QoS Policing Configuration Example

That’s fast!!

Well explained Rene!


Hi Rene, thanks for the good content.

I understand why we need a single rate(two color) vs a single rate(three color) but I am just struggling with these questions:
-Why do we need the dual rate (three color)?
-Is there a case where we prefer one from another?

  • is one “better” the the other? (dual rate three color vs single rate three color)

Thanks man!

Juan Pablo,
The difference between a single rate three color (1-3C) vs a dual rate three color (2-3C) is more apparent when you compare the traffic rates between them over the long term.

As the name implies, the 1-3C has just a single rate, the CIR. Your ability to send traffic at a rate higher than the CIR for a short time is only possible because you had NOT sent at the full CIR before–so you are allowed to “make up” the difference. Even though in some instances you can send traffic that exceeds the CIR, over the long run, the theoretic maximum is the CIR.

Unlike 1-3C, it is possible to send a higher average rate than the CIR, even over a long period of time. This is possible because of the second rate, the PIR. The PIR will allow you to exceed consistently the CIR, but it is up to your service provider as to what happens to the traffic that goes above the CIR. The reason a provider would give you a 2-3C connection is because the provider knows they have enough excess capacity that their customers could send more data than their CIR allows, but maybe not all customers doing this at once. From the Provider’s point of view, the PIR is a sort of bonus incentive for you to sign up with them.

However, the provider needs to protect itself should all of their customers decide to max out the PIR rate. Usually providers will say something like, “we will guarantee your traffic up to the CIR will get such and such a priority, but anything above the CIR will be best effort only.” This means providers can throw away the traffic between the CIR and PIR should their network get saturated.

Which is Better?
If you were given a choice between a 1-3C and a 2-3C, go for the 2-3C. As long as you are okay with the possibility of excess traffic not making it through the provider’s network in all cases, you gain two benefits:

  1. The ability to send at a higher rate than the CIR over the long run (free data!)
  2. The ability to deal with very bursty or chatting traffic more predictably. What happens if your application really needs to send extra data, but your Be buckets are empty with 1-3C? Too bad for you! With 2-3C you at least have the possibility of your traffic getting through.

I hope that makes sense!


Hi Andrew, thanks for the explanation.

I get it now, clearly the 2-3C have more benefits but it all depends of the ISP capabilities. And it makes sense because I have seen several ISPs with 1-3C configs and a few 2-3C, maybe these are some premium clients or something like that.

I will definitely try to get a 2-3C service from now on :smiley: (free dada is always welcome).


Hi Rene/ Andrew,

Is the policy map can be apply to the switch access port, trunk port, and SVI?


Hello Davis.

Keep in mind that the QoS policing that Rene has implemented in this lesson functions at Layer 3. You can see this by the fact that the configuration applied matches layer 3 protocols (such as ICMP). So this means that this policy map can be applied to a Router interface, or to a Routed interface on a switch, or an SVI on a switch. Access and trunk ports are layer 2 so this implementation cannot be applied.

However, as Cisco documentation states, “To police bridged (Layer 2 [L2]) traffic as well, you need to enable bridged microflow policing.” If you’re interested in reading more, check it out here: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/12493-102.html#parameters

I hope this has been helpful!


Hi Laz,



Hi Rene,

How can we validate the count of confirm/exceed/violate for a given CIR value. For eg , Single rate 2 color?

Can you pls provide an example?


Hello Rene,

Again a great article .
Is it correct way to read this example :

  1. customer can send 128K traffic without any issue but if it exceeds beyond 128, that is also allowed but with DSCP 0 (best effort). but then my doubt is - where is the limit on traffic , customer can send traffic as much as they want ?
  2. what exactly dscp 0 is doing here with traffic - can you just explain in a nut-shell please ?
  3. If customer has purchased 128K and with a burst up to 200K, what will be the below config ?
  4. Now as a customer, if I myself want to put policing on my outgoing interface , will same config work ?
R2(config)#policy-map SINGLE-RATE-THREE-COLOR
R2(config-pmap)#class ICMP
R2(config-pmap-c)#police 128000 
R2(config-pmap-c-police)#conform-action transmit 
R2(config-pmap-c-police)#exceed-action set-dscp-transmit 0
R2(config-pmap-c-police)#violate-action drop



  1. The answer this depends on whether we are talking about two color or three color. If you are talking two color with 128K or less being within policy, and the provider is allowing excess traffic but remarking it as DSCP 0, then yes, you have the ability to transmit up to whatever your physical link bandwidth would be. Of course, who knows what would happen to exceeding traffic later within the provider’s network–it might get dropped later if there is congestion elsewhere. This leads in to your question #2

  2. The purpose of remarking exceeding traffic as DSCP 0 is so the provider will know what traffic it can “throw away” first if the ISP network starts to get congested. Presumably, the provider has an SLA with you that says they guarantee traffic will flow through their network with a certain kind of higher level treatment for any traffic below 128 K. Once you exceed 128Kbps, however, that guarantee no longer applies. So how can the ISP distinguish between normal and exceeding traffic? That is the purpose of their policer that marks the traffic as DSCP 0.

