- QoS CLI Index
- New and Changed Content for QoS CLI Config Guide
- Preface
- Overview
- Using Modular QoS CLI
- Configuring Classification
- Configuring Marking
- Configuring Mutation Mapping
- Configuring Policing
- Configuring Queuing and Scheduling
- Network QoS Policy Configuration
- Configuring Queuing and Scheduling on F1 Modules
- Configuring Priority Control
- Monitoring QoS Statistics
- Limits Appendix
- Additional References Appendix
Configuring Policing
This chapter describes how to configure policing of traffic classes on the Cisco NX-OS device. This chapter includes the following sections:
Information About Policing
Policing is the monitoring of the data rates for a particular class of traffic. When the data rate exceeds user-configured values, marking or dropping of packets occurs immediately. Policing does not buffer the traffic; therefore, the transmission delay is not affected. When traffic exceeds the data rate, you instruct the system to either drop the packets or mark QoS fields in them.
You can define single-rate, dual-rate, and color-aware policers.
Single-rate policers monitor the committed information rate (CIR) of traffic. Dual-rate policers monitor both CIR and peak information rate (PIR) of traffic. In addition, the system monitors associated burst sizes. Three colors, or conditions, are determined by the policer for each packet depending on the data rate parameters supplied: conform (green), exceed (yellow), or violate (red).
You can configure only one action for each condition. For example, you might police for traffic in a class to conform to the data rate of 256000 bits per second, with up to 200 millisecond bursts. The system would apply the conform action to traffic that falls within this rate, and it would apply the violate action to traffic that exceeds this rate.
Color-aware policers assume that traffic has been previously marked with a color. This information is then used in the actions taken by this type of policer.
For more information about policers, see RFC 2697 and RFC 2698 .
Shared Policers
QoS applies the bandwidth limits specified in a shared policer cumulatively to all flows in the matched traffic. A shared policer applies the same policer to more than one interface simultaneously.
For example, if you configure a shared policer to allow 1 Mbps for all Trivial File Transfer Protocol (TFTP) traffic flows on VLAN 1 and VLAN 3, the device limits the TFTP traffic for all flows combined on VLAN 1 and VLAN 3 to 1 Mbps.
The following are guidelines for configuring shared policers:
- You create named shared policers by entering the qos shared-policer command. If you create a shared policer and create a policy using that shared policer and attach the policy to multiple ingress ports, the device polices the matched traffic from all the ingress ports to which it is attached.
- You define shared policers in a policy map class within the police command. If you attach a named shared policer to multiple ingress ports, the device polices the matched traffic from all the ingress ports to which it is attached.
- Shared policing works independently on each module.
Licensing Requirements for Policing
The following table shows the licensing requirements for this feature:
However, using virtual device contexts (VDCs) requires an Advanced Services license.
Prerequisites for Policing
Policing has the following prerequisites:
- You must be familiar with Chapter3, “Using Modular QoS CLI”
- You are logged on to the switch.
- You are in the correct VDC. A VDC is a logical representation of a set of system resources. You can use the switchto vdc command with a VDC number.
Guidelines and Limitations
Policing has the following guidelines and limitations:
- Each module polices independently, which might affect QoS features that are being applied to traffic that is distributed across more than one module. The following are examples of these QoS features:
– Policers applied to a port channel interface.
– Egress policers applied to a Layer 3 interface. The device performs egress policing decisions at the ingress interface, on the ingress module.
Configuring Policing
You can configure a single- or dual-rate policer.
This section includes the following topics:
- Configuring 1-Rate and 2-Rate, 2-Color and 3-Color Policing
- Configuring Color-Aware Policing
- Configuring Ingress and Egress Policing
- Configuring Markdown Policing
- Configuring Shared Policers
Configuring 1-Rate and 2-Rate, 2-Color and 3-Color Policing
The type of policer created by the device is based on a combination of the police command arguments described in Table 6-1 .
Note You must specify the identical value for pir and cir to configure 1-rate 3-color policing.
