[nsp] Policing on Sup720, 12.2(14)SX1

Iva Cabric ivac at iskon.hr
Fri Sep 26 05:10:54 EDT 2003


Hello,
I would like to clear up some things regarding policers on Sup720; if
someone knows the details, please help :), and I apologise for the long mail.

We have one GigabitEthernet interface which is used as a trunk with a
configuration like this:

interface GigabitEthernet1/1
 no ip address
 mls qos vlan-based
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-1000
 switchport mode trunk

There is a Vlan interface on which I wish to police traffic. It is
configured like this:

interface Vlan10
 description Vlan10
 ip address 10.0.5.1 255.255.255.192
 no ip redirects
 no ip proxy-arp
 ip route-cache flow
 service-policy input IN
 service-policy output OUT

And the policers:

! I need this because class-default cannot be used in policy-map,
! is there a more elegant solution than this one?
!
class-map match-all ALL
  match access-group name ALL
!
! limit ingress traffic with named aggregate policer
!
policy-map IN
  class ALL
      police aggregate IN
!
! use per-interface aggregate policer for egress traffic
!
policy-map OUT
  class ALL
     police 25000000 781250 781250 conform-action transmit exceed-action drop violate-action drop
!
mls qos aggregate-policer IN 25000000 100000 100000 conform-action transmit exceed-action drop
!
! used in class-map ALL
!
ip access-list extended ALL
 permit ip any any
 deny   ip any any

And with this configuration, everything works fine:

Router#sh policy-map interface vlan 10

 Vlan10

  Service-policy input: IN

    class-map: ALL (match-all)
      504309424 bytes
      30 second offered rate 2576008 bps   XXX
      Match: access-group name ALL
      police :
        25000000 bps 100000 limit 100000 extended limit
        aggregate-forwarded 503709245 bytes action: transmit
        exceeded 600179 bytes action: drop
        aggregate-forward 2788896 bps exceed 0 bps  YYY

  Service-policy output: OUT

    class-map: ALL (match-all)
      713813050 bytes
      30 second offered rate 4812408 bps   XXX
      Match: access-group name ALL
      police :
        25000000 bps 781000 limit 781000 extended limit
        aggregate-forwarded 713813050 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 4598744 bps exceed 0 bps  YYY

From this output, these counters (marked with XXX above):

30 second offered rate 2576008 bps
30 second offered rate 4812408 bps

are the same as the counters on the physical port of the switch on the
other side of the trunk.

I'm not sure what these represent (marked with YYY above):

aggregate-forward 2788896 bps exceed 0 bps
aggregate-forward 4598744 bps exceed 0 bps

Aggregate traffic through the trunk interface, or something else?

Now, if I change the ingress policy map to this:

policy-map IN
  class ALL
     police 25000000 781250 781250 conform-action transmit exceed-action drop violate-action drop

and the egress is the same:

policy-map OUT
  class ALL
     police 25000000 781250 781250 conform-action transmit exceed-action drop violate-action drop


I get:

Router#sh policy-map interface vlan 10
 Vlan10

  Service-policy input: IN

    class-map: ALL (match-all)
      11453120 bytes
      30 second offered rate 1559936 bps
      Match: access-group name ALL
      police :
        25000000 bps 781000 limit 781000 extended limit
        aggregate-forwarded 11453120 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 2214272 bps exceed 0 bps

  Service-policy output: OUT

    Class-map: ALL (match-all)
      62 packets, 7576 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group name ALL

Ingress policing works fine, but it seems that the egress policer is
policing only packets directed to the Vlan interface.

Also, it looks like the ingress policer is still aggregate, although it
doesn't use the aggregate-policer IN. Why is that?

And finally, if the policy maps are configured like this:

policy-map IN
  class ALL
     police 25000000 781250 781250 conform-action transmit exceed-action drop violate-action drop
!
policy-map OUT
  class ALL
      police aggregate OUT
!
mls qos aggregate-policer OUT 25000000 100000 100000 conform-action transmit exceed-action drop

again, everything is fine:

sh policy-map interface vlan 10
 Vlan10

  Service-policy input: IN

    class-map: ALL (match-all)
      30578380 bytes
      30 second offered rate 2629904 bps
      Match: access-group name ALL
      police :
        25000000 bps 781000 limit 781000 extended limit
        aggregate-forwarded 30578380 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 3014720 bps exceed 0 bps

  Service-policy output: OUT

    class-map: ALL (match-all)
      35598350 bytes
      30 second offered rate 3385200 bps
      Match: access-group name ALL
      police :
        25000000 bps 100000 limit 100000 extended limit
        aggregate-forwarded 35598350 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 3782504 bps exceed 0 bps


Also, in the configuration where both policers are aggregate, they both
work fine.

So my thoughts are these:

- the ingress policer, configured as a per-interface policer, works fine,
  regardless of how the egress policer is configured,

- egress policer works fine in these cases:

  a) both ingress and egress policers are named aggregate policers
  b) ingress is named aggregate policer, and egress is per-interface
     aggregate policer

In the case where both are per-interface aggregate policers, ingress works
fine, but egress is not working as needed, or it is policing only a
small amount of traffic. I think it polices traffic which is directed to
the address on the Vlan interface, but I'm not sure.

So, from the above, which is the preferred configuration?

Just to clarify the above terms:

a per-interface aggregate policer is this:

 policy-map OUT
   class ALL
      police 25000000 781250 781250 conform-action transmit exceed-action drop violate-action drop

and a named aggregate policer is this:

 policy-map IN
   class ALL
       police aggregate IN
 !
 mls qos aggregate-policer IN 25000000 100000 100000 conform-action transmit exceed-action drop

These terms are from following document:

<URL:http://www.cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a0080160ec7.html>

I have read it a few times, but I still can't find clear explanations of
policer behaviour (or maybe I don't know how to read between the lines :).

In the above document, there is a part which explains how traffic is treated:

On ports configured for port-based PFC QoS, you can attach a policy map
to the ingress LAN port as follows:

- On a nontrunk ingress LAN port configured for port-based PFC QoS, all
  traffic received through the port is classified, marked, and policed
  according to the policy map attached to the port.

- On a trunking ingress LAN port configured for port-based PFC QoS,
  traffic in all VLANs received through the port is classified, marked,
  and policed according to the policy map attached to the port.

- On a nontrunk ingress LAN port configured for VLAN-based PFC QoS,
  traffic received through the port is classified, marked, and policed
  according to the policy map attached to the port's VLAN.

- On a trunking ingress LAN port configured for VLAN-based PFC QoS,
  traffic received through the port is classified, marked, and policed
  according to the policy map attached to the traffic's VLAN.

So, if I have a trunking port (GigabitEthernet1/1, as above), which is
configured for VLAN-based PFC (with "mls qos vlan-based") and I have
different policers on different Vlan interfaces, will they work
independently, or will the aggregate policer police traffic from both Vlans?

Thanks for the help.
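As an added illustration (not part of the original mail, and not Cisco's PFC implementation), the following Python model runs the two burst sizes from the configs above, 781250 bytes for the per-interface policer and 100000 bytes for the named aggregate policer, against constructed packet traces. It assumes an RFC 2697-style two-bucket policer with a committed bucket of bc bytes and an excess bucket of be - bc bytes, and microsecond timestamps; frame sizes, rates and trace lengths are made up for the example.

```python
from fractions import Fraction

CIR = 25_000_000  # bps, the rate every policer in the post is configured with

class Policer:
    """Single-rate policer: committed bucket of bc bytes plus an excess bucket
    of be - bc bytes (RFC 2697 style).  Added model, not the PFC hardware
    algorithm, which refills on a fixed interval and rounds the burst (the
    show output above reports the 781250-byte burst as "781000 limit")."""

    def __init__(self, cir_bps, bc, be):
        self.cir_bps, self.bc, self.be_x = cir_bps, bc, max(be - bc, 0)
        self.tc, self.te, self.last_us = Fraction(bc), Fraction(self.be_x), 0
        self.stats = {"conform": 0, "exceed": 0, "violate": 0}

    def police(self, now_us, size):
        # Refill at CIR for the elapsed microseconds (exact arithmetic); overflow
        # of the committed bucket spills into the excess bucket (empty if be == bc).
        self.tc += Fraction((now_us - self.last_us) * self.cir_bps, 8_000_000)
        self.last_us = now_us
        if self.tc > self.bc:
            self.te = min(self.te + self.tc - self.bc, self.be_x)
            self.tc = Fraction(self.bc)
        if size <= self.tc:
            verdict, self.tc = "conform", self.tc - size  # conform-action transmit
        elif size <= self.te:
            verdict, self.te = "exceed", self.te - size   # exceed-action drop
        else:
            verdict = "violate"                           # violate-action drop
        self.stats[verdict] += 1
        return verdict

def burst_bytes(cir_bps, seconds):
    """Bytes a full bucket admits at once; the post's 781250 is 0.25 s of CIR."""
    return round(cir_bps * seconds / 8)

def instantaneous_burst(bc, packets=600, size=1500):
    """Constructed trace: `packets` frames of `size` bytes arriving at once."""
    p = Policer(CIR, bc, bc)  # be == bc as in the post, so nothing can "exceed"
    for _ in range(packets):
        p.police(0, size)
    return dict(p.stats)

def steady_stream(bc, rate_bps, seconds=1, size=1500):
    """Constructed trace: evenly spaced frames at rate_bps for `seconds`."""
    p = Policer(CIR, bc, bc)
    gap_us = size * 8 * 1_000_000 // rate_bps  # 1500 B at 30 Mbps: one per 400 us
    for i in range(seconds * 1_000_000 // gap_us):
        p.police(i * gap_us, size)
    return dict(p.stats)
```

With bc=100000 a one-second stream at 30 Mbps loses about one frame in six once the bucket drains, while bc=781250 absorbs the whole second without a drop; the 600-frame instantaneous burst shows the same difference at time zero.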