak token bucket. The dual-token bucket algorithm uses user-configured values to determine the maximum rate of traffic allowed on a queue at a given moment. In this way, the two-rate policer can meter traffic at two independent rates: the committed information rate (CIR) and the peak information rate (PIR).
The committed token bucket can hold bytes up to the size of the committed burst (bc) before overflowing. This token bucket holds the tokens that determine whether a packet conforms to or exceeds the CIR as the following describes:
•
•
The peak token bucket can hold bytes up to the size of the peak burst (be) before overflowing. This token bucket holds the tokens that determine whether a packet violates the PIR. A traffic stream is violating when it causes the peak token bucket to overflow. When this occurs, the token bucket algorithm marks the traffic stream red.
The dual-token bucket algorithm provides users with three actions for each packet—a conform action, an exceed action, and an optional violate action. Traffic entering a queue with the two-rate policer configured is placed into one of these categories. Within these three categories, users can decide packet treatments. For instance, packets that conform can be configured to be sent; packets that exceed can be configured to be sent with a decreased priority; and packets that violate can be configured to be dropped.
Figure 6-1 shows how the two-rate policer marks a packet and assigns a corresponding action to the packet.
Figure 6-1 Marking Packets and Assigning Actions—2-Rate Policer
For example, if a data stream with a rate of 250 kbps arrives at the two-rate policer, and the CIR is 100 kbps and the PIR is 200 kbps, the policer marks the packet in the following way:
•
•
•
The router updates the tokens for both the committed and peak token buckets in the following way:
•
•
•
•
•
Committed Bursts and Excess Bursts
Unlike a traffic shaper, a traffic policer does not buffer excess packets and transmit them later. Instead, the policer executes a "send or do not send" policy without buffering. During periods of congestion, proper configuration of the excess burst parameter enables the policer to drop packets less aggressively. Therefore, it is important to understand how policing uses the committed (normal) and excess burst values to ensure the router reaches the configured committed information rate (CIR).
Burst parameters are based on a generic buffering rule for routers, which recommends that you configure buffering to be equal to the round-trip time bit-rate to accommodate the outstanding TCP windows of all connections in times of congestion.
The following sections describe committed bursts and excess bursts, and the recommended formula for calculating each of them:
•
Committed Bursts
The committed burst (bc) parameter of the police command implements the first, conforming (green) token bucket that the router uses to meter traffic. The bc parameter sets the size of this token bucket. Initially, the token bucket is full and the token count is equal to the committed burst size (CBS). Thereafter, the meter updates the token counts the number of times per second indicated by the committed information rate (CIR).
The following describes how the meter uses the conforming token bucket to send packets:
•
•
a.
b.
•
Note
The default committed burst size is the greater of 2 milliseconds of bytes at the police rate or the network maximum transmission unit (MTU).
Committed Burst Calculation
To calculate committed burst, use the following formula:
bc = CIR bps * (1 byte) / (8 bits) * 1.5 seconds
Note
For example, if the committed information rate is 512000 bps, then using the committed burst formula, the committed burst is 96000 bytes.
bc = 512000 * 1/8 * 1.5
bc = 64000 * 1.5 = 96000
Note
be = 0
egress bc >= ingress bc + 1
Excess Bursts
The excess burst (be) parameter of the police command implements the second, exceeding (yellow) token bucket that the router uses to meter traffic. The exceeding token bucket is initially full and the token count is equal to the excess burst size (EBS). Thereafter, the meter updates the token counts the number of times per second indicated by the committed information rate (CIR).
The following describes how the meter uses the exceeding token bucket to send packets:
•
•
Excess Burst Calculation
To calculate excess burst, use the following formula:
be = 2 * committed burst
For example, if you configure a committed burst of 4000 bytes, then using the excess burst formula, the excess burst is 8000 bytes.
be = 2 * 4000 = 8000
The default excess burst size is 0.
Deciding if Packets Conform or Exceed the Committed Rate
Policing uses normal or committed burst (bc) and excess burst (be) values to ensure that the configured committed information rate (CIR) is reached. Policing decides if a packet conforms or exceeds the CIR based on the burst values you configure. Several factors can influence the policer's decision, such as the following:
•
•
It is important that you set the burst values high enough to ensure good throughput. If your router drops packets and reports an exceeded rate even though the conformed rate is less than the configured CIR, use the show interface command to monitor the current burst, determine whether the displayed value is consistently close to the committed burst (bc) and excess burst (be) values, and if the actual rates (the committed rate and exceeded rate) are close to the configured committed rate. If not, the burst values might be too low. Try reconfiguring the burst rates using the suggested calculations in the "Committed Burst Calculation" section and the "Excess Burst Calculation" section.
Data Included in the Policing Rate
Table 6-2 describes the data included and excluded in the policing rate.
Table 6-2 Policing Rate Data
Frame Relay
Layer 2 framing
No bit or byte stuffing
No 7E flags1
No Frame Check Sequence (FCS)
Ethernet
Layer 2 framing
No Inter-Frame Gap (IFG)
No Preamble
No Start of Frame Delimiter (SFD)
No Frame Check Sequence (FCS)
ATM
(VBR)Layer 2 framing
Cell overhead
No cell header
No AAL Common Part Convergence Sublayer (CPCS) pad
No ATM trailer
ATM
(UBR)Cell overhead
No ATM cell overhead
No AAL Common Part Convergence Sublayer (CPCS) pad
ATM
(CBR)Cell overhead
No ATM cell overhead
No AAL Common Part Convergence Sublayer (CPCS) pad
1 The router does not account for flags or Frame Check Sequence (FCS) that the hardware adds or removes.
Table 6-3 describes what bandwidth is based on for each media type.
