Re: Policing and CIR,PIR,BC,BE

Hi!

This is certainly one of the more confusing topics : )

1) The plain vanilla "police <bps>" command implements EITHER what we call a
single-rate two-color policer or a single rate three-color policer depending
on if you specify a violate action or not. In other words, with no violate
action defined we police based on only ONE rate, which would be what you
specify in bps in the command, and we can do certain things -- if we are
within the rate we "conform" and do some action (usually transmit). If we
are over the policed rate, but still within the max burst (Be in bytes) then
we do something else based on the exceed action (usually drop or mark
down). IF you choose to specify a violate action you are now implementing a
single-rate three-color policer. This is essentially the same thing but
more granular. Now you can say if I am within the policed rate then I
conform and do this thing...if I am over the rate but still less than the Be
that do something else (you went over the rate, but you are still somewhere
between the normal burst Bc and the max burst Be) and finally if I am over
the max burst do something else entirely. So you have three options instead
of two, hence the three colors.

2) The command "police cir" gets more "interesting" : ) When you do police
cir you are implementing a DUAL-rate three-color policer. This introduces
the whole concept of PIR. You are actually policing based on TWO entirely
different rates, as you actually have two separate token buckets involved,
Tc and Tp and you have different actions for each bucket being policed.
Essentially, you still have your three options (conform, exceed, violate)
but now exceed means "I went over the policed CIR rate but I am still under
the peak rate." The burst rate here would be related to the first token
bucket. Every Tc time interval you get Bc tokens in the first bucket to
play with. So essentially exceed means that you went over your allotted Bc
tokens per Tc and you need to wait for Bc to refill if you want to send at
that rate. The violate action here relates to the PIR and means "I went
over the policed CIR rate, AND I went over the PIR rate too...now I'm
screwed". The PIR rate relates to the 2nd token bucket you are policing
which gets Bc + Be tokens every Tc interval.

3) Remember that with policing your Bc and Be are specified in terms of
BYTES usually. Be careful.

So in summary:

police <bps> -- single rate two color OR single rate three color depending
on options. conform means within the bps rate. Exceed means you went over
the Bc rate and Violate means you are over Bc + Be.
police <cir> -- dual rate three color policer. conform means within the CIR
rate. Exceed means you went over policed rate of the FIRST bucket (Be).
Violate means you are over the policed rate of the SECOND bucket (PIR)

HTH!!!

On Fri, Dec 11, 2009 at 3:04 PM, karim jamali <karim.jamali_at_gmail.com>wrote:

> Dear Amr,
>
> The link brings a good understanding of Policing:
>
> http://wiki.nil.com/QoS_Policing_in_Cisco_IOS
>
> Petr's Policing vs Shaping article on INE Blog:
>
>
> http://blog.internetworkexpert.com/2008/07/03/at-a-glance-the-difference-between-shaping-and-policing/
>
>
> I do believe in some sort or the other the values do correspond to each
> other (I mean shaping & policing values).
> The way it is explained is the token bucket; tokens are always added to the
> bucket in case of policing at the rate of the cir, when a packet comes, if
> enough tokens in the bucket exist to send the packet it is sent; otherwise
> it is discarded.
>
> Then the concept of PIR is introduced, it comes with some ISPs which will
> allow you to go above the CIR; filling the regular token bucket with the
> rate of CIR and an additional excess token bucket with the PIR rate. So now
> if a packet comes we will check if enough tokens (CIR+PIR) are available to
> send the packet otherwise it will be dropped. When both CIR & PIR are
> specified this is a dual token bucket where three actions can take place
> (Conform/Exceed/Violate).
>
> Police & Police cir as far as i believe do the same function. However
> police
> rate is used for control-plane policing(traffic destined to the control
> plane).
>
> Check this link for the difference between Police commands:
>
>
> http://www.cisco.com/en/US/docs/ios/12_3t/qos/command/reference/qos_o1gt.html#wp1090915
>
> Best Regards,
>
> --
> KJ
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>

-- 
Regards,
Joe Astorino CCIE #24347 (R&S)
Sr. Technical Instructor - IPexpert
Mailto: jastorino_at_ipexpert.com
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
Provider) Certification Training with locations throughout the United
States, Europe and Australia. Be sure to check out our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com
Blogs and organic groups at http://www.ccie.net