Committed information rate, or desired bandwidth, specified as a bit rate or a percentage of the link rate. Although a value for cir is required, the argument itself is optional. The range of values is from 1 to 80000000000. The range of policing values that are mathematically significant is from 8000 to 80 Gbps. |
|
Rate as a percentage of the interface rate. The range of values is from 1 to 100 percent. |
|
Indication of how much the cir can be exceeded, either as a bit rate or an amount of time at cir . The default is 200 milliseconds of traffic at the configured rate. The default data rate units are bytes, and the Gigabit per second (gbps) rate is not supported for this parameter. |
|
Peak information rate, specified as a PIR bit rate or a percentage of the link rate. There is no default. The range of values is from 1 to 80000000000; the range of policing values that are mathematically significant is 8000 to 80 Gbps. The range of percentage values is from 1 to 100 percent. |
|
Indication of how much the pir can be exceeded, either as a bit rate or an amount of time at pir . When the bc value is not specified, the default is 200 milliseconds of traffic at the configured rate. The default data rate units are bytes, and the Gigabit per second (gbps) rate is not supported for this parameter. Note You must specify a value for pir before the device displays this argument. |
|
Single action to take if the traffic data rate is within bounds. The basic actions are transmit or one of the set commands listed in Table 6-4 . The default is transmit. |
|
Single action to take if the traffic data rate is exceeded. The basic actions are drop or markdown. The default is drop. |
|
Single action to take if the traffic data rate violates the configured rate values. The basic actions are drop or markdown. The default is drop. |
Note For information on the color-aware police command arguments, see the “Configuring Color-Aware Policing” section.
Although all the arguments in Table 6-1 are optional, you must specify a value for cir . In this section, cir indicates its value but not necessarily the keyword itself. The combination of these arguments and the resulting policer types and actions are shown in Table 6-2 .
The policer actions that you can specify are described in Table 6-3 and Table 6-4 .
Drops the packet. This is only available when the packet exceeds or violates the parameters. |
|
Sets the specified fields from a table map and transmits the packet. For more information on the system-defined, or default table maps, see Chapter4, “Configuring Marking” This is available only when the packet exceeds the parameters (use the cir-markdown-map) or violates the parameters (use the pir-markdown-map). |
Note The policer can only drop or mark down packets that exceed or violate the specified parameters. For information on marking down packets, see Chapter4, “Configuring Marking”
The data rates used in the police command are described in Table 6-5 .
Burst sizes used in the police command are described in Table 6-6 .
SUMMARY STEPS
You must specify the identical value for pir and cir to configure 1-rate 3-color policing.
2. policy-map [ type qos ] [ match-first ] { qos-policy-map-name | qos-dynamic }
3. class [ type qos ] { class-map-name | qos-dynamic | class-default} [ insert-before before-class-map-name ]
4. police [ cir ] { committed-rate [ data-rate ] | percent cir-link-percent } [ bc committed-burst-rate [ link-speed ]] [ pir ] { peak-rate [ data-rate ] | percent cir-link-percent } [ be peak-burst-rate [ link-speed ]] { conform { transmit | set-prec-transmit | set-dscp-transmit | set-cos-transmit | set-qos-transmit | set-discard-class-transmit } [ exceed { drop | set dscp dscp table { cir-markdown-map }} [ violate { drop | set dscp dscp table { pir-markdown-map }}]]}
7. show policy-map [ type qos ] [ policy-map-name | qos-dynamic ]
8. copy running-config startup-config
Note A 1-rate 2-color policer with the violate markdown action is not supported.
