SSG Hierarchical Policing
The SSG Hierarchical Policing feature ensures that a subscriber does not utilize additional bandwidth for overall service or for a specific service that is outside the bounds of the subscriber's contract with the service provider.
This chapter describes the SSG Hierarchical Policing feature supported by the Cisco 10000 series router.
SSG Hierarchical Policing Overview
The traffic policing feature limits the transmission rate of traffic entering or leaving a node. In SSG, traffic policing can be used to allocate bandwidth between subscribers and between services to a particular subscriber to ensure all types of services are allocated a proper amount of bandwidth. SSG uses per-user and per-service policing to ensure bandwidth is distributed properly between subscribers (per-user policing) and between services to a particular subscriber (per-session policing). Because these policing techniques are hierarchical in nature (bandwidth can be first policed between users and then policed again between services to a particular user), the feature is called SSG Hierarchical Policing.
Per-user policing is used to police the aggregated traffic destined to or sent from a particular subscriber and can only police the bandwidth allocated to a subscriber. Per-user policing cannot identify services to a particular subscriber and police bandwidth between these services.
Per-session policing is used to police the types of services available to a subscriber. Per-session policing is useful when an SSG subscriber is subscribed to multiple services and the services are allocated different amounts of bandwidth. For example, a subscriber pays separately for Internet access and video service but receives both services from the same service provider. The video service would likely be allocated more bandwidth than the Internet access service and would likely cost more to the subscriber. Per-session policing provides a mechanism for identifying the types of services (such as the video service or Internet access in the example) and ensuring that users do not exceed the allocated bandwidth for the service.
SSG Hierarchical Policing Token Bucket Scheme
The SSG Hierarchical Policing token bucket scheme uses an algorithm to police the use of bandwidth. The parameters that the algorithm uses to allocate bandwidth are user-configurable; however, other unpredictable variables (such as time between packets and packet sizes) ultimately determine whether a packet is transmitted or dropped.
For more information, refer to the Service Selection Gateway Hierarchical Policing feature module.
Restrictions for SSG Hierarchical Policing
The SSG Hierarchical Policing feature has the following restrictions:
• When using SSG hierarchical policing on Cisco 10000 Series routers, a maximum of 8 policing rates can be used per uplink interface and R attribute combination. Of these 8 rates, 1 is reserved for "no policing", leaving 7 different police rates available per uplink interface and R attribute combination. For example, if eight SSG services are bound to the same SSG next-hop and all eight services carry an R attribute of "R0.0.0.0;0.0.0.0", the ninth service will fail to acquire correct policing rates and this error message may appear:
%GENERAL-3-EREVENT: C10KSSG: Vi2.8 svc_bitmap 0x2 Unable to set connection rate
• The Cisco 10000 router supports per-session and per-interface quality of service (QoS). This type of QoS is available on non-SSG interfaces and is applied to the sessions or interfaces using modular QoS CLI (MQC) service policies.
• SSG interfaces do not use MQC service policies and cannot use the more complete set of classification rules and QoS actions available through MQC. QoS support for SSG interfaces is limited to first classifying to a per-user level and then to a per-session level. At each level, the only action supported is applying a policed rate that either drops the packet or allows the packet to continue to be processed. You cannot mark or queue the packet in a specific manner. You also cannot use an ACL to classify packets for a QoS class.
• The upstream and downstream policing rates at the per-session level must be specified in pairs. You cannot individually specify the upstream and downstream policing rates to a particular service.
• If you configure an inbound or outbound MQC service policy on a downlink SSG interface, SSG ignores the service policy.
• You must configure the committed rate parameter at 8000 or larger. If you set the committed rate lower than 8000, it is automatically configured at 8000.
• If the normal burst parameter is less than the IP maximum transmission unit (MTU) of an interface, the normal burst parameter is set equal to the IP MTU of the interface.
• Only packets destined to subscribed services are policed. The following packets are not policed:
  – Multicast packets
  – Open Garden packets
  – Default network packets
SSG Hierarchical Policing Configuration
The configuration of SSG Hierarchical Policing requires you to:
• Modify user profiles and service profiles in RADIUS.
• Enable per-user and per-session policing using the ssg qos police command in global configuration mode.
For more information, refer to the Service Selection Gateway Hierarchical Policing feature module.
Configuration Examples for SSG Hierarchical Policing
Example 8-1 Configuring a RADIUS Service Profile for Per-Session Policing
Router(config)# local-profile cisco.com
Router(config-prof)# attribute 26 9 1 "QU16000:3000:4000:D24000:4000:8000"
Example 8-2 Enabling Per-Session Policing on a Router
Router(config)# ssg qos police session
For more information, refer to the Service Selection Gateway Hierarchical Policing feature module.
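The following Python sketch is an added example, not Cisco code and not part of the original chapter. It parses the attribute string from Example 8-1, applies the committed-rate and normal-burst adjustments listed under Restrictions, and runs a plain single token bucket to show how packet spacing and size decide whether a packet is transmitted or dropped. Assumptions: rates are in bits per second and bursts in bytes, the IP MTU is 1500, the excess burst is parsed but not modelled, and all function and class names are illustrative.

```python
import re

MIN_RATE = 8000  # page restriction: a lower committed rate is raised to 8000

def parse_q_attribute(value):
    """Parse 'QU<rate>:<normal>:<excess>:D<rate>:<normal>:<excess>' as in Example 8-1."""
    m = re.fullmatch(r"QU(\d+):(\d+):(\d+):D(\d+):(\d+):(\d+)", value)
    if m is None:  # upstream and downstream values must be given as a pair
        raise ValueError("expected paired U and D policing parameters")
    n = [int(x) for x in m.groups()]
    keys = ("rate", "normal_burst", "excess_burst")
    return {"up": dict(zip(keys, n[:3])), "down": dict(zip(keys, n[3:]))}

def effective(params, ip_mtu):
    """Apply the two adjustments listed under Restrictions to configured values."""
    return {"rate": max(params["rate"], MIN_RATE),
            "normal_burst": max(params["normal_burst"], ip_mtu),
            "excess_burst": params["excess_burst"]}

class Policer:
    """Single token bucket (assumed model): rate in bits/s, bucket depth in bytes."""
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0          # refill speed in bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)    # bucket starts full
        self.last = 0.0

    def offer(self, now, size):
        """Return True to transmit the packet, False to drop it."""
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if size > self.tokens:
            return False
        self.tokens -= size
        return True

def police(params, ip_mtu, packets):
    """Verdict per (arrival_time_s, size_bytes) packet for one direction."""
    eff = effective(params, ip_mtu)
    p = Policer(eff["rate"], eff["normal_burst"])
    return [p.offer(t, size) for t, size in packets]

if __name__ == "__main__":
    up = parse_q_attribute("QU16000:3000:4000:D24000:4000:8000")["up"]
    burst = [(0.00, 1500), (0.01, 1500), (0.02, 1500), (1.00, 1500)]  # constructed
    paced = [(0.00, 1500), (0.75, 1500), (1.50, 1500), (2.25, 1500)]  # constructed
    print(police(up, 1500, burst))  # 1500 is the assumed IP MTU
    print(police(up, 1500, paced))
```

The two constructed packet lists carry the same four 1500-byte packets; only the arrival times differ, and only the back-to-back list has a packet dropped.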