To configure traffic policing, use the
police command in policy-map class configuration mode or policy-map class police configuration mode. To remove traffic policing
from the configuration, use the
no form of this command.
police bps [burst-normal] [burst-max] conform-action action exceed-action action [violate-action action]
no police bps [burst-normal] [burst-max] conform-action action exceed-action action [violate-action action]
Syntax Description
bps
|
Average rate, in bits per second. Valid values are 8000 to 128000000000 (128 Gb/s).
|
burst-normal
|
(Optional) Normal burst size in bytes. Valid values are 1000 to 2000000000 (2 Gb). Default normal burst size is 1500.
|
burst-max
|
(Optional) Maximum burst size, in bytes. Valid values are 1000 to 2000000000 (2 Gb). Default varies by platform.
|
conform-action
|
Specifies the action to take on packets that conform to the rate limit.
|
exceed-action
|
Specifies the action to take on packets that exceed the rate limit.
|
violate-action
|
(Optional) Specifies the action to take on packets that violate the normal and maximum burst sizes.
|
action
|
Action to take on packets. Specify one of the following keywords:
-
drop
—Drops the packet.
-
set-clp-transmit
value—Sets the ATM Cell Loss Priority (CLP) bit from 0 to 1 on the ATM cell and transmits the packet with the ATM CLP bit set to
1.
-
set-cos-inner-transmit
value—Sets the inner class of service field as a policing action for a bridged frame on the Enhanced FlexWAN module when using
bridging features on SPAs with the Cisco 7600 SIP-200 and Cisco 7600 SIP-400 on the Cisco 7600 series router.
-
set-cos-transmit
value—Sets the class of service (CoS) packet value and sends it.
-
set-discard-class-transmit
—Sets the discard class attribute of a packet and transmits the packet with the new discard class setting.
-
set-dscp-transmit
value—Sets the IP differentiated services code point (DSCP) value and transmits the packet with the new IP DSCP value.
-
set-dscp-tunnel-transmit
value—Sets the DSCP value (0 to 63) in the tunnel header of a Layer 2 Tunnel Protocol Version 3 (L2TPv3) or Generic Routing Encapsulation
(GRE) tunneled packet for tunnel marking and transmits the packet with the new value.
-
set-frde-transmit
value—Sets the Frame Relay Discard Eligibility (DE) bit from 0 to 1 on the Frame Relay frame and transmits the packet with the
DE bit set to 1.
-
set-mpls-experimental-imposition-transmit
value —Sets the Multiprotocol Label Switching (MPLS) experimental (EXP) bits (0 to 7) in the imposed label headers and transmits
the packet with the new MPLS EXP bit value.
-
set-mpls-experimental-topmost
value —Rewrites the experimental value.
-
set-mpls-experimental-topmost-transmit
value—Sets the MPLS EXP field value in the topmost MPLS label header at the input and/or output interfaces.
-
set-prec-transmit
value—Sets the IP precedence and transmits the packet with the new IP precedence value.
-
set-prec-tunnel-transmit
value—Sets the precedence value (0 to 7) in the tunnel header of an L2TPv3 or GRE tunneled packet for tunnel marking and transmits
the packet with the new value.
-
set-qos-transmit
value—Sets the QoS group value and transmits the packet with the new QoS group value.
-
transmit
—Transmits the packet. The packet is not altered.
|
Command Default
Traffic policing is not configured.
Command Modes
Policy-map class configuration (config-pmap-c) when specifying a single action to be applied to a marked packet
Policy-map class police configuration (config-pmap-c-police) when specifying multiple actions to be applied to a marked packet
Command History
Release
|
Modification
|
12.0(5)XE
|
This command was introduced.
|
12.1(1)E
|
This command was integrated into Cisco IOS Release 12.1(1)E.
|
12.1(5)T
|
This command was integrated into Cisco IOS Release 12.1(5)T. The
violate-action keyword was added.
|
12.2(2)T
|
This command was modified.
