QoS: Color-Aware Policer

Table Of Contents

QoS: Color-Aware Policer

Contents

Information About the Color-Aware Policer

Benefits

Color-Aware Mode

Color-Aware Mode of Single-Rate Traffic Policing

Color-Aware Mode of Two-Rate Traffic Policing

Packet Matching Criteria

How to Configure Color-Aware Policing

Creating a Class Map

Configuring a Policy Map

Attaching the Policy Map

Verifying the Configuration

Troubleshooting Tips

Configuration Examples for Color-Aware Policing

Color-Aware Policing: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

QoS: Color-Aware Policer

---

First Published: August 26, 2003

Last Updated: February 28, 2006

The QoS: Color-Aware Policer enables a "color-aware" method of traffic policing. This feature allows you to police traffic according to the color classification of a packet. The packet color classification is based on packet matching criteria defined for two user-specified traffic classes—the conform-color class and the exceed-color class. These two traffic classes are created using the conform-color command and the metering rates are defined using the police command.

History for the QoS: Color-Aware Policer Featurer

Release	Modification
12.0(26)S	This feature was introduced.
12.2(28)SB	This feature was integrated into Cisco IOS Release 12.2(28)SB.

Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

•Information About the Color-Aware Policer

•How to Configure Color-Aware Policing

•Configuration Examples for Color-Aware Policing

•Additional References

•Command Reference

Information About the Color-Aware Policer

To configure the Color-Aware Policer, you should understand the following concepts:

•Benefits

•Color-Aware Mode

•Packet Matching Criteria

Benefits

Extended Traffic Policing Functionality

The Color-Aware Policer extends the functionality of the quality of service (QoS) traffic policing feature. It allows you to police traffic on the basis of the packet color classification in color-aware mode.

Improved SLA Provisioning

The Color-Aware Policer allows you to provision enhanced Service Level Agreements (SLAs) across the DiffServ domain.

Full Compliance with Industry-Standard RFCs

This feature fully complies with the following two industry-standard RFCs:

•RFC 2697: A Single Rate Three Color Marker

•RFC 2698: A Two Rate Three Color Marker

Use of Preexisting Packet Marking from Other Traffic Policers

Cisco IOS software includes a number of traffic policing features, including the Two-Rate Policer. The Color-Aware Policer takes into account any preexisting markings that may be set for a packet by another traffic policer (for example, the Two-Rate Policer) configured at a previous network node. At the node where color-aware policing is configured, these preexisting markings are then used in determining the appropriate color-aware policing action for the packet.

For example, two-rate policing may be configured on a node upstream in the network. The Two-Rate Policer has marked a packet as violate-color. The Color-Aware Policer takes this violate-color marking into account when determining the appropriate policing action. In color-aware policing, the violate-color packet would never receive the action associated with either the conform-color packets or exceed-color packets. This way, tokens for violating packets are never taken from the metering token buckets at the color-aware policing node.

Color-Aware Mode

The Cisco IOS traffic policing software polices traffic on the basis of metering rates such as the committed information rate (CIR), the peak information rate (PIR), their associated burst sizes, and any policing actions (such as transmit or drop) configured for the traffic. These metering rates, sizes, and policing actions are specified using the police command.

This feature allows you to police traffic in color-aware mode. In the color-aware mode, packet matching criteria will first be specified using the class-map command. Then a policy map will be configured to create classes, enable color-aware traffic policing, and create two classes used specifically for color-aware policing—the conform-color class and the exceed-color class.

The conform-color class and the exceed-class are created by using the conform-color command (described later in this document). The police command is used in conjunction with the conform-color command to specify the policing actions to be taken on packets in the conform-color class and the exceed-color class.

With color-aware policing, packets are classified as either conform-color packets, exceed-color packets, or violate-color packets. The metering treatment the packet receives varies by the classification, as described below:

•Packets belonging to the conform-color class are metered against both the CIR and the PIR.

•Packets belonging to the exceed-color class are metered against the PIR only.

•Packets belonging to the violate-color class are not metered against either the CIR or the PIR.

