CH A P T E R 4

Configuring QoS Policing

This chapter describes how to configure policing of traffic classes.

Information About Policing

Policing is the monitoring of data rates and burst sizes for a particular class of traffic.
QoS policing on a network determines whether network traffic is within a specified profile (contract).
This may cause out-of-profile traffic to drop or to be marked down to another differentiated services code
point (DSCP) value to enforce a contracted service level. DSCP is a measure of the QoS level of the
frame. Figure 4-1shows policing conditions and types.

Figure 4-1 Policing Conditions and Types

Policing Conditions: Policing Types:

Conforms to rate limits - Single rate (CIR)
Exceeds rate limit maximum - Dual rate (CIR and PIR)
Policing Violates rate limit

Traffic Marking

Traffic Classification

Cisco Nexus 1000V Quality of Service Configuration Guide, Release 4.0(4)SV1(1)

4-1
 Chapter 4 Configuring QoS Policing
Prerequisites for Policing

The following conditions, are recognized and trigger action by the policer depending on the defined data
rate:

Policer Action
Condition Color Description (only one allowed per condition)
Conform Green The packet traffic data rate is within The policer either transmits these
the defined boundaries. packets as is, or changes the value
in the header (DSCP, precedence,
or CoS) and then transmits these
packets.
Exceed Yellow The packet traffic data rate exceeds The policer can drop or markdown
the defined boundary. these packets.
Violate Red The packet traffic data rate violates The policer can drop or markdown
the defined boundaries. these packets.

You can define single-rate and dual-rate policers.

Single-rate policers monitor the specified committed information rate (CIR) of traffic. Dual-rate policers
monitor both CIR and peak information rate (PIR) of traffic.
For more information about policies, see RFC 2697, RFC 2698, and RFC 4115.

Prerequisites for Policing

Policing has the following prerequisites:
• You must be familiar with RFC 2698.
• You are logged on to the CLI in EXEC mode.

Guidelines and Limitations

Use the following guideline to configure policing:
• Each module polices independently, which might affect a a policer applied to traffic distributed
across more than one module, such as in the case of a port channel interface.

Configuring Policing
You can configure a single- or dual-rate policer.
This section includes the following topics:
• Configuring 1-Rate and 2-Rate, 2-Color and 3-Color Policing, page 4-3
• Configuring Ingress and Egress Policing, page 4-7
• Configuring Markdown Policing, page 4-7
• Verifying the Policing Configuration, page 4-8

Cisco Nexus 1000V Quality of Service Configuration Guide, Release 4.0(4)SV1(1)

4-2
 Chapter 4 Configuring QoS Policing
Configuring Policing

Configuring 1-Rate and 2-Rate, 2-Color and 3-Color Policing

The type of policer created by the device is based on a combination of the police command arguments
described in Table 4-1.

Note Specify the identical value for pir and cir to configure 1-rate 3-color policing.

Table 4-1 Arguments to the police Command

Argument Description
cir Committed information rate, or desired bandwidth, specified as a bit rate
or a percentage of the link rate. Although a value for cir is required, the
argument itself is optional. The range of values is 1 to 80000000000; the
range of policing values that are mathematically significant is 8000 to 80
Gbps.
percent Specifies the rate as a percentage of the interface rate. The range of values
is 1 to 100%.
bc Indication of how much the cir can be exceeded, either as a bit rate or an
amount of time at cir. The default is 200 milliseconds of traffic at the
configured rate. The default data rate units are bytes, and the Gigabit per
second (gbps) rate is not supported for this parameter.
pir Peak information rate, specified as a PIR bit rate or a percentage of the link
rate. There is no default. The range of values is 1 to 80000000000; the
range of policing values that are mathematically significant is 8000 to 80
Gbps. The range of percentage values is 1 to 100%.
be Indication of how much the pir can be exceeded, either as a bit rate or an
amount of time at pir. When the bc value is not specified, the default is
200 milliseconds of traffic at the configured rate. The default data rate
units are bytes, and the Gigabit per second (gbps) rate is not supported for
this parameter.
Note You must specify a value for pir before the device displays this
argument.
conform Single action to take if the traffic data rate is within bounds. The basic
actions are transmit or one of the set commands listed in Table 4-4. The
default is transmit.
exceed Single action to take if the traffic data rate exceeds the specified
boundaries. The basic actions are drop or markdown. The default is drop.
violate Single action to take if the traffic data rate violates the configured rate
values. The basic actions are drop or markdown. The default is drop.

