Hierarchical Color-Aware Policing
The Hierarchical Color-Aware Policing feature provides two levels of policing where the policer ordering is evaluated from child to parent, and there is preferential treatment of certain traffic at the parent level.
Restrictions for Hierarchical Color-Aware Policing
The following restrictions apply to the Hierarchical Color-Aware Policing feature:
- Only a dual policer in which either the parent or the child policer alone is color-aware is supported. The parent and child policers cannot both be color-aware at the same time; such a configuration is rejected.
- Color-classification at the parent-level is based on incoming packets on the wire and not the re-marked value at the child-level.
- Child and parent policers can have independent conform/exceed/violate marking actions at the child and parent-level. All restrictions/support of hierarchical policing continue to exist with respect to all police subcommand actions.
- Color-classification matches should already be part of the policy hierarchy's classification match criteria.
- Color-classification matches that are not part of any policy-map classification criteria are ignored. They are not explicitly rejected.
- For dual policers in an HQoS policy, if the parent policer is color-aware, the child-level policer cannot be configured to be color-aware; such a configuration is rejected. If the child policer is color-aware, the parent policer must be color-blind.
- When a parent policer is color-aware, the child policer cannot be configured with PIR; such a configuration is rejected. The child policer can only be a 1R2C policer.
Information About Hierarchical Color-Aware Policing
Hierarchical Order Policing
The switch supports policers in hierarchical policies with an evaluation order of child to parent.
This is a sample configuration for a simple two-level policer:
Limited Color-Aware Policing
This sample configuration for a simple two-level color-aware policer results in the behavior shown in Figure 36-1:
ip access-list extended user1-acl
 permit ip host 192.168.1.1 any
 permit ip host 192.168.1.2 any
ip access-list extended user2-acl
 permit ip host 192.168.2.1 any
 permit ip host 192.168.2.2 any
class-map match-all user1-acl-child
 match access-group name user1-acl
class-map match-all user2-acl-child
 match access-group name user2-acl
class-map match-any user3-acl-child
 match access-group name user2-acl
 match access-group name user1-acl
conform-action set-qos-transmit 5
conform-action set-qos-transmit 5
conform-color user1-acl-child
service-policy child-policy
Figure 36-1 Simple Two-Level Color-Aware Policer
Note
To avoid drops at the parent level for “conformed” child traffic, the parent policer must have a rate and burst that are equal to or greater than the sum of the child conform rates and burst sizes. There is no check for inappropriate (parent-to-child) rates and burst sizes in code.
You must be aware of this limitation and configure appropriately. In the following example, explicit marking actions are supported in conjunction with color-aware policing, and they operate similarly to the color-aware policer marking actions:
50k >= 10k (user1-acl-child) + 20k (user2-acl-child)
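Because the platform does not check parent-to-child rates and burst sizes, the restrictions listed earlier and the rule in this note can be checked offline before deployment. The script below is an added example, not Cisco code; the configuration text is constructed, the burst sizes are assumed values, and counting every policed child class toward the sum is an assumption.

```python
# Constructed sample (not from the page): rates from the note above, bursts assumed.
SAMPLE = """\
policy-map child-policy
 class user1-acl-child
  police cir 10000 bc 1500
 class user2-acl-child
  police cir 20000 bc 1500
policy-map parent-policy
 class user3-acl-child
  police cir 50000 bc 3000
   conform-color user1-acl-child
  service-policy child-policy
"""

def parse(text):
    """Return {policy-map name: [class dicts]} from configuration text."""
    policies, cur, cls = {}, None, None
    for words in (l.split() for l in text.splitlines() if l.strip()):
        if words[0] == "policy-map":
            cur = policies.setdefault(words[1], [])
        elif words[0] == "class":
            cls = dict(name=words[1], cir=0, bc=0, pir=None, aware=False, child=None)
            cur.append(cls)
        elif words[0] == "service-policy":
            cls["child"] = words[1]
        elif words[0] == "police":
            kv = dict(zip(words, words[1:]))  # keyword -> token that follows it
            cls.update({k: int(kv[k]) for k in ("cir", "pir", "bc") if k in kv})
        if "conform-color" in words or "exceed-color" in words:
            cls["aware"] = True  # this policer is color-aware
    return policies

def lint(policies):
    """List violations of the restrictions and of the rate/burst note."""
    out = []
    for pname, classes in policies.items():
        for par in classes:
            kids = policies.get(par["child"], [])  # empty when no child policy
            where = f"{pname}/{par['name']}"
            if par["aware"]:
                out += [f"{where}: child {k['name']} also color-aware" for k in kids if k["aware"]]
                out += [f"{where}: child {k['name']} uses PIR" for k in kids if k["pir"] is not None]
            for key in ("cir", "bc"):  # parent >= sum over all child classes (assumed scope)
                total = sum(k[key] for k in kids)
                if par[key] < total:
                    out.append(f"{where}: {key} {par[key]} < child sum {total}")
    return out

if __name__ == "__main__":
    print(lint(parse(SAMPLE)) or "no findings")
```
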
Note
Where color-aware policing is enabled there will be no difference in the output of the show policy-map output command.
How to Configure Hierarchical Color-Aware Policing
Configuring the Hierarchical Color-Aware Policing Feature
SUMMARY STEPS
1. enable
2. configure terminal
3. policy-map policy-map-name
4. class { class-name | class-default [ fragment fragment-class-name ]} [ insert-before class-name ] [ service-fragment fragment-class-name ]
5. police { cir cir }{ pir pir }[ bc conform-burst ] [ be peak-burst ] [ conform-action action [ exceed-action action [ violate-action action ]]]{ conform-color class-map-name }[ exceed-color class-map-name ]
6. service-policy policy-map-name
7. end
DETAILED STEPS
Step 1
Command: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
- Enter your password if prompted.
Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: policy-map policy-map-name
Example: Router(config)# policy-map parent-policy
Purpose: Enters policy-map configuration mode and creates a policy map.
Step 4
Command: class { class-name | class-default }
Example: Router(config-pmap)# class class-default
Purpose: Enters policy-map class configuration mode.
- Specifies the name of the class whose policy you want to create or change or specifies the default class (commonly known as the class-default class) before you configure its policy. Repeat this command as many times as necessary to specify the child or parent classes that you are creating or modifying:
  - class-name —Name of the class to be configured or whose policy is to be modified. The class name is used for both the class map and to configure a policy for the class in the policy map.
  - class-default —Specifies the default class so that you can configure or modify its policy.
Step 5
Command: police { cir cir }{ pir pir }[ bc conform-burst ] [ be peak-burst ] [ conform-action action [ exceed-action action [ violate-action action ]]]{ conform-color class-map-name }[ exceed-color class-map-name ]
Example:
Router(config-pmap-c)# police cir 50000000 pir 70000000 bc 3000
Router(config-pmap-c-police)# exceed-action transmit
Router(config-pmap-c-police)# violate-action drop
Router(config-pmap-c-police)# conform-color hipri-conform
Purpose: Configures traffic policing and specifies multiple actions applied to packets marked as conforming to, exceeding, or violating a specific rate.
- Enters policy-map class police configuration mode. Use one line per action that you want to specify:
  - cir —(Required) Committed information rate. Indicates that the CIR will be used for policing traffic.
  - pir —(Required) Permitted information rate. Indicates that the PIR will be used for policing traffic.
  - conform-action —(Optional) Action to take on packets when the rate is less than the conform burst.
  - exceed-action —(Optional) Action to take on packets whose rate is within the conform and conform plus exceed burst.
  - violate-action —(Optional) Action to take on packets whose rate exceeds the conform plus exceed burst. You must specify the exceed action before you specify the violate action.
  - conform-color —(Required) Enables color-aware policing (on the policer being configured) and assigns the class map to be used for conform color determination. The class-map-name argument is the class map (previously configured via the class-map command) to be used.
  - exceed-color —(Optional) Enables color-aware policing (on the policer being configured) and assigns the class map to be used for exceed color determination. The class-map-name argument is the class map (previously configured via the class-map command) to be used.
Step 6
Command: service-policy policy-map-name
Example: Router(config-pmap-c-police)# service-policy child-policy
Purpose: Specifies a service policy as a QoS policy within a policy map (called a hierarchical service policy).
- policy-map-name —Name of the predefined policy map to be used as a QoS policy. The name can be a maximum of 40 alphanumeric characters.
Step 7
Command: end
Example: Router(config-pmap-c-police)# end
Purpose: Exits the current configuration mode.
Example
The following is a sample configuration for the Hierarchical Color-Aware Policing feature, policer (root) which have already passed through their respective child policers (child-policy):
police cir 70000000 pir 100000000
conform-color dscp_1_2 exceed-color dscp_3_4
service-policy child-policy
Configuration Examples for Hierarchical Color-Aware Policing
The examples provided in this section show how to configure the hierarchical color-aware policing feature:
Example: Enable the Hierarchical Color-Aware Policing Feature
This is a sample configuration that shows how to enable the hierarchical color-aware policing feature, where packets with DSCP 1 and 2 are treated as Green and packets with DSCP 3 and 4 are treated as Yellow:
police cir 70000000 pir 100000000
conform-color dscp_1_2 exceed-color dscp_3_4
service-policy child-policy
Example: Hierarchical Color-Aware Policing
This is a sample configuration that shows how to enable the hierarchical color-aware policing feature on Cisco ME3600 and ME3800 switches:
police cir 70000000 pir 100000000
conform-color dscp_1_2 exceed-color dscp_3_4
service-policy child-policy