Configuring Policing

About Policing

Policing is the monitoring of the data rates for a particular class of traffic. When the data rate exceeds user-configured values, marking or dropping of packets occurs immediately. Policing does not buffer the traffic; therefore, the transmission delay is not affected. When traffic exceeds the data rate, you instruct the system to either drop the packets or mark QoS fields in them.

You can define single-rate and dual-rate policers.

Single-rate policers monitor the committed information rate (CIR) of traffic. Dual-rate policers monitor both CIR and peak information rate (PIR) of traffic. In addition, the system monitors associated burst sizes. Three colors, or conditions, are determined by the policer for each packet depending on the data rate parameters supplied: conform (green), exceed (yellow), or violate (red).

You can configure only one action for each condition. For example, you might police for traffic in a class to conform to the data rate of 256000 bits per second, with up to 200 millisecond bursts. The system would apply the conform action to traffic that falls within this rate, and it would apply the violate action to traffic that exceeds this rate.

For more information about policers, see RFC 2697 and RFC 2698.

Shared Policers


Note


The shared policer feature is only supported on the Cisco Nexus 9508 switch (NX-OS 7.0(3)F3(3) and later 7.0(3)F3(x) releases).


QoS applies the bandwidth limits specified in a shared policer cumulatively to all flows in the matched traffic. A shared policer applies the same policer to more than one interface simultaneously.

For example, if you configure a shared policer to allow 1 Mbps for all Trivial File Transfer Protocol (TFTP) traffic flows on VLAN 1 and VLAN 3, the device limits the TFTP traffic for all flows combined on VLAN 1 and VLAN 3 to 1 Mbps.

The following are guidelines for configuring shared policers:

  • You create named shared policers by entering the qos shared-policer command. If you create a shared policer and create a policy using that shared policer and attach the policy to multiple ingress ports, the device polices the matched traffic from all the ingress ports to which it is attached.

  • You define shared policers in a policy map class within the police command. If you attach a named shared policer to multiple ingress ports, the device polices the matched traffic from all the ingress ports to which it is attached.

  • Shared policing works independently on each module.

  • When the shared policer is applied on interfaces or a VLAN with member ports that are across different cores or instances, the rate becomes two times the configured CIR rate.

  • Use the show qos shared-policer [type qos] [policer-name] command to display information about shared policers.

Prerequisites for Policing

Policing has the following prerequisites:

  • You must be familiar with using modular QoS CLI.

  • You are logged on to the device.

Guidelines and Limitations for Policing


Note


For scale information, see the release-specific Cisco Nexus 9000 Series NX-OS Verified Scalability Guide.


Common

The following are guidelines and limitations common to all policers:

  • PVLANs do not provide support for PVLAN QoS.

  • show commands with the internal keyword are not supported.

  • Each module applies policing independently, which can affect QoS features that are applied to traffic that is distributed across multiple modules. The following are examples of these QoS features:

    • Policers that are applied to a port channel interface.

    • Policers that are applied to a VLAN.

  • Policing only supports violated and nonviolated statistics when using either double width or single width TCAM with e-qos-lite.

  • Using the optional keyword no-stats disables statistics and ensures that applicable policies are shared.

  • You can only use the set qos-group command in ingress policies.

  • Beginning with Cisco NX-OS Release 10.1(2), Policing is supported on the N9K-X9624D-R2 and N9K-C9508-FM-R2 platform switches. For R2, markdown action in policing is not supported.

  • Beginning with Cisco NX-OS Release 10.3(1)F, the following policer limitation applies on Cisco Nexus GX/GX2 platform switches:

    • For 25.6T ASIC, the policer limit is 282G.

    • For 12.2T ASIC, the policer limit is 300G.

Ingress Policing

The following are guidelines and limitations for ingress policing:

  • All policers in the ingress direction must use the same mode.

  • QoS Ingress policers can be enabled on subinterfaces.

Egress Policing

The following are guidelines and limitations for egress policing:

  • Egress QoS policing is not supported on Cisco Nexus 9500 platform switches with the following line cards:

    • Cisco Nexus 9636C-R

    • Cisco Nexus 9636Q-R

    • Cisco Nexus 9636C-RX

    • Cisco Nexus 96136YC-R

  • The egress RACL feature is not supported on the Cisco Nexus 9508 switch.

  • Egress QoS policy statistics for CPU generated traffic are not supported on the following:

    • Cisco Nexus 9200, 9300-EX, and 9300-FX platform switches

    • Cisco Nexus 9500 platform switches with the following line cards:

      • Cisco Nexus 9732C-EX

      • Cisco Nexus 9736C-EX

      • Cisco Nexus 97160YC-EX

      • Cisco Nexus 9736C-FX

  • The total number of policers that can be successfully attached in the egress direction is only half the size of the qos-lite TCAM region.

  • When egress RACL and egress QoS are applied together, you can only enable statistics for one or the other, not both.

  • The egress policing feature does not support egress QoS policers on ALE uplink ports on top-of-rack (ToR) platforms.

  • When using egress QoS, we recommend using the appropriate match criteria to match data traffic. Avoid match criteria such as permit ip any any.

  • Remark action for violated packets in the egress direction is not supported on the following Cisco Nexus 9000 -EX platform switches and line cards:

    • Cisco Nexus 93180YC-EX

    • Cisco Nexus 93108TC-EX

    • Cisco Nexus 9736C-EX

    • Cisco Nexus 97160YC-EX

    • Cisco Nexus 9732C-EX

    They only support the drop action for violate in the egress direction.

  • VLAN Egress QoS and Egress QoS on Layer 2 Port Channel (L2PO) are not supported on the following Cisco Nexus 9000 EX-based line cards:

    • Cisco Nexus 97160YC-EX

    • Cisco Nexus 9732C-EX

    • Cisco Nexus 9736C-EX

  • Egress QoS policies are not supported on subinterfaces.

  • Egress QoS policies are not supported on Cisco Nexus 9200 platform switches.

1-Rate 2-Color and 2-Rate 3-Color Policing

The following are guidelines and limitations for 1-rate 2-color (1R2C) and 2-rate 3-color (2R3C) policing:

  • A 2-rate 3-color policer is not supported on Cisco Nexus 9200 platform switches.

  • Only 1R2C policing in the egress direction is supported on the following Cisco Nexus 9000 -EX and -FX platform switches and line cards:

    • Cisco Nexus 93180YC-EX

    • Cisco Nexus 93108TC-EX

    • Cisco Nexus 9736C-EX

    • Cisco Nexus 97160YC-EX

    • Cisco Nexus 9732C-EX

    • Cisco Nexus 93108TC-FX

    • Cisco Nexus 9348GC-FXP

    • Cisco Nexus 9736C-FX

  • Cisco Nexus 9200 platform switches only support 1R2C policing in the ingress direction.

  • A 2-rate 3-color policer is not supported at egress on Cisco Nexus 9300-FX/FX2/FX3/GX/GX2 platform switches and Cisco Nexus 9700-EX/FX/GX line cards.

Shared Policers

The following are guidelines and limitations for shared policers:

  • When the shared policer is applied to interfaces or VLANs, with member ports that are across different cores or instances, the rate becomes two times the configured CIR rate.

Guidelines for UDE Policers

Beginning with Cisco NX-OS Release 10.3(3), QoS template based UDE is supported. These are the guidelines and limitations for UDE policers.

  • The UDE template should be enabled only on L2 interfaces, and the port should be in mode tap-aggregation.

  • Policy-map default-ndb-out-policy is not supported under system QoS.

  • To support this feature, you need to carve the egress Layer 2 QoS TCAM region.

  • On reboot, the switch may take some time to apply the default-ndb-out-policy to the configured interface. Because of this, a few packets may leak. Subsequently, all egress control/flood traffic is dropped.

  • Even if there is no data traffic, control traffic such as CDP, LLDP, ARP, BPDU and so on from CPU will hit ACL entry and get dropped, incrementing the violated count. This is expected behavior when default-ndb-out-policy is configured.

Configuring Policing

You can configure a single or dual-rate policer.

Configuring Ingress Policing

You can apply the policing instructions in a QoS policy map to ingress packets by attaching that QoS policy map to an interface. To select ingress, you specify the input keyword in the service-policy command. For more information on attaching and detaching a QoS policy action from an interface, see the "Using Modular QoS CLI" section.

Configuring Egress Policing


Note


The egress policing feature is not supported on the Cisco Nexus 9508 switch (Cisco NX-OS Release 7.0(3)F3(3)).


The egress policing feature is supported on Cisco Nexus 9300-FX/FX2/FX3/GX/GX2 platform switches and Cisco Nexus 9700-EX/FX/GX line cards.


Note


Egress QoS policing is not supported on Cisco Nexus 9500 platform switches with the following line cards:

  • Cisco Nexus 9636C-R

  • Cisco Nexus 9636Q-R

  • Cisco Nexus 9636C-RX

  • Cisco Nexus 96136YC-R


You can apply the policing instructions in a QoS policy map to ingress or egress packets by attaching that QoS policy map to an interface. To select ingress or egress, you specify the input keyword or the output keyword in the service-policy command.

Configuring UDE policy: Beginning with Cisco NX-OS Release 10.3(3)F, you can configure the default UDE policy template to block the egress traffic from the NDB layer to the production layer.

Before you begin

  • You must carve TCAM region for egress QoS before configuring policing.

  • For more information about attaching and detaching a QoS policy action from an interface, see the "Using Modular QoS CLI" section.

SUMMARY STEPS

  1. configure terminal
  2. policy-map [type qos] [match-first] [policy-map-name]
  3. class [type qos] {class-map-name | class-default} [insert-before before-class-name]
  4. police [cir] {committed-rate [data-rate] | percent cir-link-percent} [bc committed-burst-rate ] [conform {transmit | set-prec-transmit | set-dscp-transmit | set-cos-transmit | set-qos-transmit} [ exceed { drop }[ violate {drop | set-cos-transmit | set-dscp-transmit | set-prec-transmit | set-qos-transmit }]]}
  5. exit
  6. exit
  7. show policy-map [type qos] [policy-map-name | qos-dynamic]
  8. copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

policy-map [type qos] [match-first] [policy-map-name]

Example:

switch(config)# policy-map policy1
switch(config-pmap-qos)#

Creates or accesses the policy map named policy-map-name and then enters policy-map mode. The policy-map name can contain alphabetic, hyphen, or underscore characters, is case sensitive, and can be up to 40 characters.

Step 3

class [type qos] {class-map-name | class-default} [insert-before before-class-name]

Example:

switch(config-pmap-qos)# class class-default
switch(config-pmap-c-qos)#

Creates a reference to class-map-name and enters policy-map class configuration mode. The class is added to the end of the policy map unless insert-before is used to specify the class to insert before. Use the class-default keyword to select all traffic that is not currently matched by classes in the policy map.

Step 4

police [cir] {committed-rate [data-rate] | percent cir-link-percent} [bc committed-burst-rate ] [conform {transmit | set-prec-transmit | set-dscp-transmit | set-cos-transmit | set-qos-transmit} [ exceed { drop }[ violate {drop | set-cos-transmit | set-dscp-transmit | set-prec-transmit | set-qos-transmit }]]}

Example:

switch(config-pmap-qos)# policy-map type qos egressqos
switch(config-pmap-qos)# class class-default
switch(config-pmap-c-qos)# police [ cir] {committed-rate [data-rate] |  percent cir-link-percent} 
[ bc committed-burst-rate][ conform { transmit |  set-prec-transmit | set-dscp-transmit | set-cos-transmit | 
set-qos-transmit}] [ violate { drop}]}
switch(config-pmap-c-qos)# exit
switch(config-pmap-qos)# exit
switch(config)#

Polices cir in bits or as a percentage of the link rate. The conform action is taken if the data rate is <= cir. The actions are described in the Policer Actions for Exceed or Violate table and the Policer Actions for Conform table. The data rates and link speeds are described in the Data Rates for the police Command table and the Burst Sizes for the police Command table. See Configuring 1-Rate for more information.

The following information describes the drop option for violate:

  • set-cos-transmit—Set dscp and send it.

  • set-prec-transmit—Set precedence and send it.

  • set-qos-transmit—Set qos-group and send it.

Note

 

For cir pps, the packet size is 64 bytes. So the pps to bps conversion is 64*8.

Step 5

exit

Example:

switch(config-pmap-c-qos)# exit
switch(config-pmap-qos)#

Exits policy-map class configuration mode and enters policy-map mode.

Step 6

exit

Example:

switch(config-pmap-qos)# exit
switch(config)#

Exits policy-map mode and enters global configuration mode.

Step 7

show policy-map [type qos] [policy-map-name | qos-dynamic]

Example:

switch(config)# show policy-map type qos egressqos
 

Example:

switch(config)# policy-map type qos egressqos
class class-default
police cir 10 mbps bc 200 ms conform transmit violate drop

(Optional) Displays information about the configured policy map of type qos.

Step 8

copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional) Saves the running configuration to the startup configuration.

Configuring 1-Rate and 2-Rate, 2-Color and 3-Color Policing

The type of policer created by the device is based on a combination of the police command arguments described in the following Arguments to the police Command table.


Note


You must specify the identical value for pir and cir to configure 1-rate 3-color policing.



Note


A 1-rate 2-color policer with the violate markdown action is not supported.



Note


Cisco Nexus 9200 Series switches only support 1-rate 2-color policing.


Table 1. Arguments to the police Command

| Argument | Description |
| --- | --- |
| cir | Committed information rate, or desired bandwidth, specified as a bit rate or a percentage of the link rate. Although a value for cir is required, the argument itself is optional. The range of values is from 1 to 80000000000. The range of policing values is from 8000 to 80 Gbps. |
| percent | Rate as a percentage of the interface rate. The range of values is from 1 to 100 percent. |
| bc | Indication of how much the cir can be exceeded, either as a bit rate or an amount of time at cir. The default is 200 milliseconds of traffic at the configured rate. The default data rate units are bytes. |
| pir | Peak information rate, specified as a PIR bit rate or a percentage of the link rate. There is no default. The range of values is from 1 to 80000000000; the range of policing values is from 8000 bps to 480 Gbps. The range of percentage values is from 1 to 100 percent. |
| be | Indication of how much the pir can be exceeded, either as a bit rate or an amount of time at pir. When the bc value is not specified, the default is 200 milliseconds of traffic at the configured rate. The default data rate units are bytes. Note: You must specify a value for pir before the device displays this argument. |
| conform | Single action to take if the traffic data rate is within bounds. The basic actions are transmit or one of the set commands listed in the following Policer Actions for Conform table. The default is transmit. |
| exceed | Single action to take if the traffic data rate is exceeded. The basic actions are drop or markdown. The default is drop. |
| violate | Single action to take if the traffic data rate violates the configured rate values. The basic actions are drop or markdown. The default is drop. |

Although all the arguments in the above Arguments to the police Command table are optional, you must specify a value for cir. In this section, cir indicates its value but not necessarily the keyword itself. The combination of these arguments and the resulting policer types and actions are shown in the following Policer Types and Actions from Police Arguments Present table.

Table 2. Policer Types and Actions from Police Arguments Present

| Police Arguments Present | Policer Type | Policer Action |
| --- | --- | --- |
| cir, but not pir, be, or violate | 1-rate, 2-color | <= cir, conform; else violate |
| cir and pir | 2-rate, 3-color | <= cir, conform; <= pir, exceed; else violate |
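The following model is an added example, not code from Cisco or from this guide. It shows how the arguments in the table above decide a packet's color, using the token-bucket marker of RFC 2698 for the 2-rate case and a single bucket for the 1-rate case. The names Policer and simulate are hypothetical, and how the switch hardware implements the buckets is an assumption the page does not describe.

```python
# Added illustration: token-bucket model of the police colors. Not Cisco code;
# Policer and simulate are hypothetical names, and the buckets follow the
# RFC 2698 marker rather than any documented ASIC behaviour.

UNITS_PER_BYTE = 8_000_000  # one token unit = 1 bit-microsecond
DEFAULT_BURST_MS = 200      # page: default burst is 200 ms at the configured rate


def burst_bytes(rate_bps, burst_ms=DEFAULT_BURST_MS):
    """Burst size in bytes for a burst expressed as time at rate_bps."""
    return rate_bps * burst_ms // 8000


def pps_to_bps(pps):
    """Page note: cir in pps assumes 64-byte packets, so bps = pps * 64 * 8."""
    return pps * 64 * 8


class Policer:
    """cir only -> 1-rate, 2-color; cir and pir -> 2-rate, 3-color (Table 2)."""

    def __init__(self, cir_bps, pir_bps=None, bc_bytes=None, be_bytes=None):
        if cir_bps < 0:
            raise ValueError("cir must not be negative")
        if pir_bps is not None and pir_bps < cir_bps:
            raise ValueError("pir must be at least cir")
        self.cir, self.pir = cir_bps, pir_bps
        bc = burst_bytes(cir_bps) if bc_bytes is None else bc_bytes
        self.cbs = self.tc = bc * UNITS_PER_BYTE      # committed bucket starts full
        self.pbs = self.tp = 0
        if pir_bps is not None:
            be = burst_bytes(pir_bps) if be_bytes is None else be_bytes
            self.pbs = self.tp = be * UNITS_PER_BYTE  # peak bucket starts full
        self.last_us = 0

    @property
    def kind(self):
        return "1-rate, 2-color" if self.pir is None else "2-rate, 3-color"

    def color(self, now_us, size_bytes):
        """Return conform, exceed or violate for one packet arriving at now_us."""
        dt = now_us - self.last_us
        if dt < 0:
            raise ValueError("packets must be offered in time order")
        self.last_us = now_us
        cost = size_bytes * UNITS_PER_BYTE
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        if self.pir is None:                 # single bucket: conform or violate
            if self.tc < cost:
                return "violate"
            self.tc -= cost
            return "conform"
        self.tp = min(self.pbs, self.tp + self.pir * dt)
        if self.tp < cost:                   # above pir: no tokens are consumed
            return "violate"
        self.tp -= cost
        if self.tc < cost:                   # within pir but above cir
            return "exceed"
        self.tc -= cost
        return "conform"


def simulate(policer, offered_bps, pkt_bytes, duration_ms):
    """Offer evenly spaced packets; return bytes counted under each color."""
    interval_us = pkt_bytes * 8 * 1_000_000 // offered_bps
    totals = {"conform": 0, "exceed": 0, "violate": 0}
    for i in range(duration_ms * 1000 // interval_us):
        totals[policer.color(i * interval_us, pkt_bytes)] += pkt_bytes
    return totals


if __name__ == "__main__":
    # 256000 bps with the default 200 ms burst, offered twice the rate.
    print(simulate(Policer(256_000), 512_000, 64, 1000))
    # cir 10 mbps and pir 20 mbps (the page's shared-policer rates), offered 30 mbps.
    print(simulate(Policer(10_000_000, 20_000_000), 30_000_000, 1500, 1000))
    # cir 0 bps, as in default-ndb-out-policy: every packet violates.
    print(simulate(Policer(0), 1_000_000, 125, 10))
```

The first run shows the initial burst allowance being spent before the policer settles at the committed rate, which is why short measurements can show more conforming traffic than cir alone would suggest.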

The policer actions that you can specify are described in the following Policer Actions for Exceed or Violate table and the following Policer Actions for Conform table.


Note


Only drop and transmit actions are supported on the Cisco Nexus 9508 switch (NX-OS 7.0(3)F3(3) and later).


Table 3. Policer Actions for Exceed or Violate

| Action | Description |
| --- | --- |
| drop | Drops the packet. This action is available only when the packet exceeds or violates the parameters. |
| set-cos-transmit | Sets CoS and transmits the packet. |
| set-dscp-transmit | Sets DSCP and transmits the packet. |
| set-prec-transmit | Sets precedence and transmits the packet. |
| set-qos-transmit | Sets qos-group and transmits the packet. |

Table 4. Policer Actions for Conform

| Action | Description |
| --- | --- |
| transmit | Transmits the packet. This action is available only when the packet conforms to the parameters. |
| set-prec-transmit | Sets the IP precedence field to a specified value and transmits the packet. This action is available only when the packet conforms to the parameters. |
| set-dscp-transmit | Sets the differentiated service code point (DSCP) field to a specified value and transmits the packet. This action is available only when the packet conforms to the parameters. |
| set-cos-transmit | Sets the class of service (CoS) field to a specified value and transmits the packet. This action is available only when the packet conforms to the parameters. |
| set-qos-transmit | Sets the QoS group internal label to a specified value and transmits the packet. This action can be used only in input policies and is available only when the packet conforms to the parameters. |


Note


The policer can only drop or mark down packets that exceed or violate the specified parameters. For information on marking down packets, see the Configuring Marking section.


The data rates used in the police command are described in the following Data Rates for the police Command table.

Table 5. Data Rates for the police Command

| Rate | Description |
| --- | --- |
| bps | Bits per second (default) |
| kbps | 1,000 bits per second |
| mbps | 1,000,000 bits per second |
| gbps | 1,000,000,000 bits per second |

Burst sizes used in the police command are described in the following Burst Sizes for the police Command table.

Table 6. Burst Sizes for the police Command

| Speed | Description |
| --- | --- |
| bytes | bytes |
| kbytes | 1,000 bytes |
| mbytes | 1,000,000 bytes |
| ms | milliseconds |
| us | microseconds |


SUMMARY STEPS

  1. configure terminal
  2. policy-map [type qos] [match-first] [policy-map-name]
  3. class [type qos] {class-map-name | class-default} [insert-before before-class-name]
  4. police [cir] {committed-rate [data-rate] | percent cir-link-percent} [bc committed-burst-rate [link-speed]][pir] {peak-rate [data-rate] | percent cir-link-percent} [be peak-burst-rate [link-speed]] [conform {transmit | set-prec-transmit | set-dscp-transmit | set-cos-transmit | set-qos-transmit} [exceed {drop} [violate {drop | set-cos-transmit | set-dscp-transmit | set-prec-transmit | set-qos-transmit}]]}
  5. [ violate {drop | set-cos-transmit | set-dscp-transmit | set-prec-transmit | set-qos-transmit}]
  6. exit
  7. exit
  8. show policy-map [type qos] [policy-map-name | qos-dynamic]
  9. copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

policy-map [type qos] [match-first] [policy-map-name]

Example:

switch(config)# policy-map policy1
switch(config-pmap-qos)#

Creates or accesses the policy map named policy-map-name and then enters policy-map mode. The policy-map name can contain alphabetic, hyphen, or underscore characters, is case sensitive, and can be up to 40 characters.

Step 3

class [type qos] {class-map-name | class-default} [insert-before before-class-name]

Example:

switch(config-pmap-qos)# class class-default
switch(config-pmap-c-qos)#

Creates a reference to class-map-name and enters policy-map class configuration mode. The class is added to the end of the policy map unless insert-before is used to specify the class to insert before. Use the class-default keyword to select all traffic that is not currently matched by classes in the policy map.

Step 4

police [cir] {committed-rate [data-rate] | percent cir-link-percent} [bc committed-burst-rate [link-speed]][pir] {peak-rate [data-rate] | percent cir-link-percent} [be peak-burst-rate [link-speed]] [conform {transmit | set-prec-transmit | set-dscp-transmit | set-cos-transmit | set-qos-transmit} [exceed {drop} [violate {drop | set-cos-transmit | set-dscp-transmit | set-prec-transmit | set-qos-transmit}]]}

Polices cir in bits or as a percentage of the link rate. The conform action is taken if the data rate is <= cir. If be and pir are not specified, all other traffic takes the violate action. If be or violate are specified, the exceed action is taken if the data rate <= pir, and the violate action is taken otherwise. The actions are described in the Policer Actions for Exceed or Violate table and the Policer Actions for Conform table. The data rates and link speeds are described in the Data Rates for the police Command table and the Burst Sizes for the police Command table.

Step 5

[ violate {drop | set-cos-transmit | set-dscp-transmit | set-prec-transmit | set-qos-transmit}]

set-cos-transmit —Set cos and send it.

set-dscp-transmit —Set dscp and send it.

set-prec-transmit —Set precedence and send it.

set-qos-transmit —Set qos-group and send it.

Step 6

exit

Example:

switch(config-pmap-c-qos)# exit
switch(config-pmap-qos)#

Exits policy-map class configuration mode and enters policy-map mode.

Step 7

exit

Example:

switch(config-pmap-qos)# exit
switch(config)#

Exits policy-map mode and enters global configuration mode.

Step 8

show policy-map [type qos] [policy-map-name | qos-dynamic]

Example:

switch(config)# show policy-map

(Optional) Displays information about all configured policy maps or a selected policy map of type qos.

Step 9

copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional) Saves the running configuration to the startup configuration.

Example

This example shows how to display the policy1 policy-map configuration:

switch# show policy-map policy1

Configuring Markdown Policing

Markdown policing is the setting of a QoS field in a packet when traffic exceeds or violates the policed data rates. You can configure markdown policing by using the set commands for policing action described in the Policer Actions for Exceed or Violate table and the Policer Actions for Conform table.


Note


You must specify the identical value for pir and cir to configure 1-rate 3-color policing.


SUMMARY STEPS

  1. configure terminal
  2. policy-map [type qos] [match-first] [policy-map-name]
  3. class [type qos] {class-name | class-default} [insert-before before-class-name]
  4. police [cir] {committed-rate [data-rate] | percent cir-link-percent} [[bc | burst] burst-rate [link-speed]] [[be | peak-burst] peak-burst-rate [link-speed]] [conform conform-action [exceed [violate drop set dscp dscp table pir-markdown-map]]}
  5. exit
  6. exit
  7. show policy-map [type qos] [policy-map-name]
  8. copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

policy-map [type qos] [match-first] [policy-map-name]

Example:

switch(config)# policy-map policy1
switch(config-pmap-qos)#

Creates or accesses the policy map named policy-map-name and then enters policy-map mode. The policy-map name can contain alphabetic, hyphen, or underscore characters, is case sensitive, and can be up to 40 characters.

Step 3

class [type qos] {class-name | class-default} [insert-before before-class-name]

Example:

switch(config-pmap-qos)# class class-default
switch(config-pmap-c-qos)#

Creates a reference to class-name and enters policy-map class configuration mode. The class is added to the end of the policy map unless insert-before is used to specify the class to insert before. Use the class-default keyword to select all traffic that is not currently matched by classes in the policy map.

Step 4

police [cir] {committed-rate [data-rate] | percent cir-link-percent} [[bc | burst] burst-rate [link-speed]] [[be | peak-burst] peak-burst-rate [link-speed]] [conform conform-action [exceed [violate drop set dscp dscp table pir-markdown-map]]}

Polices cir in bits or as a percentage of the link rate. The conform action is taken if the data rate is <= cir. If be and pir are not specified, all other traffic takes the violate action. If be or violate are specified, the exceed action is taken if the data rate <= pir, and the violate action is taken otherwise. The actions are described in the Policer Actions for Exceed or Violate table and the Policer Actions for Conform table. The data rates and link speeds are described in the Data Rates for the police Command table and the Burst Sizes for the police Command table.

Step 5

exit

Example:

switch(config-pmap-c-qos)# exit
switch(config-pmap-qos)#

Exits policy-map class configuration mode and enters policy-map mode.

Step 6

exit

Example:

switch(config-pmap-qos)# exit
switch(config)#

Exits policy-map mode and enters global configuration mode.

Step 7

show policy-map [type qos] [policy-map-name]

Example:

switch(config)# show policy-map

(Optional) Displays information about all configured policy maps or a selected policy map of type qos.

Step 8

copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional) Saves the running configuration to the startup configuration.

Configuring UDE Policers

To configure unidirectional ethernet using QoS template, follow these steps.

SUMMARY STEPS

  1. hardware access-list tcam region egr-l2-qos 256, then copy run start, then reload
  2. interface type slot/port
  3. interface Ethernet1/22 service-policy type qos output default-ndb-out-policy

DETAILED STEPS

  Command or Action Purpose

Step 1

hardware access-list tcam region egr-l2-qos 256
copy run start
reload


TCAM carving.

Step 2

interface type slot/port

Example:

switch(config)# interface ethernet 2/5
switch(config-if)#

Enters interface mode on the interface specified.

Step 3

interface Ethernet1/22 service-policy type qos output default-ndb-out-policy

Block all the egress traffic on selected Ethernet ports.

Example

Execute the following command to see default-ndb-out-policy output:


switch# show policy-map type qos default-ndb-out-policy
Type qos policy-maps
====================
policy-map type qos default-ndb-out-policy
class class-ndb-default
police cir 0 bps conform transmit violate drop
N9K#

Execute the following command to get the UDE policer stats:


switch# sh policy-map interface ethernet 1/6 output type qos
Global statistics status : enabled
Ethernet1/6
Service-policy (qos) output: default-ndb-out-policy
SNMP Policy Index: 285213501
Class-map (qos): class-ndb-default (match-any)
Slot 1
61211339 packets 15669992128 bytes
5 minute offered rate 17721223780 bps
Aggregate forwarded :
61211339 packets 110848 bytes
police cir 0 bps
conformed 0 bytes, n/a bps action: transmit
violated 15669881280 bytes, n/a bps action: drop
UDE-CF#
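The following parser is an added example, not code from Cisco or from this guide. It reads the policer statistics shown above and reports anything that suggests the UDE block is not holding, such as conformed bytes or a forwarded counter above a recorded baseline (the guidelines note that a few packets may leak after a reboot). The function names and the baseline parameter are hypothetical; the sample text is the page's own output.

```python
# Added illustration: parse the UDE policer counters shown above and flag leaks.
# Not Cisco code; parse_policer_stats and ude_findings are hypothetical names.
import re

# Output copied from the page's example (indentation already lost in the page).
SAMPLE = """\
switch# sh policy-map interface ethernet 1/6 output type qos
Global statistics status : enabled
Ethernet1/6
Service-policy (qos) output: default-ndb-out-policy
SNMP Policy Index: 285213501
Class-map (qos): class-ndb-default (match-any)
Slot 1
61211339 packets 15669992128 bytes
5 minute offered rate 17721223780 bps
Aggregate forwarded :
61211339 packets 110848 bytes
police cir 0 bps
conformed 0 bytes, n/a bps action: transmit
violated 15669881280 bytes, n/a bps action: drop
"""


def parse_policer_stats(text):
    """Return one dict per class-map block found in the show output."""
    records, cur = [], None
    iface = policy = direction = None
    after_forwarded = False
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"Ethernet[\d/]+", line):
            iface = line
        elif (m := re.match(r"Service-policy \(qos\) (input|output):\s*(\S+)", line)):
            direction, policy = m.group(1), m.group(2)
        elif (m := re.match(r"Class-map \(qos\):\s*(\S+)", line)):
            cur = {"interface": iface, "direction": direction,
                   "policy": policy, "class": m.group(1)}
            records.append(cur)
            after_forwarded = False
        elif cur is None:
            continue
        elif line.startswith("Aggregate forwarded"):
            after_forwarded = True
        elif (m := re.fullmatch(r"(\d+) packets (\d+) bytes", line)):
            key = "forwarded" if after_forwarded else "matched"
            cur[key + "_packets"] = int(m.group(1))
            cur[key + "_bytes"] = int(m.group(2))
            after_forwarded = False
        elif (m := re.match(r"police cir (\d+) (\S+)", line)):
            cur["cir"] = m.group(1) + " " + m.group(2)
        elif (m := re.match(r"(conformed|violated) (\d+) bytes,.*action:\s*(\S+)", line)):
            cur[m.group(1) + "_bytes"] = int(m.group(2))
            cur[m.group(1) + "_action"] = m.group(3)
    return records


def ude_findings(rec, baseline_forwarded_bytes=0):
    """Return reasons this class is not a clean UDE block; empty means clean."""
    findings = []
    if (rec.get("policy"), rec.get("direction")) != ("default-ndb-out-policy", "output"):
        findings.append("default-ndb-out-policy is not attached in the output direction")
    if rec.get("cir") != "0 bps" or rec.get("violated_action") != "drop":
        findings.append("policer is not 'cir 0 bps ... violate drop'")
    if rec.get("conformed_bytes", 0) > 0:
        findings.append("%d bytes conformed and were transmitted" % rec["conformed_bytes"])
    forwarded = rec.get("forwarded_bytes", 0)
    if forwarded > baseline_forwarded_bytes:
        findings.append("forwarded counter %d is above the recorded baseline %d"
                        % (forwarded, baseline_forwarded_bytes))
    return findings


if __name__ == "__main__":
    for record in parse_policer_stats(SAMPLE):
        print(record["interface"], record["class"], ude_findings(record) or "clean")
```

In the page's sample the matched bytes minus the violated bytes equals the forwarded bytes, so recording the forwarded counter once the policy is in place and alerting on any later growth gives a simple leak check.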

Configuring Shared Policers

The shared policer feature allows you to apply the same policing parameters to several interfaces simultaneously. You create a shared policer by assigning a name to a policer, and then applying that policer to a policy map that you attach to the specified interfaces. The shared policer is also referred to as the named aggregate policer in other Cisco documentation.


Note


The shared policer feature is only supported on the Cisco Nexus 9508 switch (NX-OS 7.0(3)F3(3) and later).



Note


When the shared policer is applied on interfaces or VLANs with member ports that are across different cores or instances, the rate becomes two times the configured cir rate.


To configure a shared policer:

  1. Create the class map.

  2. Create a policy map.

  3. Reference the shared policer to the policy map as described in this section.

  4. Apply the service policy to the interfaces.


Note


The rates specified in the shared policer are shared by the number of interfaces to which you apply the service policy. Each interface does not have its own dedicated rate as specified in the shared policer.


SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# qos shared-policer [type qos] shared-policer-name [cir] {committed-rate [data-rate] | percent cir-link-percent} [bc committed-burst-rate [link-speed]] [pir] {peak-rate [data-rate] | percent cir-link-percent} [be peak-burst-rate [link-speed]] {{conform conform-action [exceed {drop | set dscp dscp table cir-markdown-map} [violate {drop | set dscp dscp table pir-markdown-map}]]}}
  3. switch(config)# policy-map [type qos] [match-first] {qos-policy-map-name | qos-dynamic}
  4. switch(config-pmap-qos)# class [type qos] {class-map-name | qos-dynamic | class-default} [insert-before before-class-map-name]
  5. switch(config-pmap-c-qos)# police aggregate shared-policer-name
  6. switch(config-pmap-c-qos)# exit
  7. switch(config-pmap-qos)# exit
  8. (Optional) switch(config)# show policy-map [type qos] [policy-map-name | qos-dynamic]
  9. (Optional) switch(config)# copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# qos shared-policer [type qos] shared-policer-name [cir] {committed-rate [data-rate] | percent cir-link-percent} [bc committed-burst-rate [link-speed]] [pir] {peak-rate [data-rate] | percent cir-link-percent} [be peak-burst-rate [link-speed]] {{conform conform-action [exceed {drop | set dscp dscp table cir-markdown-map} [violate {drop | set dscp dscp table pir-markdown-map}]]}}

Creates or accesses the shared policer. The shared-policer-name can contain alphabetic, hyphen, or underscore characters, is case sensitive, and can be up to 40 characters. Polices cir in bits or as a percentage of the link rate. The conform action is taken if the data rate is ≤ cir. If be and pir are not specified, all other traffic takes the violate action. If be or violate are specified, the exceed action is taken if the data rate ≤ pir, and the violate action is taken otherwise.

Note

 

A 64 byte packet size is used for the case of cir pps. This results in a 64*8 pps to bps conversion.

Note

 

The cir-markdown-map and pir-markdown-map maps are not supported on the Cisco Nexus 9508 switch (NX-OS 7.0(3)F3(3)).

Step 3

switch(config)# policy-map [type qos] [match-first] {qos-policy-map-name | qos-dynamic}

Creates or accesses the policy map named qos-policy-map-name, and then enters policy-map mode. The policy-map name can contain alphabetic, hyphen, or underscore characters, is case sensitive, and can be up to 40 characters.

Step 4

switch(config-pmap-qos)# class [type qos] {class-map-name | qos-dynamic | class-default} [insert-before before-class-map-name]

Creates a reference to class-map-name, and enters policy-map class configuration mode. The class is added to the end of the policy map unless insert-before is used to specify the class to insert before. Use the class-default keyword to select all traffic that is not currently matched by classes in the policy map.

Step 5

switch(config-pmap-c-qos)# police aggregate shared-policer-name

Creates a reference in the policy map to shared-policer-name.

Step 6

switch(config-pmap-c-qos)# exit

Exits policy-map class configuration mode and enters policy-map mode.

Step 7

switch(config-pmap-qos)# exit

Exits policy-map mode and enters global configuration mode.

Step 8

(Optional) switch(config)# show policy-map [type qos] [policy-map-name | qos-dynamic]

(Optional)

Displays information about all configured policy maps or a selected policy map of type qos.

Step 9

(Optional) switch(config)# copy running-config startup-config

(Optional)

Saves the running configuration to the startup configuration.

Example

This example shows how to display the test1 shared-policer configurations:


switch# show qos shared-policer test1

Verifying the Policing Configuration

To display the policing configuration information, perform one of the following tasks:

| Command | Purpose |
| --- | --- |
| show policy-map | Displays information about policy maps and policing. |

Configuration Examples for Policing

The following example shows how to configure policing for a 1-rate, 2-color policer:

configure terminal
  policy-map policy1
    class one_rate_2_color_policer
      police cir 256000 conform transmit violate drop

The following example shows how to configure policing for a 1-rate, 2-color policer with DSCP markdown:

configure terminal
  policy-map policy2
    class one_rate_2_color_policer_with_dscp 
      police cir 256000 conform transmit violate drop

The following example shows how to configure policing for a shared policer:


configure terminal
 qos shared-policer type qos udp_10mbps cir 10 mbps pir 20 mbps conform transmit exceed set dscp dscp table cir-markdown-map violate drop
 policy-map type qos udp_policy
  class type qos udp_qos
   police aggregate udp_10mbps