Saturday, February 22, 2020

QoS Policing Configuration Example

In this lesson you will learn how to configure the different types of policing on Cisco IOS routers:
  • Single rate, two-color
  • Single rate, three-color
  • Dual rate, three-color
If you have no idea what the difference is between the different policing types then you should start with my QoS Traffic Policing Explained lesson. Having said that, let’s configure some routers. I’ll use the following topology for this:
[Topology: R1 connected to R2]
We don’t need anything fancy to demonstrate policing. I will use two routers for this: R1 will generate some ICMP traffic and R2 will do the policing.
Let’s start with the first policer…

Single Rate Two-Color Policing

Configuration is done using the MQC (Modular QoS Command-Line Interface). First we need to create a class-map to “classify” our traffic:
R2(config)#class-map ICMP
R2(config-cmap)#match protocol icmp
To keep it simple, I will use NBAR to match on ICMP traffic. Now we can create a policy-map:
R2(config)#policy-map SINGLE-RATE-TWO-COLOR
R2(config-pmap)#class ICMP
R2(config-pmap-c)#police 128000                                           
R2(config-pmap-c-police)#conform-action transmit 
R2(config-pmap-c-police)#exceed-action drop
The policy-map is called “SINGLE-RATE-TWO-COLOR” and we configure policing for 128000 bps (128 Kbps) under the class-map. When the traffic rate is below 128 Kbps the conform-action is to transmit the packet; when it exceeds 128 Kbps we will drop the packet.
Above I first configured the police CIR rate and then I configured the “actions” in the “policer configuration”. You can also configure everything on one single line, then it will look like this:
R2(config-pmap-c)#police 128000 conform-action transmit exceed-action drop
Both options achieve the same so it doesn’t matter which one you use. For readability reasons I selected the first option.
Let’s activate the policer on the interface and we’ll see if it works:
R2(config)#interface FastEthernet 0/0
R2(config-if)#service-policy input SINGLE-RATE-TWO-COLOR
You need to use the service-policy command to activate the policer on the interface.
Time to generate some traffic on R1:
R1#ping 192.168.12.2 repeat 999999           
Type escape sequence to abort.
Sending 999999, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!
You can already see some of the packets don’t make it to their destination. Let’s see what R2 thinks about all these pings:
R2#show policy-map interface FastEthernet 0/0
 FastEthernet0/0 

  Service-policy input: SINGLE-RATE-TWO-COLOR

    Class-map: ICMP (match-all)
      1603 packets, 314382 bytes
      5 minute offered rate 18000 bps, drop rate 0 bps
      Match: protocol icmp
      police:
          cir 128000 bps, bc 4000 bytes
        conformed 1499 packets, 199686 bytes; actions:
          transmit 
        exceeded 104 packets, 114696 bytes; actions:
          drop 
        conformed 10000 bps, exceed 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 
Above you can see that the policer is doing its job. The configured CIR rate is 128000 bps (128 Kbps) and the bc is set to 4000 bytes. If you don’t configure the bc yourself then Cisco IOS will automatically select a value based on the CIR rate. You can see that most of the packets were transmitted (conformed) while some of them got dropped (exceeded).
If you understand the theory about policing then the configuration and verification isn’t too bad, right? Let’s move on to the next policer…

Single Rate Three-Color Policing

If you understood the previous configuration then this one will be easy. I’ll use the same class-map:
R2(config)#policy-map SINGLE-RATE-THREE-COLOR
R2(config-pmap)#class ICMP
R2(config-pmap-c)#police 128000 
R2(config-pmap-c-police)#conform-action transmit 
R2(config-pmap-c-police)#exceed-action set-dscp-transmit 0
R2(config-pmap-c-police)#violate-action drop
Our CIR rate is still 128000 bps and the conform-action is still transmit. The difference is the exceed-action which I’ve set to set-dscp-transmit. When the traffic is exceeding, the policer will reset the DSCP value to 0 but still transmit the packet.
In our example, the ICMP traffic wasn’t marked at all but imagine that some marked traffic hits this policer… if it were “conforming” then it would be transmitted and keep its DSCP value; if it were exceeding it would also be transmitted but as a “penalty” the DSCP value is stripped. The last command is also new: when the traffic is violating we use violate-action to drop it.
Let’s activate this policer:
R2(config-if)#no service-policy input SINGLE-RATE-TWO-COLOR
R2(config-if)#service-policy input SINGLE-RATE-THREE-COLOR
I’ll remove the old policer and enable the new one. Let’s generate some traffic on R1 again:
R1#ping 192.168.12.2 repeat 999999
Type escape sequence to abort.
Sending 999999, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!
Some packets are being dropped, let’s see what R2 thinks about it:
R2#show policy-map interface FastEthernet 0/0
 FastEthernet0/0 

  Service-policy input: SINGLE-RATE-THREE-COLOR

    Class-map: ICMP (match-all)
      4170 packets, 475380 bytes
      5 minute offered rate 20000 bps, drop rate 0 bps
      Match: protocol icmp
      police:
          cir 128000 bps, bc 4000 bytes, be 4000 bytes
        conformed 2658 packets, 303012 bytes; actions:
          transmit 
        exceeded 1470 packets, 167580 bytes; actions:
          set-dscp-transmit default
        violated 42 packets, 4788 bytes; actions:
          drop 
        conformed 25000 bps, exceed 14000 bps, violate 0 bps

    Class-map: class-default (match-any)
      9 packets, 576 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 
Above you can see the conformed, exceeded and violated packets with the transmit, set-dscp-transmit and drop actions. Also, if you take a close look you can see the be (4000 bytes) next to the CIR rate. Just like the bc, if you don’t configure it yourself then Cisco IOS will select a be automatically.
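How the bc and be buckets decide between conform, exceed and violate, as an added example that is not part of the original lesson: a simplified colour-blind model in the style of RFC 2697, not IOS's internal code. The class and function names are made up for illustration; setting be to 0 gives the two-color policer from the first section.

```python
# Added example: simplified colour-blind single-rate policer (RFC 2697 style).
# Not IOS's internal implementation; the values mirror the lesson's output.

CIR_BPS = 128000   # committed rate from the policy-map
BC = 4000          # committed burst in bytes (value shown in the output)
BE = 4000          # excess burst in bytes; 0 gives a two-color policer


class SingleRatePolicer:
    def __init__(self, cir_bps, bc, be=0):
        self.rate = cir_bps / 8.0                 # token refill, bytes per second
        self.bc, self.be = bc, be
        self.tc, self.te = float(bc), float(be)   # both buckets start full
        self.last = 0.0

    def _refill(self, now):
        tokens = (now - self.last) * self.rate
        self.last = now
        room = self.bc - self.tc
        self.tc += min(tokens, room)              # committed bucket fills first
        self.te = min(self.be, self.te + max(0.0, tokens - room))  # overflow spills

    def color(self, now, size):
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        # With no excess bucket this is the two-color "exceed" case.
        return "violate" if self.be else "exceed"


def run(policer, packets, size, interval):
    """Send `packets` of `size` bytes every `interval` seconds; count colors."""
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for i in range(packets):
        counts[policer.color(i * interval, size)] += 1
    return counts
```

The 114-byte packet size used to exercise it comes from the counters above (475380 bytes / 4170 packets): a back-to-back burst of 100 such packets drains bc, then be, and only then starts violating, while the same packets paced every 10 ms stay under the CIR and all conform.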
We got one more policer to go…

Dual Rate Three-Color Policing

The configuration is similar but this time we also configure the PIR. Here’s what it looks like:
R2(config)#policy-map DUAL-RATE-THREE-COLOR  
R2(config-pmap)#class ICMP
R2(config-pmap-c)#police cir 128000 pir 256000
R2(config-pmap-c-police)#conform-action transmit 
R2(config-pmap-c-police)#exceed-action set-dscp-transmit 0
R2(config-pmap-c-police)#violate-action drop
Next to the CIR (128 Kbps) I also configured the PIR (256 Kbps). I’ve kept the actions the same as the previous policer. Let’s enable it:
R2(config)#interface FastEthernet 0/0
R2(config-if)#no service-policy input SINGLE-RATE-THREE-COLOR
R2(config-if)#service-policy input DUAL-RATE-THREE-COLOR 
Let’s generate some traffic:
R1#ping 192.168.12.2 repeat 99999
Type escape sequence to abort.
Sending 99999, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Now take a look at R2:
R2#show policy-map interface FastEthernet 0/0
 FastEthernet0/0 

  Service-policy input: DUAL-RATE-THREE-COLOR

    Class-map: ICMP (match-all)
      7472 packets, 851808 bytes
      5 minute offered rate 29000 bps, drop rate 0 bps
      Match: protocol icmp
      police:
          cir 128000 bps, bc 4000 bytes
          pir 256000 bps, be 8000 bytes
        conformed 3713 packets, 423282 bytes; actions:
          transmit 
        exceeded 3715 packets, 423510 bytes; actions:
          set-dscp-transmit default
        violated 44 packets, 5016 bytes; actions:
          drop 
        conformed 32000 bps, exceed 32000 bps, violate 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 
The output above is similar but now you see the CIR and PIR. Some of our packets are conforming, others are exceeding and violating.
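A way to pull these counters out of the show policy-map interface output for monitoring, as an added example that is not part of the original lesson. The function names parse_police and share are made up for illustration, and the sample text is the police section copied from the output above.

```python
import re

# Police section copied from the DUAL-RATE-THREE-COLOR output in this lesson.
SAMPLE = """\
    Class-map: ICMP (match-all)
      7472 packets, 851808 bytes
      police:
          cir 128000 bps, bc 4000 bytes
          pir 256000 bps, be 8000 bytes
        conformed 3713 packets, 423282 bytes; actions:
          transmit
        exceeded 3715 packets, 423510 bytes; actions:
          set-dscp-transmit default
        violated 44 packets, 5016 bytes; actions:
          drop
        conformed 32000 bps, exceed 32000 bps, violate 0 bps
"""

COUNTER = re.compile(r"^\s*(conformed|exceeded|violated) (\d+) packets, (\d+) bytes; actions:")
PARAM = re.compile(r"\b(cir|pir) (\d+) bps|\b(bc|be) (\d+) bytes")


def parse_police(text):
    """Return the policer parameters and per-color counters with their actions."""
    params, colors, current = {}, {}, None
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            current = m.group(1)
            colors[current] = {"packets": int(m.group(2)), "bytes": int(m.group(3)), "action": None}
        elif current and colors[current]["action"] is None and line.strip():
            colors[current]["action"] = line.strip()   # first line after a counter is its action
        else:
            for rate, bps, burst, nbytes in PARAM.findall(line):
                params[rate or burst] = int(bps or nbytes)
    return params, colors


def share(colors):
    """Percentage of policed packets per color, rounded to one decimal."""
    total = sum(c["packets"] for c in colors.values())
    return {name: round(100.0 * c["packets"] / total, 1) for name, c in colors.items()}
```

Run against periodic captures of the same command, the per-color share shows whether the violate counter is growing faster than expected for the class.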
You have now seen how to configure the single-rate two-color / three-color and the dual-rate three-color policers. I hope these configuration examples have been useful to you. If you have any questions, feel free to leave a comment!