DETAILED STEPS
policy-map [ type qos ] [ match-first ] [ qos-policy-map-name | qos-dynamic ] |
Creates or accesses the policy map named policy-map-name, and then enters policy-map mode. The policy-map name can contain alphabetic, hyphen, or underscore characters, is case sensitive, and can be up to 40 characters. |
|
class [ type qos ] { class-map-name | qos-dynamic | class-default } [ insert-before before-class-map-name ] |
Creates a reference to class-map-name, and enters policy-map class configuration mode. The class is added to the end of the policy map unless insert-before is used to specify the class to insert before. Use the class-default keyword to select all traffic that is not currently matched by classes in the policy map. |
|
police [ cir ] { committed-rate [ data-rate ] | percent cir-link-percent } [ bc committed- burst-rate [ link-speed ]][ pir ] { peak-rate [ data-rate ] | percent cir-link-percent } [ be peak-burst-rate [ link-speed ]] [ conform { transmit | set-prec-transmit | set-dscp-transmit | set-cos-transmit | set-qos-transmit | set-discard-class-transmit } [ exceed { drop | set dscp dscp table { cir-markdown-map }} [ violate { drop | set dscp dscp table { pir-markdown-map }}]]} switch(config-pmap-c-qos)# police cir 256000 pir 256000 conform transmit exceed set dscp dscp table cir-markdown-map violate drop |
Polices cir in bits or as a percentage of the link rate. The conform action is taken if the data rate is ≤ cir . If be and pir are not specified, all other traffic takes the violate action. If be or violate are specified, the exceed action is taken if the data rate ≤ pir , and the violate action is taken otherwise. The actions are described in Table 6-3 and Table 6-4 . The data rates and link speeds are described in Table 6-5 and Table 6-6 . This example shows a 1-rate, 3-color policer that transmits if the data rate is within 200 milliseconds of traffic at 256000 bps, marks DSCP to 6 if the data rate is within 300 milliseconds of traffic at 256000 bps, and drops packets otherwise. |
|
Exits policy-map class configuration mode and enters policy-map mode. |
||
show policy-map [ type qos ] [ policy-map-name | qos-dynamic ] |
(Optional) Displays information about all configured policy maps or a selected policy map of type qos. |
|
(Optional) Saves the running configuration to the startup configuration. |
Use the show policy-map command to display the policy1 policy-map configuration as shown below:
Configuring Color-Aware Policing
Color-aware policing implies that the QoS DSCP field in a class of traffic has been previously marked with values that you can use in a policer. This feature allows you to mark traffic at one node in a network and then take action based on this marking at a subsequent node.
Note For information on the police command, see the “Configuring 1-Rate and 2-Rate, 2-Color and 3-Color Policing” section.
You can use one or more of the four police command class maps conform-color or exceed-color to perform color-aware policing. These keywords require a class-map name that is used to classify packets. Based on the match criteria that you specify in the class maps, the traffic is classified into one of these two classes or class-default if there is no match. The policer then takes the following action:
- Packets that belong to the conform-color class are policed with the cir and pir arguments to the police command.
- Packets that belong to the exceed-color class are policed only against the pir argument to the police command. If pir is not specified, the cir values are used.
- Packets that end up in class-default because they fail to match either the conform-color or exceed-color class will immediately take the violate action.
Note A color other than class-default cannot be assigned to the violate action because according to RFC 2697 and RFC 2698, all packets must be assigned a color.
You can set the DSCP value for color-aware policing to a specified value. The list of valid DSCP values is shown in Table 6-7 .
After you apply color-aware policing, all matching packets in the device will be policed according to the specifications of the color-aware policer.
To configure color-aware policing, follow these steps:
Step 1 Create the class map. For information about configuring class maps, see Chapter2, “Configuring Classification”
Step 2 Create a policy map. For information about policy maps, see this chapter and Chapter3, “Using Modular QoS CLI”
Step 3 Configure the color-aware class map as described in this section.
Step 4 Apply the service policy to the interfaces. For information about attaching policies to interfaces, see Chapter3, “Using Modular QoS CLI”
Note The rates specified in the shared policer are shared by the number of interfaces to which you apply the service policy. Each interface does not have its own dedicated rate as specified in the shared policer.