Table 6-3 Basis for Bandwidth
Frame Relay
Fragments1
Ethernet
Bits
ATM variable bit rate (VBR)
Sustained cell rate (SCR)
ATM unspecified bit rate (UBR)
Peak cell rate (PCR)
ATM constant bit rate (CBR)
Peak cell rate (PCR)
1 For Frame Relay networks with link fragmentation and interleaving (LFI) enabled.
Be sure to take into account the framing and cell overhead when specifying a minimum bandwidth for a class. For example, if you need to commit a rate of 1000 64-byte packets per second and each packet has 4 bytes of framing overhead, instead of using 512 kbps in the bandwidth or police command, use 544 kbps, calculated as follows:
1000 * (64 + 4) * 8 /1000 = 544
A similar scenario for ATM requires 848 kbps because each 64-byte packet requires two cells of 53 bytes.
1000 * 2 * 53 * 8 / 1000 = 848
Policing Rate Granularity
Policing
•
For example, if you request 127,000 bps, the router rounds up to 128,000 bps; for 124,000 bps, the router rounds up to 128,000 bps; and for 123,999 bps the router rounds down to 120,000 bps.
Percent-Based Policing
•
•
•
Avoiding Bandwidth Starvation Due to Priority Services
The Cisco 10000 series router services priority traffic at near line rate to ensure that traffic is handled with minimal delay. The router gives preference to the priority class over other class queues on a traffic link. Unless the priority class contains a police command, the router does not police the priority traffic to its configured rate and the router does not discard excess priority traffic. As a result, excess priority traffic might cause additional packet delay and other queues on the link might experience bandwidth starvation.
To prevent the priority queue from starving the other queues, use the police command with the priority command. To ensure the committed rate of the priority queue, you must set the exceed and violate actions of the police command to drop. You can use the bandwidth command on the other queues on the link to create one or more queues with guaranteed bandwidth.
Example 6-1 shows how to configure the priority and police commands for a priority class:
Example 6-1 Configuring the priority and police Commands
Router(config)# policy-map goldRouter(config-pmap)# class class1Router(config-pmap-c)# priorityRouter(config-pmap-c)# police 512000 8000 1000 conform-action transmit exceed-action drop violate-action dropExample 6-2 shows how to configure the priority and police percent commands for a priority class:
Example 6-2 Configuring the priority and police percent Commands
Router(config)# policy-map new-trafficRouter(config-pmap)# class voiceRouter(config-pmap-c)# priorityRouter(config-pmap-c)# queue-limit 32Router(config-pmap-c)# police percent 25 2 ms 2 ms conform-action transmit exceed-action drop violate-action dropBandwidth and Policing
The police command allows you to police the traffic that passes through the router. You can configure traffic policing in bits per second (bps) or as a percentage of bandwidth of the network interface on which policing is applied. Configuring traffic policing based on bandwidth percentage enables you to use the same policy map for multiple interfaces with differing amounts of bandwidth.
To configure traffic policing on the basis of a percentage of bandwidth available on an interface, use the police percent command in policy-map class configuration mode. The police percent command calculates the CIR based on a percentage of the maximum amount of bandwidth available on the interface. When you attach a policy map to an interface, the router calculates the equivalent CIR values in bits per second (bps) based on the interface bandwidth and the percentage you entered for the police percent command.
The police percent command also allows you to optionally specify values for the conform burst size and the peak burst size in bytes per millisecond. If you specify the burst sizes, be sure to specify the size in milliseconds.
If the interface bandwidth changes (for example, more is added), the router recalculates the bps values of the CIR based on the revised amount of bandwidth. If you change the CIR percentage after you attach the policy map to the interface, the router recalculates the bps value of the CIR.
When you use a percent-based police command within a nested policy, the police percentage is based on the policy's topmost, class-default, shape rate. Otherwise, the police percentage is based on the bandwidth of the network interface on which the police command is applied.
In a hierarchical policy, the police percent command uses the maximum rate of bandwidth available as the reference point for calculating the bandwidth percentage. Within a nested policy, the police percent is based on the policy's topmost, class-default, shape rate. Otherwise, the police percent is based on the bandwidth of the network interface on which the police command is applied.
When the police percent command is configured in a child (secondary-level) policy map, the police percent command uses the bandwidth amount specified in the next higher-level policy, which in this case is the parent (primary-level) policy map. The police percent command always looks to the next higher level for the bandwidth reference point.
Restrictions and Limitations for Traffic Policing
•
•
•
•
•
•
–
•
•
•
•
•
•
•
–
–
•
•
•
Configuring Traffic Policing
To configure traffic policing, perform any of the following configuration tasks:
•
•
•
•
•
For more information about classifying traffic and creating QoS service policies, see Chapter 2 "Classifying Traffic" and Chapter 3 "Configuring QoS Policy Actions and Rules."