Although all the arguments in Table 4-1 are optional, you must specify a value for cir. In this section,
cir indicates what is its value but not necessarily the keyword itself. The combination of these arguments
and the resulting policer types and actions are shown in Table 4-2.

Cisco Nexus 1000V Quality of Service Configuration Guide, Release 4.0(4)SV1(1)

4-3
 Chapter 4 Configuring QoS Policing
Configuring Policing

Table 4-2 Policer Types and Actions

Police Arguments Present Policer Type Policer Action

cir, but not pir, be, or violate 1-rate, 2-color <= cir, then conform; else violate
cir and pir 1-rate, 3-color <= cir, then conform; <= pir, then exceed;
else violate
Note You must specify identical values for
cir and pir.
cir and pir 2-rate, 3-color <= cir, then conform; <= pir, then exceed;
else violate

The policer actions that you can specify are described in Table 4-3 and Table 4-4.

Table 4-3 Policer Actions for Exceed or Violate

Action Description
drop Drops the packet. This is only available when the packet exceeds or
violates the parameters.
set dscp dscp table Sets the specified fields from a table map and transmits the packet. For
{cir-markdown-map | more information on the system-defined, or default table maps, see
pir-markdown-map} Chapter 3, “Configuring QoS Marking Policies.” This is available only
when the packet exceeds the parameters (use the cir-markdown-map) or
violates the parameters (use the pir-markdown-map).

Table 4-4 Policer Actions for Conform

Action Description
transmit Transmits the packet. This is available only when the packet conforms
to the parameters.
set-prec-transmit Sets the IP precedence field to a specified value and transmits the
packet. This is available only when the packet conforms to the
parameters.
set-dscp-transmit Sets the DSCP field to a specified value and transmits the packet. This
is available only when the packet conforms to the parameters
set-cos-transmit Sets the CoS field to a specified value and transmits the packet. This is
available only when the packet conforms to the parameters
set-qos-transmit Sets the QoS group internal label to specified value and transmits the
packet. This action can be used only in input policies and is available
only when the packet conforms to the parameters
set-discard-class-transmit Sets the discard-class internal label to a specified value and transmits
the packet. This action can be used only in ingress policies and is
available only when the packet conforms to the parameters

Cisco Nexus 1000V Quality of Service Configuration Guide, Release 4.0(4)SV1(1)

4-4
 Chapter 4 Configuring QoS Policing
Configuring Policing

Note The policer can only drop or markdown packets that exceed or violate the specified parameters. See
Chapter 3, “Configuring QoS Marking Policies” for information on marking down packets.

The data rates used in the police command are described in Table 4-5.

Table 4-5 The Data Rates for the police Command

Rate Description
bps Bits per second (default)
kbps 1,000 bits per seconds
mbps 1,000,000 bits per second
gbps 1,000,000,000 bits per second

Burst sizes used in the police command are described in Table 4-6.

Table 4-6 Burst Sizes for the police Command

Speed Description
bytes bytes
kbytes 1,000 bytes
mbytes 1,000,000 bytes
ms milliseconds
us microseconds

SUMMARY STEPS

Note Specify the identical value for pir and cir to configure 1-rate 3-color policing.

1. config t
2. policy-map [type qos] [match-first] policy-map-name
3. class [type qos] {class_map_name | class-default}
4. police [cir] {committed-rate [data-rate] | percent cir-link-percent} [bc committed-burst-rate
[link-speed]] [pir] {peak-rate [data-rate] | percent cir-link-percent} [be peak-burst-rate
[link-speed]] {conform {transmit | set-prec-transmit | set-dscp-transmit | set-cos-transmit |
set-qos-transmit | set-discard-class-transmit} [exceed {drop | set dscp dscp table
{cir-markdown-map}} [violate {drop | set dscp dscp table {pir-markdown-map}}]]}
5. show policy-map [type qos] [policy-map-name]
6. copy running-config startup-config

Cisco Nexus 1000V Quality of Service Configuration Guide, Release 4.0(4)SV1(1)