The police command is then used to specify the following items:

•The CIR and PIR

•The conform burst (bc) size

•The excess burst (be) size

•The policing actions to be taken on the packet

Color-aware mode can be used with either single-rate traffic policing or two-rate traffic policing.

Color-Aware Mode of Single-Rate Traffic Policing

Networks police traffic by limiting the input or output transmission rate of a class of traffic on the basis of user-defined criteria. Policing traffic allows you to control the maximum rate of traffic sent or received on an interface and to partition a network into multiple priority levels or class of service (CoS).

Single-rate traffic policing (often referred to simply as traffic policing) limits the input or output transmission rate of a class of traffic on the basis of user-defined criteria. It allows you to control the maximum rate of traffic transmitted or received on an interface.

Traffic policing works by using a token bucket algorithm. There are currently two types of token bucket algorithms: a single-token bucket algorithm and a two-token bucket algorithm. A single-token bucket system is used when the violate-action option is not specified, and a two-token bucket system is used when the violate-action option is specified.

Single-Rate Color-Aware Mode Functionality

The flow chart in Figure 1 illustrates the algorithm used for handling traffic in color-aware single-rate traffic policing.

Figure 1 Traffic Flow Algorithm Used in Color-Aware Single-Rate Traffic Policing

In the above flow chart, a packet of size B arrives at the interface. Tc indicates the number of tokens in the CIR token bucket, and Tb indicates the number of tokens in the excess token bucket.

When a packet of size B bytes arrives at the interface, the packet is evaluated as to whether it is marked as either a conform-color packet, an exceed-color packet, or a packet with no color marking. Then the following actions are performed on the packet in the order shown below:

1. If the packet is marked conform-color, and Tc is greater than or equal to B, the conform action is applied to the packet, and Tc is decremented by B.

2. Otherwise, if the packet is marked conform-color or exceed-color, and Te is greater than or equal to B, the exceed action is applied to the packet, and Te is decremented by B.

3. Otherwise, for all other packets, the violate action is applied to the packet.

Policing Actions

The algorithm provides users with three actions for each packet: a conform action, an exceed action, and an optional violate action. A conform action is applied to the conforming packets, an exceed action is applied to the exceeding packets, and an violate action is applied to the violating packets. Users can specify these actions. For instance, conforming packets can sent, exceeding packets can sent with a decreased priority, and violating packets can be dropped.

Color-Aware Mode of Two-Rate Traffic Policing

Networks police traffic by limiting the input or output transmission rate of a class of traffic on the basis of user-defined criteria. Policing traffic allows you to control the maximum rate of traffic sent or received on an interface and to partition a network into multiple priority levels or CoS.

With the two-rate traffic policing, you can enforce traffic policing according to two separate rates—the CIR and the PIR. You can specify the use of these two rates, along with their corresponding values, by using the cir and pir keywords of the police command.

Two-rate traffic policing uses two token buckets—Tc and Tp—for policing traffic at two independent rates. The Tc token bucket contains the tokens in the CIR bucket. The Tp token bucket contains the tokens in the PIR bucket.

Note the following points about the two token buckets:

•The Tc token bucket is updated at the CIR value each time a packet arrives at the interface. The Tc token bucket can contain up to the confirm burst (Bc) value.

•The Tp token bucket is updated at the PIR value each time a packet arrives at the interface. The Tp token bucket can contain up to the peak burst (Be) value.

Two-Rate Color-Aware Mode Functionality

The flow chart in Figure 2 illustrates the algorithm used for handling traffic in color-aware two-rate traffic policing.

Figure 2 Traffic Flow Algorithm Used in Color-Aware Two-Rate Traffic Policing

In the above illustration, a packet of size B arrives at the interface. Tc indicates the number of tokens in the CIR token bucket, and Tp indicates the number of tokens in PIR token bucket.

When a packet of size B bytes arrives at the interface, the packet is evaluated as to whether it is marked as either an exceed-color packet or a violate-color packet. Then the following actions are performed on the packet in the order shown below:

1. If the packet is marked violate-color, or Tp is less than B, the violate action is applied to the packet. Tp is not decremented.

2. Otherwise, if the packet is marked exceed-color, and Tc is less than B, the exceed action is applied to the packet, and Tc bucket is decremented by B.

