OECG – Chapter 16

Class-based policing observes the bit rate of packets that match a specific class. When the class exceeds the metered rate, the policer will take an action such as discarding or re-marking the packet with a different IPP or DSCP value. IOS command options for the policer follow.

  • drop – will discard the packet
  • set-dscp-transmit – sets the DSCP value and forwards
  • set-prec-transmit – sets the IPP and forwards
  • set-qos-transmit – sets the QoS Group ID (a value between 1 and 99) and forwards
  • set-clp-transmit – sets the CLP bit and forwards the cell (ATM only)
  • set-fr-de – sets the frame-relay discard-eligible bit and forwards the frame (frame only)
  • transmit – simply forwards the packet

Class-based policing classifies packets into either two or three categories, depending on how the policing is configured. The possible categories are conforming, exceeding and violating. Token buckets are used, as with shaping. With policing, a token equals one byte rather than one bit, and the token bucket is not filled on a static time interval. Rather, the bucket is filled with tokens based on how much time has elapsed since the last packet arrived. If you were policing to a rate of 256Kbps, the bucket is replenished at a rate of 32,000 tokens per second. If 0.1 seconds elapsed between the last packet and the current one, 3,200 tokens would be put into the bucket.

  • Single-rate, Two-Color Policing (with One Bucket)
    • 1 rate, with no excess burst
    • 2 categories, either conform (usually transmit) or exceed (usually mark down or drop)
    • Conforming packets cause a corresponding drain in the token bucket.
    • Exceeding packets cause no drain in the bucket.
  • Single-rate, Three-Color Policing (with Two Buckets)
    • 1 rate, with an excess burst
    • 3 categories, conform, exceed and violate.
    • Conforming packets cause a corresponding drain in the token bucket.
    • Excess/leftover tokens can spill over into an excess bucket.
    • Exceeding packets cause a corresponding drain in the excess token bucket.
    • Violating packets (not enough tokens available) don’t drain any tokens.
  • Two-rate, Three-Color Policing (with two buckets)
    • This is the same as single-rate, three-color policing, except that you can sustain a burst, as the peak rate bucket is refilled of its own accord, and does not rely on spillage from the main token bucket.
    • Conforming packets cause a drain in both the main token bucket and peak token bucket.
    • Exceeding packets cause a drain in the peak token bucket.
    • Violating packets don’t drain any tokens.
  • Inside of a policy-map, the “police <bps> <burst-normal> <burst-max> conform-action <action> exceed-action <action> [violate-action <action>]” command enables policing for a particular class of traffic. You can police different classes of traffic different ways, by using unique police statements per class.
    • Single rate, two color, there will be no “violate-action”.
    • Single rate, three color, there will be a “violate-action”.
    • Dual rate, three color is a slightly different police command.
      • police {cir <cir>} [bc <conform-burst>] {pir <pir>} [be <peak-burst>] [conform-action <action> [exceed-action <action> [violate-action <action>]]]
    • You can also go into a police sub-paragraph interface if you wish to assign multiple actions for certain packet categories.
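
The single-rate bucket logic above, as an added example (not IOS code and not from the original post). The class and function names, the millisecond clock, buckets that start full, and the sample packets are assumptions made for illustration; setting be to 0 gives the two-color, one-bucket case.

```python
class SingleRatePolicer:
    """Single-rate policer; one token = one byte. be=0 gives two-color."""

    def __init__(self, rate_bps, bc, be=0):
        self.rate_bps = rate_bps   # policed rate, bits per second
        self.bc = bc               # main bucket size, bytes
        self.be = be               # excess bucket size, bytes (0 = none)
        self.tc = bc               # assumption: both buckets start full
        self.te = be
        self.last_ms = 0           # arrival time of the previous packet

    def refill(self, now_ms):
        """Credit tokens for the time elapsed since the last packet."""
        # Integer math: fractional tokens are truncated in this sketch.
        new = (now_ms - self.last_ms) * self.rate_bps // 8000
        self.last_ms = now_ms
        spill = max(0, self.tc + new - self.bc)   # overflow of main bucket
        self.tc = min(self.bc, self.tc + new)
        self.te = min(self.be, self.te + spill)   # leftovers go to excess
        return new

    def police(self, now_ms, size):
        """Classify one packet of `size` bytes arriving at `now_ms`."""
        self.refill(now_ms)
        if self.tc >= size:
            self.tc -= size        # conform drains the main bucket
            return "conform"
        if self.te >= size:
            self.te -= size        # exceed drains the excess bucket
            return "exceed"
        # Not enough tokens anywhere: nothing is drained.
        return "violate" if self.be else "exceed"


def classify(policer, packets):
    """Run (arrival_ms, size_bytes) pairs through the policer in order."""
    return [policer.police(t, size) for t, size in packets]


# Constructed sample: three back-to-back packets, then one 0.1 s later.
SAMPLE = [(0, 1000), (0, 1000), (0, 1000), (100, 1000)]

if __name__ == "__main__":
    print(classify(SingleRatePolicer(256000, bc=1500, be=1500), SAMPLE))
```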

Committed access rate is a single-rate, two color policer. It is not the same as, or a type of, class-based policing. CAR differs from CB policing in these ways:

  • CAR uses a rate-limit command.
  • CAR allows for cascading/nested rate-limit statements. In this scenario, multiple rate-limit statements may apply to the same packet.
  • CAR only supports categories of conform and exceed. There is no concept of violate.
  • CAR supports burst, but uses logic different from CB policing to determine whether a packet is a “conform” or an “exceed”.
  • The “rate-limit {input|output} [access-group [rate-limit] <acl-index>] <bps> <burst-normal> <burst-max> conform-action <action> exceed-action <action>” command implements CAR.
  • CAR supports the use of a rate-limit ACL, in addition to the normal IP ACL. A rate-limit ACL supports matching against IPP, MAC address and MPLS EXP bits.