Configuring Single-Rate Traffic Policing Based on Bits per Second
To configure traffic policing based on bits per second (bps), enter the following commands beginning in global configuration mode:
Step 1
Router(config)# policy-map policy-map-name
Specifies the name of the policy map and enters policy-map configuration mode.
policy-map-name is the name of the policy map.
Step 2
Router(config-pmap)# class class-map-name
Assigns the traffic class you specify to the policy map. Enters policy-map class configuration mode.
class-map-name is the name of a previously configured class map and is the traffic class for which you want to define QoS actions.
Step 3
Router(config-pmap-c)# police [cir] bps [bc] burst-normal [pir pir] [be] burst-excess [conform-action action] [exceed-action action] [violate-action action]
Configures bits per second-based traffic policing.
For more information, see the "police Command (Single-Rate)" section or the "police Command (Two-Rate)" section.
Configuration Examples for Configuring Single-Rate Traffic Policing Based on Bits per Second
This section provides the following configuration examples:
•
•
•
•
•
•
Configuration Example for Configuring a Single Policing Rate and Burst Sizes
Example 6-3 shows how to configure a policing rate for the class named group1 in the policy map named police. In the example, the router polices group1 traffic at 8000 bits per second and allows committed bursts of 2000 bytes and excess bursts of 4000 bytes.
Example 6-3 Configuring a Policing Rate Based on Bits per Second
Router(config)# class-map group1Router(config-cmap)# match access-group 2Router(config-cmap)# exitRouter(config)# policy-map policeRouter(config-pmap)# class group1Router(config-pmap-c)# police 8000 2000 4000Router(config-pmap-c)# exitRouter(config-pmap)# exitRouter(config)# interface atm 1/0/0.1 point-to-pointRouter(config-subif)# service-policy input policeConfiguration Example for Configuring Single-Rate Two-Color Policing
Example 6-4 shows how to configure single-rate two-color policing that includes actions for conforming and exceeding traffic. In the example, policing is configured for the class named Group1 in the policy map named Premium. The router polices Group1 traffic at 8,000,000 bits per second and allows committed bursts of 4000 bytes and excess bursts of 6000 bytes. The router transmits Group1 traffic that conforms to the normal or committed rate and sets the precedence-transmit value to 2 for Group1 traffic that exceeds the burst sizes. The router polices Group2 traffic at 4,000,000 bits per second and allows committed bursts of 2000 bytes and excess bursts of 5000 bytes. The router transmits Group2 traffic that conforms to the policing rate and sets the dscp-transmit value to 5 for Group2 traffic that exceeds the burst sizes.
Example 6-4 Configuring Single-Rate Two-Color Policing
Router(config)# policy-map PremiumRouter(config-pmap)# class Group1Router(config-pmap-c)# police 8000000 4000 6000 conform-action transmit exceed-action set-prec-transmit 2Router(config-pmap-c)# exitRouter(config-pmap)# class Group2Router(config-pmap-c)# police 4000000 2000 5000 conform-action transmit exceed-action set-dscp-transmit 5Router(config-pmap)# exitRouter(config)# interface atm 1/0/0.1 point-to-pointRouter(config-subif)# service-policy input PremiumConfiguration Example for Configuring Single-Rate Three-Color Policing
Example 6-5 shows how to configure single-rate three-color policing that includes actions for conforming, exceeding, and violating traffic. In the example, policing is configured for the classes named Bronze and Silver in the policy map named Policy_0. The router polices Bronze traffic at 4,000,000 bits per second and allows normal or committed bursts of 5000 bytes and excess bursts of 2000 bytes. The router transmits Bronze traffic that conforms to the policing rate, sets the precedence-transmit value to 2 for Bronze traffic that exceeds the burst sizes, and drops Bronze traffic that violates the policing rate. The router polices Silver traffic at 8,000,000 bits per second and allows committed bursts of 6000 bytes and excess bursts of 4000 bytes. The router transmits Silver traffic that conforms to the policing rate, drops Silver traffic that exceeds the burst sizes, and drops Silver traffic that violates the policing rate.
Example 6-5 Configuring Single-Rate Three-Color Policing
Router(config)# policy-map Policy_0Router(config-pmap)# class class-defaultRouter(config-pmap-c)# set ip precedence 0Router(config-pmap-c)# class BronzeRouter(config-pmap-c)# police 4000000 5000 2000 conform-action transmit exceed-action set-prec-transmit 2 violate-action dropRouter(config-pmap-c)# class SilverRouter(config-pmap-c)# police 8000000 6000 4000 conform-action transmit exceed-action drop violate-action dropRouter(config-pmap-c)# exitRouter(config-pmap)# exitRouter(config)# interface atm 1/0/0.1 point-to-pointRouter(config-subif)# pvc 1/32Router(config-atm-vc)# service-policy input Policy_0Configuration Example for Policing a Priority Service
Example 6-6 shows how to configure the police command for a priority service. In the example, the priority class named Priority-Class is configured in the policy map named Gold. The router polices Priority-Class traffic at 10200 bits per second and allows committed bursts of 1000 bytes and excess bursts of 500 bytes. The router transmits Priority-Class traffic that conforms to the policing rate, drops Priority-Class traffic that exceeds the burst sizes, and drops Priority-Class traffic that violates the policing rate.