4-5
 Chapter 4 Configuring QoS Policing
Configuring Policing

DETAILED STEPS

Command Purpose
Step 1 config t Places you into CLI Global Configuration mode.
Example:
switch# config t
switch(config)#
Step 2 policy-map [type qos] [match-first] Creates or accesses the policy map named
policy-map-name policy-map-name, and then enters policy-map mode.
Example:
The policy-map name can contain alphabetic, hyphen,
switch(config)# policy-map policy1 or underscore characters, is case sensitive, and can be
switch(config-pmap-qos)# up to 40 characters.
Step 3 class [type qos] {class_map_name | Creates a reference to class_map_name, and enters
class-default} policy-map class configuration mode. The class is
Example:
added to the end of the policy map. Specify
switch(config-pmap-qos)# class class-default to select all traffic that is not matched by
class-default classes in the policy map so far.
switch(config-pmap-c-qos)#
Step 4 police [cir] {committed-rate Polices cir in bits or as a percentage of the link rate.
[data-rate] | percent cir-link-percent} The conform action is taken if the data rate is <= cir.
[[bc committed-burst-rate
[link-speed]][pir] {peak-rate
If be and pir are not specified, all other traffic takes the
[data-rate] | percent cir-link-percent} violate action. If be or violate are specified, then the
[[be peak-burst-rate [link-speed]] exceed action is taken if the data rate <= pir, and the
[conform {transmit | set-prec-transmit | violate action is taken otherwise. The actions are
set-dscp-transmit | set-cos-transmit | described in Table 4-3 and Table 4-4. The data rates
set-qos-transmit |
set-discard-class-transmit} [exceed
and link speeds are described in Table 4-5 and
{drop | set dscp dscp table Table 4-6.
{cir-markdown-map}} [violate {drop |
set dscp dscp table
{pir-markdown-map}}]]]

Example #1: This first example shows a 1-rate, 2-color policer that
switch(config-pmap-c-qos)# police cir transmits if the data rate is within 200 milliseconds of
256000 conform transmit violate set dscp
dscp table pir-markdown-map
traffic at 256000 bps and marks DSCP to the values
switch(config-pmap-c-qos)# that are configured in table map if the data rate is
violated.
Example #2: This second example shows a 1-rate, 3-color policer
switch(config-pmap-c-qos)# police cir that transmits if the data rate is within 200
256000 pir 256000 conform transmit
exceed set dscp dscp table
milliseconds of traffic at 256000 bps, and marks DSCP
cir-markdown-map violate drop to the values that are configured in table map if the data
switch(config-pmap-c-qos)# rate is violated.
Note You must specify identical values for cir and
pir.
Step 5 show policy-map [type qos] (Optional) Displays information about all configured
[policy-map-name] policy maps or a selected policy map of type QoS.
Example:
switch(config-pmap-c-qos)# show
policy-map

Cisco Nexus 1000V Quality of Service Configuration Guide, Release 4.0(4)SV1(1)

4-6
 Chapter 4 Configuring QoS Policing
Configuring Policing

Command Purpose
Step 6 copy running-config startup-config (Optional) Saves the running configuration
persistently through reboots and restarts by copying it
Example:
switch(config-pmap-c-qos)# copy
to the startup configuration.
running-config startup-config

Configuring Ingress and Egress Policing

You can apply the policing instructions in a QoS policy map to ingress or egress packets by attaching
that QoS policy map to an interface or port profile. To select ingress or egress, you specify either the
input or output keyword in the service-policy command. For an example of how to use the
service-policy command, see the “Creating Ingress and Egress Policies” procedure on page 3-12.

Configuring Markdown Policing

Markdown policing is the setting of a QoS field in a packet when traffic exceeds or violates the policed
data rates. You can configure markdown policing by using the set commands for policing action
described in Table 4-3 and Table 4-4.
The example in this section shows you how to use a table map to perform markdown.