3. Otherwise, for all other packets, the conform action is applied to the packet, and both the Tc and Tp are decremented by B.

Policing Actions

The algorithm provides users with three actions for each packet: a conform action, an exceed action, and an optional violate action. A conform action is applied to the conforming packets, an exceed action is applied to the exceeding packets, and an violate action is applied to the violating packets. Users can specify these actions. For instance, conforming packets can sent, exceeding packets can sent with a decreased priority, and violating packets can be dropped.

Packet Matching Criteria

The first process in configuring color-aware policing is to create a class map. The class map is used to specify packet matching criteria.For instance, you can configure the class map to match packets based on a precedence level, a CoS value, or a differentiated services code point (DSCP) value. The match criteria is set with a specific match command. For example, to match packets based on a precedence value, use the match precedence command.

The match commands that can be used in a class map to establish packet matching criteria include the commands listed in Table 1.

Table 1 match Commands Used to Establish Packet Matching Criteria 

Command	Description
match cos	Matches a packet based on a Layer 2 CoS value.
match dscp	Identifies a specific DSCP value as a match criterion.
match fr-dlci	Specifies the Frame Relay data-link connection identifier (DLCI) number as a match criterion.
match mpls experimental	Specifies the value of the Multiprotocol Label Switching (MPLS) experimental (EXP) field as a match criterion.
match precedence	Identifies IP precedence values as match criterion.
match qos-group	Identifies a specific QoS group value as a match criterion.

.

The specific match commands that can be used to match packets vary from Cisco IOS release to Cisco IOS release. For more information about the match commands, refer to the documentation for your Cisco IOS release.

How to Configure Color-Aware Policing

This section contains the following procedures:

•Creating a Class Map (required)

•Configuring a Policy Map (required)

•Attaching the Policy Map (required)

•Verifying the Configuration (optional)

Creating a Class Map

A class map is used to specify packet matching criteria. To create a class map, use the commands in the following sections.

SUMMARY STEPS

1. enable

2. configure terminal

3. class-map [match-all | match-any] class-map-name

4. match [ip] precedence ip-precedence-value

5. exit

6. class-map [match-all | match-any] class-map-name

7. match [ip] precedence ip-precedence-value

8. exit

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	class-map [match-all | match-any] class-map-name Example: Router(config)# class-map conform_color_map	Creates the conform-color class-map used for specifying packet matching criterion and enters class-map configuration mode. Note The optional match-all and match-any keywords determine how packets are evaluated when multiple match criteria exist. Packets must meet either all of the match criteria (match-all) or one of the match criteria (match-any) to be considered a member of the class. •Enter the class-map name.
Step 4	match [ip] precedence ip-precedence-value Router(config-cmap)# match ip precedence 5	(Optional) Specifies the IP precedence value as the match criterion. •Enter the IP precedence value. Note In this example, the IP precedence value was used as the match criterion. Other criteria (for example, the CoS value, the DSCP, or the MPLS EXP value) can be used. Match criteria are specified by using the various match commands. Use the match command that is appropriate for your network. For a list of match commands that are available, see Table 1.
Step 5	exit Example: Router(config-cmap)# exit	(Optional) Exits class-map configuration mode.
Step 6	class-map [match-all | match-any] class-map-name Example: Router(config)# class-map exceed_color_map	Creates the exceed-color class-map used for specifying packet matching criterion and enters class-map configuration mode. Note The optional match-all and match-any keywords determine how packets are evaluated when multiple match criteria exist. Packets must meet either all of the match criteria (match-all) or one of the match criteria (match-any) to be considered a member of the class. •Enter the class-map name.
Step 7	match [ip] precedence ip-precedence-value Router(config-cmap)# match ip precedence 3	(Optional) Specifies the IP precedence value as the match criterion. •Enter the IP precedence value. Note In this example, the IP precedence value was used as the match criterion. Other criteria (for example, the CoS value, the DSCP, or the MPLS EXP value) can be used. Match criteria are specified by using the various match commands. Use the match command that is appropriate for your network. For a list of match commands that are available, see Table 1.
Step 8	exit Example: Router(config-cmap)# exit	(Optional) Exits class-map configuration mode.

