Rate-Limited Connection to Headquarters

As long as the traffic flow does not exceed 64,000 bytes per second, the police policy will
transmit the data. The conform-rate syntax sets the maximum rate of traffic in bits per
second. The traffic that never exceeds the rate limit can be either transmitted or dropped.
This is assigned by the conform-action attribute within the police command. If the traffic
flow exceeds the rate limit, that traffic would normally be dropped. The problem with this is
that IP traffic is inherently bursty, and dropping the bursty traffic might not be the correct
action. It is common for a traffic flow to burst beyond its average sustained rate for a very
short time. To allow for bursty traffic, you can configure the police command with a burst
size set in the conform-burst syntax. This burst size specifies the maximum number of
bytes by which traffic can exceed the set rate limit at any one instant. Traffic might still exceed the
burst size, and the security administrator must determine what action should apply to the
excess traffic. The exceed-action attribute within the police command allows the
excess traffic either to continue to be transmitted or to be dropped.
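The interaction of conform-rate, conform-burst, conform-action and exceed-action described above can be modeled as a single-rate token bucket. The following Python model is an added example, not code from the original text or from the Security Appliance; the token-bucket behavior is an assumption, and the class and function names, the 80,000 bps rate, the two burst sizes and the packet timeline are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Policer:
    """Single-rate token-bucket model of a police policy (an assumed model)."""
    conform_rate_bps: int             # conform-rate, in bits per second
    conform_burst_bytes: int          # conform-burst, in bytes
    conform_action: str = "transmit"  # conform-action: transmit or drop
    exceed_action: str = "drop"       # exceed-action: transmit or drop

    def __post_init__(self):
        for action in (self.conform_action, self.exceed_action):
            if action not in ("transmit", "drop"):
                raise ValueError(f"unknown action: {action}")
        self.tokens = float(self.conform_burst_bytes)  # bucket starts full
        self.last_time = 0.0

    def offer(self, time_s, size_bytes):
        """Return the action applied to one packet arriving at time_s."""
        elapsed = max(0.0, time_s - self.last_time)
        self.last_time = max(self.last_time, time_s)
        # Refill at conform-rate (converted to bytes), capped at the burst size.
        refill = elapsed * self.conform_rate_bps / 8
        self.tokens = min(self.conform_burst_bytes, self.tokens + refill)
        if size_bytes <= self.tokens:   # packet conforms
            self.tokens -= size_bytes
            return self.conform_action
        return self.exceed_action       # packet exceeds rate plus burst


def run(policer, packets):
    """Return (transmitted_bytes, dropped_bytes) for (time_s, size) packets."""
    sent = dropped = 0
    for time_s, size in packets:
        if policer.offer(time_s, size) == "transmit":
            sent += size
        else:
            dropped += size
    return sent, dropped


# Constructed traffic: ten 1,000-byte packets arriving together at t=0,
# then one 1,000-byte packet every 0.5 s (2,000 bytes/s, under the rate).
BURST = [(0.0, 1000)] * 10
STEADY = [(1.0 + 0.5 * i, 1000) for i in range(4)]

if __name__ == "__main__":
    for burst in (2000, 12000):
        print(burst, run(Policer(80000, burst), BURST + STEADY))
```

With the 2,000-byte burst the model drops eight of the ten bunched packets even though the average load stays below the rate, while the 12,000-byte burst passes them all.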
Priority Policy Overview
With video and audio streaming, as well as voice over IP (VoIP) services becoming more
mainstream, the need for high-quality bandwidth connections is critical due to jitter and
latency restrictions. Many national and international companies rely on VoIP traffic that runs
over the Internet to communicate between offices. VPNs over the Internet between
offices are becoming more prevalent, requiring QoS features. The Security Appliance can use
low-latency queuing (LLQ) to prioritize egress packet transmission, enabling a form of QoS
for the prioritized packets. This can be done within a policy map using the priority
command. The priority command assigns the class map to the low-latency queue, while all
egress traffic not assigned the priority command will be sent into the default, best-effort

NOTE When deciding the burst size for a police policy, you should use the following formula:
(conform-rate/8) * 1.5
For example, if you use a conform rate of 80 kbps, use the formula to get the following as
your burst size:
(80/8) * 1.5 = 15 kbps