QoS Traffic Policing Explained


Just a small comment.
The formulas:
Packet arrival time - Previous packet arrival time * Police Rate / 8
should be replaced with:
(Packet arrival time - Previous packet arrival time) * Police Rate / 8

Thank you,

1 Like

Hi Stefanita,

I agree, just fixed this.


1 Like

Wanted to check why are we removing tokens from both the buckets if traffic confirms in case of dual rate three color model

Hello Ajai

This model works differently from the others. Where in the single rate, three colour model we have the Bc bucket spilling into the Be bucket, here, by definition, we have both the Bc bucket and the PIR bucket being filled and emptied at the same time. The difference is that the PIR bucket is replenished using the same forumula, but inputting the difference in the actual PIR in bps. Specifically in the example, the Be bucket will be filled

seconds * 128.000 / 8

while the PIR bucket will be filled

seconds * 256.000 / 8

As a result, the PIR bucket will have more tokens than the Bc bucket. In simplified terms:

  • If the number of bytes in the packet are less than the number of tokens in the Bc, the packet is conforming
  • If the number of bytes in the packet are more than the number of tokens in the Bc but less than those in the PIR, the packet is exceeding
  • If the number of byte sin the packet are more than the number of tokens in the PIR, the packet is violating

The difference here is that the buckets are filled and replenished at the same time, but in different amounts depending on the bucket sizes (CIR and PIR rates). This causes a difference in the number of tokens, and this is used to determine the conforming/exceeding/violating element

I hope this has been helpful!


1 Like


Still trying to get hold of it.
Can you please give me an example for this.I mean what will happen if we dint remove equal tokens from the be bucket.


Hello Ajai

Here’s an example I hope will help.

Let’s use the same values used by Rene. We have a CIR of 128000 bps and a PIR of 256000 bps. One second elapses between packets arriving, so the buckets will have:

  • Bc bucket = 1 * 128000/8 = 16000 tokens
  • PIR bucket = 1 * 256000/8 = 32000 tokens

The whole key to this algorithm is the fact that the Bc bucket and the PIR bucket are replenished at the same time, but at different rates, so you will always have a difference in the number of tokens in each bucket. Specifically, the difference between them is in direct proportion to the difference between the CIR and PIR.

Let’s assume that at a specific point in time, the buckets have the number of tokens calculated above. Let’s look at three scenarios:

  1. Let’s say that the very next packet arriving is 12000 bytes. Compare this value to the number of tokens in the buckets and we see that packet < Bc. Since this is true, the packet is considered conforming.
  2. Instead of 12000 bytes, let’s say the very next packet arriving is 24000 bytes. Here we see that Bc < packet < PIR, by definition this means that the packet is exceeding.
  3. Instead, let’s say the very next packet arriving is 36000 bytes. In this case PIR < packet so the packet is violating.

I hope this has been helpful!


1 Like

Dear Rene,

I have some thing to clarify,
Take the single rate, 2 color configured to CIR = 96 kbps
when we configure it, will the bucket be filled with 12K tokens before even start receiving the 1st packet?
Let’s say the 1st packet of 50 Bytes received after 0.1 seconds.
As per my understanding;
all 12k tokens are removed and 1200 tokens are put in to the bucket and if it conforms 50 tokens will be removed, so now only 1150 tokens available? am i ryt?

1 Like

Hello Roshan

At the very beginning, when the device is turned on and QoS policing mechanisms take place, the token bucket is full. Let’s say that the maximum capacity of the bucket is 24K tokens for argument’s sake.

Tokens are removed from the bucket every time a packet arrives. The size of the packet in bytes is the number of tokens that are removed.

So if a packet of 50 bytes arrives, it will remove (50x8=400 bits) 400 tokens from the bucket, resulting in 23600 tokens at that specific moment in time.

Remember that tokens are replenished based on the amount of time that has passed between packets. This is why we use the (packet arrival time - previous packet arrival time) formula. This can also be described as “as long as the circuit is idle”. If you set a CIR of 96kbps, then you are setting your token replenishing rate at 96000 bits per second as long as the circuit is idle.

Every time a packet comes, we remove tokens, and every time interval where the circuit is idle passes, the tokens are replenished at a rate of (idle time) * CIR.

I hope this has been helpful!


1 Like

Dear Laz,

Thanks for the reply.
In policing, 1 token = 1 byte ryt? I mean not a bit ryt? So if a packet of 50 bytes arrives, it will remove 50 tokens not 400 tokens ryt?
Also if the bit rate is set for 96kbps, the maximum capacity of the token bucket should be 12000 tokens ryt?

