Traffic Policing
Traffic policing drops excess traffic to control traffic flow within specified rate limits. Traffic policing does not introduce any delay to traffic that conforms to traffic policies. Traffic policing can cause more TCP retransmissions, because traffic in excess of specified limits is dropped.
Single Token Bucket/Single Rate
Note
Traffic policing is configured in a traffic policy in the policy-map class configuration mode.
The command syntax for the police command is:
Router(config-pmap-c)# police bps [burst-normal] [burst-max] conform-action action exceed-action action [violate-action action]
The following explains the syntax:
bps | Average rate in bits per second. Valid values are 8000 to 200000000. |
burst-normal | Normal burst size in bytes. Valid values are 1000 to 51200000. The default normal burst size is 1500 bytes. |
burst-max | Excess burst size in bytes. Valid values are 1000 to 51200000. |
conform-action action | Action to take on packets that conform to the rate limit. |
exceed-action action | Action to take on packets that exceed the rate limit. |
violate-action action | Action to take on packets that violate the normal and maximum burst sizes. |
Note
The police command lets you specify the action to be taken on a packet through the action keyword. The resulting actions for the keyword choices are as follows:
action Keyword | Resulting Action |
drop | Drops the packet. |
set-prec-transmit new-prec | Sets the IP precedence and sends the packet. |
set-qos-transmit new-qos | Sets the QoS group and sends the packet. |
set-dscp-transmit new-dscp | Sets the differentiated services code point (DSCP) value and sends the packet. |
transmit | Sends the packet. |
Note
A single-token bucket system is used when the violate-action option is not specified, and a two-token bucket system is used when the violate-action option is specified.
Router(config)# class-map BWHUNGRY-1 | Creates class map BWHUNGRY-1. |
Router(config-cmap)# match access-group 99 | Chooses traffic using access list 99. |
Router(config-cmap)# exit | Exits class map mode. |
Router(config)# policy-map NOUDONT-1 | Creates a policy named NOUDONT-1. |
Router(config-pmap)# class BWHUNGRY-1 | Chooses a class to apply policy. |
Router(config-pmap-c)# police 10000 5000 10000 conform-action transmit exceed-action set-qos-transmit 4 | Sets the average data rate at 10 kbps for forwarding with a normal burst of 5 kbps and maximum burst of 10 kbps. The conform action is transmit, and the exceed action sets the QoS group value to 4 and then transmits. |
Router(config-pmap-c)# exit | Returns to config-pmap mode. |
Router(config-pmap)# exit | Returns to global configuration mode. |
Router(config)# interface fastethernet 0/0 | Enters interface mode where the policy will be applied. |
Router(config-if)# service-policy input NOUDONT-1 | Applies policy NOUDONT-1. |
Router(config-if)# end | Returns to privileged mode. |
Router# show policy-map | Displays all configured policy maps on the device. |
Router# show policy-map NOUDONT-1 | Displays the policy map NOUDONT-1. |
Router# show policy-map interface fastethernet 0/0 | Displays the configurations and statistics of policy maps applied at fastethernet 0/0. |
Two Token Bucket/Two Rate
The two-rate policer polices both the committed information rate (CIR) and the peak information rate (PIR) using two token buckets. In this case, the command syntax is:
Router(config-pmap-c)# police cir cir [bc conform-burst] pir pir [be peak-burst] [conform-action action [exceed-action action [violate-action action]]]
The following explains the syntax:
cir cir | CIR value in bits per second (8000 to 200,000,000). |
bc conform-burst | Conform burst (bc) size used by the first token bucket for policing. |
pir pir | Peak information rate (PIR) at which the second token bucket is updated. |
be peak-burst | Peak burst (be) size in bytes. |
conform-action action | Action to take on packets that conform to the CIR and PIR. |
exceed-action action | Action to take on packets that conform to the PIR but not the CIR. |
violate-action action | Action to take on packets that exceed the PIR. |
Note
Traffic policing is configured in a traffic policy in the policy-map class configuration mode.
A single-token bucket system is used when the violate-action option is not specified, and a two-token bucket system is used when the violate-action option is specified.
Router(config)# class-map BWHUNGRY-2 | Creates class map BWHUNGRY-2. |
Router(config-cmap)# match access-group 101 | Chooses traffic using access list 101. |
Router(config-cmap)# exit | Exits class map mode. |
Router(config)# policy-map NOUDONT-2 | Creates a policy named NOUDONT-2. |
Router(config-pmap)# class BWHUNGRY-2 | Chooses a class to apply policy. |
Router(config-pmap-c)# police cir 200000 bc 10000 pir 700000 be 10000 conform-action transmit exceed-action set-prec-transmit 2 violate-action drop | Sets the CIR data rate at 200 kbps for forwarding with policing, with a burst overage of 10 kbps. The PIR data rate is set to 700 kbps with a peak burst of 10 kbps. Nonconformance of either CIR or PIR resets the precedence value to 2, and violation of either bc or be forces a packet drop. |
Router(config-pmap-c)# exit | Returns to config-pmap mode. |
Router(config-pmap)# exit | Returns to global configuration mode. |
Router(config)# interface fastethernet 0/0 | Enters interface mode where the policy will be applied. |
Router(config-if)# service-policy input NOUDONT-2 | Applies policy NOUDONT-2. |
Router(config-if)# end | Returns to privileged mode. |
Router# show policy-map | Displays all configured policy maps on the device. |
Router# show policy-map NOUDONT-2 | Displays the policy map NOUDONT-2. |
Router# show policy-map interface fastethernet 0/0 | Displays the configurations and statistics of policy maps applied at fastethernet 0/0. |
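The classification that the two-rate policer performs with the NOUDONT-2 parameters, as an added sketch that is not Cisco code or output from a device. It assumes the color-blind two-rate algorithm of RFC 2698 with bc and be taken in bytes; the TwoRatePolicer class, the simulate helper and the constant-rate 1000-byte traffic are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class TwoRatePolicer:
    """Color-blind two-rate policer (RFC 2698); burst sizes are in bytes."""
    cir_bps: int   # committed information rate, bits per second
    bc_bytes: int  # conform burst: depth of the first (committed) bucket
    pir_bps: int   # peak information rate, bits per second
    be_bytes: int  # peak burst: depth of the second (peak) bucket

    def __post_init__(self):
        self.tc = float(self.bc_bytes)  # both buckets start full
        self.tp = float(self.be_bytes)
        self.last = 0.0

    def police(self, now: float, size: int) -> str:
        """Classify one packet of `size` bytes arriving at time `now` (seconds)."""
        elapsed, self.last = now - self.last, now
        # Refill each bucket at its own rate, capped at its burst size.
        self.tc = min(self.bc_bytes, self.tc + elapsed * self.cir_bps / 8)
        self.tp = min(self.be_bytes, self.tp + elapsed * self.pir_bps / 8)
        if size > self.tp:
            return "violate"   # exceeds the PIR; no tokens are consumed
        self.tp -= size
        if size > self.tc:
            return "exceed"    # within the PIR but not the CIR
        self.tc -= size
        return "conform"       # within both the CIR and the PIR


def simulate(offered_bps: int, seconds: int = 10, size: int = 1000) -> Counter:
    """Feed constructed constant-rate traffic through the NOUDONT-2 policer."""
    policer = TwoRatePolicer(cir_bps=200_000, bc_bytes=10_000,
                             pir_bps=700_000, be_bytes=10_000)
    interval = size * 8 / offered_bps          # seconds between packets
    count = int(offered_bps * seconds / (size * 8))
    return Counter(policer.police(i * interval, size) for i in range(count))


if __name__ == "__main__":
    # NOUDONT-2 actions: conform=transmit, exceed=set-prec-transmit 2, violate=drop
    for rate in (100_000, 400_000, 2_000_000):
        print(f"{rate:>9} bps offered -> {dict(simulate(rate))}")
```

Traffic offered below the CIR is all classified conform, traffic between the CIR and the PIR splits into conform and exceed, and only traffic above the PIR is classified violate, which NOUDONT-2 drops.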