Example 6-6 Policing a Priority Service
Router(config)# policy-map GoldRouter(config-pmap)# class Priority-ClassRouter(config-pmap-c)# priorityRouter(config-pmap-c)# police 102000 1000 500 conform-action transmit exceed-action drop violate-action dropConfiguration Example for Configuring Single-Rate Policing in a Hierarchical Policy
Example 6-7 shows how to configure a hierarchical policy named Parent-Policy and attach it to VLAN 2 (as indicated in the encapsulation dot1q 2 command) on the Gigabit Ethernet subinterface 1/0/0.1. In the Parent-Policy class-default class, bandwidth is shaped to 512 kbps. The policy map named Child-Policy is applied to the Parent-Policy. After the router shapes the bandwidth to 512 kbps as indicated in class-default, the router then polices Group1 and Group2 traffic configured in the policy map named Child-Policy. The router polices Group1 traffic at 12000 bits per second and allows committed bursts of 500 bytes and excess bursts of 1000 bytes. The router polices Group2 traffic at 8000 bits per second and allows committed bursts of 4000 bytes and excess bursts of 2000 bytes. The router performs three-color policing on both Group1 and Group2 traffic.
Example 6-7 Configuring Single-Rate Policing in a Hierarchical Policy
Router(config)# policy-map Child-PolicyRouter(config-pmap)# class Group1Router(config-pmap-c)# police 12000 500 1000 conform-action transmit exceed-action set-qos-transmit 4 violate-action set-qos-transmit 4Router(config-pmap-c)# class Group2Router(config-pmap-c)# police 8000 4000 2000 conform-action transmit exceed-action drop violate-action dropRouter(config-pmap-c)# exitRouter(config-pmap)# policy-map Parent-PolicyRouter(config-pmap)# class class-defaultRouter(config-pmap-c)# shape 512000Router(config-pmap-c)# service-policy Child-PolicyRouter(config-pmap-c)# exitRouter(config-pmap)# exitRouter(config)# interface GigabitEthernet 1/0/0.1Router(config-subif)# encapsulation dot1q 2Router(config-atm-range)# service-policy output Parent-PolicyConfiguration Example for Policing PPPoE over ATM Sessions
Example 6-8 shows how to create a policy map named Group1 and associate it with a virtual template interface named Virtual-Template 1. In the example, the router polices the Gold traffic at 8000 bits per second and allows committed bursts of 4000 bytes and excess bursts of 2000 bytes. The router polices the Bronze traffic at 5000 bits per second and allows committed bursts of 2000 bytes and excess bursts of 1000 bytes. The router performs three-color policing on the Gold traffic and two-color policing on the Bronze traffic.
When PPPoE sessions arrive on an interface, the protocol pppoe command configured on the interface points to a broadband aggregation (BBA) group, which references a virtual template that the router uses to create the virtual access interface (VAI) for the session. The router applies the QoS policy attached to the virtual template to the session.
Example 6-8 Configuring Policing for PPPoE Sessions
Router(config)# policy-map Group1Router(config-pmap)# class GoldRouter(config-pmap-c)# police 8000 4000 2000 conform-action transmit exceed-action drop violate-action dropRouter(config-pmap-c)# class BronzeRouter(config-pmap-c)# police 5000 2000 1000 conform-action transmit exceed-action drop!Router(config)# bba-group PPPoERouter(config-bba)# pppoe limit per-vc 200Router(config-bba)# protocol pppoeRouter(config-bba)# Virtual-Template 1!Router(config)# interface Loopback0Router(config-if)# ip address 192.168.1.1 255.255.255.0!Router(config)# interface atm 1/0/0.132 multipointRouter(config-atm-vc)# pvc 1/33Router(config-atm-vc)# encapsulation aal5snapRouter(config-atm-vc)# protocol pppoe group PPPoE!Router(config)# interface Virtual-Template 1Router(config-if)# ip unnumbered Loopback0Router(config-if)# peer default ip address pool PPPoEpoolRouter(config-if)# ppp authentication chapRouter(config-if)# service-policy input Gold!Router(config)# ip local pool PPPoEpool 192.168.1.2 192.168.1.254Configuring Percent-Based Policing
To configure policing based on a percentage of the bandwidth available on an interface, enter the following commands beginning in global configuration mode:
Step 1
Router(config)# policy-map policy-map-name
Specifies the name of the policy map and enters policy-map configuration mode.
policy-map-name is the name of the policy map.
Step 2
Router(config-pmap)# class class-map-name
Assigns the traffic class you specify to the policy map. Enters policy-map class configuration mode.
class-map-name is the name of a previously configured class map and is the traffic class for which you want to define QoS actions.
Step 3
Router(config-pmap-c)# police [cir] percent percent [bc] normal-burst-in-msec [be] excess-burst-in-msec [conform-action action] [exceed-action action] [violate-action action]
Configures traffic policing based on a percentage of bandwidth available on an interface.
For more information, see the "police percent Command" section.
Configuration Examples for Configuring Percent-Based Policing
This section provides the following configuration examples:
•
•
•
•
•
Configuration Example for Configuring Percent-Based Policing
Example 6-9 shows how to configure percent-based policing. In the example, the class named Premium is configured in the policy map named Test. The Premium class is a priority class with a queue depth of 32. The router allocates 5 percent of the committed rate to Premium traffic and allows burst sizes of 2 ms for both committed and excess bursts.
