About QoS Policing
Why Traffic Policing
Allowing you to control the maximum rate of traffic transmitted or received on an interface, traffic policing is typically configured on interfaces at the edge of a network to limit traffic into the network. In most traffic policing configurations, traffic that falls within the rate parameters is transmitted whereas traffic that exceeds the parameters is dropped or marked (and transmitted).
Note |
Unlike a shaper, a policer does not buffer packets. Rather, the specified action is taken immediately. |
Typically, we use policers for admission control: queue or network.
Queue Admission Control limits the amount of data that can enter a queue. A priority queue is representative of this category wherein we avoid latency by limiting the rate at which packets may be enqueued.
Network Admission Control enforces a contract between the network administrator (service provider) and his customers. Generally both will agree on the rate at which the provider should accept traffic. This could be the service-rate (max rate for all the traffic customer sends to provider) or a per-class restriction (e.g., the amount of priority traffic a customer may send).
-
Using network admission control, you may decide to either drop excess traffic immediately or mark that traffic as ‘out of contract.’ If the latter, you can either provide that traffic a lesser treatment or drop it first if (and when) congestion occurs within this network.
Policer Definitions
Note |
The terms Policer and Rate Limiter usually refer to the same QoS mechanism. Policer (Policing) will be used throughout this document. |
A policer is a device that allows you to define different treatments for packets within the same traffic class depending on whether packets are received above or below a specified rate(s).
In its simplest form, a policer indicates that traffic above a specified rate should be dropped:
policy-map police-all-traffic
class class-default
police 1m
Traffic through this class arriving at a rate less than 1 Mbps is considered conforming (adhering to the specified rate). The default action for conforming traffic is to forward packets.
Traffic arriving at a rate exceeding 1 Mbps is considered exceeding the configured rate. The default action for exceeding traffic is to drop packets.
The following definitions are relevant to understanding the sections that follow.
TERM | DEFINITION | ||
Bc (Conforming Burst Size) |
Defines a burst tolerance used in conjunction with the CIR to determine whether packets are considered conforming. |
||
Be (Excess Burst Size) |
Meaning depends on whether the three-color policer is single or dual rate:
|
||
Burst |
When numerous packets arrive closely together.
|
||
CIR (Committed Information Rate) |
The maximum amount of data that can be forwarded in a given interval. |
||
Conform |
Traffic that arrives at a rate less than the CIR (allowing for burst). |
||
Exceed |
Meaning depends on whether the type of policer is single or dual, two-or three-color:
|
||
PIR (Peak Information Rate) |
(only
relevant to dual-rate policers) Traffic below this rate is exceeding; above,
violating.
PIR is the higher rate configured in a dual rate policer. This rate is the differentiator between traffic designated Exceeding and Violating. |
||
Violate |
Meaning depends on policer type:
|
Policer Actions
In the previous example, copied below, we used a policer in its most basic form:
policy-map police-all-traffic
class class-default
police 1m
Conforming traffic was allowed to pass through the policer (transmitted traffic below 1m) whereas exceeding traffic was dropped. We took immediate action when we recognized that traffic had exceeded the specified rate. However, you may not want to always take immediate action. You might want to defer action rather than immediately drop traffic.
For example, you may decide that traffic above the predetermined rate should only be dropped if the network is congested. If so, you might choose to forward all traffic but mark something in the packet (e.g., DSCP) differently for conforming and exceeding traffic. The decision on whether or not to drop can then be made at the congestion point.
In the following example, we mark rather than drop traffic. We define a traffic class as any traffic arriving with a DSCP value of AF41 and demote traffic exceeding a specified rate to AF42:
policy-map ma
rk-out-of-contract
class AF41
police 1m conform-action transmit exceed-action set-dscp-transmit AF42
The conform-action is to transmit traffic (simply forward, default action) arriving at a rate less than or equal to the specified 1 Mbps rate.
The exceed-action for traffic exceeding 1 Mbps is to mark the packet's DSCP value rather than drop traffic.
Transmit and drop represent actions specified for traffic conforming to or exceeding the specified rate. You specify an action with the police command. Supported actions are listed in the following table.