1 Like

Hello Roshan

Yes, you are correct, one token corresponds to 1 byte, not one bit. And yes the capacity should be 12000 tokens. Thanks for correcting that. The logic behind the example still stands.

Thanks again!


Dear Laz,

Thanks for your replies. My doubt still exists as I am trying to visualize this process of replenishing to bit rate. Let me be clear of what I think whats happening step by step. Please correct me where I am misunderstood. Assume this is for Single rate- Single bucket.

(1) Assume I configured the policing rate to be 96 Kbps. As soon as I applied it to an interface, the token bucket full of tokens (12,000) is created and waiting for packets.
(2) Let’s assume 1st Packet which has a packet size of 100 bytes comes after 0.5 seconds
(3) So 100 tokens will be removed from the bucket and at the same time it will put 6,000 tokens back into the bucket.
(4) But because the bucket capacity is 12,000, new 5,900 tokens will be spilled and discarded.
(5) Assume 2nd packet of 500 bytes comes after 0.2 seconds from the last packet received time
(6) 500 tokens removed from 12,000 and 2,400 tokens are added same time which will again full the bucket discarding new 1,900 tokens.
(7) Assume 3rd packet comes after 0.01 seconds from the second packet of 300 bytes
(8) Now 300 tokens will be removed and 120 tokens will be put into the bucket
(9) Now total number of tokens in the bucket is 11,820 and waiting for the next packet

Is this ryt or wrong?

Hello Roshan

I believe that you’ve got the idea!! You can really see how this functions especially if you imagine an example where you have large numbers of packets arriving and the bucket gets empty. If you imagine 1500 byte packets arriving every 0.05 seconds, you’d have a situation where 1500 tokens would be removed and be replenished with 600 every time… the bucket would eventually become empty…

I hope this has been helpful!


1 Like

Policer in the topic with 128 000 bps. Packet will be dropped when If the number of bytes in the packet is more than the number of tokens in the bucket, does it means, that it allowes maximum half of the bitrate? That is 64 000 bps? for example 1 second no traffic 1 second traffic, whatever…

Hello Jan

The purpose of the token bucket and of all of these different algorithms is to allow for a smooth distribution of traffic over time. This means that if you are policing at 128000 bps, then over a long period of time, say 10 minutes, the maximum average of throughput you can achieve is 128000 bps. If your traffic is smooth and consistent, then you will achieve this. If it is bursty and irregular, then you will achieve something much smaller.

If your traffic is so irregular that the bucket is often emptied completely, then you will have many packets that are dropped. If your traffic is smooth enough so that the bucket is replenished at regular intervals, then fewer packets will be dropped.

Depending on the algorithm you use, you will have a hard upper limit (single rate two colour) or will allow for bursting (single rate, three colour and dual rate three colour) to accommodate this bursty nature of traffic.

I hope this has been helpful!


Hi, i’m a bit confused with the Single rate, two color (one token bucket) explanation, this is what I’ve gathered so far…

Every time a packet comes in the formula adds more tokens (bytes) to the bucket, if the bucket is full then the packets are dropped.
Each packet that goes into the router the bytes from the formula are added to the bucket in bytes (NOT the actual size of the packet in bytes itself). If the number of bytes in the ACTUAL packet is equal to or less than the number of tokens (bytes) in the bucket then conforming is done and the policer takes the tokens out of the bucket (? What does it take out and what in bytes?)

For the sizes that are being put into the bucket, 1 single packet cannot be that big as well so no packets will ever be dropped so how does the traffic dropping occur then? When the bucket is full? How does it get full and what is the limit on the bucket, is it the CIR?


Hello Michael

First of all, at some specific rate (which we will clarify shortly) tokens are replenished into the bucket. Tokens are replenished as a function of time. As time goes on, tokens are added. I’ll talk a little more about this shortly.

When a packet arrives, one of two things take place:

  1. If the bucket has a number of tokens greater than or equal to the number of bytes of the packet, then:
  • The packet is considered conforming
  • A number of tokens equal to the number of bytes of the packet, are removed from the bucket.
  1. If the bucket has a number of tokens less than the number of bytes of the packet, then
  • The packet is considered exceeding
  • The policer doesn’t remove any packets from the bucket

The above process only classifies a packet as conforming or exceeding. What happens to the packet when it is conforming or exceeding depends upon the action that is configured to be taken.

Now replenishing takes place over time. Replenishing essentially takes place at the rate at which the policer has been set. If it is set to 128000 bps, then the replenishing rate is 128000/8 = 16000 bytes or tokens per second.

I hope this has been helpful! Stay safe and healthy!


