11.5. Traffic Policing
We've just discussed how to avoid congestion, basically by dropping packets so that transmission of lower-priority traffic slows down. Traffic policing can be as simple as dropping packets, or it can be more complex, such as setting a new IP Precedence value on the packet.
To police traffic, we assign a committed access rate (CAR). There are two ways to do so: the police command inside an MQC policy map, or the rate-limit command applied directly to an interface. If the traffic exceeds the assigned rate, we act on it, for example by dropping certain types of packets or changing their IP Precedence values.
First, let's look at policing in an MQC configuration.
11.5.1. MQC Policing
To add policing with MQC, we use the police command. With it we assign an average rate, a normal burst size, and a maximum burst size for our traffic. To make things a little confusing, the average rate is specified in bits per second, while the normal burst size and the maximum burst size are in bytes. The average rate sets the long-term transmission rate for the traffic; traffic at or below this rate conforms to the policer. The normal burst size determines how large a burst can be before the traffic exceeds the rate limit, and the maximum burst size determines how much further a burst can go before the traffic violates it.
After we configure the rate and burst sizes, we assign actions that tell the router what to do with traffic that conforms to, exceeds, or violates those values. The conform action is taken when the traffic is within the average rate and the normal burst. The exceed action is taken when the traffic is over the normal burst but still within the maximum burst. The violate action, which is optional, is taken when the traffic goes beyond the maximum burst as well.
In a nutshell, traffic policing allows you to control the maximum rate of traffic received or transmitted on an interface. It is usually enabled on interfaces that are on the edge of your network, allowing you to control traffic rates coming in and going out of your network. In most traffic policing configurations, traffic that falls within the rate parameters is transmitted while traffic that exceeds the parameters is dropped or transmitted with a lower priority. You decide what to do with the traffic by assigning policing actions, which can be drop, transmit with different precedences, and so on.
Table 11-7 lists the valid actions that can be taken as part of traffic policing.
| Police action | Description |
|---|---|
| drop | Drop the packet. |
| set-prec-transmit | Set the IP Precedence value and transmit the packet. |
| set-qos-transmit | Set the QoS group value for the packet and transmit it. |
| set-dscp-transmit | Set the differentiated services code point (DSCP) value for the packet and transmit it. |
| transmit | Transmit the packet. |
The following example shows policing configured on class1 in the policy map named policy-police-example. We set an average rate of 5,000 bits per second, a normal burst size of 1,000 bytes, and a maximum burst size of 2,000 bytes for all packets leaving our interface. Our conform action is to transmit with no modifications. Our exceed action is to set the QoS group value for the packet before transmitting it. And finally, our violate action is to drop the packet.
```
policy-map policy-police-example
 class class1
  police 5000 1000 2000 conform-action transmit exceed-action set-qos-transmit 1 violate-action drop
!
interface fastethernet 0/1
 service-policy output policy-police-example
```
11.5.2. Committed Access Rate (CAR)
We enable a committed access rate (CAR) directly on an interface with the rate-limit command. The limit can be applied in either direction, inbound (input) or outbound (output). The rate-limit command looks almost identical to the MQC police command, and its actions are similar too, as Table 11-8 shows.
| Action | Description |
|---|---|
| continue | Evaluate the next rate-limit command. |
| drop | Drop the packet. |
| set-dscp-continue | Set the differentiated services code point (DSCP) and continue to the next rate-limit command. |
| set-dscp-transmit | Set the differentiated services code point (DSCP) and transmit the packet without further processing. |
| set-mpls-exp-imposition-continue | Set the multiprotocol label switching (MPLS) experimental bits and continue to the next rate-limit command. |
| set-mpls-exp-imposition-transmit | Set the multiprotocol label switching (MPLS) experimental bits and transmit the packet without further processing. |
| set-prec-continue | Set the IP Precedence value (0-7) and continue to the next rate-limit command. |
| set-prec-transmit | Set the IP Precedence value (0-7) and transmit the packet without further processing. |
| set-qos-continue | Set the QoS group ID (1-99) and continue to the next rate-limit command. |
| set-qos-transmit | Set the QoS group ID (1-99) and transmit the packet without further processing. |
| transmit | Transmit the packet. |
11.5.2.1. Rate-limit example
In this example, we permit www traffic (TCP port 80) a CAR of 20,000,000 bps, with a normal burst of 24,000 bytes and an extended burst of 32,000 bytes; the two burst values are sizes in bytes, not rates. Traffic that exceeds these values is dropped.
```
! match www traffic
access-list 101 permit tcp any any eq www
!
! limit our www traffic to 20 Mbps with bursts
interface Hssi0/0/0
 ip address 192.168.1.250 255.255.255.252
 ! rate-limit inbound www traffic
 rate-limit input access-group 101 20000000 24000 32000 conform-action transmit exceed-action drop
```
We can also use the rate-limit command to blunt ICMP flood denial-of-service attacks by capping inbound ICMP at 256 kbps. Note that the access list matches all ICMP, so legitimate ICMP (echo replies, unreachables, and the "fragmentation needed" messages that path MTU discovery relies on) shares the same bucket and is dropped along with the flood once the limit is reached; the policer caps the volume, it does not tell attacker from victim.
```
! Capture ICMP traffic
access-list 101 permit icmp any any
!
interface serial 1/0
 rate-limit input access-group 101 256000 8000 8000 conform-action transmit exceed-action drop
```
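To make the conform/exceed/violate logic of Section 11.5.1 and the two rate-limit examples above concrete, here is an added example written for this page (it is not Cisco code): a small Python token-bucket model of the policer, run against the `police 5000 1000 2000` policy and the ICMP `rate-limit ... 256000 8000 8000`. It assumes the normal burst is the size of a conform bucket and the maximum burst the size of a separate exceed bucket, both refilled at the average rate with the conform bucket filled first; real CAR handles its extended burst with a different, probabilistic compounded-debt algorithm that is not modelled, so the ICMP case, where normal and extended burst are equal (no extended burst), is modelled as a single bucket. The packet traces are constructed for illustration.

```python
"""Token-bucket model of IOS traffic policing (added example; not Cisco code).

A Policer holds a conform bucket of bc bytes and an exceed bucket of be bytes,
both refilled at the average rate (conform bucket first, overflow into the
exceed bucket).  Time is integer microseconds and tokens are exact Fractions,
so the verdicts below are deterministic.
"""
from fractions import Fraction

CONFORM, EXCEED, VIOLATE = "conform", "exceed", "violate"


class Policer:
    """Assumed model of `police <bps> <bc> <be>`: bc and be are the two bucket
    sizes in bytes.  be=0 models a CAR rate-limit whose extended burst equals
    its normal burst, i.e. a single bucket with only conform/exceed verdicts."""

    def __init__(self, rate_bps, bc_bytes, be_bytes=0):
        if rate_bps <= 0 or bc_bytes <= 0 or be_bytes < 0:
            raise ValueError("rate and bc must be positive, be non-negative")
        self.rate_bps, self.bc, self.be = rate_bps, bc_bytes, be_bytes
        self.tc = Fraction(bc_bytes)   # both buckets start full
        self.te = Fraction(be_bytes)
        self.last_us = 0

    def _refill(self, now_us):
        if now_us < self.last_us:
            raise ValueError("packets must be offered in time order")
        # bytes earned since the previous packet: bits / 8, kept exact
        earned = Fraction((now_us - self.last_us) * self.rate_bps, 8_000_000)
        self.last_us = now_us
        room = self.bc - self.tc
        if earned <= room:
            self.tc += earned
        else:                               # conform bucket full: spill over
            self.tc = Fraction(self.bc)
            self.te = min(Fraction(self.be), self.te + earned - room)

    def police(self, now_us, size_bytes):
        """Return the verdict for one packet; tokens are spent only when the
        packet conforms or exceeds, never when it violates."""
        self._refill(now_us)
        if size_bytes <= self.tc:
            self.tc -= size_bytes
            return CONFORM
        if size_bytes <= self.te:
            self.te -= size_bytes
            return EXCEED
        return EXCEED if self.be == 0 else VIOLATE   # single bucket has no third colour


def mqc_example_trace():
    """Constructed trace against the page's `police 5000 1000 2000`: seven
    500-byte packets back to back at t=0, then two more one second later."""
    p = Policer(rate_bps=5000, bc_bytes=1000, be_bytes=2000)
    offers = [(0, 500)] * 7 + [(1_000_000, 500)] * 2
    return [p.police(t, size) for t, size in offers]


def icmp_flood_summary(pps=1000, seconds=1, size=100):
    """Constructed ICMP flood against the page's `rate-limit ... 256000 8000 8000`
    (single 8000-byte bucket).  Returns (transmitted, dropped, verdict for a
    legitimate echo request that arrives half a millisecond after the flood
    and has to share the same bucket)."""
    p = Policer(rate_bps=256_000, bc_bytes=8000)
    interval_us = 1_000_000 // pps
    verdicts = [p.police(i * interval_us, size) for i in range(pps * seconds)]
    victim = p.police(pps * seconds * interval_us - interval_us // 2, size)
    sent = verdicts.count(CONFORM)
    return sent, len(verdicts) - sent, victim


if __name__ == "__main__":
    print("police 5000 1000 2000:", mqc_example_trace())
    sent, dropped, victim = icmp_flood_summary()
    print(f"ICMP flood: {sent} transmitted, {dropped} dropped; "
          f"legitimate ping during flood: {victim}")
```

Running the script shows why the burst sizes matter as much as the rate: at 5,000 bps with a 1,000-byte normal burst, only the first two 500-byte packets conform, the next four ride the 2,000-byte exceed bucket and are remarked, and the seventh is dropped; one second later only 625 bytes have been earned back, so one more packet conforms and the next is dropped. The ICMP flood of 1,000 100-byte packets per second is cut to 399, which is the 32,000 bytes/s that 256 kbps buys plus the 8,000-byte initial bucket, and the legitimate echo request that arrives while the bucket is drained is dropped along with the flood, which is the caveat noted above.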