Traffic Policing

We've just discussed how to avoid congestion, basically by dropping packets so that transmission of lower-priority traffic slows down. Traffic policing can be as simple as dropping packets, or it can be more involved, as when it sets a new IP Precedence value on the packet.

To police traffic, assign a Committed Access Rate (CAR). There are two methods for doing so: MQC CAR and assigning a CAR directly to an interface. If the traffic exceeds our assigned access rates, we perform actions on the traffic, such as dropping certain types of packets or changing their IP Precedence values.

First, let's look at policing in an MQC configuration.

11.5.1. MQC Policing

To add policing with MQC, we use the police command. With this command, we assign an average rate, a normal burst size, and a maximum burst size for our traffic. To make things a little confusing, the average rate is specified in bits per second while the normal burst size and maximum burst size are in bytes. The average rate sets the long-term transmission rate for traffic; any traffic at or below this rate conforms to our policing. The normal burst size determines how large a normal traffic burst can be before the rate limit is exceeded. And finally, the maximum burst size determines how large a burst can be before traffic violates the rate limit.

After we configure the rate and burst sizes, we assign actions that tell the router what to do when traffic conforms to, exceeds, or violates those values. A conform action is taken when the traffic conforms to our values. An exceed action is taken when the traffic exceeds our normal burst size. And finally, a violate action (which is optional) is taken when the traffic exceeds both our normal and maximum burst sizes.

In a nutshell, traffic policing allows you to control the maximum rate of traffic received or transmitted on an interface. It is usually enabled on interfaces that are on the edge of your network, allowing you to control traffic rates coming in and going out of your network. In most traffic policing configurations, traffic that falls within the rate parameters is transmitted while traffic that exceeds the parameters is dropped or transmitted with a lower priority. You decide what to do with the traffic by assigning policing actions, which can be drop, transmit with different precedences, and so on.

Table 11-7 lists the valid actions that can be taken as part of traffic policing.

Table 11-7. Valid actions for MQC police command

  Police action       Description
  ------------------  --------------------------------------------------------
  drop                Drop the packet.
  set-prec-transmit   Set the IP Precedence value and transmit the packet.
  set-qos-transmit    Set the QoS group value for the packet and transmit it.
  set-dscp-transmit   Set the differentiated services code point (DSCP) value
                      for the packet and transmit it.
  transmit            Transmit the packet.

The following example shows policing configured on class1 in the policy map named policy-police-example. We set an average rate of 5,000 bits per second, a normal burst size of 1,000 bytes, and an excess burst size of 1,000 bytes for all packets leaving our interface. Our conform action is to transmit with no modifications. Our exceed action is to set the QoS group value for the packet before transmitting it. And finally, our violate action is to drop the packet.

 ! police class1: 5000 bps average, 1000-byte normal burst, 2000-byte excess burst
 policy-map policy-police-example
  class class1
   police 5000 1000 2000 conform-action transmit exceed-action set-qos-transmit 1 violate-action drop
 !
 ! apply the policy to traffic leaving the interface
 interface fastethernet 0/1
  service-policy output policy-police-example
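The following Python model is added here as an illustration; it is not code from the book or from IOS. It shows how the three values in the police command above interact: tokens accrue at the average rate, the normal-burst (Bc) bucket fills first and its overflow spills into the excess-burst (Be) bucket, and each packet is judged conform, exceed or violate in that order. The two-bucket refill order is an assumption based on Cisco's documented single-rate policer, and the packet trace is constructed; the values 5000/1000/2000 are those of the policy map above.

```python
"""Model of the MQC `police <bps> <bc> <be>` single-rate, two-bucket policer."""


class Policer:
    """Single-rate policer with a conform (Bc) and an exceed (Be) token bucket."""

    def __init__(self, rate_bps, bc, be):
        self.rate_bps = rate_bps     # average rate, bits per second
        self.bc = bc                 # normal burst, bytes (conform bucket depth)
        self.be = be                 # excess burst, bytes (exceed bucket depth)
        self.tokens_bc = float(bc)   # both buckets start full, so the first
        self.tokens_be = float(be)   # burst of up to bc + be bytes is admitted
        self.last = 0.0              # arrival time of the previous packet, seconds

    def classify(self, now, size):
        """Return 'conform', 'exceed' or 'violate' for a packet of `size` bytes."""
        # Assumed refill model: tokens arrive at the average rate, the Bc bucket
        # is topped up first and whatever does not fit spills into the Be bucket.
        refill = max(0.0, now - self.last) * self.rate_bps / 8.0
        self.last = now
        spill = max(0.0, self.tokens_bc + refill - self.bc)
        self.tokens_bc = min(float(self.bc), self.tokens_bc + refill)
        self.tokens_be = min(float(self.be), self.tokens_be + spill)
        if size <= self.tokens_bc:
            self.tokens_bc -= size
            return "conform"
        if size <= self.tokens_be:
            self.tokens_be -= size
            return "exceed"
        return "violate"             # no tokens are consumed on a violation


# Constructed trace: five 600-byte packets back to back at t=0, then a 2 s
# pause (which refills 1250 bytes at 5000 bps), then three more 600-byte packets.
TRACE = [(0.0, 600)] * 5 + [(2.0, 600)] * 3

# the action the page's policy map applies to each verdict
ACTIONS = {"conform": "transmit", "exceed": "set-qos-transmit 1", "violate": "drop"}


def run_example(trace=TRACE):
    """Classify the trace against the policy map's 5000 bps / 1000 / 2000 values."""
    policer = Policer(rate_bps=5000, bc=1000, be=2000)
    return [policer.classify(t, n) for t, n in trace]


def action_counts(results):
    """Count how many packets receive each policing action."""
    counts = {}
    for verdict in results:
        action = ACTIONS[verdict]
        counts[action] = counts.get(action, 0) + 1
    return counts
```

Note that the first packet of the burst conforms, the next three fall into the excess bucket and are re-marked, and the fifth is dropped; after the pause only the refilled Bc tokens admit a conforming packet again.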


11.5.2. Committed Access Rate (CAR)

We enable a committed access rate (CAR) directly on an interface with the rate-limit command. We can apply the limits in either direction: inbound or outbound. The rate-limit command looks almost identical to the MQC police command. And the actions are similar as well, as you can see in Table 11-8.

Table 11-8. Valid CAR actions

  Action                            Description
  --------------------------------  ----------------------------------------------
  continue                          Evaluate the next rate-limit command.
  drop                              Drop the packet.
  set-dscp-continue                 Set the differentiated services code point
                                    (DSCP) and continue to the next rate-limit
                                    command.
  set-dscp-transmit                 Set the differentiated services code point
                                    (DSCP) and transmit the packet without further
                                    processing.
  set-mpls-exp-imposition-continue  Set the multiprotocol label switching
                                    experimental bits and continue to the next
                                    rate-limit command.
  set-mpls-exp-imposition-transmit  Set the multiprotocol label switching
                                    experimental bits and transmit the packet
                                    without further processing.
  set-prec-continue                 Set the IP Precedence value (0-7) and continue
                                    to the next rate-limit command.
  set-prec-transmit                 Set the IP Precedence value (0-7) and transmit
                                    the packet without further processing.
  set-qos-continue                  Set the QoS group ID (1-99) and continue to
                                    the next rate-limit command.
  set-qos-transmit                  Set the QoS group ID (1-99) and transmit the
                                    packet without further processing.
  transmit                          Transmit the packet.


11.5.2.1. Rate-limit example

In this example, we permit www traffic a CAR rate of 20,000,000 bps, with a normal burst of 24,000 and an excess burst of 32,000 above that. If the traffic exceeds our values, we drop the packets.

 ! match www traffic
 access-list 101 permit tcp any any eq www
 !
 ! limit inbound www traffic to 20 Mbps with bursts of 24000 and 32000 bytes
 interface Hssi0/0/0
  ip address 192.168.1.250 255.255.255.252
  rate-limit input access-group 101 20000000 24000 32000 conform-action transmit exceed-action drop

We can even use the rate-limit command to curb ICMP denial-of-service attacks:

 ! Capture ICMP traffic
 access-list 101 permit icmp any any
 !
 ! allow 256 kbps of inbound ICMP with 8000-byte bursts; drop the rest
 interface serial 1/0
  rate-limit input access-group 101 256000 8000 8000 conform-action transmit exceed-action drop

Cisco IOS in a Nutshell (In a Nutshell (O'Reilly))
ISBN: 0596008694
Year: 2006
Pages: 1031
Authors: James Boney