Specified Action |
Result |
---|---|
drop |
Drops the packet. |
set-clp-transmit |
Sets the ATM Cell Loss Priority (CLP) bit of the ATM cell and transmits the packet. |
set-cos-inner-transmit cos-value |
For Q-in-Q deployments, sets the packet inner Class of Service (CoS) value and transmits the packet. CoS value ranges from 0 to 7. |
set-cos-transmit cos-value |
Sets the packet Class of Service (CoS) value and transmits the packet. CoS value ranges from 0 to 7. |
set-discard-class-transmit discard-class-value |
Sets the discard-class value and transmits the packet. Discard-class value ranges from 0 to 7. |
set-dscp-transmit dscp-value |
Sets the IP differentiated services code point (DSCP) value and transmits the packet. Valid values range from 0 to 63. |
set-dscp-tunnel-transmit dscp-value |
Stores a differentiated services code point (DSCP) value that will be written to a tunnel header if and when such a header is added to the current packet. |
set-frde-transmit |
Sets the Frame Relay discard eligibility (DE) bit and transmits the frame. |
set-mpls-exp-imposition-transmit mpls-exp-value |
Sets the MPLS EXP bits in the imposed label headers and transmits the packet if and when MPLS labels are imposed. Valid values range from 0 to 7. |
set-mpls-exp-topmost-transmit mpls-exp-value |
Sets the MPLS EXP bit on topmost label and transmits the packet. Valid values range from 0 to 7. |
set-prec-transmit precedence-value |
Sets the IP Precedence level and transmits the packet. Valid values range from 0 to 7. |
set-prec-tunnel-transmit precedence-value |
Stores an tunnel IP Precedence value that will be written to a tunnel header if and when such a header is added to the current packet. Valid values range from 0 to 7. |
set-qos-transmit qroup-id |
Sets the "qos-group" value and transmits the packet. Valid values range from 0 to 99. |
transmit |
Transmits the packet without modifying any field therein. |
Note |
The rules for policer actions are very similar to those for the set command. You can only mark Layer 2 and outer Layer 3 headers. |
Multi-Action Policer
In the previous section we saw how a policer can be configured to mark some field in the packet. In fact, we can mark multiple fields in the packet.
You can apply multiple actions to traffic within each rate designation, analogous to how you configure multiple set actions within a traffic class. For example, if you know a packet will be transmitted through both a TCP/IP and a Frame Relay environment, you can change the DSCP value of the exceeding or violating packet, and also set the Frame Relay Discard Eligibility (DE) bit from 0 to 1 to indicate lower priority.
When specifying multiple policing actions, observe the following:
-
You must enter policy-map class police configuration (config-pmap-c-police) submode.
-
You can specify a maximum of four actions simultaneously, one line per action.
-
You cannot specify contradictory actions such as conform-action transmit and conform-action drop .
Analogous to the set command, you can either configure multiple actions on the same packet (e.g., marking Layer 2 and Layer 3 fields) or define actions for different traffic types (e.g., marking the DSCP value in IPv4 packets and experimental (EXP) bits in MPLS packets).
In the following example, we cap RTP traffic (rtp-traffic
) at 1 Mbps and drop traffic exceeding that rate (exceed-action drop
). For conforming traffic, we mark both the COS and DSCP values in IPv4 packets and the COS and EXP bits in MPLS packets:
class rtp-traffic
police cir 1000000
conform-action set-cos-transmit 4
conform-action set-dscp-transmit af41
conform-action set-mpls-exp-topmost-transmit 4
exceed-action drop
All packets in a traffic class count towards the rate seen by that class but actions are applied only to applicable traffic. For example, imagine that IPv4 and MPLS packets are classified into the same traffic class and a policer is configured to mark a specific DSCP value. Both IPv4 and MPLS packets count towards the observed rate, but only IPv4 packets can be marked.
Note |
Configuring multiple actions is supported for single and dual-rate policers. (See Single-Rate, Two-Color Policer and Dual-Rate, Three-Color Policer.) |
A Note on CLI Variants
This section shows how multiple variants of the CLI can achieve the same result.
Context
The variations have emerged in different Cisco IOS software releases over time and as software trains have merged. Within the same software release, three equivalent variants exist. To avoid backwards compatibility issues, we decided to retain the variants. Please note, however, that the software implementing the policing is identical regardless of the CLI variant used.
Illustration
For the following examples, we set police to 10 Mbps, conform action to transmit (default), and exceed action to drop (default). At a "high" level we have three variants of the police command that achieve the same result: police value , police cir value , and police rate value . This set of variants is equivalent to: police [cir|rate] value , where cir and rate are optional. With a rate of 10 Mbps, we can build the following command: police [cir|rate] 10m .
Using each variant to configure policing:
policy-map policer-cli-example
class class-default
police 10000000
policy-map policer-cli-example
class class-default
police cir 10m
policy-map policer-cli-example
class class-default
police rate 10m
To verify that the three variants yield the same result, you can use two stages of verification:
-
Issue show policy-map interface to display the configuration within IOS.
-
Issue show platform hardware qfp active feature qos interface to illustrate how we program hardware. This display is unchanged regardless of the CLI variant used.
Let's run Step 1:
show policy-map int GigabitEthernet1/0/0
Service-policy input: policer-cli-example
Class-map: class-default (match-any)
162 packets, 9720 bytes
5 minute offered rate 2000 bps, drop rate 0000 bps
Match: any
police:
cir 10000000 bps, bc 312500 bytes
conformed 212 packets, 12720 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 2000 bps, exceeded 0000 bps
Next, let's run Step 2:
show platform hardware qfp active feature qos int g1/0/0
Interface: GigabitEthernet1/0/0, QFP interface: 12
Direction: Input
Hierarchy level: 0
Policy name: policer-cli-example
Class name: class-default, Policy name: policer-cli-example
Police:
cir: 10000000 bps, bc: 315392 bytes
pir: 0 bps, be: 315392 bytes
rate mode: Single Rate Mode
conformed: 16 packets, 960 bytes; actions:
transmit
exceeded: 0 packets, 0 bytes; actions:
drop
violated: 0 packets, 0 bytes; actions:
drop
color aware: No
green_qos_group: 0, yellow_qos_group: 0