The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The Hierarchical Color-Aware Policing feature provides two levels of policing where the policer ordering is evaluated from child to parent, and there is preferential treatment of certain traffic at the parent level.
You must have Cisco IOS XE Release 3.15S or a later version installed and running on your router.
You must already be familiar with relevant features and technologies including modular QoS CLI (MQC) and the master control processor (MCP) software and hardware architecture. The Additional References section provides pointers to relevant feature and technology documents.
The following restrictions apply to the Hierarchical Color-Aware Policing feature:
Color-aware class maps support only QoS group matching.
Color-aware statistics are not supported, only existing policer statistics.
Color-aware class map removal (using the no class-map class-map-name command) is not allowed while the class map is being referenced in a color-aware policer. It must be removed from all color-aware policers (using either the no conform-color class-map-name or no exceed-color class-map-name command first).
By default, the child policer is color-blind. If any control traffic is classified as default class then it may be dropped.
For dual policers in HQoS policy, if parent policer is color-aware, child level policer cannot be configured as color-aware and is rejected.
When parent policer is color-aware, child cannot be configured with PIR, it can only be a 1R2C policer.
QoS-group can be set in child policer through tablemap, but complete child class classification should map either to conform class qos-group or exceed class qos-group.
When a parent has a color-aware policy, packets to the parent take the color marking of the child policer.
The colors for a parent policy using a single rate, three color-policer (1r3c) or dual rate three color-policer (2r3c) scheme are:
· green for conform-action
· yellow for exceed-action
· red for violate-action.
However, the policer at the child level only supports single rate, two color-policer (1r2c) scheme, and the colors are green for conform-action, and red for exceed-action.
So, even if the exceed action of a child policer is ‘transmit’, all exceed (red) packets from the child policer will always fall into the red bucket of the parent.
You must, therefore, ensure that the conform-color and exceed-color classes together form a superset of the respective class matches so as to avoid packets being treated as red and therefore, being dropped.
See the following images for more information.
Single-Rate, Color-Aware, Three-Color Policer
Dual-Rate, Color-Aware, Three-Color Policer
Policers are evaluated from child to parent in QoS policies. This ordering is not configurable for both ingress and egress directions.
The following sample configuration for a simple two-level policer would result in the changed behavior shown in the figure below:
policy-map child
class user1
police 100k
class user2
police 100k
policy-map parent
class class-default
police 150k
service-policy child
The following sample configuration for a simple two-level color-aware policer would result in the changed behavior shown in the figure below:
ip access-list extended user1-acl
permit ip host 192.168.1.1 any
permit ip host 192.168.1.2 any
ip access-list extended user2-acl
permit ip host 192.168.2.1 any
permit ip host 192.168.2.2 any
class-map match-all user1-acl-child
match access-group name user1-acl
class-map match-all user2-acl-child
match access-group name user2-acl
class-map match-all hipri-conform
match qos-group 5
policy-map child-policy
class user1-acl-child
police 10000 bc 1500
conform-action set-qos-transmit 5
class user2-acl-child
police 20000 bc 1500
conform-action set-qos-transmit 5
class class-default
police 50000 bc 1500
policy-map parent-policy
class class-default
police 50000 bc 3000
confirm-action transmit
exceed-action transmit
violate-action drop
conform-color hipri-conform
service-policy child-policy
 Note |
To avoid drops at the parent level for "conformed" child traffic, the parent policer must have a rate and burst that are equal to or greater than the sum of the child conform rates and burst sizes. There is no check for inappropriate (parent-to-child) rates and burst sizes in code. You must be aware of this limitation and configure appropriately. In the following example, explicit marking actions are supported in conjunction with color-aware policing and operate similarly color-aware policer marking actions. If these marking actions ("set qos-group," for example) are present in the child policies, the resulting bit values are evaluated by the parent color-aware policer (same as for child policer marking actions): 50k >= 10k (user1-acl-child) + 20k (user2-acl-child) |
Prior to the release of the Hierarchical Color-Aware Policing feature, policing and marking were typically used as input QoS options. For example, a voice customer was limited to 112 kb/s for voice control and 200 kb/s for voice traffic. The class-default class has no policer. The only limit is the physical bandwidth of the xDSL connection. As shown in the figure below, a customer could send up to 1000 kb/s. However, this involved sending more voice and voice-control packets, which required policing the traffic for both classes.
As shown in the figure below, it is important to control the overall input bandwidth. The important requirement is that the premium traffic in the overall limit is not affected. In the figure below, voice and voice-control packets are not dropped in the overall limit. Only packets from the child class-default class are dropped to fulfill the limit.
The first classes function the same way. Voice and voice-control are policed to the allowed level and the class-default class is not affected. In the next level, the overall bandwidth is forced to 500 kb/s and must only drop packets from the class-default class. Voice and voice-control must remain unaffected.
