QoS Policing Configuration Example

Hello Rene,

Thanks for the article!
I understand that policing drops the packets unlike shaping stores the packets in a buffer, what actually does the DROP mean here, is packet discarded and will this trigger client to send a TCP retranmission (for suppose a TCP connection) and drop any UDP packet. Please clarify.

Sandeep Paul

Could you explain the difference between police and police rate?

policy-map PL2
class CL1
police 8000
policy-map PL1
class CL1
police rate 8000

I believe police on its own sets the CIR

Hello Sandeep

That is exactly what drop means. The packet is discarded completely. Remember that IP is an unreliable and best-effort protocol, and if any packet is dropped/lost/discarded, it depends on upper layer protocols to determine if a resend would be necessary (as you very correctly described for TCP) or if it will be completely ignored (as is the case for UDP).

I hope this has been helpful!


Thanks Laz, how are these drops different from Tail drops, do tail drops are buffered.

Sandeep Paul

Hello Chris

The police 8000 command in the example you are giving is used to specify conformance to a specific policy of network traffic. Conversely the police rate 8000 command is used to configure traffic policing for traffic that is destined for the control plane.

Take a look at this Cisco command reference for more details about the differences between each:


I hope this has been helpful!


Hello Sandeep

A tail drop is a queue management algorithm which means that it functions when traffic shaping is configured. In this case we are talking about policing, so the drop here is not the same. With tail drop, when the queue is filled to its maximum capacity, the newly arriving packets are dropped until the queue has enough room to accept incoming traffic. With the drop in this scenario, there is no queue involved, so the drop just occurs.

I hope this has been helpful!


Hi Laz

This Cisco document uses “police rate” but it’s not for the control plane - https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-0/qos/configuration/guide/qc40asr9kbook/qc40hqos.pdf

The command “police rate 10 mbps” mentioned in that doc is also confusing as I’ve checked and it doesn’t seem to be possible in the latest IOS. I believe this should be “police 10000000”

Hello Chris

This is a good point you bring up. The lesson is referring to commands that are used in Cisco IOS devices such as routers. The links that I provided were of a command reference document for QoS commands of IOS systems. The document that you shared is of the ASR 9000 running the IOS XR version 4.0.0. This provides a slightly different set of commands and syntax for QoS. In the IOS XR 4.0.0 the command police rate is used to police data plane traffic. This is also the reason why the syntax ofpolice rate 10 mbps did not work in the IOS version that you tried.

This brings up a good point because it allows us to see some of the different IOS versions that are available for devices today and how they can sometimes be different based on the type (IOS or IOS XR), the version or the platform. Such differences are even more pronounced for systems such as ASAs.

I hope this has been helpful!


1 Like

Good Day ALL,
How can an access-list be attached to a policing policy ? An example of my configuration is listed below. Not sure if I would get the desired results. If I have a 200meg link , but only want to use a maximum of 50mbps for wireless users from a specific network. Would I use the 50mbps for the cir or the 200mbps for the cir ? Any guidance is greatly appreciated.

ip access-list extended 100
permit ip any

class-map TEST
match access-group 100

policy-map TEST2
class TEST
police 50 or 200 for cir ? conform-action transmit  exceed-action drop  exceed-action set-dscp-transmit 0 violate-action drop

int fa0/0 
service-policy input TEST2 


Hello Adam

You can add the access list as the matching criterion for the policy map. Here the policy map will be applied only to traffic that conforms to the access list, that is, to traffic that has a source address of 192.168.1.X with any destination address. If your wireless users are all using this specific network, and if this is what you want to match, then you’re OK there.

Next, you’ve created the class-map that performs that matching, and you’ve specified that it is the access list you will be using to match the packets. So far so good.

Now what you apply at the policy map really depends on what you’d like to do. Are you performing single rate two colour or single rate three colour policing? By the looks of it, it is the latter.

Really, you have to answer this question: Do you want your wireless users to use strictly 50 Mbps of the 200 Mbps link and no more or will you give them an occasional increase for bursty traffic up to a specific amount, say 55 or 60 Mpbs? If it is the former, you need to use the two colour approach, and if it is the latter, the three colour approach.

Let’s look at the three colour approach since your config seems to indicate this. Now your police command should be the following. I am placing the commands on separate lines for clarity, although your commands are just as valid:

police 50000000
conform action transmit 
exceed-action set-dscp-transmit 0 
violate-action drop

The first two commands set the CIR to 50 Mbps and any traffic that conforms to this, that is, that is less than the 50 Mbps is transmitted.

The exceed-action command states what will happen to traffic that exceeds this police value. The traffic will still be transmitted, but if there was any DSCP value set on that traffic, it will be set to 0, so any priority that was given to this traffic is removed, so it is a candidate to be dropped downstream. Remember, this traffic will still be transmitted.

Now before I go into the next command, it is important here to state that in a three colour approach, there is a BE value that is determined. The conform-action takes place below the 50Mbps mark, the exceed-action takes place between the 50Mbps mark and the BE value, and the violate-action takes place above the BE value. If it is not specified, the BE value will be chosen by default by the IOS itself.

Finally, the violate-action determines what happens to traffic beyond the BE value, which in this case is to be dropped.

I hope this has been helpful!


Hello Laz,

Thank you your explaination. I’ve just started the QoS lessons here. As for the Wifi network mentioned, it would be desired to have a a max of 50mbps. I do understand the option for bursting ( learned in the QoS lessons). However, when it comes to policing or shaping, wich value is used ? The data speed received via the provider (10megs , 1gig) or is it based on the actual interface capabilities ? Is there a best practice in choosing between the two ?

