QoS Policing Configuration Example

Hi Rene,

I have three questions :-

1- In your example of Single-Rate-Three-Color how much the the traffic will be exceed so the violate-action drop the packets ?
2- After police keyword we can specify bits per second directly and also we can specify it with cir !! what is the difference ?
3- You said that bc select a value based on the CIR rate, what the formula it’s used ? and I see 4000 bytes is not enough and give only 1/4 of CIR rate ??? and when we need to configure bc ourselves ?? can you please explain this in detail for me ??

Hello Hussein

The police CIR is set to 128000, the BC is set to 4000 and the BE is set to 4000.

So, any packets that are within the 128000 CIR limit plus the 4000 BC limit are conforming. These will be transmitted and their DSCP values will be unchanged.

Any packets arriving above the 128000 + 4000 limit and within the additional BE limit of 4000 fall into the exceed action category. These are transmitted but their DSCP values are modified to 0.

Finally, any packets arriving above the BE limit are violating, so these will be discarded.

The BE and BC values can be seen in the output of the show policy-map interface FastEthernet 0/0 command. These must be configured manually, otherwise the Cisco IOS will select them automatically based on the CIR rate.

The police cir command is always followed by a percent value. The value indicated is the percent of the CIR which will be used to determine conforming. The police bps command is a value in bytes per second.

By default the Cisco IOS will choose a BC that is 1/32 of the CIR. In this case, 128000/32 = 4000.

I hope this has been helpful!


1 Like

I don’t get the difference between exceeded-action and violate-drop

Hi Juan,

Three-Color Policing has three different actions that you can perform:

  • conform action
  • exceed action
  • violate action

These three are just names, they don’t define the action that the policer takes. If you wanted to, you could set a drop action for “conform-action”.

The main reason we use three different actions is that you can do something like this:

R2(config)#policy-map SINGLE-RATE-THREE-COLOR
    R2(config-pmap)#class ICMP
    R2(config-pmap-c)#police 128000 
    R2(config-pmap-c-police)#conform-action transmit 
    R2(config-pmap-c-police)#exceed-action set-dscp-transmit 0
    R2(config-pmap-c-police)#violate-action drop

When traffic conforms, we transmit it. When it exceeds…we don’t want to drop it but reset the DSCP to 0. When it’s in violation, that’s when we drop it.

When you use PIR, traffic is exceeding when it is above CIR but below the PIR. When traffic is above the PIR, then it’s violating.

Hope this helps!


thank you Rene.

Yes, i understand the concepts but,

following your example, conform action transmit for class ICMP i guess you previously had to match icmp traffic, then apply the policy for icmp traffic, so conform action transmit (if there exist icmp traffic) would be transmited and limited to 128Kbps, if the ICMP traffic exceed 128Kbps it won’t be dropped but remarked again, this time with dscp 0 (best-effort), and if there isn’t icmp traffic it will be dropped.

thats correct ?

Hi Juan,

When there is ICMP traffic, it will be forwarded (without alteration) up to 128 Kbps. Once it goes above 128 Kbps but is still below the PIR, it will indeed be remarked to DSCP 0 and still be forwarded.

ICMP traffic that is above the PIR is exceeding and will be dropped.

I didn’t show the class-map but if you only match ICMP traffic in the class-map then that’s the only traffic that the policy-map works for. All other non-ICMP traffic is not policed and gets forwarded at the interface rate.


Hi Rene,
I got this lesson as well, one point if we didn’t configure any confirm-action, exceeding-action or violation-action, just cir. what will router do when traffic out of cir we configure ?

Hello Heng

If you do not specify the conform-action, exceed-action and the violate-action, then the default behaviour is:

conform-action transmit
exceed-action drop
violate-action drop

So even if don’t configure these, the above actions will take place.

I hope this has been helpful!


Hi lagapides
Thank you so much, I got this well now.

Hello Rene,

Thanks for the article!
I understand that policing drops the packets unlike shaping stores the packets in a buffer, what actually does the DROP mean here, is packet discarded and will this trigger client to send a TCP retranmission (for suppose a TCP connection) and drop any UDP packet. Please clarify.

Sandeep Paul

Could you explain the difference between police and police rate?

policy-map PL2
class CL1
police 8000
policy-map PL1
class CL1
police rate 8000

I believe police on its own sets the CIR

Hello Sandeep

That is exactly what drop means. The packet is discarded completely. Remember that IP is an unreliable and best-effort protocol, and if any packet is dropped/lost/discarded, it depends on upper layer protocols to determine if a resend would be necessary (as you very correctly described for TCP) or if it will be completely ignored (as is the case for UDP).

I hope this has been helpful!


Thanks Laz, how are these drops different from Tail drops, do tail drops are buffered.