SUMMARY STEPS
2. class-map { conform-color-in | conform-color-out | exceed-color-in | exceed-color-out }
4. policy-map [ type qos ] [ match-first ] { qos-policy-map-name | qos-dynamic }
5. class [ type qos ] { class-map-name | qos-dynamic | class-default} [ insert-before before-class-map-name ]
6. police [ cir ] { committed-rate [ data-rate ] | percent cir-link-percent } [ bc committed-burst-rate [ link-speed ]] [ pir ] { peak-rate [ data-rate ] | percent cir-link-percent } [ be peak-burst-rate [ link-speed ]] { conform { transmit | set-prec-transmit | set-dscp-transmit | set-cos-transmit | set-qos-transmit | set-discard-class-transmit } [ exceed { drop | set dscp dscp table { cir-markdown-map }} [ violate { drop | set dscp dscp table { pir-markdown-map }}]]}
DETAILED STEPS
class-map { conform-color-in | conform-color-out | exceed-color-in | exceed-color-out } |
Accesses the color-aware class map, and enters color-map mode. When you enter this command, the system returns the following message:
|
|
Specifies the DSCP value to match for color-aware policers. See Table 6-7 for a list of valid values. |
||
policy-map [ type qos ] [ match-first ] [ qos-policy-map-name | qos-dynamic ] |
Creates or accesses the policy-map named policy-map-name, and then enters policy-map mode. The policy-map name can contain alphabetic, hyphen, or underscore characters, is case sensitive, and can be up to 40 characters. |
|
class [ type qos ] { class-map-name | qos-dynamic | class-default } [ insert-before before-class-map-name ] |
Creates a reference to class-map-name and enters policy-map class configuration mode. The class is added to the end of the policy map unless insert-before is used to specify the class to insert before. Use the class-default keyword to select all traffic that is not currently matched by classes in the policy map. |
|
police [ cir ] { committed-rate [ data-rate ] | percent cir-link-percent } [ bc committed- burst-rate [ link-speed ][ pir ] { peak-rate [ data-rate ] | percent cir-link-percent } [ be peak-burst-rate [ link-speed ] [ conform { transmit | set-prec-transmit | set-dscp-transmit | set-cos-transmit | set-qos-transmit | set-discard-class-transmit } [ exceed { drop | set dscp dscp table { cir-markdown-map }} [ violate { drop | set dscp dscp table { pir-markdown-map }}]]] switch(config-pmap-c-qos)# police cir 256000 be 300 ms conform-class my_conform_class_map exceed-class my_exceed_class_map conform transmit exceed set dscp dscp table cir-markdown-map violate drop switch(config-pmap-c-qos)# police cir 256000 pir 512000 conform-class my_conform_class_map exceed-class my_exceed_class_map conform transmit exceed set dscp dscp table cir-markdown-map violate drop |
Polices cir in bits or as a percentage of the link rate. The conform action is taken if the data rate is ≤ cir . If be and pir are not specified, all other traffic takes the violate action. If be or violate are specified, the exceed action is taken if the data rate ≤ pir , and the violate action is taken otherwise. The actions are described in Table 6-3 and Table 6-4 . The data rates and link speeds are described in Table 6-5 and Table 6-6 . This first example shows a 1-rate, 3-color color-aware policer that transmits if the conform-class data rate is within 200 milliseconds of traffic at 256000 bps, marks DSCP to 6 if the exceed-class data rate is within 300 milliseconds of traffic at 256000 bps, and drops packets otherwise. This second example shows a 2-rate, 3-color color-aware policer that transmits if the data rate is within 200 milliseconds of traffic at 256000 bps, marks CoS to 5 if the data rate exceeds 200 milliseconds of traffic at 512 bps, and drops packets otherwise. |
|
show policy-map [ type qos ] [ policy-map-name | qos-dynamic ] |
(Optional) Displays information about all configured policy maps or a selected policy map of type qos. |
|
(Optional) Saves the running configuration to the startup configuration. |
This example shows how to display the policy1 policy-map configuration:
Configuring Ingress and Egress Policing
You can apply the policing instructions in a QoS policy map to ingress or egress packets by attaching that QoS policy map to an interface. To select ingress or egress, you specify either the input or output keyword in the service-policy command. For more information on attaching and detaching a QoS policy action from an interface, see the Chapter3, “Using Modular QoS CLI”
Configuring Markdown Policing
Markdown policing is the setting of a QoS field in a packet when traffic exceeds or violates the policed data rates. You can configure markdown policing by using the set commands for policing action described in Table 6-3 and Table 6-4 .