The order of policer execution is as follows:
Police the traffic in the child classes, as shown in the figure above, police VoIP-Control class to 112 kb/s, police VoIP class to 200 kb/s, and police class-default to 500 kb/s.
Police the traffic in the class default of the parent policy map, but only drop the traffic from the child class default, and do not drop the remaining child classes. As shown in the figure above, 112 kb/s VoIP-Control and 200 kb/s VoIP traffic are unaffected at the parent policer, but 500 kb/s class default from the child is policed to 188kb/s to meet the overall police policy of 500 kb/s at the parent level.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
| Step 3 |
policy-map policy-map-name Example: |
Enters policy-map configuration mode and creates a policy map. |
| Step 4 |
class {class-name | class-default} Example: |
Enters policy-map class configuration mode. Specifies the name of the class whose policy you want to create or change or specifies the default class (commonly known as the class-default class) before you configure its policy. Repeat this command as many times as necessary to specify the child or parent classes that you are creating or modifying:
|
| Step 5 |
conform-color class-map-name [exceed-color class-map-name] Example: |
Enables color-aware traffic policing and creates the conform-color and exceed-color class-maps used for color-aware traffic policing. The conform-color class-map-name command creates the conform-color class. The exceed-color class-map-name option creates the exceed-color class. |
| Step 6 |
police [cir cir ] [bc conform-burst ] [pir pir ] [be peak-burst ] [conform-action action [exceed-action action [violate-action action ]]] [conform-color hipri-conform ] [exceed-color lipri-exceed ] Example:Example: |
Configures traffic policing and specifies multiple actions applied to packets marked as conforming to, exceeding, or violating a specific rate. Enters policy-map class police configuration mode. Use one line per action that you want to specify:
|
| Step 7 |
service-policy policy-map-name Example: |
Specifies a service policy as a QoS policy within a policy map (called a hierarchical service policy).
|
| Step 8 |
end Example: |
Exits the current configuration mode. |
The following is a sample configuration for the Hierarchical Color-Aware Policing feature:
class-map qos_group1
match qos_group 1
class-map qos_group2
match qos_group 2
Class-map cos1
match cos 1
class-map cos 2
match cos 2
policy-map tc001_ch
class cos1
police cir 20000000 bc 625000
conform-action set-qos-transmit 1
exceed-action drop
class cos2
police cir 50000000 bc 1562500
conform-action set-qos-transmit 2
exceed-action drop
policy-map tc001_parent
class class-default
police cir 70000000 bc 2187500 pir 100000000 be 3125000
conform-color qos_group1 exceed-color qos_group2
conform-action transmit
exceed-action transmit
violate-action drop
service-policy tc001_child
The following example shows a sample configuration that enables the Hierarchical Color-Aware Policing feature:
class-map qos_group1
match qos_group 1
class-map qos_group2
match qos_group 2
class-map cos1
match cos 1
class-map cos 2
match cos 2
policy-map tc001_ch
class cos1
police cir 20000000 bc 625000
conform-action set-qos-transmit 1
exceed-action drop
class cos2
police cir 50000000 bc 1562500
conform-action set-qos-transmit 2
exceed-action drop
policy-map tc001_parent
class class-default
police cir 70000000 bc 2187500 pir 100000000 be 3125000
conform-color qos_group1 exceed-color qos_group2
conform-action transmit
exceed-action transmit
violate-action drop
service-policy tc001_childThe following example shows that an active color-aware class map cannot be disallowed:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# no class-map hipri-conform
Class-map hipri-conform is being used
The following example shows how to dismantle the configuration of the Hierarchical Color-Aware Policing feature:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# no policy-map parent-policy
Router(config)# no policy-map child-policy
Router(config)# no class-map hipri-conform
Router(config)# no class-map user1-acl-child
Router(config)# no class-map user2-acl-child
The following is sample output from the show policy-map interface command when a policy with hierarchical color-aware policing is applied:
Router# show policy-map interface
GigabitEthernet0/0/0
Service-policy input: parent-policy
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
police:
cir 50000 bps, bc 3000 bytes, be 3000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
transmit
violated 0 packets, 0 bytes; actions:
drop
No color-aware policing statistics available
conformed 0000 bps, exceed 0000 bps, violate 0000 bps
Service-policy : child-policy
Class-map: user1-acl-child (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name user1-acl
police:
cir 10000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions:
set-qos-transmit 5
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceed 0000 bps
Class-map: user2-acl-child (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name user2-acl
police:
cir 20000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions:
set-qos-transmit 5
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceed 0000 bps
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
police:
cir 50000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceed 0000 bps| Related Topic | Document Title |
|---|---|
|
Cisco IOS commands |
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mcl/allreleasemcl/all-book.html |
| Standard/RFC | Title |
|---|---|
|
No specific Standards and RFCs are supported by the features in this document. |
— |
| MIB | MIBs Link |
|---|---|
| — |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
| Description | Link |
|---|---|
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feedback