Traffic Policing
Traffic policing is achieved with a policy-map based method. Policy-map based configurations give the flexibility to police traffic per port and by a set of other matching criteria:
VLAN (outer vlan and inner vlan)
CoS (outer cos and inner cos)
DSCP
Topmost EXP
Ether-type
Precedence
TCP or UDP port
ACL
Note: Qumran supports rate limiting of ingress traffic. Rate limiting egress traffic is not supported.
Applying Traffic Policing Parameters Using a policy-map
Policy-map based traffic policing is achieved by binding a policy-map to the interface in the ingress direction. A policy-map has two parts: a class-map, which holds the match criteria, and a police configuration, which applies traffic policing to matching traffic received on the port the policy-map is bound to (see Chapter 2, Configuring a QoS Policy-map).
Traffic policing determines the rate of ingress traffic that is allowed per port (traffic that matches the configuration in the class-map).
Note: Qumran supports two types of policing:
Single rate three color traffic rate limiting (RFC 2697).
Two rate three color traffic rate limiting (RFC 4115).
Single rate or two rate operations are in compliance with the RFCs mentioned.
Note: Packets marked red are dropped by default on Qumran devices. This default behavior can be modified with a global command that disables red packet drop. However, traffic policing and storm control will not work if red packet drop is disabled.
For more information about color, refer to the Packet QoS Attributes section.
Configuration Considerations
Policy map based rate limiting is supported only for ingress traffic.
Only one policy-map of the same type can be bound on an interface.
One policy-map can have up to 256 class-maps.
CIR and EIR must be configured in the same format. For example, if one of them is configured as a percentage, the other must also be configured as a percentage.
The minimum configurable rate is 22 kilobits per second.
The minimum supported burst size is 1 kilobyte, while the maximum supported burst size is 4161 kilobytes.
Configuring Traffic Policing
The following section shows how to configure policing on an interface. See Chapter 2, Configuring a QoS Policy-map for configuring policy-maps.
Note: Policer action must be configured on the class node to achieve traffic policing for matching traffic.
Use the following command to configure a policer for Qumran MX:
police (colour-blind | colour-aware |) (cir) (<1-720000000> (kbps|mbps|gbps) | percent <1-100>) ((eir (<1-720000000> (kbps|mbps|gbps) | percent <1-100>)|) ((bc) <1-4161> (kbytes|mbytes|ms|us)|) ((be) <1-4161> (kbytes|mbytes|ms|us)|))
Use the following command to configure a policer for Qumran AX:
police (colour-blind | colour-aware |) (cir) (<1-500000000> (kbps|mbps|gbps) | percent <1-100>) ((eir (<1-500000000> (kbps|mbps|gbps) | percent <1-100>)|) ((bc) <1-4161> (kbytes|mbytes|ms|us)|) ((be) <1-4161> (kbytes|mbytes|ms|us)|))
For Qumran MX, the configurable rate range is 22 kbps to 720 gbps.
For Qumran AX, the configurable rate range is 22 kbps to 500 gbps.
An example of creating a policy-map and binding a class-map to it with police action is shown below:
(config)#qos enable
(config)#class-map n1-class-10
(config-cmap-qos)#match vlan 10
(config-cmap-qos)#exit
(config)#policy-map n1-police-10
(config-pmap-qos)#class n1-class-10
(config-pmap-c-qos)#police cir 10 mbps eir 20 mbps
(config-pmap-c-qos)#exit
(config-pmap-qos)#exit
(config)#hardware-profile filter qos-policer enable
(config)#interface xe1
(config-if)#service-policy type qos input n1-police-10
(config-if)#exit
In the example above, traffic with VLAN ID 10 received on interface xe1 is policed to a total of 30 mbps: 10 mbps of traffic is marked green and 20 mbps is marked yellow. Any remaining traffic is dropped at ingress.
Example configuration for color aware police:
(config-pmap-c-qos)#police colour-aware cir 10 mbps eir 20 mbps
With this configuration, if traffic with VLAN ID 10 (with the CFI bit set) is received on interface xe1, it is policed to a total of 20 mbps only, because the traffic is treated as yellow and is subject only to the EIR bucket.
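The colour-blind and colour-aware outcomes described above can be reproduced with a small simulation. This is an added example, not OcNOS or Qumran code: a simplified model of the two-rate marker logic in RFC 4115, with bucket sizes, packet size and the 50 mbps offered load all constructed for illustration.

```python
# Added example: simplified RFC 4115 two-rate three-colour marker.
# Units: 1 mbps == 1 bit per microsecond, so all arithmetic stays in integers.

class TwoRatePolicer:
    def __init__(self, cir_mbps, eir_mbps, cbs_bits, ebs_bits, colour_aware=False):
        self.cir, self.eir = cir_mbps, eir_mbps
        self.cbs, self.ebs = cbs_bits, ebs_bits
        self.colour_aware = colour_aware
        self.tc, self.te = cbs_bits, ebs_bits   # both buckets start full
        self.last_us = 0

    def mark(self, now_us, size_bits, colour="green"):
        """Return the colour assigned to a packet arriving at now_us."""
        elapsed = now_us - self.last_us
        self.last_us = now_us
        # Refill each bucket at its own rate, capped at the burst size.
        self.tc = min(self.cbs, self.tc + self.cir * elapsed)
        self.te = min(self.ebs, self.te + self.eir * elapsed)
        if not self.colour_aware:
            colour = "green"            # colour-blind: ignore the incoming colour
        if colour == "green" and self.tc >= size_bits:
            self.tc -= size_bits
            return "green"
        if colour != "red" and self.te >= size_bits:
            self.te -= size_bits        # yellow input only ever tests the EIR bucket
            return "yellow"
        return "red"                    # red is dropped at ingress by default


def offered_load(policer, offered_mbps, seconds, colour="green", pkt_bits=10_000):
    """Send a constant-rate stream and return the mbps marked with each colour."""
    interval_us = pkt_bits // offered_mbps
    duration_us = seconds * 1_000_000
    bits = {"green": 0, "yellow": 0, "red": 0}
    for now_us in range(0, duration_us, interval_us):
        bits[policer.mark(now_us, pkt_bits, colour)] += pkt_bits
    return {c: b / duration_us for c, b in bits.items()}


# Constructed parameters: "police cir 10 mbps eir 20 mbps" with 10-kbyte buckets.
CBS = EBS = 10 * 1000 * 8

def run_examples():
    blind = offered_load(TwoRatePolicer(10, 20, CBS, EBS), 50, 10)
    aware = offered_load(TwoRatePolicer(10, 20, CBS, EBS, colour_aware=True),
                         50, 10, colour="yellow")
    return blind, aware

if __name__ == "__main__":
    for name, result in zip(("colour-blind", "colour-aware, yellow input"), run_examples()):
        print(name, {c: round(v, 2) for c, v in result.items()})
```

The small excess over 10 and 20 mbps in the results comes from the buckets starting full, which is the burst allowance configured with bc and be.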
Displaying Rate Limiting Policies
Use the following commands to verify the configuration and statistics.
show policy-map – This command displays the configuration of the policy-map.
show policy-map interface INTERFACE-NAME – This command displays the policy-map details on the interface, along with statistics of how many packets and bytes match and how many packets and bytes are dropped by the policer.
show policy-map statistics type qos – This command displays the statistics of matched packets and bytes and dropped packets and bytes per class-map in table format.
Note: Packets dropped by the policer are counted in policy-map drops, as well as in queue red drops because the hardware doesn't support policer action to directly drop the packet. Packets that need to be dropped are marked red and are dropped at the queue.
Use the following command to obtain QoS statistics:
qos statistics
Use the following command to clear QoS statistics:
clear qos statistics
Drop counters verification
Drop counters with drop reason can be verified globally using the following command:
#show hardware-discard-counters
+----------------------------------+---------+------------+------------+
| Registers | Core 0 | Core 1 |
+----------------------------------+---------+------------+------------+
IQM_QUEUE_ENQ_DISCARDED_PACKET_COUNTER 1596100
Reason: DP_LEVEL_STATUS Y
EGQ_PQP_DISCARD_UNICAST_PACKET_COUNTER 59807
Reason: SRC_EQUAL_DEST_INT Y