QoS Policing Configuration Example

in this lesson you will learn how to configure the different types of policing on Cisco IOS routers:

  • Single rate, two-color
  • Single rate, three-color
  • Dual rate, three-color

If you have no idea what the difference is between the different policing types then you should start with my QoS Traffic Policing Explained lesson. Having said that, let’s configure some routers. I’ll use the following topology for this:

R1 R2

We don’t need anything fancy to demonstrate policing. I will use two routers for this, R1 will generate some ICMP traffic and R2 will do the policing.

Let’s start with the first policer…

Single Rate Two-Color Policing

Configuration is done using the MQC (Modular QoS Command-Line Interface). First we need to create a class-map to “classify” our traffic:

R2(config)#class-map ICMP
R2(config-cmap)#match protocol icmp

To keep it simple, I will use NBAR to match on ICMP traffic. Now we can create a policy-map:

R2(config)#policy-map SINGLE-RATE-TWO-COLOR
R2(config-pmap)#class ICMP
R2(config-pmap-c)#police 128000                                           
R2(config-pmap-c-police)#conform-action transmit 
R2(config-pmap-c-police)#exceed-action drop

The policy-map is called “SINGLE-RATE-TWO-COLOR” and we configure policing for 128000 bps (128 Kbps) under the class-map. When the traffic rate is below 128 Kbps the conform-action is to transmit the packet, when it exceeds 128 Kbps we will drop the packet.

Above I first configured the police CIR rate and then I configured the “actions” in the “policer configuration”. You can also configure everything on one single line, then it will look like this:

R2(config-pmap-c)#police 128000 conform-action transmit exceed-action drop

Both options achieve the same so it doesn’t matter which one you use. For readability reasons I selected the first option.

Let’s activate the policer on the interface and we’ll see if it works:

R2(config)#interface FastEthernet 0/0
R2(config-if)#service-policy input SINGLE-RATE-TWO-COLOR

You need to use the service-policy command to activate the policer on the interface.

Time to generate some traffic on R1:

R1#ping 192.168.12.2 repeat 999999           
Type escape sequence to abort.
Sending 999999, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!

You can already see some of the packets don’t make it to their destination. Let’s see what R2 thinks about all these pings:

R2#show policy-map interface FastEthernet 0/0
 FastEthernet0/0 

  Service-policy input: SINGLE-RATE-TWO-COLOR

    Class-map: ICMP (match-all)
      1603 packets, 314382 bytes
      5 minute offered rate 18000 bps, drop rate 0 bps
      Match: protocol icmp
      police:
          cir 128000 bps, bc 4000 bytes
        conformed 1499 packets, 199686 bytes; actions:
          transmit 
        exceeded 104 packets, 114696 bytes; actions:
          drop 
        conformed 10000 bps, exceed 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 

Above you can see that the policer is doing it’s job. The configured CIR rate is 128000 bps (128 Kbps) and the bc is set to 4000 bytes. If you don’t configure the bc yourself then Cisco IOS will automatically select a value based on the CIR rate. You can see that most of the packets were transmitted (conformed) while some of them got dropped (exceeded).

If you understand the theory about policing then the configuration and verification isn’t too bad right? Let’s move on to the next policer…

Single Rate Three-Color Policing

If you understood the previous configuration then this one will be easy. I’ll use the same class-map:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 657 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

528 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags:


Forum Replies

  1. Hello Davis.

    Keep in mind that the QoS policing that Rene has implemented in this lesson functions at Layer 3. You can see this by the fact that the configuration applied matches layer 3 protocols (such as ICMP). So this means that this policy map can be applied to a Router interface, or to a Routed interface on a switch, or an SVI on a switch. Access and trunk ports are layer 2 so this implementation cannot be applied.

    However, as Cisco documentation states, “To police bridged (Layer 2 [L2]) traffic as well, you need to enable bridged microflow policing.”

    ... Continue reading in our forum

  2. Abhishek,

    1. The answer this depends on whether we are talking about two color or three color. If you are talking two color with 128K or less being within policy, and the provider is allowing excess traffic but remarking it as DSCP 0, then yes, you have the ability to transmit up to whatever your physical link bandwidth would be. Of course, who knows what would happen to exceeding traffic later within the provider’s network–it might get dropped later if there is congestion elsewhere. This leads in to your question #2

    2. The purpose of remarking exceeding tra

    ... Continue reading in our forum

  3. Hello Hussein

    The police CIR is set to 128000, the BC is set to 4000 and the BE is set to 4000.

    So, any packets that are within the 128000 CIR limit plus the 4000 BC limit are conforming. These will be transmitted and their DSCP values will be unchanged.

    Any packets arriving above the 128000 + 4000 limit and within

    ... Continue reading in our forum

  4. Hello Chris

    This is a good point you bring up. The lesson is referring to commands that are used in Cisco IOS devices such as routers. The links that I provided were of a command reference document for QoS commands of IOS systems. The document that you shared is of the ASR 9000 running the IOS XR version 4.0.0. This provides a slightly different set of commands and syntax for QoS. In the IOS XR 4.0.0 the command police rate is used to police data plane traffic. This is also the reason why the syntax ofpolice rate 10 mbps did not work in the IOS version th

    ... Continue reading in our forum

  5. Good Day ALL,
    How can an access-list be attached to a policing policy ? An example of my configuration is listed below. Not sure if I would get the desired results. If I have a 200meg link , but only want to use a maximum of 50mbps for wireless users from a specific network. Would I use the 50mbps for the cir or the 200mbps for the cir ? Any guidance is greatly appreciated.

    ip access-list extended 100
    permit ip 192.168.1.0 0.0.0.255 any
    
    class-map TEST
    match access-group 100
    
    policy-map TEST2
    class TEST
    police 50 or 200 for cir ? conform-action transmit  excee
    ... Continue reading in our forum

43 more replies! Ask a question or join the discussion by visiting our Community Forum