Note
|
However, the
set-frde-transmit keyword is not supported for AToM traffic in this release. Also, the
set-frde-transmit keyword is supported only when Frame Relay is implemented on a physical interface without encapsulation.
|
|
12.2(8)T
|
This command was modified for the Policer Enhancement—Multiple Actions feature. This command can now accommodate multiple
actions for packets marked as conforming to, exceeding, or violating a specific rate.
|
12.2(13)T
|
This command was modified. In the
action argument, the
set-mpls-experimental-transmit keyword was renamed to
set-mpls-experimental-imposition-transmit .
|
12.2(28)SB
|
This command was modified. The
set-dscp-tunnel-transmit and
set-prec-tunnel-transmit keywords for the
action argument were added. These keywords are intended for marking Layer 2 Tunnel Protocol Version 3 (L2TPv3) tunneled packets.
|
12.2(33)SRA
|
This command was modified. The
set-cos-inner-transmit keyword for the action argument was added when using multipoint bridging (MPB) features on the Enhanced FlexWAN module and
when using MPB on SPAs with the Cisco 7600 SIP-200 and Cisco 7600 SIP-400 on the Cisco 7600 series router.
|
12.2(31)SB2
|
This command was modified. Support for the
set-frde-transmit
action argument was added on the Cisco 10000 series router.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends
on your feature set, platform, and platform hardware.
|
12.2(33)SRC
|
This command was modified. Support for the Cisco 7600 series router was added.
|
12.4(15)T2
|
This command was modified to include support for marking Generic Routing Encapsulation (GRE) tunneled packets.
Note
|
For this release, marking GRE-tunneled packets is supported only on platforms equipped with a Cisco MGX Route Processor Module
(RPM-XF).
|
|
12.2(33)SB
|
This command was modified to include support for marking GRE-tunneled packets, and support for the Cisco 7300 series router
was added.
|
15.1(1)T
|
This command was modified to include support for policing on SVI interfaces for Cisco ISR 1800, 2800, and 3800 series routers.
|
12.2(50)SY
|
This command was modified. Support for the
set-mpls-experimental-topmost
value argument was added.
|
15.0(1)SY
|
This command was modified. The maximum value for the
bps ,
burst-normal , and
burst-max arguments was increased.
|
Cisco IOS XE Release 3.5S
|
This command was modified. Support was added for the Cisco ASR 903 Router.
|
Usage Guidelines
Use the
police command to mark a packet with different quality of service (QoS) values based on conformance to the service-level agreement.
In Cisco IOS release 12.2(50)SY, when you apply the
set-mpls-experimental-topmost
value in the egress direction the
set-mpls-experimental-imposition value is blocked.
Note
|
In Cisco IOS Release 15.0(1)SY and above, if you configure a policy map without specifying the burst size, then the default
burst size can reach 2 Gb/s.
|
If you configure a high rate or high burst size and then change to a Cisco IOS software release that does not support your
settings, the configuration is rejected on boot up and the
police command is removed from the policy map.
Specifying Multiple Actions
The
police command allows you to specify multiple policing actions. When specifying multiple policing actions when configuring the
police command, note the following points:
Using the police Command with the Traffic Policing Feature
The
police command can be used with the Traffic Policing feature. The Traffic Policing feature works with a token bucket algorithm.
Two types of token bucket algorithms are in Cisco IOS Release 12.1(5)T: a single-token bucket algorithm and a two-token bucket
algorithm. A single-token bucket system is used when the
violate-action option is not specified, and a two-token bucket system is used when the
violate-action option is specified.
The token bucket algorithm for the
police command that was introduced in Cisco IOS Release 12.0(5)XE is different from the token bucket algorithm for the
police command that was introduced in Cisco IOS Release 12.1(5)T. For information on the token bucket algorithm introduced in Release
12.0(5)XE, see the
Traffic Policing document for Release 12.0(5)XE. This document is available on the New Features for 12.0(5)XE documentation index (under Modular
QoS CLI-related feature modules) at www.cisco.com.
The following are explanations of how the token bucket algorithms introduced in Cisco IOS Release 12.1(5)T work.
Token Bucket Algorithm with Single-Token Bucket
The single-token bucket algorithm is used when the
violate-action option is not specified in the
police command CLI.
The conform bucket is initially set to the full size (the full size is the number of bytes specified as the normal burst
size).
When a packet of a given size (for example, “B” bytes) arrives at specific time (time “T”), the following actions occur:
(time between packets (which is equal to T - T1) * policer rate)/8 bytes
-
If the number of bytes in conform bucket B is greater than or equal to the packet size, the packet conforms and the conform
action is taken on the packet. If the packet conforms, B bytes are removed from the conform bucket and the conform action
is completed for the packet.