-Thanks Again for your help !

Hello Adam

So if you would like to provide a hard limit of 50Mbps, then use the single rate two colour approach. This would require the following police configuration:

police 50000000
conform action transmit
exceed-action drop

This will allow all traffic under 50Mbps to go through, but if the traffic reaches above 50 Mbps, all exceeding packets will be dropped. No BE, no bursting capability, no tolerance to this level.

You would use the value that you desire the traffic to confirm to. This will also depend on the speed of the link to your ISP as well. There’s no sense in limiting Wi-Fi traffic to 50Mbps if your ISP connection is 30 Mbps. It depends on what you want to achieve, on what your network requirements are and on what the profile of your network traffic is.

Whenever you’re traffic shaping, especially to control traffic going to the ISP, a good rule of thumb is to use values as percentages of the total bandwidth that is available to you. In your previous scenario, you wanted to limit Wi-Fi traffic to 50 Mbps out of the 200Mbps ISP link, that is, one quarter of the ISP link. Look at the traffic generated by each network, see what their requirements are and how mission critical they are, and allocate the appropriate fraction of the total ISP bandwidth to that network.

Now one more thing that we may need to clarify is that policing and shaping are two different things. Policing will drop packets that exceed the set thresholds while shaping will attempt to store exceeding packets into queues or local memory to be sent as soon as bandwidth becomes available. In this lesson, it is policing that is being discussed and implemented. For traffic shaping, take a look at this lesson:

I hope this has been helpful!


Good Day Laz,

Thanks for clearing interface vs provider selection for QoS. The configuration guidance you provided gave the desired result. Thanks Again !!!


1 Like

I need some assistance working out how the police cir was calculated?
Here is a part of the config
the shape average is 94 percent of the offered data rate

policy-map ISP
 class real-time
  police cir 4096000
   conform-action set-dscp-transmit ef
   exceed-action set-dscp-transmit af41
   violate-action set-dscp-transmit af41
 class video
  bandwidth remaining percent 40............ 

policy-map 65.8Mbs
 class class-default
  shape average 65800000   
   service-policy ISP
policy-map MM
 class real-time


Hello David

There doesn’t seem to be a direct correlation between the policy map values of 94% of the offered data rate and the police cir that is configured in the policy-map ISP. Some general statements I can make about this based on the information you have given are the following:

  • The offered data rate is 70 Mbps
  • This offered data rate is shaped to an average of 65.8 Mbps
  • Of that shaped average, 4.096 Mbps are policed and this is a maximum bandwidth guarantee due to the priority keyword
  • In the event that there is traffic that exceeds or violates this CIR, the traffic is actually transmitted - so no packets will be dropped due to the CIR, but DSCP values may be adjusted accordingly
  • The remaining bandwidth that is made available is 65.8 Mbps - 4.096 Mbps = 61.704 Mbps
  • 40% of this bandwidth is made available to the class video which is 24.6816 Mbps, but traffic is allowed to exceed this allocated rate

Now the 4.096 Mbps data rate may have to do with the maximum number of real-time data streams that are to be transmitted depending on what traffic is being matched. If you are matching voice conversations using the G.711 codec which allows for 64 Kbps bandwidths per conversation, then 4096 Kbps / 64 Kbps = 64 conversations.

It comes down to what traffic is being matched in the real-time class map and how much of that traffic do you want to allow using the specified CIR before beginning to change the DSCP values on all exceeding/violating traffic…

I hope this has been helpful!


Hello guys,
I just wanted to point out that I labbed the three examples
1)Single Rate two color
2)Single Rate three color
3)Dual Rate three color

and all of the packets conformed. I did not have any exceed or violate.
I used the exact code provided in the example. Did I do anything wrong? I am attaching my running configuration:


Hello Martha

At first glance, your code looks good. If you’re sure that your pings are indeed traversing the link between the two routers, then the only other thing I can think of is that the rate at which the pings are being sent are not fast enough to reach the thresholds that you are setting. This could be due to the GNS3 setup, the CPU capabilities and other resource issues. I suggest you do one of the following:

  1. Reduce the police CIR and PIR to smaller values and see if you get exceeding and violating counts
  2. Use extended ping command to increase the size of each ping so that more bytes are being sent per ping.

Try one or both of those, and let us know your results!

I hope this has been helpful!


I need to try this again. Will let you know once I lab again.

1 Like

Hi all,

The police rate mentioned in the below class-map applies to the entire bandwidth or the bandwidth allocated to that queue?

In other words, if I have 100 Mbps circuits, the policing mentioned here will be 40% of the 100 Mbps or 2.X % of the 100 Mbps?

Any comments will be appreciated.

class TEST123
  bandwidth percent 5
  set ip dscp cs1
  random-detect ecn
    police cir percent 40
     exceed-action drop

Hello bhaskar

When using the police cir percent X command, the maximum rate of bandwidth available is used as the reference point for the calculation of the percentage. The maximum rate of bandwidth available is defined either as the bandwidth of the interface itself, which in your example is 100Mbps, or by the amount specified in a parent policy map, if the policy map in question is nested within another policy map.

In your particular example, the bandwidth percent 5 command that has been used in the same class does not represent the maximum rate of bandwidth available. So the policy will look to the next higher level, which in this case is the bandwidth of the interface itself to use as the reference for the calculation of the percentage.

You can find out more information about how this command behaves at this Cisco command reference documentation.

I hope this has been helpful!