Configuring a Policy Map

A policy map determines the specific QoS feature that will be applied to the packets in a specific class. For instance, a policy map can be used to configure traffic shaping, Weight Random Early Detection (WRED), or, as in this case, color-aware traffic policing.

To configure a policy map for color-aware traffic policing, use the commands in the following sections:

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map policy-map-name

4. class {class-name | class-default}

5. police cir cir [bc conform-burst] pir pir [be peak-burst] [conform-action action [exceed-action action [violate-action action]]]

6. conform-color class-map-name [exceed-color class-map-name]

7. exit

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	policy-map policy-map-name Example: Router(config)# policy-map color	Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy and enters policy-map configuration mode. •Enter the policy map name.
Step 4	class {class-name | class-default} Example: Router(config-pmap)# class ccolor	Creates the specified class (or the default class) and enters policy-map class configuration mode. •Enter name of the class you want to create or type class-default (to specify the default class).
Step 5	police cir cir [bc conform-burst] pir pir [be peak-burst] [conform-action action [exceed-action action [violate-action action]]] Example: Router(config-pmap-c)# police cir 8000 bc 5000 pir 8000 be 5000 conform-action transmit exceed-action set-prec-transmit 4 violate-action drop	Configures traffic policing on the basis of the specified rates and optional actions, and enters policy-map class police configuration mode. •Enter the CIR and any optional values and actions, if applicable.
Step 6	conform-color class-map-name [exceed-color class-map-name] Example: Router(config-pmap-c-police)# conform-color c1 exceed-color c2	Enables color-aware traffic policing and creates the conform-color and exceed-color class-maps used for color-aware traffic policing. The conform-color class-map-name command creates the conform-color class. The exceed-color class-map-name option creates the exceed-color class. •Enter the class-map name or names.
Step 7	exit Example: Router(config-pmap-c-police)# exit	(Optional) Returns to global configuration mode.

Attaching the Policy Map

The policy map you have created must be attached to the appropriate interface or ATM permanent virtual circuit (PVC). For example, you may have to attach policy maps to either the input or the output interface on either the ingress or the egress router.

To attach a policy map to the appropriate interface or ATM PVC, use the commands in the following sections:

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number [name-tag]

4. pvc [name] vpi/vci [ilmi | qsaal | smds]

5. service-policy {input | output} policy-map-name

6. exit

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	interface type number [name-tag] Example: Router(config)# interface FastEthernet1/0.1	Configures the interface type specified and enters interface configuration mode. •Enter interface type.
Step 4	pvc [name] vpi/vci [ilmi | qsaal | smds] Example: Router(config-if)# pvc cisco 0/16 ilmi	(Optional) Creates or assigns a name to an ATM PVC, specifies the encapsulation type on an ATM PVC, and enters ATM VC configuration mode. Note This step is required only if you are attaching the policy map to an ATM PVC. If you are not attaching the policy map to an ATM PVC, skip this step and proceed with Step 5. •Enter the PVC name.
Step 5	service-policy {input | output} policy-map-name Example: Router(config-if)# service-policy input policy1	Specifies the name of the policy map to be attached to the input or output direction of the interface. Note Policy maps can be configured on ingress or egress routers. They can also be attached in the input or output direction of an interface. The direction (input or output) and the router (ingress or egress) to which the policy map should be attached varies according your network configuration. When using the service-policy command to attach the policy map to an interface, be sure to choose the router and the interface direction that are appropriate for your network configuration. •Enter the policy map name.
Step 6	exit Example: Router(config-if)# exit	(Optional) Exits interface configuration mode.

Verifying the Configuration

This task allows you to verify that you created the configuration you intended and that the feature is functioning correctly. To verify the configuration, use the commands in the following sections:

SUMMARY STEPS

1. enable

2. show policy-map

3. show policy-map interface interface-name

4. exit

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	show policy-map Example: Router# show policy-map	Displays all configured policy maps.
Step 3	show policy-map interface interface-name Example: Router# show policy-map interface serial4/0	Displays the packet statistics of all classes that are configured for all service policies either on the specified interface or subinterface or on a specific PVC on the interface. •Enter the interface name.
Step 4	exit Example: Router(config-if)# exit	(Optional) Exits interface configuration mode.

