Class-based (CB) policing meters the bit rate of the packets that match a class. When the class exceeds the configured rate, the policer takes an action such as dropping the packet or re-marking it with a different IPP or DSCP value. The IOS action keywords available to the policer follow.
- drop – will discard the packet
- set-dscp-transmit – sets the DSCP value and forwards
- set-prec-transmit – sets the IPP and forwards
- set-qos-transmit – sets the QoS Group ID (a value between 0 and 99, significant only inside the router) and forwards
- set-clp-transmit – sets the CLP bit and forwards the cell (ATM only)
- set-fr-de – sets the frame-relay discard-eligible bit and forwards the frame (frame only)
- transmit – simply forwards the packet
Class-based policing classifies each packet into one of either 2 or 3 categories, depending on how the policer is configured. The possible categories are conforming, exceeding and violating. Token buckets are used, as with shaping, but with two differences. With policing, a token equals one byte rather than one bit. And the bucket is not filled on a fixed time interval; it is replenished on packet arrival with (time since the previous packet) × (police rate) / 8 tokens, capped at the bucket size. If you were policing to a rate of 256 Kbps, the bucket is replenished at 256,000 / 8 = 32,000 tokens per second. If 0.1 seconds elapsed between the previous packet and the current one, 3,200 tokens are added to the bucket (fewer if the bucket would overflow).
- Single-rate, Two-Color Policing (with One Bucket)
- 1 rate, with no excess burst
- 2 categories, either conform (usually transmit) or exceed (usually mark down or drop)
- Conforming packets cause a corresponding drain in the token bucket.
- Exceeding packets (not enough tokens available) cause no drain in the bucket.
- Single-rate, Three-Color Policing (with Two Buckets)
- 1 rate, with an excess burst
- 3 categories, conform, exceed and violate.
- Conforming packets cause a corresponding drain in the token bucket.
- Excess/leftover tokens can spill over into an excess bucket.
- Exceeding packets cause a corresponding drain in the excess token bucket.
- Violating packets (not enough tokens in either bucket) don’t drain any tokens.
- Two-rate, Three-Color Policing (with Two Buckets)
- This is the same as single-rate, three-color policing, except that the peak-rate (Be) bucket is refilled of its own accord at the PIR and does not rely on spillage from the main (Bc) bucket. Because of this, traffic between the CIR and the PIR can be sustained indefinitely as “exceed” traffic, rather than only for as long as leftover tokens last.
- Conforming packets cause a drain in both the main token bucket and peak token bucket.
- Exceeding packets cause a drain in the peak token bucket.
- Violating packets don’t drain any tokens.
- Inside of a policy-map, the “police <bps> <burst-normal> <burst-max> conform-action <action> exceed-action <action> [violate-action <action>]” command enables policing for a particular class of traffic. You can police different classes of traffic different ways, by using unique police statements per class.
- Single rate, two color: there is no “violate-action” (and no <burst-max>).
- Single rate, three color, there will be a “violate-action”.
- Dual rate, three color is a slightly different police command.
- police {cir <cir>} [bc <conform-burst>] {pir <pir>} [be <peak-burst>] [conform-action <action> [exceed-action <action> [violate-action <action>]]]
- You can also enter the police configuration sub-mode (by issuing the police command without its actions on the same line) if you wish to assign multiple actions to a single packet category, e.g. both re-marking and forwarding.
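The token-bucket rules above and the three police command forms are easier to compare side by side. The following simulator is an added example, not code from the original notes or from Cisco: it implements the single-rate two-color, single-rate three-color and two-rate three-color policers exactly as the bullets describe them (tokens are bytes, buckets are replenished on packet arrival, a packet's color decides which bucket it drains), and runs all three over a constructed packet trace. The rates, bucket sizes, the trace and the assumption that buckets start full are all mine; the IOS command each class models is given in its docstring, with illustrative actions.

```python
"""Token-bucket simulation of IOS class-based policers (added example).

Assumptions: buckets start full, time is measured in milliseconds, and the
packet trace in TRACE is constructed rather than captured traffic.
"""
from dataclasses import dataclass
from typing import Dict, List

CONFORM, EXCEED, VIOLATE = "conform", "exceed", "violate"


@dataclass(frozen=True)
class Packet:
    t_ms: int   # arrival time in milliseconds
    size: int   # length in bytes (one token per byte)


def tokens_replenished(elapsed_ms: int, rate_bps: int) -> int:
    """Tokens (bytes) earned since the previous packet: elapsed * rate / 8."""
    return elapsed_ms * rate_bps // 8000


class SingleRateTwoColor:
    """One bucket of Bc bytes refilled at the CIR.
    Models: police <cir> <bc> conform-action transmit exceed-action drop"""

    def __init__(self, cir_bps: int, bc: int):
        self.cir, self.bc, self.tokens, self.last_ms = cir_bps, bc, bc, 0

    def police(self, pkt: Packet) -> str:
        earned = tokens_replenished(pkt.t_ms - self.last_ms, self.cir)
        self.last_ms = pkt.t_ms
        self.tokens = min(self.bc, self.tokens + earned)
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size      # conform drains the bucket
            return CONFORM
        return EXCEED                    # exceed drains nothing


class SingleRateThreeColor:
    """Bc bucket refilled at the CIR; tokens that do not fit spill into Be.
    Models: police <cir> <bc> <be> conform-action transmit
            exceed-action set-dscp-transmit 0 violate-action drop"""

    def __init__(self, cir_bps: int, bc: int, be: int):
        self.cir, self.bc, self.be = cir_bps, bc, be
        self.bc_tokens, self.be_tokens, self.last_ms = bc, be, 0

    def police(self, pkt: Packet) -> str:
        earned = tokens_replenished(pkt.t_ms - self.last_ms, self.cir)
        self.last_ms = pkt.t_ms
        fill = min(earned, self.bc - self.bc_tokens)
        self.bc_tokens += fill
        self.be_tokens = min(self.be, self.be_tokens + (earned - fill))  # spill-over
        if pkt.size <= self.bc_tokens:
            self.bc_tokens -= pkt.size   # conform drains the Bc bucket
            return CONFORM
        if pkt.size <= self.be_tokens:
            self.be_tokens -= pkt.size   # exceed drains the Be bucket
            return EXCEED
        return VIOLATE                   # violate drains nothing


class TwoRateThreeColor:
    """Bc bucket refilled at the CIR and Be bucket refilled on its own at the PIR.
    Models: police cir <cir> bc <bc> pir <pir> be <be> conform-action transmit
            exceed-action set-dscp-transmit 0 violate-action drop"""

    def __init__(self, cir_bps: int, bc: int, pir_bps: int, be: int):
        self.cir, self.bc, self.pir, self.be = cir_bps, bc, pir_bps, be
        self.bc_tokens, self.be_tokens, self.last_ms = bc, be, 0

    def police(self, pkt: Packet) -> str:
        elapsed = pkt.t_ms - self.last_ms
        self.last_ms = pkt.t_ms
        self.bc_tokens = min(self.bc, self.bc_tokens + tokens_replenished(elapsed, self.cir))
        self.be_tokens = min(self.be, self.be_tokens + tokens_replenished(elapsed, self.pir))
        if pkt.size > self.be_tokens:
            return VIOLATE               # above the PIR: drains nothing
        if pkt.size > self.bc_tokens:
            self.be_tokens -= pkt.size   # between CIR and PIR: drains Be only
            return EXCEED
        self.bc_tokens -= pkt.size       # conform drains both buckets
        self.be_tokens -= pkt.size
        return CONFORM


def run(policer, trace: List[Packet]) -> List[str]:
    return [policer.police(p) for p in trace]


def summarise(colors: List[str]) -> Dict[str, int]:
    return {c: colors.count(c) for c in (CONFORM, EXCEED, VIOLATE)}


# Constructed trace: a 10-packet burst at t=0, 4 packets at 100 ms, 7 at 300 ms.
TRACE = [Packet(0, 1000)] * 10 + [Packet(100, 1000)] * 4 + [Packet(300, 1000)] * 7
CIR, PIR, BC, BE = 256_000, 512_000, 4_000, 4_000   # assumed parameters


def demo() -> Dict[str, List[str]]:
    results = {
        "single-rate two-color": run(SingleRateTwoColor(CIR, BC), TRACE),
        "single-rate three-color": run(SingleRateThreeColor(CIR, BC, BE), TRACE),
        "two-rate three-color": run(TwoRateThreeColor(CIR, BC, PIR, BE), TRACE),
    }
    for name, colors in results.items():
        print(f"{name:24s} {summarise(colors)}")
    return results


if __name__ == "__main__":
    demo()
```

The trace is chosen so the three policers disagree: the single-rate three-color policer turns the tail of the initial burst into exceed (spilled tokens) and only violates once both buckets are empty, while the two-rate policer violates that same tail, because conforming packets drained its peak bucket in lockstep with the main bucket, and produces an exceed only at 100 ms, where the Be bucket has refilled faster (at the PIR) than the Bc bucket.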
Committed access rate (CAR) is a single-rate, two-color policer. It is not the same as, or a type of, class-based policing. CAR differs from CB policing in these ways:
- CAR uses a rate-limit command.
- CAR allows for cascading/nested rate-limit statements. In this scenario, multiple rate-limit statements may apply to the same packet: a “continue” action (or a “set-…-continue” action, which re-marks and then continues) hands the packet to the next rate-limit statement on the interface, whereas “transmit”, “set-…-transmit” and “drop” end the evaluation.
- CAR only supports categories of conform and exceed. There is no concept of violate.
- CAR supports burst, but uses logic different from CB policing to determine whether a packet is a “conform” or an “exceed”.
- The “rate-limit {input|output} [access-group [rate-limit] <acl-index>] <bps> <burst-normal> <burst-max> conform-action <action> exceed-action <action>” interface command implements CAR.
- CAR supports the use of a rate-limit ACL (“access-list rate-limit”), in addition to a normal IP ACL. A rate-limit ACL supports matching on IPP, MAC address or MPLS EXP bits.