Hi Laz

I understand what you’re saying, but by this logic the bucket would always be empty or have bytes lower than the packet size coming in because if every second 16,000 bytes (which is an average packet transmission rate of 10 ms per packet) is going into the bucket and you have a max packet size of 1514 bytes then every 10ms that means 160 bytes is going into the bucket and it’s taking 1514 bytes out of the bucket that means that within 1 second 151,400 bytes will be taken out the bucket and only 16,000 bytes put in so how would anything get allowed/conformed?

Also one more thing, the replenishing formula that is on the page is slightly confusing to and is a bit different to yours, you don’t mention anything about “packet time arrival - previous packet arrival time”, on the one on the page what if you’ve a packet that is 10ms apart? That would be (10 -10) x 128,000 ÷ 8 = 0. So that’s a bit confusing as well. Hopefully you can shed some light on these things because I don’t think I’m getting it at the moment.

Thanks and stay safe too

I’ve been reading a bit more and this is what I’ve gathered so far, maybe I’m right in what I’m saying here I’m not sure.

A packet flow of every 5-10ms which means around 80-160 bytes are going into the bucket (on a 128kbps line) regardless of what is taken out if the packet is conformed because of the replenishing formula. And if you have a packet that is coming in that is 1514 bytes in size then depending on if there is enough tokens in the bucket from the replenishing formula, the packet will either be dropped or conformed and those packets are taken out of the bucket if the packet is conformed. If the packet is dropped then the policer doesn’t remove any packets and the packet is more than likely dropped.

So you’re putting less into the bucket on slower lines and taking more out if you hammer the bandwidth with large packets to the maximum packet size whereas with a 500mb line for example if you had one packet coming in with 4ms and the next one came in at 6ms then that would be (0.002) × 500000000 ÷ 8 = 125,000 bytes into the bucket and only taking out 1514 bytes which means that most packets will be allowed/conformed.

But then I have to ask if that is correct then how would that 500Mb line ever drop packets since most packets would be conformed.
If the ISP has set a CIR of 500Mb and the user is on a physical 1Gb link with no shaping their end then surely there would be more packets sent at that speed than should be allowed to be conformed at the ISP end so how does the ISP and a policer of 500mb drop packets if it’s getting to many off the 1Gb link from the customers end? How does it work it out?

Thanks again Laz

Hello Michael

I apologize, I wasn’t quite clear in my previous posts, and I was missing an important piece of information. Let me try to respond to both of your posts:

Yes, let me clarify. The replenishing of the token bucket occurs over time, but I neglected to indicate that the replenishing takes place during idle time. So replenishing will take place at a rate of 16000 bytes per second of idle time. This is another way of looking at the formula. Notice the replenishing shown in the diagram in the lesson (as seen below) occurs during the interval between the arrival of packets:

Think about it this way. If the bucket is at maximum capacity (16000 bytes), and a steady flow of packets arrive, with no idle time at all, then eventually (after about 10 packets) 16000 bytes would be emptied from the bucket. The next packet would be exceeding, and thus would be dropped. This creates some idle time, giving the opportunity for the bucket to be refilled. Once it is refilled enough, the next packet that arrives will be conforming. The corresponding number of tokens will be removed. The next packet that arrives will be evaluated in the same way, and so on…

Note here that the key to policing is that this process, the dropping of the packets, creates idle time. It is this idle time that limits the traffic to the appropriate level even if the physical interface is capable of transmitting at higher throughputs.

The same is the case for a 1 Gbps physical link that is policed at 500 Mbps, it’s simply a matter of scale. The token bucket will have a capacity of about 62.5 million tokens. If the stream of packets is steady, the bucket will eventually empty, forcing idle time between incoming packets (by dropping the exceeding ones). Once the bucket refills sufficiently, subsequent packets will conform, removing the appropriate number of tokens from the bucket, and so on, resulting in a policed link.

(Once again, remember, that this whole procedure is a matter of classification. Packets are classified as either conforming or exceeding. If they conform, tokens are removed from the bucket, if they exceed, tokens are not removed. If they are actually dropped or forwarded depends on the configured action).

I hope this has been helpful! Stay healthy and safe!


Right I think (finally! haha) I’m starting to understand it a bit more now after your last message Laz. I’ll take another go at explaining it too see if I understand it now.

The police rate of 128,000kbps will create a 16000 byte bucket size and if there are a steady stream of packets sizes 1514 bytes and no packet time interval time over 1 second then this will empty the bucket after around 10 packets due to the packet sizes being deducted from the bucket. When the bucket has been emptied the bucket then refills during the idle time (1 second) were no packets are being sent because the bucket is empty and has been used up. The dropping of packets creates idle time for the bucket to be replenished up to its CIR again.
The bucket does NOT fill up during per packet intervals unless the interval is 1 second.

Thanks again Laz, I look forward to your response