
Traffic policing is a critical component of modern communication networks. It ensures that data packets are transmitted efficiently and effectively, preventing network congestion and downtime.
Traffic policing limits the amount of data that can be transmitted by a device or application, preventing it from overwhelming the network. This is typically done by setting a specific rate limit, measured in bits per second.
Network administrators can use traffic policing to prevent malicious activity, such as denial-of-service attacks, by limiting the amount of traffic that can be generated by a single device or application.
On a similar theme: Data Communication
What is Traffic Policing?
Traffic policing is a method used to control the amount of traffic that can flow through a network. It ensures that traffic does not exceed a certain rate, preventing congestion.
Cisco IOS supports two methods of traffic policing: Committed Access Rate and Class-Based Policing. These two mechanisms have important functional differences.
The police command is used to specify a maximum rate for a class of traffic, and if that rate is exceeded, an immediate action is taken. This is in contrast to the shape command, which buffers packets and sends them out later.
Policing uses a token bucket to determine whether a packet exceeds or conforms to the applied rate. A configurable action is implemented, which includes IP precedence or Differentiated Services Code Point (DSCP).
Here are the two methods of traffic policing supported by Cisco IOS:
- Committed Access Rate
- Class-Based Policing
Cisco recommends using Class-Based Policing and other features of the modular QoS CLI when QoS policies are applied.
Components and Implementations
Traffic policing is implemented through the token bucket algorithm on Cisco equipment.
Traffic policing can be applied to all IP packets in a Layer 2 or Layer 3 traffic flow at a logical interface, with some exceptions.
A policer defines a set of traffic rate limits and sets consequences for traffic that does not conform to the configured limits.
Packets in a traffic flow that do not conform to traffic limits are either discarded or marked with a different forwarding class or packet loss priority (PLP) level.
Traffic policers are instantiated on a per-PIC basis, which means they are specific to each Policy Interface Card.
Components Used

Token bucket functionality is used in some implementations of traffic policing.
Traffic policing can be implemented with various algorithms, including the Generic Cell Rate Algorithm (GCRA), which is a version of the leaky bucket algorithm.
The leaky bucket algorithm is a common method used in traffic policing to control the rate of traffic.
Traffic policing can also be implemented with the help of policers, which define a set of traffic rate limits and set consequences for traffic that does not conform to the configured limits.
Policers can be applied to all IP packets in a Layer 2 or Layer 3 traffic flow at a logical interface, or to specific IP packets in a Layer 3 traffic flow using a stateless firewall filter.
Traffic policers are instantiated on a per-PIC basis.
Intriguing read: Level 3 Communications
Implementations
Implementations of traffic policing and shaping can be complex, but they have some key differences.
On Cisco equipment, both traffic policing and shaping are implemented through the token bucket algorithm.
The leaky bucket and token bucket algorithms are essentially mirror images of each other, with one adding bucket content while the other takes it away, or vice versa.
Given equivalent parameters, implementations of both algorithms will see exactly the same traffic as conforming and non-conforming.
Traffic policing requires maintenance of numerical statistics and measures for each policed traffic flow.
It doesn't require the implementation or management of significant volumes of packet buffer, making it significantly less complex to implement than traffic shaping.
Traffic Policing Techniques
Cisco IOS supports two main methods of traffic policing: Committed Access Rate and Class-Based Policing. These mechanisms have distinct functional differences, as explained in the comparison between Class-Based Policing and Committed Access Rate.
Use the police command to specify a maximum rate for a class of traffic, and if that rate is exceeded, an immediate action is taken. This means that packets cannot be buffered and sent out later, unlike the shape command.
The token bucket determines whether a packet exceeds or conforms to the applied rate, and policing implements a configurable action, including IP precedence or DSCP.
Connection Admission Control Alternative

Connection Admission Control is an alternative to traffic policing that's worth considering. It's used in connection-oriented networks like ATM systems.
This method involves verifying the traffic characteristics and quality of service (QoS) requirements of an application before it's allowed to use the network.
The application requests a connection through signalling, such as Q.2931, and provides information about its traffic and QoS needs.
The network then matches this information against a traffic contract, which determines whether the connection is accepted or not.
If the connection is accepted, the application is allowed to use the network, but if not, it's blocked.
This approach protects network resources from malicious connections and enforces compliance with negotiated traffic contracts.
Unlike traffic policing, which is an a posteriori verification, CAC is an a priori verification, meaning it happens before the transfer occurs.
Rate Limiting
Rate Limiting is a crucial aspect of traffic policing, allowing you to control the maximum rate of traffic transmitted or received on an interface. This is often configured on interfaces at the edge of a network to limit traffic into or out of the network.
