Class Based Policing

When traffic policy must be enforced, and actions are to be performed when traffic complies, excee certain rates, you might consider using traffic policing. Traffic policing enables you to configure anc policies that can limit either inbound or outbound traffic with user-defined criteria. You define the t using class maps and policy maps, and applying the resulting traffic service policies to interfaces. Y policing to enforce a maximum traffic rate by transmitting, dropping, or marking packets.

Earlier in the chapter, you learned about traffic shaping and rate limiting with CAR. This section ex use traffic policing to enforce traffic rates, the same type of principles that applied to traffic shaping traffic shaping, for instance, when outbound traffic is being shaped, it is being buffered at the egre shaping and traffic policing both use a token-bucket algorithm; tokens are replenished at the traffii packet, there must be enough tokens in the token bucket. Traffic policing applies to incoming and t does not use buffering to enforce policies. With traffic shaping, tokens are added only to the bucket with traffic policing, tokens are always being added back into the bucket. If there are not enough t< the packet is dropped or classified; traffic policing does not queue packets. Traffic policing does no-from the bucket when either an exceed or violate action takes place.

During traffic bursts, traffic is either dropped or marked. Because traffic policing does not support I shaping, traffic policing drops packets that exceed the interface's bandwidth limits. That is why tra' the classification of traffic upon actions. You can also use traffic policing to mark packets for later a QoS values, such as the ATM CLP bit, Frame Relay DE bit, IP precedence, or DSCP values. When tr usually at an edge device, other QoS methods, such as WFQ, WRED, or traffic shaping, can be app devices. So, if the interface has the bandwidth to forward a burst packet, and the traffic policy perr forwarded with the appropriate traffic policy. The traffic policy for the transmitted burst packet sho type of action; this action should mark the packet as a burst packet by setting a discard bit or mar normal and excess burst parameters are correctly configured, traffic policing should encourage enc their TCP window size when they realize packets have been dropped, preventing global synchroniza does.

Another behavior that differs among traffic shaping, CAR, and traffic policing is the use of the two-traffic shaping, when you define a violate action, you are actually defining a second bucket that wil that already exceed the normal and excess burst rate.

Traffic policing is configured using the police statement in policy map class configuration mode wit There are several ways to configure traffic policing in Cisco IOS Software using the police commar shown here, is to enter all the traffic-policing parameters simultaneously, which can be quite cum

police {rate-bps {[normal-burst] [excess-burst] | [bc normal-burst] [bc excess-bu cir rate-bps [normal-burst] [excess-burst] [bc normal-burst] [be excess-burst | [peak-rate]excess-burst]} [conform-action {action | exceed-action} [exceed-actio action [violate-action action]

The other way to configure traffic policing is by entering the policy map police configuration mode command, as shown here:

police {rate-bps {[normal-burst] [excess-burst] | [bc normal-burst] [bc excess cir rate-bps [normal-burst] [excess-burst] [bc normal-burst] [be excess-burst [peak-rate]excess-burst]}

After the police command has been issued, you will be transferred into policy map police configura by the Router(config-pmap-c-police)# prompt. In this mode, you can issue or remove any conf violate actions, one at a time, without having to type long commands. The conform, exceed, and vi follows:

conform-action {drop | set-clp-transmit | set-dscp-transmit dscp-value | set frde-| set-mpls-exp-transmit mpls-experimental-value | set-prec-transmit precedence-v set-qos-group qos-group-index | transmit}
exceed-action {drop | set-clp-transmit | set-dscp-transmit dscp-value | set frde-t | set-mpls-exp-transmit mpls-experimental-value | set-prec-transmit precedence-v set-qos-group qos-group-index | transmit}
violate-action {drop | set-clp-transmit | set-dscp-transmit dscp-value | set frde-| set-mpls-exp-transmit mpls-experimental-value | set-prec-transmit precedence-v set-qos-group qos-group-index | transmit}

Table 6-23 shows the police command and policy map police configuration mode command argum descriptions.

Table 6-23. Traffic Policing Commands and Descriptions

Command Argument

Description

traffic-rate

The average traffic rate, under norm a period of time in bits/second, rang 2,000,000,000:

CIR = Tc/Bc in bps

normal-burst

(Optional) Specifies the normal burst ranging from 1000 to 512,000,000:

Note: 1.5 seconds is an average roui average round-trip time is not 1.5 se change this value to accurately reprr time.

excess-burst

(Optional) Specifies the excess burst ranging from 1000 to 512,000,000:

Be (in bytes) = Bc * 2

conform-action

(Optional) Any packets conforming to will do the activity specified by the n

Specifies the conform action to be pe

drop

Immediately drops the packet and ex

exceed-action

Skips redundant action configuration straight to exceed action. This is use and exceed actions are the same.

set-clp-transmit

Sets the ATM cell loss priority (CLP) the cell.

set-frde-transmit

Sets the Frame Relay discard eligible transmits the packet.

set-dscp-transmit dscp-value

Sets the DSCP value (ranging from 0 transmits the packet.

set-mpls-exp-transmit mpls-experimental-value

Sets the MPLS experimental value (r and transmits the packet.

set-prec-transmit precedence-value

Sets the IP precedence value (rangin transmits the packet.

set-qos-group qos-group-index

Sets the QoS group number (ranging transmits the packet.

transmit

Transmits the packet.

[exceed-action {drop | set-clp-transmit | set-frde-transmit | set-dscp-transmit dscp-value | set-mpls-exp-transmit mpls-experimental-value | set-prec-transmit precedence-value | set-qos-group qos-group-index | transmit}]

(Optional) The exceed-action comn action to take when traffic is in the n burst range (Bc to Be). The exceed- accompanied by an action to perform

[violate-action {drop | set-clp-transmit | set-frde-transmit | set-dscp-transmit dscp-value | set-mpls-exp-transmit mpls-experimental-value | set-prec-transmit precedence-value | set-qos-group qos-group-index | transmit}]

(Optional) The violate-action comm action to take when traffic has surpa burst range (Be). The violate-actioi accompanied by an action to perform

There are four or five steps (depending on whether you decide to use the long form of the comman policy map police mode form of the command) required in traffic policy configuration: defining the specify traffic characteristics, defining the policies that contain the police actions to take upon traffi the resulting service policy to an interface, and verifying and monitoring the configuration.

Step 1. Define the traffic class using the class-map command. The traffic class is used to de matched by the policy. In this example, class IP-traffic is used to match all IP traffic, and Cla matches all IPX traffic:

Simpson(config)#class-map IP-traffic
Simpson(config-cmap)#match protocol ip
Simpson(config-cmap)#exit
Simpson(config)#class-map IPX-traffic
Simpson(config-cmap)#match protocol ipx
Simpson(config-cmap)#exit

Step 2. Define a policy to use for service policy configuration, and assign traffic policies to cl example, policy WAN-traffic is used to limit all IP traffic to 512 kbps with a 96,000-byte burs CIR * (1 byte) / (8 bits) * 1.5 seconds formula recommended by Cisco. Packets conforming to transmitted, and traffic exceeding the policy is dropped. The same type of policy is also confi using class IPX-traffic:

Simpson(config)#policy-map WAN-traffic
Simpson(config-pmap)#class IP-traffic
Simpson(config-pmap-c)#police 512000 96000 conform-action transmit exceed-action drop
Simpson(config-pmap-c)#exit
Simpson(config)#policy-map WAN-traffic
Simpson(config-pmap)#class IPX-traffic
Simpson(config-pmap-c)#police 512000 96000 conform-action transmit exceed-action drop
Simpson(config-pmap-c)#exit
Simpson(config-pmap)#exit

Step 3. Or if you used the modular policy map police configuration mode method, you would 512000 96000 command to enter policy map police configuration mode. You would then er exceed actions in that mode, as shown here:

Simpson(config-pmap-c)#police 512000 96000
Simpson(config-pmap-c-police)#
Simpson(config-pmap-c-police)#conform-action transmit
Simpson(config-pmap-c-police)#exceed-action drop
Simpson(config-pmap-c-police)#exit
Simpson(config-pmap-c)#class IPX-traffic
Simpson(config-pmap-c)#police 512000 96000
Simpson(config-pmap-c-police)#
Simpson(config-pmap-c-police)#conform-action transmit
Simpson(config-pmap-c-police)#exceed-action drop
Simpson(config-pmap-c-police)#exit
Simpson(config-pmap-c)#exit

Step 4. Assign the policy map to an interface as a service policy:

Simpson(config)#interface serial 0/1

Simpson(config-if)#service-policy output WAN-traffic

Step 5. Verify the configuration. To verify and monitor the traffic-policing configuration, use map or show policy-map interface command. The show policy-map command displays the current traffic policy configuration, and the show policy-map interface command displ information about the state of the current traffic policies:

Simpson#show policy-map WAN-traffic
 Policy Map WAN-traffic
  Class IP-traffic
   police cir 512000 bc 96000 conform-action transmit exceed-action drop
  Class IPX-traffic
   police cir 512000 bc 96000 conform-action transmit exceed-action drop
Simpson#show policy-map interface serial 0/1
 Serial0/1
  Service-policy output: WAN-traffic
   Class-map: IP-traffic (match-all)
    6887 packets, 5241646 bytes
    5 minute offered rate 121000 bps, drop rate 75000 bps
    Match: protocol ip
    police:
     cir 512000 bps, bc 96000 bytes
     conformed 4351 packets, 1857386 bytes; actions: transmit
     exceeded 2536 packets, 3384260 bytes; actions: drop
     conformed 46000 bps, exceed 75000 bps
   Class-map: IPX-traffic (match-all)
    0 packets, 0 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: protocol ipx
    police:
     cir 512000 bps, bc 96000 bytes
     conformed 0 packets, 0 bytes; actions: transmit
     exceeded 0 packets, 0 bytes; actions: drop
     conformed 0 bps, exceed 0 bps
   Class-map: class-default (match-any)
    19 packets, 1428 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: any
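The burst formula from Step 2 and the conformed/exceeded counters from Step 5 can be reproduced with a small model of the policer. This is an added example, not code from the original page or from IOS: the two-bucket behaviour follows the single-rate marker of RFC 2697 as an assumption, and the names burst_sizes, Policer, tally and BURST are illustrative.

```python
# Added example: a model of the policer, not IOS code; names are illustrative.
def burst_sizes(cir_bps, rtt_s=1.5):
    """Bc = CIR * (1 byte / 8 bits) * 1.5 s and Be = 2 * Bc, both in bytes."""
    bc = int(cir_bps * rtt_s / 8)
    return bc, 2 * bc


class Policer:
    """Token-bucket policer with no queue: every packet gets a verdict at once.

    be=None models one bucket (conform/exceed). With be set, overflow from the
    first bucket feeds a second one, adding 'violate' (assumption: RFC 2697).
    """

    def __init__(self, cir_bps, bc, be=None):
        self.rate = cir_bps / 8.0      # token fill rate in bytes per second
        self.bc, self.be = bc, be
        self.tc = float(bc)            # conform bucket starts full
        self.te = float(be or 0)       # exceed bucket starts full
        self.last = 0.0

    def offer(self, now, size):
        """Return 'conform', 'exceed' or 'violate' for a packet of size bytes."""
        new = (now - self.last) * self.rate
        self.last = now
        fill = min(new, self.bc - self.tc)
        self.tc += fill
        if self.be is not None:        # leftover tokens spill into bucket two
            self.te = min(self.be, self.te + new - fill)
        if size <= self.tc:
            self.tc -= size
            return "conform"
        if self.be is None:
            return "exceed"            # single bucket: no tokens are removed
        if size <= self.te:
            self.te -= size
            return "exceed"
        return "violate"


def tally(policer, arrivals):
    """Count verdicts over constructed (time_s, size_bytes) arrivals."""
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for now, size in arrivals:
        counts[policer.offer(now, size)] += 1
    return counts


# Constructed input: 250 back-to-back 1500-byte packets, then 10 more 1.5 s later.
BURST = [(0.0, 1500)] * 250 + [(1.5, 1500)] * 10
```

With the Step 2 values, `tally(Policer(512000, 96000), BURST)` passes the first 64 packets of the burst and marks the rest as exceeding; adding `be=192000` splits that remainder into exceed and violate.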

Example 6-32 shows how traffic policing is used to assign traffic policies to different types of traffic uses access list 101 to specify SNMP, DNS, DHCP, syslog, and TFTP traffic. Class user-traffic uses a specify NetBIOS and Telnet traffic as user traffic. And class internet uses access list 103 to define H passive FTP traffic to host 10.1.1.141 as Internet traffic. These classes are each assigned traffic pol police command for each class under policy traffic-policy. Class management is assigned a 2-Mbp: 375,000-byte normal burst and a 750,000-byte extended burst. Packets that conform to the norma to an IP precedence value of Flash-override (4) and transmitted. When traffic from class managem excess burst rate, it is still transmitted, but the IP precedence value for the packet is no longer cha the user-traffic class conforming to the normal traffic rate of 3 Mbps with a normal burst of 562,50 extended burst of 1,125,000 bytes has its IP precedence value set to Flash (3) and is still transmitt burst rate has been exceeded. Traffic from the internet class that conforms to the rate limit of 5 Mb burst of 937,500 bytes and an extended burst of 1,875,000 is transmitted; traffic exceeding that ra
