Traffic rates are easier to understand than traffic burstiness. When specifying a contract for network admission control (See Why Traffic Policing), you might have trouble describing expectations in terms of multiple burst sizes above a single rate. The dual-rate, three-color (2R3C) policer simplifies matters by primarily employing rates to differentiate conform, exceed and violate. It also introduces a second rate, PIR (Peak Information Rate)
CIR and PIR have
the following characteristics:
-
Traffic
below the
CIR is conforming.
-
Traffic
greater than
CIR but less than
PIR is exceeding.
-
Traffic
above
PIR is violating.
You specify these rates with the cir and pir keywords of the police command. (For details, please refer to the command page for police.)
With a 2R3C
policer, unlike a 1R3C, we replenish token buckets independently whenever a
packet arrives at the policer.
We refill conforming buckets at rate CIR; it can
contain up to value Bc.
; exceeding buckets, at PIR; it can contain up
to value Be.
Note |
PIR must exceed
CIR and overflow between buckets is disallowed.
|
If a steady stream
of packets arrives at a rate exceeding the CIR but less than the PIR, all
packets are marked either conforming or exceeding. With the 1R3C policer, this
scenario would have resulted in marking a minimal number of packets as
exceeding and a majority as conforming or violating.
A 2R3C policer
supports three possible actions for each packet: conform, exceed, and violate.
Traffic entering the interface configured with a
dual-rate policer is placed into one of these action categories, which dictates
how we treat a packet. For instance, in the most common configuration, you can
configure to send packets that either conform or exceed (with a decreased
priority), and to drop packets that violate.
Figure 3. Dual-Rate,
Three-Color Policer
When a packet arrives, we assess whether ample
tokens exist in the conforming
and exceeding
buckets to cover that packet. If so, we take the conforming action (typically,
transmit or transmit and mark) and remove the necessary tokens to transmit the
packet from
both
buckets.
If the Exceeding Token Bucket (but not the Conforming Token Bucket) contains sufficient tokens to cover the packet, we take the exceeding action (typically, transmit or transmit and marking). The appropriate number of tokens are removed from the exceeding bucket only.
If neither bucket has sufficient tokens to cover the packet, the violating action is taken (typically, transmit, transmit and marking, or drop):
policy-map ingress-enforcement
class af41-metering
police cir 100k bc 3000 pir 150k be 3000 conform-action set-dscp-transmit af41 exceed-action set-dscp-transmit af42 violate-action drop
Observe how code from the preceding example and the corresponding code from Single-Rate, Three-Color Policer differ:
cir 100k bc 3000 pir 150k be 3000
cir percent 10 bc 5 ms be 10 ms
In the immediate
example, we handle traffic accordingly:
-
Up to 100Kbps
(allowing for bursts up to 3,000 bytes) as conforming and forward it with DSCP
marked as af41.
-
Above 100Kbps
but less than 150Kbps (again allowing a 3,000 byte burst) as exceeding and
forward it marked as af42.
-
Above 150Kbs
as violating; we drop it.