Example 6-9 Configuration Example for Percent-Based Policing
Router(config)# policy-map TestRouter(config-pmap)# class PremiumRouter(config-pmap-c)# priorityRouter(config-pmap-c)# queue-limit 32Router(config-pmap-c)# police percent 5 2 ms 2 msConfiguration Example for Configuring Percent-Based Two-Color Policing
Example 6-10 shows how to configure two-color percent-based policing. In the example, policing is configured for the classes named Voice and Test in the policy map named Premium. The router allocates 10 percent of the committed rate to voice traffic and allows burst sizes of 2 ms. The router transmits Voice traffic that conforms to the committed rate and sets the precedence-transmit value to 2 for Voice traffic that exceeds the burst sizes. The router allocates 5 percent of the committed rate to Test traffic and allows committed bursts of 4 ms and excess bursts of 2 ms. The router transmits Test traffic that conforms to the committed rate and drops Test traffic that exceeds the burst sizes.
Example 6-10 Configuring Percent-Based Two-Color Policing
Router(config)# policy-map PremiumRouter(config-pmap)# class VoiceRouter(config-pmap-c)# police percent 10 2 ms 2 ms conform-action transmit exceed-action set-prec-transmit 2Router(config-pmap-c)# class TestRouter(config-pmap-c)# police percent 5 4 ms 2 ms conform-action transmit exceed-action dropRouter(config-pmap)# exitRouter(config)# interface atm 1/0/0.1 point-to-pointRouter(config-subif)# service-policy input PremiumConfiguration Example for Configuring Percent-Based Three-Color Policing
Example 6-11 shows how to configure three-color percent-based policing. In the example, policing is configured for the class named Bronze in the policy map named Policy_0. The router allocates 10 percent of the committed rate to Bronze traffic and allows burst sizes of 2 ms. The router transmits Bronze traffic that conforms to the committed rate, sets the precedence-transmit value to 2 for Bronze traffic that exceeds the burst sizes, and drops Bronze traffic that violates the committed rate. For the Silver class, the router polices Silver traffic at 8,000,000 bits per second and allows committed bursts of 4000 bytes and excess bursts of 6000 bytes. The router transmits Silver traffic that conforms to the committed rate, sets the QoS transmit value to 4 for Silver traffic that exceeds the burst sizes, and drops Silver traffic that violates the committed rate.
Example 6-11 Configuring Percent-Based Three-Color Policing
Router(config)# policy-map Policy_0Router(config-pmap)# class class-defaultRouter(config-pmap-c)# set ip precedence 0Router(config-pmap-c)# class BronzeRouter(config-pmap-c)# police percent 10 2 ms 2 ms conform-action transmit exceed-action set-prec-transmit 2 violate-action dropRouter(config-pmap-c)# class SilverRouter(config-pmap-c)# police 8000000 4000 6000 conform-action transmit exceed-action set-qos-transmit 4 violate-action dropRouter(config-pmap-c)# exitRouter(config-pmap)# exitRouter(config)# interface atm 1/0/0.1 point-to-pointRouter(config-subif)# pvc 1/32Router(config-if-atm-range)# service-policy input Policy_0Configuration Example for Configuring Percent-Based Policing in a Hierarchical Policy
Example 6-12 shows how to configure a hierarchical policy and attach it to PVC 5/101. The router first shapes the bandwidth to 512000 bits per second as indicated in the Parent policy class-default class. The router then polices the Bronze and Gold classes in the policy-map named Child. The router allocates 30 percent of the committed rate to the Bronze traffic and allows committed bursts of 6 ms and excess bursts of 4 ms. The router transmits Bronze traffic that conforms to the committed rate and drops Bronze traffic that exceeds the burst sizes. The router polices Gold traffic at 8000 bits per second and allows committed bursts of 2000 bytes and excess bursts of 4000 bytes. The router transmits Gold traffic that conforms to the committed rate and sets the QoS transmit value to 4 for traffic that exceeds burst sizes.
Example 6-12 Policing in a Hierarchical Policy
Router(config)# policy-map ChildRouter(config-pmap)# class BronzeRouter(config-pmap-c)# police percent 30 6 ms 4 ms conform-action transmit exceed-action dropRouter(config-pmap-c)# class GoldRouter(config-pmap-c)# police 8000 2000 4000 conform-action transmit exceed-action set-qos-transmit 4Router(config-pmap-c)# exitRouter(config-pmap)# policy-map ParentRouter(config-pmap)# class class-defaultRouter(config-pmap-c)# shape 512000Router(config-pmap-c)# service-policy Child!Router(config-if)# interface atm 3/0/0.3 point-to-pointRouter(config-subif)# no atm pxf queuingRouter(config-subif)# pvc 5/101Router(config-if-atm-vc)# vbr-nrt 5000 2000Router(config-if-atm-vc)# service-policy out ParentConfiguration Example for Percent-Based Policing of a Priority Service
Example 6-13 shows how to configure the police percent command for a priority service. In the example, the priority class named Voice is configured in the policy map named New-Traffic. The router allocates 25 percent of the committed rate to Voice traffic and allows committed bursts of 4 ms and excess bursts of 1 ms. The router transmits Voice traffic that conforms to the committed rate, sets the QoS transmit value to 4 for Voice traffic that exceeds the burst sizes, and drops Voice traffic that violates the committed rate.