The example in this section shows you how to use a table map to perform a markdown.
SUMMARY STEPS
2. policy-map [ type qos ] [ match-first ] { qos-policy-map-name | qos-dynamic }
3. class [ type qos ] { class-map-name | qos-dynamic | class-default} [ insert-before before-class-map-name ]
4. police [ cir ] { committed-rate [ data-rate ] | percent cir-link-percent } [ bc committed-burst-rate [ link-speed ]] [ pir ] { peak-rate [ data-rate ] | percent cir-link-percent } [ be peak-burst-rate [ link-speed ]] { conform conform-action [ exceed { drop | set dscp dscp table cir-markdown-map } [ violate { drop | set dscp dscp table pir-markdown-map }]]}}
7. show policy-map [ type qos ] [ policy-map-name | qos-dynamic ]
DETAILED STEPS
policy-map [ type qos ] [ match-first ] [qos-policy-map-name | qos-dynamic ] |
Creates or accesses the policy-map named policy-map-name, and then enters policy-map mode. The policy-map name can contain alphabetic, hyphen, or underscore characters, is case sensitive, and can be up to 40 characters. |
|
class [ type qos ] { class-map-name | qos-dynamic | class-default } [ insert-before before-class-map-name ] |
Creates a reference to class-map-name, and enters policy-map class configuration mode. The class is added to the end of the policy map unless insert-before is used to specify the class to insert before. Use the class-default keyword to select all traffic that is not currently matched by classes in the policy map. |
|
|
police [ cir ] { committed-rate [ data-rate ] | percent cir- link-percent } [[ bc | burst ] burst-rate [ link-speed ]] [[ be | peak-burst ] peak-burst-rate [ link-speed ]] [ conform conform-action [ exceed set dscp dscp table cir-markdown-map [ violate drop set dscp dscp table pir-markdown-map ]]} switch(config-pmap-c-qos)# police cir 256000 be 300 ms conform transmit exceed set dscp dscp table cir-markdown-map violate drop |
Polices cir in bits or as a percentage of the link rate. The conform action is taken if the data rate is ≤ cir . If be and pir are not specified, all other traffic takes the violate action. If be or violate are specified, the exceed action is taken if the data rate ≤ pir , and the violate action is taken otherwise. The actions are described in Table 6-3 and Table 6-4 . The data rates and link speeds are described in Table 6-5 and Table 6-6 . This example shows a 1-rate, 3-color policer that transmits if the data rate is within 200 milliseconds of traffic at 256000 bps; marks down DSCP using the system-defined table map if the data rate is within 300 milliseconds of traffic at 256000 bps, and drops packets otherwise. |
|
Exits policy-map class configuration mode and enters policy-map mode. |
||
show policy-map [ type qos ] [ policy-map-name | qos-dynamic ] |
(Optional) Displays information about all configured policy maps or a selected policy map of type qos. |
|
(Optional) Saves the running configuration to the startup configuration. |
Use the show policy-map command to display the policy1 policy-map configuration as shown below:
Configuring Shared Policers
The shared-policer feature allows you to apply the same policing parameters to several interfaces simultaneously. You create a shared policer by assigning a name to a policer, and then applying that policer to a policy map that you attach to the specified interfaces. The shared policer is also referred to as the named aggregate policer in other Cisco documentation.
Note After you configure the shared policer, you can use the shared-policer name to configure any type of shared policing, as described in the “Configuring 1-Rate and 2-Rate, 2-Color and 3-Color Policing” section, the “Configuring Color-Aware Policing” section, the “Configuring Ingress and Egress Policing” section, and the “Configuring Markdown Policing” section.
To configure shared policing, follow these steps:
Step 1 Configure the shared policer as described in this section.
