Class Based Policing Configuration

CB policing performs policing using three separate actions for packets that conform, exceed, or violate the traffic contract. (The exact meanings of each of these three categories were covered in the "How Policing Works" section earlier in this chapter.) Generally speaking, CB policing considers packets that happen to arrive when enough Bc tokens are available as "conforming" packets. Packets that arrive when Bc is consumed, but Be is not, are considered "exceeding"; and packets that arrive after Bc and Be have been consumed are considered "violating" packets.

For each category (conform, exceed, violate), CB policing can use a variety of actions. Table 5-18 lists the action keywords used in the police command. In general, the choices are to drop the packet, transmit the packet, or to first re-mark some QoS field, and then transmit the packet.

CB policing uses MQC commands for configuration. Because it is class based, CB policing can police subsets of the traffic on the interface or subinterface on which it is enabled. CB policing uses the same familiar MQC classification commands that all the other MQC-based tools use; again, you only need to learn one more MQC command to know how to configure another MQC QoS feature.

The police command configures CB policing inside a policy map. On the police command, you define the policing rate in bps, the burst-normal in bytes, and the burst-max in bytes. Note that although Bc is represented by burst-normal in the command, the configured burst-max value is actually Bc + Be. To have no Be, you configure the burst-normal and burst-max values to the same number. To have a Be of x, configure the burst-max parameter to a value of x more than burst-normal. If neither burst-normal nor burst-max is configured, both values default to 1.5 second's worth of traffic at the police rate; because the two settings default to the same number, no excess burst capability exists with default settings. (These settings become more obvious after looking at show command output.)

Two examples of configuration for CB policing follow Tables 5-19 and 5-21. Table 5-19 lists the CB policing configuration commands. Table 5-20 lists the actions that you can configure on the police command. Table 5-21 lists the CB policing show commands.

Table 5-19 Command Reference for Class-Based Policing

Command
    Mode and Function

police bps burst-normal burst-max conform-action action exceed-action action [violate-action action]
    policy-map class subcommand; enables policing for the class, setting the police rate, Bc, and Bc + Be values, and the actions taken. Actions are drop, set-clp-transmit, set-dscp-transmit, set-prec-transmit, set-qos-transmit, transmit.

service-policy {input | output} policy-map-name
    Interface or subinterface configuration mode; enables CB shaping on the interface.

class-map class-map-name
    Global config; names a class map, where classification options are configured.

match ...
    class-map subcommand; defines specific classification parameters.

match access-group {access-group | name access-group-name}
    Access-control list (ACL).

match source-address mac address
    Source MAC address.

match ip precedence ip-precedence-value [ip-precedence-value ip-precedence-value ip-precedence-value]
    IP precedence.

match mpls experimental number
    MPLS Experimental.

match cos cos-value [cos-value cos-value cos-value]
    CoS.

match destination-address mac address
    Destination MAC address.

match input-interface interface-name
    Input interface.

match ip dscp ip-dscp-value [ip-dscp-value ip-dscp-value ip-dscp-value ip-dscp-value ip-dscp-value ip-dscp-value ip-dscp-value]
    IP DSCP.

match ip rtp starting-port-number port-range
    RTP's UDP port-number range.

match qos-group qos-group-value
    QoS group.

match protocol protocol-name
    NBAR protocol types.

match protocol citrix [app application-name-string]
    NBAR Citrix applications.

match protocol http [url url-string | host hostname-string | mime MIME-type]
    Host name and URL string.

match any
    All packets.

policy-map policy-map-name
    Global config; names a policy, which is a set of actions to perform.

class name
    policy-map subcommand; identifies which packets on which to perform some action by referring to the classification logic in a class map.

Table 5-20 Options for Actions Taken with the police Command

Command             Mode and Function
drop                Drops the packet
set-dscp-transmit   Sets the DSCP and transmits the packet
set-prec-transmit   Sets the IP precedence (0 to 7) and sends the packet
set-qos-transmit    Sets the QoS group ID (1 to 99) and sends the packet
set-clp-transmit    Sets the ATM CLP bit (ATM interfaces only) and sends the packet
transmit            Sends the packet

Table 5-21 Exec Command Reference for Class-Based Policing

Command
    Function

show policy-map policy-map-name
    Lists configuration information about all MQC-based QoS tools

show policy-map interface-spec [input | output] [class class-name]
    Lists statistical information about the behavior of all MQC-based QoS tools

Before diving in to the first configuration example, you may find it helpful to briefly review the basics of policing. CB policing categorizes traffic into three groups when policing: one when packets conform, one when packets exceed, and one when packets violate the traffic contract. The policer considers packets that happen to arrive when enough tokens exist in the Bc token bucket to conform. Packets that arrive and require tokens from the Be bucket are considered to exceed, and packets for which there are not enough tokens in either Bc or Be are considered to violate the contract. For each grouping, you can configure a separate action.

The actions to take on each packet, whether it conforms, exceeds, or violates the contract, boil down to either dropping the packet, transmitting the packet, or re-marking and transmitting the packet. The drop and transmit options are pretty obvious. However, CB policing includes keywords such as set-prec-transmit and set-dscp-transmit, which allow the policer to transmit the packet, but first mark the IP Precedence or DSCP field with a lower value. You may recall from the "How Policing Works" section that marking down a packet can be useful because the marked-down packet can have a higher likelihood for discard later, but if no congestion occurs, the packet can be delivered.

You can use CB policing to police all traffic entering or exiting an interface. In the first example, router ISP-edge polices ingress traffic from an enterprise network. The criteria for the first CB policing example are as follows:

• All traffic policed at 96 kbps at ingress to the ISP-edge router.

• Bc of 1 second's worth of traffic is allowed.

• Be of 0.5 second's worth of traffic is allowed.

• Traffic that violates the contract is discarded.

• Traffic that exceeds the contract is marked down to DSCP BE (best effort, DSCP 0).

• Traffic that conforms to the contract is forwarded with no re-marking.

Figure 5-22 shows the network in which the configuration is applied, and Example 5-11 shows the configuration.

Figure 5-22 Example Network for Policing Examples (the figure shows the PB Tents Enterprise Network connected to the ISP-edge router; image not reproduced here)

Example 5-11 CB Policing at 96 kbps at ISP-edge Router

ISP-edge#show running-config
Building configuration...
!
! Lines omitted for brevity
!
ip cef
!
policy-map police-all
 class class-default
  police cir 96000 bc 12000 be 18000 conform-action transmit exceed-action set-dscp-transmit 0 violate-action drop
!
interface Serial1/0
 description connected to FRS port S1. Single PVC to R3.
 no ip address
 encapsulation frame-relay
 load-interval 30
 service-policy input police-all
 no fair-queue
 clockrate 1300000
!
interface Serial1/0.1 point-to-point
 description point-point subint global DLCI 101, connected via PVC to Ent-edge
 ip address 192.168.2.251 255.255.255.0
 frame-relay interface-dlci 103
!
! Lines omitted for brevity

ISP-edge#show policy-map
  Policy Map police-all
    Class class-default
      police cir 96000 conform-burst 12000 excess-burst 18000 conform-action transmit exceed-action set-dscp-transmit 0 violate-action drop

ISP-edge#show policy-map interface s 1/0
 Serial1/0

  Service-policy input: police-all

    Class-map: class-default (match-any)
      8375 packets, 1446373 bytes
      30 second offered rate 113000 bps, drop rate 15000 bps
      Match: any
      police:
        cir 96000 bps, conform-burst 12000, excess-burst 18000
        conformed 8077 packets, 1224913 bytes; action: transmit
        exceeded 29 packets, 17948 bytes; action: set-dscp-transmit 0
        violated 269 packets, 203512 bytes; action: drop
        conformed 95000 bps, exceed 0 bps violate 20000 bps

The example takes advantage of the fact that in any policy map, all traffic that does not match a class gets placed into the class-default class. Because one design goal was to police all traffic, no explicit class maps were needed—all traffic matches the class-default class inside every policy map by default. Therefore, inside new policy map police-all, the police cir 96000 conform-burst 12000 excess-burst 18000 conform-action transmit exceed-action set-dscp-transmit 0 violate-action drop command enables policing for the class-default class.

The parameters of the police command set the policing rate to 96,000 bps, with 12,000 bytes of burst capability. The shaping tools configure Bc and Be as a number of bits; IOS policers configure these values as a number of bytes. The requirements for this example stated 1 second's worth of Bc, and 12,000 bytes can be sent in 1 second with a CIR of 96,000 bps. The excess-burst configuration parameter actually defines the Bc and Be value combined, in bytes. So, the value is configured at 18,000, which is 6000 bytes more than Bc. The stated goals asked for a Be of 0.5 seconds of traffic, and it does indeed take 0.5 seconds to send 6000 bytes at 96 kbps.

NOTE All IOS shapers use bits as the unit when setting Bc and Be; both policers use bytes as the unit.

In Example 5-11, the police command transmits packets that conform, marks down packets that exceed to a DSCP value of zero, and drops packets that violate the values. The show policy-map command repeats the same details as shown in the configuration command, as highlighted in the example. The show policy-map interface s1/0 command lists statistics about the number of packets that conformed, exceeded, and violated the contract.
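The two-bucket behavior described in this section, as an added example that is not from the book: a Python model of CB policing loaded with Example 5-11's parameters (cir 96000, conform-burst 12000, excess-burst 18000, with the chapter's reading that excess-burst is Bc + Be combined). CbPolicer, burst_bytes, run_example_5_11 and the traffic pattern are constructed for illustration, and the model ignores IOS timer granularity.

```python
from dataclasses import dataclass, field

def burst_bytes(cir_bps: int, seconds: float) -> int:
    """Bytes sendable in `seconds` at `cir_bps`; IOS policers take Bc/Be in bytes, not bits."""
    return int(cir_bps * seconds / 8)

@dataclass
class CbPolicer:
    cir_bps: int
    conform_burst: int   # Bc in bytes (the conform-burst / bc parameter)
    excess_burst: int    # excess-burst / be parameter; this chapter says it is Bc + Be combined
    actions: dict        # constructed mapping {"conform": ..., "exceed": ..., "violate": ...}
    bc_tokens: float = field(init=False)
    be_tokens: float = field(init=False)
    last_t: float = 0.0

    def __post_init__(self) -> None:
        self.be_size = self.excess_burst - self.conform_burst  # actual Be beyond Bc
        self.bc_tokens, self.be_tokens = float(self.conform_burst), float(self.be_size)

    def _refill(self, now: float) -> None:
        # Tokens accrue at CIR bytes/sec; Bc fills first and any overflow spills into Be.
        new = (now - self.last_t) * self.cir_bps / 8
        self.last_t = now
        spill = max(0.0, self.bc_tokens + new - self.conform_burst)
        self.bc_tokens = min(float(self.conform_burst), self.bc_tokens + new)
        self.be_tokens = min(float(self.be_size), self.be_tokens + spill)

    def police(self, now: float, size: int) -> tuple:
        """Classify one packet of `size` bytes arriving at `now`; returns (category, action)."""
        self._refill(now)
        if size <= self.bc_tokens:
            self.bc_tokens -= size
            return "conform", self.actions["conform"]
        if size <= self.be_tokens:
            self.be_tokens -= size
            return "exceed", self.actions["exceed"]
        return "violate", self.actions["violate"]  # no tokens consumed

def run_example_5_11() -> dict:
    """Example 5-11 parameters against constructed traffic: 20 x 1500-byte burst, then one packet 1 s later."""
    p = CbPolicer(96000, burst_bytes(96000, 1.0), burst_bytes(96000, 1.5),
                  {"conform": "transmit", "exceed": "set-dscp-transmit 0", "violate": "drop"})
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for _ in range(20):
        counts[p.police(0.0, 1500)[0]] += 1
    counts[p.police(1.0, 1500)[0]] += 1  # a full second refills Bc, so this conforms
    return counts
```

The 30,000-byte burst splits exactly as the text predicts: 12,000 bytes conform, the next 6000 bytes (the real Be) exceed and are marked down, and the remainder is dropped.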

One of the advantages of CB policing is the ability to perform policing per class. The next example, Example 5-12, shows CB policing with web traffic classified and policed differently than the rest of the traffic. The criteria for this second CB policing example are as follows:

• Police web traffic at 80 kbps at ingress to the ISP-edge router. Transmit conforming and exceeding traffic, but discard violating traffic.

• Police all other traffic at 16 kbps at ingress to the ISP-edge router. Mark down exceeding and violating traffic to DSCP 0.

• Bc of 1 second's worth of traffic is allowed.

• Be of 0.5 second's worth of traffic is allowed.

Example 5-12 shows the configuration.

Example 5-12 CB Policing 80 kbps for Web Traffic, 16 kbps for the Rest with Markdown to Be, at ISP-edge Router

 encapsulation frame-relay
 load-interval 30
 service-policy input police-web
 no fair-queue
 clockrate 1300000
!
interface Serial1/0.1 point-to-point
 description point-point subint global DLCI 101, connected via PVC to DLCI 103 (R3)
 ip address 192.168.2.251 255.255.255.0
 frame-relay interface-dlci 103
!
! Lines omitted for brevity

ISP-edge#show policy-map
  Policy Map police-web
    Class match-web
      police cir 80000 conform-burst 10000 excess-burst 15000 conform-action transmit exceed-action transmit violate-action drop
    Class class-default
      police cir 16000 conform-burst 2000 excess-burst 3000 conform-action transmit exceed-action transmit violate-action set-dscp-transmit 0

ISP-edge#show policy-map interface s 1/0
 Serial1/0

  Service-policy input: police-web

    Class-map: match-web (match-all)
      736 packets, 900505 bytes
      30 second offered rate 90000 bps, drop rate 14000 bps
      Match: protocol http
      police:
        cir 80000 bps, conform-burst 10000, excess-burst 15000
        conformed 625 packets, 748645 bytes; action: transmit
        exceeded 13 packets, 14268 bytes; action: transmit
        violated 98 packets, 137592 bytes; action: drop
        conformed 75000 bps, exceed 0 bps violate 17000 bps

    Class-map: class-default (match-any)
      3751 packets, 241636 bytes
      30 second offered rate 26000 bps, drop rate 0 bps
      Match: any
      police:
        cir 16000 bps, conform-burst 2000, excess-burst 3000
        conformed 2330 packets, 149928 bytes; action: transmit
        exceeded 46 packets, 2944 bytes; action: transmit
        violated 1376 packets, 88808 bytes; action: set-dscp-transmit 0
        conformed 16000 bps, exceed 0 bps violate 9000 bps

If you are becoming comfortable with MQC configurations now, this configuration should be relatively easy to decipher. The class-map match-all match-web command creates a new class, which matches all web traffic using NBAR. The policy-map police-web command creates a new policy map, which uses class match-web to classify web traffic, and class class-default to classify all other traffic. Inside each class, a police command is used, setting the parameters as outlined in the stated goals. For instance, the police cir 80000 bc 10000 be 15000 conform-action transmit exceed-action transmit violate-action drop command sets the rate at 80 kbps, with a 1-second Bc value of 10,000 bytes, and a configured Be of 15,000 bytes, which means that the actual Be, in terms of the additional amount beyond Bc, is 5000 bytes.

The show policy-map interface s1/0 command lists statistics as always, in this case showing the two classes in the policy map police-web. As you would expect, separate policing statistics are shown per class, because CB policing is enabled per class.

Table 5-22 summarizes the features of CB policing.

Table 5-22 CB Policing Features

Feature                                                          CB Policing
Allows conform and exceed action categories                      Yes
Allows violate action category                                   Yes
Polices either all traffic, or a subset through classification   Yes
Uses MQC for configuration                                       Yes
Allows nested or cascaded policing logic                         No
Can be enabled per subinterface                                  Yes
Can be enabled per DLCI on multipoint subinterfaces              No