-
If the number of bytes in conform bucket B (minus the packet size to be limited) is fewer than 0, the exceed action is taken.
Token Bucket Algorithm with a Two-Token Bucket
The two-token bucket algorithm is used when the
violate-action option is specified in the
police command.
The conform bucket is initially full (the full size is the number of bytes specified as the normal burst size).
The exceed bucket is initially full (the full exceed bucket size is the number of bytes specified in the maximum burst size).
The tokens for both the conform and exceed token buckets are updated based on the token arrival rate, or committed information
rate (CIR).
When a packet of given size (for example, “B” bytes) arrives at specific time (time “T”) the following actions occur:
-
Tokens are updated in the conform bucket. If the previous arrival of the packet was at T1 and the current arrival of the
packet is at T, the bucket is updated with T -T1 worth of bits based on the token arrival rate. The refill tokens are placed
in the conform bucket. If the tokens overflow the conform bucket, the overflow tokens are placed in the exceed bucket.
The token arrival rate is calculated as follows:
(time between packets (which is equal to T-T1) * policer rate)/8 bytes
-
If the number of bytes in conform bucket B is greater than or equal to the packet size, the packet conforms and the conform
action is taken on the packet. If the packet conforms, B bytes are removed from the conform bucket and the conform action
is taken. The exceed bucket is unaffected in this scenario.
-
If the number of bytes in conform bucket B is less than the packet size, the excess token bucket is checked for bytes by
the packet. If the number of bytes in exceed bucket B is greater than or equal to 0, the exceed action is taken and B bytes
are removed from the exceed token bucket. No bytes are removed from the conform bucket.
-
If the number of bytes in exceed bucket B is less than the packet size, the packet violates the rate and the violate action
is taken. The action is complete for the packet.
Using the set-cos-inner-transmit Action for SIPs and SPAs on the Cisco 7600 Series Router
The
set-cos-inner-transmit keyword action was introduced in Cisco IOS Release 12.2(33)SRA to support marking of the inner CoS value as a policing action
when using MPB features on the Enhanced FlexWAN module and when using MPB features on SPAs with the Cisco 7600 SIP-200 and
Cisco 7600 SIP-400 on the Cisco 7600 series router.
This command is not supported on the Cisco 7600 SIP-600.
For more information about QoS and the forms of
police commands supported by the SIPs on the Cisco 7600 series router, see the
Cisco 7600 Series SIP, SSC, and SPA Software Configuration Guide.
Using the police command on the Cisco ASR 903 Router
The following restrictions apply when using the
police command on the Cisco ASR 903 router:
-
Class-based policing on subinterfaces is not supported.
-
Policing is supported for ingress policy maps only.
-
Hierarchical policing (policing at both parent level and child level) is not supported.
-
The Cisco ASR 903 router supports the following action keywords only:
- drop
- set-cos-transmit
- set-discard-class-transmit
- set-dscp-transmit
- set-mpls-exp-imposition-transmit
- set-mpls-exp-topmost-transmit
- set-precp-transmit
- set-qos-transmit
- transmit
Examples
The following example shows how to define a traffic class (using the
class-map command) and associate the match criteria from the traffic class with the traffic policing configuration, which is configured
in the service policy (using the
policy-map command). The
service-policy command is then used to attach this service policy to the interface.
In this particular example, traffic policing is configured with the average rate at 8000 bits per second and the normal burst
size at 1000 bytes for all packets leaving Fast Ethernet interface 0/0:
Router(config)# class-map access-match
Router(config-cmap)# match access-group 1
Router(config-cmap)# exit
Router(config)# policy-map police-setting
Router(config-pmap)# class access-match
Router(config-pmap-c)# police 8000 1000 conform-action transmit exceed-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface fastethernet 0/0
Router(config-if)# service-policy output police-setting
In this example, the initial token buckets starts full at 1000 bytes. If a 450-byte packet arrives, the packet conforms because
enough bytes are available in the conform token bucket. The conform action (send) is taken by the packet and 450 bytes are
removed from the conform token bucket (leaving 550 bytes).
If the next packet arrives 0.25 seconds later, 250 bytes are added to the token bucket ((0.25 * 8000)/8), leaving 800 bytes
in the token bucket. If the next packet is 900 bytes, the packet exceeds and the exceed action (drop) is taken. No bytes are
taken from the token bucket.