Troubleshooting Tips

The commands in the "Verifying the Configuration" section allow you to verify that you achieved the intended configuration and that the feature is functioning correctly. If after using the show commands listed above, the configuration is not correct or the feature is not functioning as expected, do the following.

If the configuration is not the one you intended, complete the following procedures:

•Use the show running-config command and analyze the output of the command.

•If the policy map does not appear in the output of the show running-config command, enable the logging console command.

•Attach the policy map to the interface again.

If the packets are not being matched correctly (for example, the packet counters are not incrementing correctly), complete the following procedures:

•Use the show policy-map command and analyze the output of the command.

•Use the show running-config command and analyze the output of the command.

•Run the show policy-map interface command and analyze the output of the command. Review the the following:

–If a policy map applies queueing and the packets are matching the correct class, but you see unexpected results, compare the number of packets to the number of packets matched.

–If the interface is congested and you are only seeing a small number of packets matched, check the tuning of the transmisson (tx) ring and evaluate whether the queueing is happening on the tx ring. To do this, use the show controllers command and look at the value of the tx count in the show output of the command.

Configuration Examples for Color-Aware Policing

This section provides the following configuration example:

•Color-Aware Policing: Example

Color-Aware Policing: Example

The following example shows color-aware policing configured in a policy map called "color." Before the feature was configured, the class-map command was used to create two classes called "c1" and "c2," respectively. These two classes were configured as shown below:

class-map c1

 match ip prec 5 

class-map c2

 match ip prec 3

With the two classes created, color-aware policing is configured as shown below:

Router# enable

Router# configure terminal

Router(config)# policy-map color

Router(config-pmap)# class ccolor

Router(config-pmap-c)# police cir 8000 bc 5000 pir 8000 be 5000 conform-action transmit 
exceed-action set-prec-transmit 4 violate-action drop

Router(config-pmap-c-police)# conform-color c1 exceed-color c2 

---

Note The traffic class (in this example, ccolor) must still be created using the Modular QoS Command-Line Interface (CLI) (MQC).

---

With color-aware policing configured as shown, the following results occur based on the CIR, the PIR, and the conform actions, exceed actions, and violate actions specified by the police command:

•Packets that have metering rates less than or equal to the CIR and belong to class c1 (conform-color) are policed as conforming to the rate. These packets are also policed according to the conform action specified by the police command. In this instance, the packets will be transmitted.

•Packets that have metering rates between the CIR and the PIR and belong to either class c1 (conform-color) or class c2 (exceed-color) are policed as exceeding the CIR. These packets are also policed according to the exceed action specified by the police command. In this instance, the precedence value of the packets will be set and the packets transmitted.

•Packets that have metering rates higher than the PIR or belong to neither class c1 or class c2 are policed as violating the rate. These packets are also policed according to the violate action specified by the police command. In this instance, the packets will be dropped.

Additional References

The following sections provide references related to the Color-Aware Policing feature:

Related Documents

Related Topic	Document Title
QoS commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples	Cisco IOS Quality of Service Solutions Command Reference
Additional information about configuring traffic policing	"Policing and Shaping" module
MQC	"Applying QoS Features Using the MQC" module
Two-rate traffic policing	"Two-Rate Policer" module
Traffic policing using multiple policer actions	"Policer Enhancement — Multiple Actions" module
Percentage-based traffic policing and shaping	"Percentage-Based Policing and Shaping" module

Standards

Standards	Title
None	—

MIBs

MIBs	MIBs Link
•CISCO-CLASS-BASED-QOS-MIB •CISCO-CLASS-BASED-QOS-CAPABILITY-MIB	To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFCs	Title
RFC 2697	A Single Rate Three Color Marker
RFC 2698	A Two Rate Three Color Marker

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport

Command Reference

The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Quality of Service Solutions Command Reference at http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_book.html. For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or a Cisco IOS master commands list.

•conform-color

•show policy-map

•show policy-map interface

CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0804R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2007 Cisco Systems, Inc. All rights reserved.