1. Introduction
Traffic policing is a QoS mechanism that limits the rate of traffic by dropping or marking excess packets when the defined limit is exceeded. Unlike traffic shaping, which buffers excess traffic, policing discards or reclassifies packets immediately.
Key Benefits of Traffic Policing:
- Enforces bandwidth limits on applications/users
- Prevents network abuse (e.g., users setting high DSCP values)
- Protects critical traffic by limiting non-essential traffic
- Can mark or drop excess traffic to maintain QoS policies
2. How Does Policing Work?
Policing uses the Token Bucket Algorithm to monitor the rate of incoming traffic.
Behavior of Policing:
- Traffic within the limit → Allowed
- Traffic exceeding the limit → Dropped or marked
- No buffering (unlike shaping)
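The token bucket behaviour described above, as an added example that is not from the original page: a single-rate, two-color policer simulated in Python. The names `Policer`, `offer` and `demo`, the 15,000-byte burst and the packet timings are assumptions made for this example, and the traffic is constructed.

```python
from collections import Counter


class Policer:
    """Single-rate, two-color token bucket: no queue, so no added delay."""

    def __init__(self, rate_bps, burst_bytes, exceed_action="drop"):
        self.rate_bps = rate_bps
        self.depth = burst_bytes * 8      # bucket depth in bits (burst given in bytes: assumption)
        self.tokens = self.depth          # bucket starts full
        self.exceed_action = exceed_action
        self.last_us = 0

    def police(self, now_us, size_bytes):
        # Refill for the time elapsed since the previous packet, capped at depth.
        # Integer microseconds and bits keep the arithmetic exact for whole-Mbps rates.
        earned = (now_us - self.last_us) * self.rate_bps // 1_000_000
        self.tokens = min(self.depth, self.tokens + earned)
        self.last_us = now_us
        bits = size_bytes * 8
        if bits <= self.tokens:           # conform: spend tokens, forward unchanged
            self.tokens -= bits
            return "transmit"
        return self.exceed_action         # exceed: act immediately, tokens untouched


def offer(policer, count, size_bytes, gap_us):
    """Send `count` equal packets spaced `gap_us` apart and tally the verdicts."""
    return Counter(policer.police(i * gap_us, size_bytes) for i in range(count))


def demo():
    # Constructed traffic: 1000 packets of 1500 bytes against a 5 Mbps policer.
    # A 1200 us gap offers 10 Mbps; a 3000 us gap offers 4 Mbps.
    over = offer(Policer(5_000_000, 15_000), 1000, 1500, 1200)
    remark = offer(Policer(5_000_000, 15_000, "set-dscp-transmit 10"), 1000, 1500, 1200)
    under = offer(Policer(5_000_000, 15_000), 1000, 1500, 3000)
    return over, remark, under


if __name__ == "__main__":
    for name, tally in zip(("10 Mbps, drop", "10 Mbps, remark", "4 Mbps, drop"), demo()):
        print(name, dict(tally))
```

Against the 10 Mbps stream the first 19 packets drain the full bucket, after which every other packet conforms, so forwarded throughput settles at the policed rate.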
Policing vs. Shaping
| Feature | Policing | Shaping |
|---|---|---|
| Purpose | Limits and enforces a strict rate | Smooths out bursts |
| Effect on Excess Traffic | Drops or marks packets | Buffers packets in a queue |
| Delay Impact | No delay | Can introduce delay |
| Best Use Case | Ingress (incoming) traffic | Egress (outgoing) traffic |
3. Configuring QoS Policing on Cisco Routers & Switches
Cisco uses Class-Based Policing to enforce bandwidth limits.
A. Policing All Traffic on an Interface
To police all traffic on an interface to 5 Mbps:
interface GigabitEthernet1/0/1
 police 5000000 conform-action transmit exceed-action drop
- conform-action transmit → Allowed traffic goes through.
- exceed-action drop → Traffic beyond 5 Mbps is dropped.
B. Class-Based QoS Policing
Step 1. Define a Class to Match Traffic:
class-map MATCH-VIDEO
 match ip dscp af41
Step 2. Create a Policy Map to Apply Policing:
policy-map POLICE-VIDEO
 class MATCH-VIDEO
  police 2000000 250000 exceed-action drop
Step 3. Apply to an Interface:
interface GigabitEthernet1/0/1
 service-policy input POLICE-VIDEO
Explanation:
- Limits AF41-marked traffic (video) to 2 Mbps.
- Bursts up to 250 Kbps are allowed.
- Excess traffic is dropped.
C. Marking Instead of Dropping (Two-Color Policing)
Instead of dropping excess traffic, mark it with a lower priority (DSCP 10):
policy-map POLICE-WEB
 class MATCH-WEB
  police 1000000 200000
   conform-action transmit
   exceed-action set-dscp-transmit 10
This means:
- Traffic under 1 Mbps is transmitted normally.
- Traffic above 1 Mbps is marked as DSCP 10 (lower priority) instead of being dropped.
D. Three-Color Policing (CIR, PIR, Drop)
Three-color policing allows three actions:
- Conform (Transmit)
- Exceed (Mark lower priority)
- Violate (Drop)
policy-map POLICE-TRAFFIC
 class class-default
  police 5000000 1000000 2000000
   conform-action transmit
   exceed-action set-dscp-transmit 10
   violate-action drop
Explanation:
- Traffic ≤ 5 Mbps → Allowed
- Traffic between 5 Mbps – 7 Mbps → Marked as DSCP 10
- Traffic > 7 Mbps → Dropped
4. Verifying Policing
Check if policing is applied:
show policy-map interface GigabitEthernet1/0/1
Check interface traffic rate:
show interfaces GigabitEthernet1/0/1 | include rate
5. Summary
| Scenario | Configuration |
|---|---|
| Police all traffic to 5 Mbps | police 5000000 conform-action transmit exceed-action drop |
| Limit Video (AF41) to 2 Mbps | Class-based policing with exceed-action drop |
| Mark excess traffic instead of dropping | exceed-action set-dscp-transmit 10 |
| Three-color policing (Transmit, Mark, Drop) | conform-action transmit, exceed-action set-dscp-transmit 10, violate-action drop |
| Verify policing | show policy-map interface |
Traffic policing enforces bandwidth limits and protects network resources!