Example 6-13 Policing a Priority Service Using Percent-Based Policing
Router(config)# policy-map New-TrafficRouter(config-pmap)# class VoiceRouter(config-pmap-c)# priorityRouter(config-pmap-c)# queue-limit 32Router(config-pmap-c)# police percent 25 4 ms 1 ms conform-action transmit exceed-action set-qos-transmit 4 violate-action dropConfiguring Two-Rate Policing
To configure policing based on a committed information rate (CIR) and a peak information rate (PIR), enter the following commands beginning in global configuration mode:
Step 1
Router(config)# policy-map policy-map-name
Specifies the name of the policy map and enters policy-map configuration mode.
policy-map-name is the name of the policy map.
Step 2
Router(config-pmap)# class class-map-name
Assigns the traffic class you specify to the policy map. Enters policy-map class configuration mode.
class-map-name is the name of a previously configured class map and is the traffic class for which you want to define QoS actions.
Step 3
Router(config-pmap-c)# police {cir cir} [bc] burst-normal [pir pir] [be] peak-burst [conform-action action] [exceed-action action] [violate-action action]
Configures two-rate traffic policing by specifying both the committed information rate (CIR) and the peak information rate (PIR).
For more information, see the "police Command (Two-Rate)" section.
Configuration Example for Configuring Two-Rate Three-Color Policing
Example 6-14 shows how to configure two-rate three-color policing for the Premium traffic class in the policy map named Business. In the example, the committed information rate (CIR) is 512 kbps and the peak information rate (PIR) is 1 Mbps. Traffic that conforms to the CIR is sent as is. Traffic that exceeds the CIR, but not the PIR is marked with IP precedence 4. Traffic that exceeds the PIR is dropped. The burst parameters are set to 10,000 bytes.
Example 6-14 Configuring Two-Rate Three-Color Policing
Router(config)# class-map match-all PremiumRouter(config-cmap)# match access-group 106Router(config-cmap)# exitRouter(config)# policy-map BusinessRouter(config-pmap)# class PremiumRouter(config-pmap-c)# police cir 512000 bc 10000 pir 1000000 be 10000 conform-action transmit exceed-action set-prec-transmit 4 violate-action dropRouter(config-pmap-c)# exitRouter(config-pmap)# exitRouter(config)# interface atm 3/0/0Router(config-if)# service-policy output BusinessMarking Traffic Using Police Actions
To mark traffic using police actions, enter the following commands beginning in global configuration mode:
Step 1
Router(config)# policy-map policy-map-name
Specifies the name of the policy map and enters policy-map configuration mode.
policy-map-name is the name of the policy map.
Step 2
Router(config-pmap)# class class-map-name
Assigns the traffic class you specify to the policy map. Enters policy-map class configuration mode.
class-map-name is the name of a previously configured class map and is the traffic class for which you want to define QoS actions.
Step 3
Router(config-pmap-c)# police {cir cir} [bc] burst-normal [pir pir] [be] peak-burst [conform-action action] [exceed-action action] [violate-action action]
Configures traffic policing and optionally configures the policing action for conforming, exceeding, or violating traffic.
action specifies the policing action, such as set-clp-transmit, set-frde-transmit, set-cos-transmit, or set-cos-inner-transmit. Valid values for these actions are 0 to 7. For more information about the actions you can specify, see Table 6-1.
Configuration Example for Marking Traffic Using Police Actions
Example 6-15 shows how to configure conform, exceed, and violate actions in the police command. In the example configuration, traffic is policed at 8000 bps with the normal burst size set to 2000 bytes and the peak burst size set to 1000 bytes. Traffic whose rate is less than the conform burst rate has the CLP bit set to 1; traffic whose rate is within the conform and conform plus exceed burst rate has the CoS bits set to 3; and traffic whose rate is higher than the conform plus exceed rate has the CoS bits also set to 3.
Example 6-15 Marking Traffic Using Police Actions
Router(config)# policy-map policy1Router(config-pmap)# class goldRouter(config-pmap-c)# police 8000 2000 1000 conform-action set-clp-transmit exceed-action set-cos 3 violate-action set-cos 3Configuring Dual Police Actions
To configure dual police actions for conform, exceed, and violate actions, enter the following commands beginning in global configuration mode:
Configuration Example for Configuring Dual Police Actions
Example 6-16 shows how to configure the dual police actions set-clp-transmit and set-mpls-exp-imposition-transmit. The example configures set-clp-transmit and set-mpls-exp-transmit as the conform action and set-clp-transmit and set-mpls-exp-transmit as the exceed and violate actions.