Sandeep Paul

Hello Chris

The police 8000 command in the example you are giving is used to specify conformance to a specific policy of network traffic. Conversely the police rate 8000 command is used to configure traffic policing for traffic that is destined for the control plane.

Take a look at this Cisco command reference for more details about the differences between each:


I hope this has been helpful!


Hello Sandeep

A tail drop is a queue management algorithm which means that it functions when traffic shaping is configured. In this case we are talking about policing, so the drop here is not the same. With tail drop, when the queue is filled to its maximum capacity, the newly arriving packets are dropped until the queue has enough room to accept incoming traffic. With the drop in this scenario, there is no queue involved, so the drop just occurs.

I hope this has been helpful!


Hi Laz

This Cisco document uses “police rate” but it’s not for the control plane - https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-0/qos/configuration/guide/qc40asr9kbook/qc40hqos.pdf

The command “police rate 10 mbps” mentioned in that doc is also confusing as I’ve checked and it doesn’t seem to be possible in the latest IOS. I believe this should be “police 10000000”

Hello Chris

This is a good point you bring up. The lesson is referring to commands that are used in Cisco IOS devices such as routers. The links that I provided were of a command reference document for QoS commands of IOS systems. The document that you shared is of the ASR 9000 running the IOS XR version 4.0.0. This provides a slightly different set of commands and syntax for QoS. In the IOS XR 4.0.0 the command police rate is used to police data plane traffic. This is also the reason why the syntax ofpolice rate 10 mbps did not work in the IOS version that you tried.

This brings up a good point because it allows us to see some of the different IOS versions that are available for devices today and how they can sometimes be different based on the type (IOS or IOS XR), the version or the platform. Such differences are even more pronounced for systems such as ASAs.

I hope this has been helpful!


1 Like

Good Day ALL,
How can an access-list be attached to a policing policy ? An example of my configuration is listed below. Not sure if I would get the desired results. If I have a 200meg link , but only want to use a maximum of 50mbps for wireless users from a specific network. Would I use the 50mbps for the cir or the 200mbps for the cir ? Any guidance is greatly appreciated.

ip access-list extended 100
permit ip any

class-map TEST
match access-group 100

policy-map TEST2
class TEST
police 50 or 200 for cir ? conform-action transmit  exceed-action drop  exceed-action set-dscp-transmit 0 violate-action drop

int fa0/0 
service-policy input TEST2 


Hello Adam

You can add the access list as the matching criterion for the policy map. Here the policy map will be applied only to traffic that conforms to the access list, that is, to traffic that has a source address of 192.168.1.X with any destination address. If your wireless users are all using this specific network, and if this is what you want to match, then you’re OK there.

Next, you’ve created the class-map that performs that matching, and you’ve specified that it is the access list you will be using to match the packets. So far so good.

Now what you apply at the policy map really depends on what you’d like to do. Are you performing single rate two colour or single rate three colour policing? By the looks of it, it is the latter.

Really, you have to answer this question: Do you want your wireless users to use strictly 50 Mbps of the 200 Mbps link and no more or will you give them an occasional increase for bursty traffic up to a specific amount, say 55 or 60 Mpbs? If it is the former, you need to use the two colour approach, and if it is the latter, the three colour approach.

Let’s look at the three colour approach since your config seems to indicate this. Now your police command should be the following. I am placing the commands on separate lines for clarity, although your commands are just as valid:

police 50000000
conform action transmit 
exceed-action set-dscp-transmit 0 
violate-action drop

The first two commands set the CIR to 50 Mbps and any traffic that conforms to this, that is, that is less than the 50 Mbps is transmitted.

The exceed-action command states what will happen to traffic that exceeds this police value. The traffic will still be transmitted, but if there was any DSCP value set on that traffic, it will be set to 0, so any priority that was given to this traffic is removed, so it is a candidate to be dropped downstream. Remember, this traffic will still be transmitted.

Now before I go into the next command, it is important here to state that in a three colour approach, there is a BE value that is determined. The conform-action takes place below the 50Mbps mark, the exceed-action takes place between the 50Mbps mark and the BE value, and the violate-action takes place above the BE value. If it is not specified, the BE value will be chosen by default by the IOS itself.

Finally, the violate-action determines what happens to traffic beyond the BE value, which in this case is to be dropped.

I hope this has been helpful!


Hello Laz,

Thank you your explaination. I’ve just started the QoS lessons here. As for the Wifi network mentioned, it would be desired to have a a max of 50mbps. I do understand the option for bursting ( learned in the QoS lessons). However, when it comes to policing or shaping, wich value is used ? The data speed received via the provider (10megs , 1gig) or is it based on the actual interface capabilities ? Is there a best practice in choosing between the two ?

-Thanks Again for your help !