SUMMARY STEPS

1. config t
2. policy-map [type qos] [match-first] policy-map-name
3. class [type qos] {class_map_name | class-default}
4. police [cir] {committed-rate [data-rate] | percent cir-link-percent} [bc committed-burst-rate
[link-speed]] [pir] {peak-rate [data-rate] | percent cir-link-percent} [be peak-burst-rate
[link-speed]] {conform action [exceed {drop | set dscp dscp table cir-markdown-map} [violate
{drop | set dscp dscp table pir-markdown-map}]]}}
5. show policy-map [type qos] [policy-map-name]
6. copy running-config startup-config

DETAILED STEPS

Command Purpose
Step 1 config t Places you into CLI Global Configuration mode.
Example:
switch# config t
switch(config)#
Step 2 policy-map [type qos] [match-first] Creates or accesses the policy-map named
policy-map-name policy-map-name, and then enters policy-map mode.
Example:
The policy-map name can contain alphabetic, hyphen,
switch(config)# policy-map policy1 or underscore characters, is case sensitive, and can be
switch(config-pmap-qos)# up to 40 characters.

Cisco Nexus 1000V Quality of Service Configuration Guide, Release 4.0(4)SV1(1)

4-7
 Chapter 4 Configuring QoS Policing
Verifying the Policing Configuration

Command Purpose
Step 3 class [type qos] {class_map_name | Creates a reference to class_map_name, and enters
class-default} policy-map class configuration mode. The class is
Example:
added to the end of the policy map. Specify
switch(config-pmap-qos)# class class-default to select all traffic not matched by
class-default classes in the policy map so far.
switch(config-pmap-c-qos)#
Step 4 police [cir] {committed-rate Polices cir in bits or as a percentage of the link rate.
[data-rate] | percent cir-link-percent} The conform action is taken if the data rate is <= cir.
[[bc | burst] burst-rate [link-speed]]
[[be | peak-burst] peak-burst-rate
If be and pir are not specified, all other traffic takes
[link-speed]] [conform action [exceed the violate action. If be or violate are specified, then
set dscp dscp table cir-markdown-map the exceed action is taken if the data rate <= pir, and
[violate set dscp dscp table the violate action is taken otherwise. The actions are
pir-markdown-map]]] described in Table 4-3 and Table 4-4. The data rates
and link speeds are described in Table 4-5 and
Table 4-6.
Example: This example shows a 1-rate, 3-color policer that
switch(config-pmap-c-qos)# police cir transmits if the data rate is within 300 milliseconds of
256000 be 300 ms conform transmit exceed
set dscp dscp table cir-markdown-map
traffic at 256000 bps; marks down DSCP using the
violate drop system-defined table map if the data rate is within 300
switch(config-pmap-c-qos)# milliseconds of traffic at 256000 bps; and drops
packets otherwise.
Step 5 show policy-map [type qos] (Optional) Displays information about the policy map
[policy-map-name] configuration.
Example:
switch(config-pmap-c-qos)# show
policy-map
Step 6 copy running-config startup-config (Optional) Saves the running configuration
persistently through reboots and restarts by copying it
Example:
switch(config-pmap-c-qos)# copy
to the startup configuration.
running-config startup-config

Verifying the Policing Configuration

Use these command to verify the policing configuration.

show policy-map Displays information about policy maps and

policing.

Example Configurations
The following are examples of how to configure policing:

Cisco Nexus 1000V Quality of Service Configuration Guide, Release 4.0(4)SV1(1)

4-8
 Chapter 4 Configuring QoS Policing
Feature History for QoS Policing

Example 4-1 1-rate, 2-color policer

config t
policy-map policy1
class one_rate_2_color_policer
police cir 256000 conform transmit violate drop

Example 4-2 1-rate, 2-color policer with DSCP markdown

config t
policy-map policy2
class one_rate_2_color_policer_with_dscp_markdown
police cir 256000 conform set-dscp-transmit af11 violate set dscp dscp table
pir-markdown-map

Example 4-3 1-rate, 3-color policer

config t
policy-map policy3
class one_rate_3_color_policer
police cir 256000 pir 256000 conform transmit exceed set dscp dscp table
cir-markdown-map violate drop

Feature History for QoS Policing

This section provides the QoS policing release history.

Feature Name Releases Feature Information

QoS Policing 4.0 This feature was introduced.

Cisco Nexus 1000V Quality of Service Configuration Guide, Release 4.0(4)SV1(1)

4-9
 Chapter 4 Configuring QoS Policing
Feature History for QoS Policing

Cisco Nexus 1000V Quality of Service Configuration Guide, Release 4.0(4)SV1(1)

4-10