QoS Policing Configuration Example

Hi Rene/ Andrew,

Can the policy map be applied to a switch access port, trunk port, and SVI?

Davis

Hello Davis.

Keep in mind that the QoS policing that Rene has implemented in this lesson functions at Layer 3. You can see this by the fact that the configuration applied matches layer 3 protocols (such as ICMP). So this means that this policy map can be applied to a Router interface, or to a Routed interface on a switch, or an SVI on a switch. Access and trunk ports are layer 2 so this implementation cannot be applied.

However, as Cisco documentation states, “To police bridged (Layer 2 [L2]) traffic as well, you need to enable bridged microflow policing.” If you’re interested in reading more, check it out here: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/12493-102.html#parameters

I hope this has been helpful!

Laz

Hi Laz,

Thanks.

Davis

Hi Rene,

How can we validate the count of conform/exceed/violate for a given CIR value? For example, single rate 2 color?

Can you please provide an example?

Regards,
Ananth

Hello Rene,

Again, a great article.
Is this the correct way to read this example:

  1. The customer can send 128K of traffic without any issue, but if it exceeds 128, that is also allowed but with DSCP 0 (best effort). But then my doubt is: where is the limit on traffic? Can the customer send as much traffic as they want?
  2. What exactly is DSCP 0 doing here with the traffic? Can you just explain in a nutshell, please?
  3. If the customer has purchased 128K with a burst up to 200K, what will the config below be?
  4. Now, as a customer, if I myself want to put policing on my outgoing interface, will the same config work?
R2(config)#policy-map SINGLE-RATE-THREE-COLOR
R2(config-pmap)#class ICMP
R2(config-pmap-c)#police 128000 
R2(config-pmap-c-police)#conform-action transmit 
R2(config-pmap-c-police)#exceed-action set-dscp-transmit 0
R2(config-pmap-c-police)#violate-action drop

Thanks
Abhishek

Abhishek,

  1. The answer to this depends on whether we are talking about two color or three color. If you are talking two color with 128K or less being within policy, and the provider is allowing excess traffic but remarking it as DSCP 0, then yes, you have the ability to transmit up to whatever your physical link bandwidth would be. Of course, who knows what would happen to exceeding traffic later within the provider’s network–it might get dropped later if there is congestion elsewhere. This leads into your question #2.

  2. The purpose of remarking exceeding traffic as DSCP 0 is so the provider will know what traffic it can “throw away” first if the ISP network starts to get congested. Presumably, the provider has an SLA with you that says they guarantee traffic will flow through their network with a certain kind of higher level treatment for any traffic below 128 K. Once you exceed 128Kbps, however, that guarantee no longer applies. So how can the ISP distinguish between normal and exceeding traffic? That is the purpose of their policer that marks the traffic as DSCP 0.

  3. For 128K SLA with bursting to 200K, you would see something like this on the provider’s end:

R2(config)#policy-map SINGLE-RATE-THREE-COLOR
R2(config-pmap)#class class-default
R2(config-pmap-c)#police 128000 200000
R2(config-pmap-c-police)#conform-action transmit 
R2(config-pmap-c-police)#exceed-action set-dscp-transmit 0
R2(config-pmap-c-police)#violate-action drop

  4. As a customer, it is generally not a good idea to police your own traffic, since you are simply dropping it. It is better to put a shaper on the other end of a policer. So in this case, the ISP would have the policer, and you would create a shaper based on the ISP’s police values. These should match as closely as possible. With a shaper, you are queuing your own traffic, but from your application’s point of view it is probably better to delay the traffic than to lose it.

There is a lesson on shaping here: https://networklessons.com/topic/traffic-shaping-on-cisco-ios/

1 Like

Thanks Andrew for correcting me.

So let's say now I have this requirement as a customer.

The ISP will give me a 50 MB link and they also allow me to burst up to 70 MBPS as a part of the traffic contract, so they are going to put a policer on their end with a config similar to the one you suggested.

Now on my end… I have to use shaping, which means whenever my traffic reaches 70 MBPS I should be able to shape (buffer) it and not drop it; hence I should use a shaping config. But I am not able to figure out how to use these options for my case:

R1(config-pmap-c)#shape ?
  adaptive        Enable Traffic Shaping adaptation to BECN
  average         configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
                  send out Bc only per interval
  fecn-adapt      Enable Traffic Shaping reflection of FECN as BECN
  fr-voice-adapt  Enable rate adjustment depending on voice presence
  max-buffers     Set Maximum Buffer Limit
  peak            configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
                  send out Bc+Be per interval

Can you please give me a sample config? Many thanks.

Abhishek

Hi Rene,

I have three questions:

1- In your example of Single-Rate-Three-Color, by how much must the traffic exceed for the violate-action to drop the packets?
2- After the police keyword we can specify bits per second directly, and we can also specify it with cir! What is the difference?
3- You said that bc selects a value based on the CIR rate; what formula is used? And I see 4000 bytes is not enough and gives only 1/4 of the CIR rate? And when do we need to configure bc ourselves? Can you please explain this in detail for me?

Hello Hussein

The police CIR is set to 128000, the BC is set to 4000 and the BE is set to 4000.

So, any packets that are within the 128000 CIR limit plus the 4000 BC limit are conforming. These will be transmitted and their DSCP values will be unchanged.

Any packets arriving above the 128000 + 4000 limit and within the additional BE limit of 4000 fall into the exceed action category. These are transmitted but their DSCP values are modified to 0.

Finally, any packets arriving above the BE limit are violating, so these will be discarded.

The BE and BC values can be seen in the output of the show policy-map interface FastEthernet 0/0 command. These must be configured manually, otherwise the Cisco IOS will select them automatically based on the CIR rate.

The police cir command is always followed by a percent value. The value indicated is the percent of the CIR which will be used to determine conforming. The police bps command is a value in bytes per second.

By default the Cisco IOS will choose a BC that is 1/32 of the CIR. In this case, 128000/32 = 4000.

I hope this has been helpful!

Laz

1 Like
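A model of the token buckets behind the single-rate three-color policer discussed above, as an added example that is not part of the original thread or of Cisco IOS: it follows the RFC 2697 color-blind algorithm with the CIR, Bc and Be values quoted in this thread (128000 bps, 4000 bytes, 4000 bytes). The class and function names and the packet timings are constructed for illustration.

```python
"""Single-rate three-color policer model (RFC 2697, color-blind mode).
Added illustration; names and sample traffic are constructed, not IOS internals."""

class SrTcmPolicer:
    def __init__(self, cir_bps=128000, bc_bytes=4000, be_bytes=4000):
        self.rate = cir_bps / 8.0          # token fill rate in bytes per second
        self.bc, self.be = bc_bytes, be_bytes
        self.tc, self.te = float(bc_bytes), float(be_bytes)  # buckets start full
        self.last = 0.0

    def _refill(self, now):
        tokens = (now - self.last) * self.rate
        self.last = now
        to_conform = min(tokens, self.bc - self.tc)   # conform bucket fills first
        self.tc += to_conform
        self.te = min(self.be, self.te + tokens - to_conform)  # overflow spills here

    def police(self, now, size):
        """Return 'conform', 'exceed' or 'violate' for one packet of `size` bytes."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate"              # no tokens are consumed by a violating packet

# Actions from the policy-map in this thread, keyed by verdict.
ACTIONS = {"conform": "transmit", "exceed": "set-dscp-transmit 0", "violate": "drop"}

def count_verdicts(packets, policer=None):
    """packets: iterable of (arrival_time_seconds, size_bytes), sorted by time."""
    policer = policer or SrTcmPolicer()
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for now, size in packets:
        counts[policer.police(now, size)] += 1
    return counts

# Constructed traffic: 1000-byte packets.
STEADY = [(i * 0.0625, 1000) for i in range(32)]        # exactly 128 kbps for 2 s
BURST = [(0.0, 1000)] * 10                              # 10 packets back to back
BURST_PAUSE_BURST = BURST + [(0.25, 1000)] * 6          # 250 ms idle, then 6 more

if __name__ == "__main__":
    for name, pkts in [("steady", STEADY), ("burst", BURST),
                       ("burst+pause", BURST_PAUSE_BURST)]:
        counts = count_verdicts(pkts)
        print(name, {f"{k} ({ACTIONS[k]})": v for k, v in counts.items()})
```

In the burst-then-pause case the 250 ms idle period earns 4000 bytes of tokens, all of which go to the conform bucket, so the second burst sees no exceed verdicts at all.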

I don’t get the difference between exceeded-action and violate-drop.

Hi Juan,

Three-Color Policing has three different actions that you can perform:

  • conform action
  • exceed action
  • violate action

These three are just names, they don’t define the action that the policer takes. If you wanted to, you could set a drop action for “conform-action”.

The main reason we use three different actions is that you can do something like this:

R2(config)#policy-map SINGLE-RATE-THREE-COLOR
R2(config-pmap)#class ICMP
R2(config-pmap-c)#police 128000
R2(config-pmap-c-police)#conform-action transmit
R2(config-pmap-c-police)#exceed-action set-dscp-transmit 0
R2(config-pmap-c-police)#violate-action drop

When traffic conforms, we transmit it. When it exceeds…we don’t want to drop it but reset the DSCP to 0. When it’s in violation, that’s when we drop it.

When you use PIR, traffic is exceeding when it is above CIR but below the PIR. When traffic is above the PIR, then it’s violating.

Hope this helps!

Rene

Thank you Rene.

Yes, I understand the concepts, but:

Following your example, conform-action transmit for class ICMP: I guess you previously had to match ICMP traffic, then apply the policy for ICMP traffic, so conform-action transmit (if ICMP traffic exists) would be transmitted and limited to 128Kbps; if the ICMP traffic exceeds 128Kbps it won’t be dropped but remarked again, this time with DSCP 0 (best-effort), and if there isn’t ICMP traffic it will be dropped.

Is that correct?

Hi Juan,

When there is ICMP traffic, it will be forwarded (without alteration) up to 128 Kbps. Once it goes above 128 Kbps but is still below the PIR, it will indeed be remarked to DSCP 0 and still be forwarded.

ICMP traffic that is above the PIR is exceeding and will be dropped.

I didn’t show the class-map but if you only match ICMP traffic in the class-map then that’s the only traffic that the policy-map works for. All other non-ICMP traffic is not policed and gets forwarded at the interface rate.

Rene

Hi Rene,
I got this lesson as well. One point: if we didn’t configure any conform-action, exceed-action or violate-action, just cir, what will the router do when traffic goes beyond the cir we configured?

Hello Heng

If you do not specify the conform-action, exceed-action and the violate-action, then the default behaviour is:

conform-action transmit
exceed-action drop
violate-action drop

So even if you don’t configure these, the above actions will take place.

I hope this has been helpful!

Laz

Hi lagapides
Thank you so much, I got this well now.

Hello Rene,

Thanks for the article!
I understand that policing drops the packets, unlike shaping, which stores the packets in a buffer. What does DROP actually mean here? Is the packet discarded, and will this trigger the client to send a TCP retransmission (suppose a TCP connection) and drop any UDP packet? Please clarify.

Thanks
Sandeep Paul

Could you explain the difference between police and police rate?

policy-map PL2
class CL1
police 8000
policy-map PL1
class CL1
police rate 8000

I believe police on its own sets the CIR

Hello Sandeep

That is exactly what drop means. The packet is discarded completely. Remember that IP is an unreliable and best-effort protocol, and if any packet is dropped/lost/discarded, it depends on upper layer protocols to determine if a resend would be necessary (as you very correctly described for TCP) or if it will be completely ignored (as is the case for UDP).

I hope this has been helpful!

Laz

Thanks Laz. How are these drops different from tail drops? Are tail drops buffered?

Rgds
Sandeep Paul