  3. For 128K SLA with bursting to 200K, you would see something like this on the provider’s end:

R2(config)#policy-map SINGLE-RATE-THREE-COLOR
R2(config-pmap)#class class-default
R2(config-pmap-c)#police 128000 200000
R2(config-pmap-c-police)#conform-action transmit 
R2(config-pmap-c-police)#exceed-action set-dscp-transmit 0
R2(config-pmap-c-police)#violate-action drop
  1. As a customer, it is generally not a good idea to police your own traffic, since you are simply dropping it. It is better to put a shaper on the other end of a policer. So in this case, the ISP would have the policer, and you would create a shaper based on the ISP’s police values. These should match as closely as possible. With a shaper, you are queuing your own traffic, but from your application’s point of view it is probably better to delay the traffic than to lose it.

There is a lesson on shaping here: https://networklessons.com/topic/traffic-shaping-on-cisco-ios/

1 Like

Thanks Andrew for correcting me.

SO lets say now I have this requirement as a customer.

ISP will give me a 50 MB link and they also allow me to burst upto 70 MBPS as a part of traffic contract. so they are going to put a policier on their end with similar config that you suggested .

Now on my end…I have to use shaping which means whenever my traffic reaches 70 MBPS i should be able to shape (buffer) it and not drop , hence i should use shaping config. but i am not able to figure out how to use these options for my case :

R1(config-pmap-c)#shape ?
  adaptive        Enable Traffic Shaping adaptation to BECN
  average         configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
                  send out Bc only per interval
  fecn-adapt      Enable Traffic Shaping reflection of FECN as BECN
  fr-voice-adapt  Enable rate adjustment depending on voice presence
  max-buffers     Set Maximum Buffer Limit
  peak            configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
                  send out Bc+Be per interval

Can you please give me a sample config , many thanks


Hi Rene,

I have three questions :-

1- In your example of Single-Rate-Three-Color how much the the traffic will be exceed so the violate-action drop the packets ?
2- After police keyword we can specify bits per second directly and also we can specify it with cir !! what is the difference ?
3- You said that bc select a value based on the CIR rate, what the formula it’s used ? and I see 4000 bytes is not enough and give only 1/4 of CIR rate ??? and when we need to configure bc ourselves ?? can you please explain this in detail for me ??

Hello Hussein

The police CIR is set to 128000, the BC is set to 4000 and the BE is set to 4000.

So, any packets that are within the 128000 CIR limit plus the 4000 BC limit are conforming. These will be transmitted and their DSCP values will be unchanged.

Any packets arriving above the 128000 + 4000 limit and within the additional BE limit of 4000 fall into the exceed action category. These are transmitted but their DSCP values are modified to 0.

Finally, any packets arriving above the BE limit are violating, so these will be discarded.

The BE and BC values can be seen in the output of the show policy-map interface FastEthernet 0/0 command. These must be configured manually, otherwise the Cisco IOS will select them automatically based on the CIR rate.

The police cir command is always followed by a percent value. The value indicated is the percent of the CIR which will be used to determine conforming. The police bps command is a value in bytes per second.

By default the Cisco IOS will choose a BC that is 1/32 of the CIR. In this case, 128000/32 = 4000.

I hope this has been helpful!


1 Like

I don’t get the difference between exceeded-action and violate-drop

Hi Juan,

Three-Color Policing has three different actions that you can perform:

  • conform action
  • exceed action
  • violate action

These three are just names, they don’t define the action that the policer takes. If you wanted to, you could set a drop action for “conform-action”.

The main reason we use three different actions is that you can do something like this:

R2(config)#policy-map SINGLE-RATE-THREE-COLOR
    R2(config-pmap)#class ICMP
    R2(config-pmap-c)#police 128000 
    R2(config-pmap-c-police)#conform-action transmit 
    R2(config-pmap-c-police)#exceed-action set-dscp-transmit 0
    R2(config-pmap-c-police)#violate-action drop

When traffic conforms, we transmit it. When it exceeds…we don’t want to drop it but reset the DSCP to 0. When it’s in violation, that’s when we drop it.

When you use PIR, traffic is exceeding when it is above CIR but below the PIR. When traffic is above the PIR, then it’s violating.

Hope this helps!


thank you Rene.

Yes, i understand the concepts but,

following your example, conform action transmit for class ICMP i guess you previously had to match icmp traffic, then apply the policy for icmp traffic, so conform action transmit (if there exist icmp traffic) would be transmited and limited to 128Kbps, if the ICMP traffic exceed 128Kbps it won’t be dropped but remarked again, this time with dscp 0 (best-effort), and if there isn’t icmp traffic it will be dropped.

thats correct ?

Hi Juan,

When there is ICMP traffic, it will be forwarded (without alteration) up to 128 Kbps. Once it goes above 128 Kbps but is still below the PIR, it will indeed be remarked to DSCP 0 and still be forwarded.

ICMP traffic that is above the PIR is exceeding and will be dropped.

I didn’t show the class-map but if you only match ICMP traffic in the class-map then that’s the only traffic that the policy-map works for. All other non-ICMP traffic is not policed and gets forwarded at the interface rate.


Hi Rene,
I got this lesson as well, one point if we didn’t configure any confirm-action, exceeding-action or violation-action, just cir. what will router do when traffic out of cir we configure ?

Hello Heng

If you do not specify the conform-action, exceed-action and the violate-action, then the default behaviour is:

conform-action transmit
exceed-action drop
violate-action drop

So even if don’t configure these, the above actions will take place.

I hope this has been helpful!


Hi lagapides
Thank you so much, I got this well now.