Step 2 Create the class map. For information about configuring class maps, see Chapter2, “Configuring Classification”
Step 3 Create a policy map. For information about policy maps, see this chapter and Chapter3, “Using Modular QoS CLI”
Step 4 Reference the shared policer to the policy map as described in this section.
Step 5 Apply the service policy to the interfaces. For information about attaching policies to interfaces, see Chapter3, “Using Modular QoS CLI”
Note The rates specified in the shared policer are shared by the number of interfaces to which you apply the service policy. Each interface does not have its own dedicated rate as specified in the shared policer.
SUMMARY STEPS
2. qos shared-policer [ type qos ] shared-policer-name [ cir ] { committed-rate [ data-rate ] | percent cir-link-percent } [ bc committed-burst-rate [ link-speed ]] [ pir ] { peak-rate [ data-rate ] | percent cir-link-percent } [ be peak-burst-rate [ link-speed ]] {{ conform conform-action [ exceed { drop | set dscp dscp table cir-markdown-map } [ violate { drop | set dscp dscp table pir-markdown-map }]]}
3. policy-map [ type qos ] [ match-first ] { qos-policy-map-name | qos-dynamic }
4. class [ type qos ] { class-map-name | qos-dynamic | class-default} [ insert-before before-class-map-name ]
5. police aggregate shared-policer-name
DETAILED STEPS
qos shared-policer [ type qos ] shared-policer-name [ cir ] { committed-rate [ data-rate ] | percent cir-link-percent } [ bc committed- burst-rate [ link-speed ]][ pir ] { peak-rate [ data-rate ] | percent cir-link-percent } [ be peak-burst-rate [ link-speed ]] [ conform conform-action [ exceed { drop | set dscp dscp table cir-markdown-map [ violate set dscp dscp table pir-markdown-map }]]} |
Creates or accesses the shared policer. The shared-policer-name can contain alphabetic, hyphen, or underscore characters, is case sensitive, and can be up to 40 characters. Polices cir in bits or as a percentage of the link rate. The conform action is taken if the data rate is ≤ cir . If be and pir are not specified, all other traffic takes the violate action. If be or violate are specified, the exceed action is taken if the data rate ≤ pir , and the violate action is taken otherwise. The actions are described in Table 6-3 and Table 6-4 . The data rates and link speeds are described in Table 6-5 and Table 6-6 . |
|
policy-map [ type qos ] [ match-first ] [ qos-policy-map-name | qos-dynamic ] |
Creates or accesses the policy-map named policy-map-name, and then enters policy-map mode. The policy-map name can contain alphabetic, hyphen, or underscore characters, is case sensitive, and can be up to 40 characters. |
|
class [ type qos ] { class-map-name | qos-dynamic | class-default } [ insert-before before-class-map-name ] |
Creates a reference to class-map-name and enters policy-map class configuration mode. The class is added to the end of the policy map unless insert-before is used to specify the class to insert before. Use the class-default keyword to select all traffic that is not currently matched by classes in the policy map. |
|
police aggregate shared-policer-name |
Creates a reference in the policy map to shared-policer-name . |
|
Exits policy-map class configuration mode and enters policy-map mode. |
||
(Optional) Displays information about the configuration of all shared policers. |
||
(Optional) Saves the running configuration to the startup configuration. |
Use the show qos shared-policer command to display the test1 shared-policer configurations as shown below:
Verifying the Policing Configuration
To display the policing configuration information, perform one of these tasks:
Examples for Policing
The following example shows how to configure policing for a 1-rate, 2-color policer:
The following example shows how to configure policing for a 1-rate, 2-color policer with DSCP markdown:
The following example shows how to configure policing for a 1-rate, 3-color policer:
police cir 256000 pir 256000 conform transmit exceed set dscp dscp table cir-markdown-map violate drop
The following example shows how to configure policing for a 2-rate, 3-color policer:
police cir 256000 pir 256000 conform transmit exceed set dscp dscp table cir-markdown-map violate drop
The following example shows how to configure policing for a color-aware policer for specified DSCP values:
The following example shows how to configure policing for a shared policer:
Feedback