Example 6-16 Configuring Dual Police Actions
Router(config)# policy-map clpRouter(config-pmap)# class class-defaultRouter(config-pmap-c) police 100000 100 10 conform-action set-clp-transmitRouter(config-pmap-c-police)# conform-action set-mpls-exp-transmit 1Router(config-pmap-c-police)# exceed-action set-clp-transmitRouter(config-pmap-c-police)# exceed-action set-mpls-exp-transmit 2Router(config-pmap-c-police)# violate-action set-clp-transmitRouter(config-pmap-c-police)# violate-action set-mpls-exp-transmit 3Router(config-pmap-c-police)# endRouter#Configuration Examples
This section provides the following configuration examples:
•
•
•
Configuration Example for Dual Actions—set-clp-transmit and set-mpls-exp-transmit
The following example shows how to configure set-clp-transmit and set-mpls-exp-transmit as the conform action and set-clp-transmit and set-mpls-exp-transmit as the exceed and violate actions:
policy-map clpclass class-defaultpolice 100000 100 10 conform-action set-clp-transmitconform-action set-mpls-exp-transmit 1exceed-action set-clp-transmitexceed-action set-mpls-exp-transmit 2violate-action set-clp-transmitviolate-action set-mpls-exp-transmit 3The following shows sample output from the show policy-map command:
Router# show policy-map clpPolicy Map clpClass class-defaultpolice 104000 100 10conform-action set-clp-transmitconform-action set-mpls-exp-transmit 1exceed-action set-clp-transmitexceed-action set-mpls-exp-transmit 2violate-action set-clp-transmitviolate-action set-mpls-exp-transmit 3The following shows sample output from the show running-config command beginning at the point where clp is specified:
Router# show running-config | begin clp|show running-config begin clpclass class-defaultpolice 104000 100 10conform-action set-clp-transmitconform-action set-mpls-exp-transmit 1exceed-action set-clp-transmitexceed-action set-mpls-exp-transmit 2violate-action set-clp-transmitviolate-action set-mpls-exp-transmit 3If the policy map is attached to an ATM PVC that is configured for Layer 2 VPN, the output from the show policy-map interface command displays the following information:
Router# show policy-map interface atm4/0/0.1ATM4/0/0.1: VC 1/100 -Service-policy input: clpClass-map: class-default (match-any)0 packets, 0 bytes5 minute offered rate 0 bps, drop rate 0 bpsMatch: any0 packets, 0 bytes5 minute rate 0 bpsPolice:104000 bps, 100 limit, 10 extended limitconformed 0 packets, 0 bytes; action:set-clp-transmitset-mpls-exp-transmit 1exceeded 0 packets, 0 bytes; action:set-clp-transmitset-mpls-exp-transmit 2violated 0 packets, 0 bytes; action:set-clp-transmitset-mpls-exp-transmit 3Configuration Example for Dual Actions—set-frde-transmit and set-mpls-exp-imposition-transmit
The following example shows how to configure set-frde-transmit and set-mpls-exp-imposition-transmit as the conform action and set-frde-transmit and set-mpls-exp-imposition-transmit as the exceed and violate actions.
policy-map frdeclass class-defaultpolice 100000 100 10 conform-action set-frde-transmitconform-action set-mpls-exp-imposition-transmit 1exceed-action set-frde-transmitexceed-action set-mpls-exp-imposition-transmit 2violate-action set-frde-transmitviolate-action set-mpls-exp-imposition-transmit 3The following shows sample output from the show policy-map command:
Router# show policy-map frdePolicy Map frdeClass class-defaultpolice 104000 100 10conform-action set-frde-transmitconform-action set-mpls-exp-imposition-transmit 1exceed-action set-frde-transmitexceed-action set-mpls-exp-imposition-transmit 2violate-action set-frde-transmitviolate-action set-mpls-exp-imposition-transmit 3The following shows sample output from the show running-config command:
Router# show running-config | begin frde|show running-config begin frdeclass class-defaultpolice 104000 100 10conform-action set-frde-transmitconform-action set-mpls-exp-imposition-transmit 1exceed-action set-frde-transmitexceed-action set-mpls-exp-imposition-transmit 2violate-action set-frde-transmitviolate-action set-mpls-exp-imposition-transmit 3If the policy map is attached to Frame Relay DLCI 101 that is configured for Layer 2 VPN, the output from the show policy-map interface command displays the following information:
Router# show policy-map serial4/0/0.1Serial4/0/0.1: DLCI 101 -Service-policy input: frdeClass-map: class-default (match-any)0 packets, 0 bytes5 minute offered rate 0 bps, drop rate 0 bpsMatch: any0 packets, 0 bytes5 minute rate 0 bpsPolice:104000 bps, 100 limit, 10 extended limitconformed 0 packets, 0 bytes; action:set-frde-transmitset-mpls-exp-imposition-transmit 1exceeded 0 packets, 0 bytes; action:set-frde-transmitset-mpls-exp-imposition-transmit 2violated 0 packets, 0 bytes; action:set-frde-transmitset-mpls-exp-imposition-transmit 3Configuration Example of the set-cos-transmit Police Action
The following example shows how to configure the set-cos-transmit police action on the PRE2. In the example, the traffic class group2 is policed at 20000 bps with a normal burst of 100 bytes. Traffic that conforms to the rate is transmitted; traffic that exceeds the rate has the CoS bits set to 3; and traffic that violates the rate has the CoS bits set to 4.
