[c-nsp] Aggregated Microflow Policers

Tim Stevenson tstevens at cisco.com
Thu Feb 16 14:13:07 EST 2006

At 04:50 AM 2/16/2006, Peter Salanki opined:
>Hash: SHA1
>I'm reading about per-user microflow policing in SUP720 at http://
>It states that I can't do microflow policing on egress, and I can't
>do aggregated microflow policing.
>Let's suppose I have a 7600 with 3 ge ports. One is a routed port to
>a customer segment, and the other two are different uplinks. Policing
>the incoming traffic from the customer segment to the internet on a
>per-user bases is no problem, but how do I get the policing of the
>incoming->users correct? Attaching a per-user microflow policer on
>inbound on both upstreams would make the user able to get twice of
>his contracted capacity if he picks his sources right.

uFlow policing is based on NF table entries. As long as the flow mask 
is dest IP only for the uflow policy you attach to the 2 uplinks, 
traffic destined to a downlink host with a particular IP will hit the 
same NF entry & get policed in aggregate regardless of which input 
interface it arrives on.

But, this assumes that BOTH interfaces are serviced by the same 
fwding engine (PFC or DFC); the NF table, and thus uflow policing, 
are on a per fwding engine basis, each fwding engine has its own copy 
of the NF table.


>Thank you for your suggestions,
>/Peter Salanki
>Bahnhof AB (AS8473)
>Stockholm, Sweden
>Version: GnuPG v1.4.1 (Darwin)
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>archive at http://puck.nether.net/pipermail/cisco-nsp/

Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Catalyst 6500
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.

More information about the cisco-nsp mailing list