QoS Policing Configuration Example

in this lesson you will learn how to configure the different types of policing on Cisco IOS routers:

  • Single rate, two-color
  • Single rate, three-color
  • Dual rate, three-color

If you have no idea what the difference is between the different policing types then you should start with my QoS Traffic Policing Explained lesson. Having said that, let’s configure some routers. I’ll use the following topology for this:

R1 R2

We don’t need anything fancy to demonstrate policing. I will use two routers for this, R1 will generate some ICMP traffic and R2 will do the policing.

Let’s start with the first policer…

Single Rate Two-Color Policing

Configuration is done using the MQC (Modular QoS Command-Line Interface). First we need to create a class-map to “classify” our traffic:

R2(config)#class-map ICMP
R2(config-cmap)#match protocol icmp

To keep it simple, I will use NBAR to match on ICMP traffic. Now we can create a policy-map:

R2(config)#policy-map SINGLE-RATE-TWO-COLOR
R2(config-pmap)#class ICMP
R2(config-pmap-c)#police 128000                                           
R2(config-pmap-c-police)#conform-action transmit 
R2(config-pmap-c-police)#exceed-action drop

The policy-map is called “SINGLE-RATE-TWO-COLOR” and we configure policing for 128000 bps (128 Kbps) under the class-map. When the traffic rate is below 128 Kbps the conform-action is to transmit the packet, when it exceeds 128 Kbps we will drop the packet.

Above I first configured the police CIR rate and then I configured the “actions” in the “policer configuration”. You can also configure everything on one single line, then it will look like this:

R2(config-pmap-c)#police 128000 conform-action transmit exceed-action drop

Both options achieve the same so it doesn’t matter which one you use. For readability reasons I selected the first option.

Let’s activate the policer on the interface and we’ll see if it works:

R2(config)#interface FastEthernet 0/0
R2(config-if)#service-policy input SINGLE-RATE-TWO-COLOR

You need to use the service-policy command to activate the policer on the interface.

Time to generate some traffic on R1:

R1#ping repeat 999999           
Type escape sequence to abort.
Sending 999999, 100-byte ICMP Echos to, timeout is 2 seconds:

You can already see some of the packets don’t make it to their destination. Let’s see what R2 thinks about all these pings:

R2#show policy-map interface FastEthernet 0/0

  Service-policy input: SINGLE-RATE-TWO-COLOR

    Class-map: ICMP (match-all)
      1603 packets, 314382 bytes
      5 minute offered rate 18000 bps, drop rate 0 bps
      Match: protocol icmp
          cir 128000 bps, bc 4000 bytes
        conformed 1499 packets, 199686 bytes; actions:
        exceeded 104 packets, 114696 bytes; actions:
        conformed 10000 bps, exceed 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 

Above you can see that the policer is doing it’s job. The configured CIR rate is 128000 bps (128 Kbps) and the bc is set to 4000 bytes. If you don’t configure the bc yourself then Cisco IOS will automatically select a value based on the CIR rate. You can see that most of the packets were transmitted (conformed) while some of them got dropped (exceeded).

If you understand the theory about policing then the configuration and verification isn’t too bad right? Let’s move on to the next policer…

Single Rate Three-Color Policing

If you understood the previous configuration then this one will be easy. I’ll use the same class-map:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 660 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

503 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!


Forum Replies

  1. Hi Davis,

    It depends what you want to achieve.

    For example, the ISP will probably use policing since they don’t want to waste resources to buffer customer packets exceeding traffic.

    The customer however probably doesn’t want packet drops so they will configure shaping to match the rate that the ISP polices at.

    Also keep in mind that shaping adds delay so it’s not a good idea to use this for realtime traffic like VoIP.


  2. Hi Muhammad,

    Policing is typically implemented by ISPs to limit the traffic of their customers so it will depend on the traffic contract that they sell you.

    The single rate two color policer might be a bit unfair since it doesn’t allow bursting. With a CIR of 128kbps then you’ll only be able to reach 128kbps if you keep sending traffic non-stop.

    The single rate three color policer allows bursting. Since data traffic is “bursty” by nature, this is probably a bit more fair to use. When your connection is idle, you can accumulate up to the Be and spend your Bc+Be

    ... Continue reading in our forum

  3. Hi Rene

    I have 2 question pelase :

    1-Please which of the above three catagory is the common use ? as per my idea ( Single Rate, Three-color ) is the common type right ?, so how to change to other catagories in the router ?

    2-in this catagory(Dual-Rate, Three-Color ), when the first packet come it check the 1st bucket (BC) , for second packet it will check the (be) directly or it check again the BC if full then it will check BE ?


  4. Hi Rawa,

    I answered the first question a bit above this post.

    Here’s a configuration example for all types btw:

    Policing Configuration Example

    The dual-rate three-color policer will always check both buckets. It will try to take tokens from both buckets, if possible then the traffic is conforming. If the BC bucket is empty but the PIR bucket still has tokens then the traffic is exceeding. Keep in mind the PIR bucket is larger than the BC bucket.


  5. Hello,

    Just a small comment.
    The formulas:
    Packet arrival time - Previous packet arrival time * Police Rate / 8
    should be replaced with:
    (Packet arrival time - Previous packet arrival time) * Police Rate / 8

    Thank you,

41 more replies! Ask a question or join the discussion by visiting our Community Forum