policy-map policeclass group2police 20000 100 0 conform-action transmit exceed-action set-cos-transmit 3 violate-action set-cos-transmit 4The following example shows sample output from the show running-config command for a 2-level hierarchical policy that is configured with the set-cos-transmit action on the PRE2:
policy-map in-parentclass class-defaultpolice percent 85 1000 ms 2000 ms conform-action transmit exceed-action drop violate-action dropservice-policy in-childpolicy-map in-childclass c0prioritypolice 1000000 20000 30000 conform-action set-cos-transmit 0 exceed-action set-cos-transmit 0 violate-action set-cos-transmit 0class c1police 1000000 20000 30000 conform-action set-cos-transmit 1 exceed-action set-cos-transmit 1 violate-action set-cos-transmit 1class c2police 1000000 20000 30000 conform-action set-cos-transmit 2 exceed-action set-cos-transmit 2 violate-action set-cos-transmit 2class c3police 1000000 20000 30000 conform-action set-cos-transmit 3 exceed-action set-cos-transmit 3 violate-action set-cos-transmit 3class c4police 1000000 20000 30000 conform-action set-cos-transmit 4 exceed-action set-cos-transmit 4 violate-action set-cos-transmit 4class class-defaultpolice 1000000 20000 30000 conform-action set-cos-transmit 5 exceed-action set-cos-transmit 5 violate-action set-cos-transmit 5On the PRE3, output from the show running-config command is the same as the above sample output, except that the priority command configured in class c0 displays as priority level level-number.
On the PRE2 and PRE3, the show policy-map interface commands displays the set-cos-transmit action and corresponding value when configured as a police action in a policy map.
Verifying and Monitoring Traffic Policing
The Cisco 10000 series router collects information about the number of conforming, exceeding, and violating packets and bytes.
To verify and monitor traffic policing, enter any of the following commands in privileged EXEC mode:
Verification Examples for Traffic Policing
This section provides the following verification examples:
•
•
•
Verifying Policing for a Specific Traffic Class
The following example shows how to verify policing for a specific traffic class in a policy map. In this example, the Bronze class in the Child policy map is policed at 30 percent of the available bandwidth. The committed burst is 6 ms and the excess burst is 4 ms.
Router# show policy-map Child class BronzeClass Bronzepolice percent 30 6 ms 4 ms conform-action transmit exceed-action dropset dscp 3Verifying Policing on a Specific Interface
The following example uses the show policy-map interface command to verify traffic policing on the ATM 3/0/0.3 subinterface. The QoS policy attached to PVC 5/101 on ATM subinterface 3/0/0.3 is a hierarchical policy that consists of a Parent policy and a Child policy. The Bronze class is policed at 600,000 bps and the Gold class is policed at 8000 bps.
Router# show policy-map interface atm 3/0/0.3ATM3/0/0.3: VC 5/101 -Service-policy output: ParentClass-map: class-default (match-any)0 packets, 0 bytes5 minute offered rate 0 bps, drop rate 0 bpsMatch: anyOutput queue: 0/64; 0/0 packets/bytes output, 0/0 dropsShape : 2000 kbpsService-policy : ChildClass-map: Bronze (match-all)0 packets, 0 bytes5 minute offered rate 0 bps, drop rate 0 bpsMatch: ip precedence 3 5Police:600000 bps, 1536 limit, 1000 extended limitconformed 0 packets, 0 bytes; action: transmitexceeded 0 packets, 0 bytes; action: set-prec-transmit 2violated 0 packets, 0 bytes; action: dropClass-map: Gold (match-all)0 packets, 0 bytes5 minute offered rate 0 bps, drop rate 0 bpsMatch: ip precedence 2Police:8000 bps, 2000 limit, 4000 extended limitconformed 0 packets, 0 bytes; action: transmitexceeded 0 packets, 0 bytes; action: set-qos-transmit 4violated 0 packets, 0 bytes; action: dropClass-map: class-default (match-any)0 packets, 0 bytes5 minute offered rate 0 bps, drop rate 0 bpsMatch: anyOutput queue: 0/64; 0/0 packets/bytes output, 0/0 dropsVerifying Dual Police Actions—set-clp-transmit and set-mpls-exp-transmit
The following shows sample output from the show policy-map command on the PRE3 and PRE4. In the example, the class-default class is configured for dual police actions: set-clp-transmit and set-mpls-exp-transmit.
Router# show policy-map clpPolicy Map clpClass class-defaultpolice 104000 100 10conform-action set-clp-transmitconform-action set-mpls-exp-transmit 1exceed-action set-clp-transmitexceed-action set-mpls-exp-transmit 2violate-action set-clp-transmitviolate-action set-mpls-exp-transmit 3Related Documentation
This section provides hyperlinks to additional Cisco documentation for the features discussed in this chapter. To display the documentation, click the document title or a section of the document highlighted in blue. When appropriate, paths to applicable sections are listed below the documentation title.
Control Plane Policing
Control Plane Policing feature module, Release 12.2(31)SB2
DiffServ
Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.3
Part 7: Quality of Service Solutions > Implementing DiffServ for End-to-End Quality of Service Overview
Policing
Comparing Traffic Policing and Traffic Shaping for Bandwidth Limiting
Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2
Quality of Service Overview > Policing and Shaping
Single-rate policer
RFC 2697, A Single Rate Three Color Marker
Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2
Part 4: Policing and Shaping > Policing and Shaping Overview
Three-color marker for traffic policing (single-rate)
Release Notes for the Cisco 10000 Series ESR for Cisco IOS Release 12.0(23)SX
New Features in Cisco IOS Release 12.0(23)SX > Single-Rate 3-Color Marker for Traffic Policing
RFC 2697, A Single Rate Three Color Marker
Token bucket
Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2
Part 4: Policing and Shaping > Policing and Shaping Overview > What Is a Token Bucket?
Two-rate policer three-color marker
RFC 2698, A Two Rate Three Color Marker
Two-Rate Policer, Release 12.2(4)T3 feature module