Examples
In this example, traffic policing is configured with the average rate at 8000 bits per second, the normal burst size at 1000
bytes, and the excess burst size at 1000 bytes for all packets leaving Fast Ethernet interface 0/0.
Router(config)# class-map access-match
Router(config-cmap)# match access-group 1
Router(config-cmap)# exit
Router(config)# policy-map police-setting
Router(config-pmap)# class access-match
Router(config-pmap-c)# police 8000 1000 1000 conform-action transmit exceed-action set-qos-transmit 1 violate-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface fastethernet 0/0
Router(config-if)# service-policy output police-setting
In this example, the initial token buckets starts full at 1000 bytes. If a 450-byte packet arrives, the packet conforms because
enough bytes are available in the conform token bucket. The conform action (send) is taken by the packet, and 450 bytes are
removed from the conform token bucket (leaving 550 bytes).
If the next packet arrives 0.25 seconds later, 250 bytes are added to the conform token bucket ((0.25 * 8000)/8), leaving
800 bytes in the conform token bucket. If the next packet is 900 bytes, the packet does not conform because only 800 bytes
are available in the conform token bucket.
The exceed token bucket, which starts full at 1000 bytes (as specified by the excess burst size), is then checked for available
bytes. Because enough bytes are available in the exceed token bucket, the exceed action (set the QoS transmit value of 1)
is taken and 900 bytes are taken from the exceed bucket (leaving 100 bytes in the exceed token bucket).
If the next packet arrives 0.40 seconds later, 400 bytes are added to the token buckets ((.40 * 8000)/8). Therefore, the
conform token bucket now has 1000 bytes (the maximum number of tokens available in the conform bucket) and 200 bytes overflow
the conform token bucket (because only 200 bytes were needed to fill the conform token bucket to capacity). These overflow
bytes are placed in the exceed token bucket, giving the exceed token bucket 300 bytes.
If the arriving packet is 1000 bytes, the packet conforms because enough bytes are available in the conform token bucket.
The conform action (transmit) is taken by the packet, and 1000 bytes are removed from the conform token bucket (leaving 0
bytes).
If the next packet arrives 0.20 seconds later, 200 bytes are added to the token bucket ((.20 * 8000)/8). Therefore, the conform
bucket now has 200 bytes. If the arriving packet is 400 bytes, the packet does not conform because only 200 bytes are available
in the conform bucket. Similarly, the packet does not exceed because only 300 bytes are available in the exceed bucket. Therefore,
the packet violates and the violate action (drop) is taken.
Examples
The following example shows that if packets conform to the rate limit, the MPLS EXP field is set to 5. If packets exceed
the rate limit, the MPLS EXP field is set to 3.
Router(config)# policy-map input-IP-dscp
Router(config-pmap)# class dscp24
Router(config-pmap-c)# police 8000 1500 1000 conform-action set-mpls-experimental-imposition-transmit 5 exceed-action set-mpls-experimental-imposition-transmit 3
Router(config-pmap-c)# violate-action drop
Examples
The following example shows configuration of a QoS class that filters all traffic for virtual LAN (VLAN) 100 into a class
named “vlan-inner-100” and establishes a traffic shaping policy for the vlan-inner-100 class. The service policy limits traffic
to an average rate of 500 kb/s, with a normal burst of 1000 bytes and a maximum burst of 1500 bytes, and sets the inner CoS
value to 3. Since setting of the inner CoS value is supported only with bridging features, the configuration also shows the
service policy being applied as an output policy for an ATM SPA interface permanent virtual circuit (PVC) that bridges traffic
into VLAN 100 using the
bridge-domain command.
Router(config)# class-map match-all vlan-inner-100
Router(config-cmap)# match vlan inner 100
Router(config-cmap)# exit
Router(config)# policy-map vlan-inner-100
Router(config-pmap)# class vlan-inner-100
Router(config-pmap-c)# police 500000 1000 1500 conform-action set-cos-inner-transmit 3
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface atm3/0/0
Router(config-if)# pvc 100/100
Router(config-if-atm-vc)# bridge-domain 100 dot1q
Router(config-if-atm-vc)# service-policy output vlan-inner-100
Router(config-if-atm-vc)# end