Cisco IOS Implementations
Cisco IOS implements policing/marking functionality with two unrelated mechanisms:
- The rate-limit command implements per-interface input- and output-rate limiting.
- The police command implements the traffic measurement within the scope of the Modular QoS Command Line Interface (MQC).
Rate-limit commands and QoS policy-maps containing the police command can measure inbound or outbound packets on physical or logical interfaces (tunnels, subinterfaces). They introduce no delay (apart from slightly increased CPU load on the router) in the packet forwarding mechanism.
Rate-limit command
The rate-limit interface configuration command can match packets based on IP access lists, IP precedence settings, DSCP settings, QoS groups or source MAC addresses. It can set the IP precedence, DSCP or MPLS QoS bits in the measured packets, or group the packets into QoS groups.
The rate-limit command uses dual token bucket mechanism and drops all packets that exceed the excess burst size.
Police action
The police action specified within a class in a policy-map can use three different measurement mechanisms:
- Single token bucket measurement is used when the police command specifies only the conform and exceed actions.
- Dual token bucket measurement is used to support conform, exceed and violate actions.
- Dual-rate dual token bucket measurement is used when the police command specifies cir and pir rates.
As the traffic measurement takes place within a traffic class defined by a class-map, any criteria supported by the class-map configuration command can be used to define the traffic class.
Each police command can specify three types of actions:
- The conform action is executed for packets within the average rate and burst size.
- The exceed action for a police command specifying traffic rate is executed for packets within the average rate and excess burst size.
- The exceed action for a police command specifying pir rate is executed for packets within the excess rate and excess burst size.
- The violate action is executed for packets that exceed excess rate/burst size.
The actions executed by the police command can pass the packet unmodified, drop it or mark it. The following QoS attributes of a packet can be modified:
- IP precedence;
- IP Differentiated Services Control Point (DSCP);
- Discard class (within the DSCP field);
- ATM Cell Loss Priority (CLP) – used only for packets transmitted over an ATM interface;
- Ethernet 802.1q Class of Services (CoS) marking;
- MPLS QoS (experimental) bits – used only for MPLS-encapsulated packets;
- Frame Relay Discard Eligibility (DE) bit – used only for packets transmitted over an outbound Frame Relay interface;
- QoS group (an extra marker internal to the router).
Example: the following router configuration measures the web traffic received through a serial interface and drops all packets exceeding the 512000 bps average rate:
class-map match-any Web
match protocol http
match protocol secure-http
!
policy-map MeasureWeb
class Web
police rate 512000 bps
conform-action transmit
exceed-action drop
!
interface Serial1/0
service-policy input MeasureWeb
Example: The following router configuration allows e-mails to be sent at line speed if the size of the transfer does not exceed 100 kilobytes. However, the packets exceeding the 128kbps average rate and the 16 kilobytes initial burst size will be marked with a different DSCP value.
class-map match-any Mail
match protocol smtp
!
policy-map LimitEmails
class Mail
police rate 128000 burst 16000 peak-burst 100000
conform-action transmit
exceed-action set-dscp-transmit af13
violate-action drop