Traffic policing can be used to set the IP precedence or DSCP values for packets entering the network, which can then be used by downstream devices to determine how the traffic should be treated. For example, the Weighted Random Early Detection (WRED) feature uses the IP precedence values to determine the probability that a packet will be dropped.
In congested environments, frames with the DE bit set to 1 are discarded before frames with the DE bit set to 0. This is because the Traffic Policing feature allows users to mark the Frame Relay DE bit of the Frame Relay frame.
Traffic that falls within the rate parameters is transmitted, whereas traffic that exceeds the parameters is dropped or transmitted with a different priority. This is a common application of traffic policing at a congestion point, where QoS features generally apply.
Here are some key benefits of rate limiting:
- Prevents network congestion by limiting the maximum rate of traffic
- Ensures that high-priority traffic is transmitted first
- Helps to prevent malicious connections from overwhelming the network
Traffic Policing Management
Traffic policing is a crucial component of network access security that helps thwart denial-of-service (DoS) attacks by controlling the maximum rate of IP traffic sent or received on an interface.
A policer defines a set of traffic rate limits and sets consequences for traffic that does not conform to the configured limits. Packets in a traffic flow that do not conform to traffic limits are either discarded or marked with a different forwarding class or packet loss priority (PLP) level.
You can apply a policer to all IP packets in a Layer 2 or Layer 3 traffic flow at a logical interface, or to specific IP packets in a Layer 3 traffic flow at a logical interface by using a stateless firewall filter.
To monitor and maintain traffic policing, you can use the following commands:
Cisco recommends class-based policing and other features of the modular QoS CLI when QoS policies are applied.
Monitoring and Maintaining
Monitoring and Maintaining Traffic Policing is crucial for ensuring your network runs smoothly. You can display all configured policy maps using the command `Router# show policy-map`.
Displaying configured policy maps is a straightforward process. To do this, use the command `Router# show policy-map`. This will give you a comprehensive view of all your policy maps.
To view a specific policy map, you can use the command `Router# show policy-map policy-map-name`. This is useful when you need to check the details of a particular policy map.
You can also display statistics and configurations of all input and output policies attached to an interface using the command `Router# show policy-map interface`. This is a great way to monitor the performance of your network.
Here are some useful commands for monitoring and maintaining traffic policing:
Selection Criteria
Traffic policers can be applied to all IP packets in a Layer 2 or Layer 3 traffic flow at a logical interface, except for policers configured to rate-limit aggregate traffic.
You can apply a policer to specific IP packets in a Layer 3 traffic flow at a logical interface by using a stateless firewall filter, with the exception of policers configured to rate-limit based on physical interface media rate.
Policers can be applied to inbound or outbound interface traffic, with inbound traffic policers helping to conserve resources by dropping traffic that doesn't need to be routed through a network.
Traffic policers are instantiated on a per-PIC basis, which means they work independently for each PIC, and traffic policing does not work when the traffic for one L-PDF subscriber is distributed over multiple Multiservices PICs in an AMS group.
Explore further: Mobile Communications over IP
Configuration Tasks
To configure traffic policing, you'll need to use the policebps command. This command specifies a maximum bandwidth usage by a traffic class, and it works with a token bucket mechanism.
The policebps command has several options, including burst-normal, burst-max, conform-action, exceed-action, and violate-action. The conform-action option specifies what to do with packets that conform to the traffic policing parameters, while the exceed-action option specifies what to do with packets that exceed those parameters.
The violate-action option is used when a two token bucket algorithm is employed, and it specifies what to do with packets that violate the traffic policing parameters. If the violate-action option is not specified, a single token bucket algorithm is used.
Here's a list of the policebps command options:
Traffic Policing Limitations and Security
Traffic policing has its limitations, and understanding these constraints is crucial for effective network management. One such limitation is that traffic policing can only monitor Cisco Express Forwarding (CEF) switching paths on Cisco 7500 series routers.
This means that traffic policing won't work properly on these routers if CEF is not configured on both the interface receiving the packet and the interface sending the packet. In other words, CEF is a prerequisite for traffic policing on these routers.
Traffic policing also cannot be applied to packets that originated from or are destined to a router. This is an important consideration when designing network policies.
Here are some key restrictions on traffic policing:
- On a Cisco 7500 series router, traffic policing can only monitor CEF switching paths.
- On a Cisco 7500 series router, traffic policing cannot be applied to packets that originated from or are destined to a router.
- Traffic policing can be configured on an interface or a subinterface.
- Traffic policing is not supported on certain interfaces.
Traffic policing is supported on tunnels using the Cisco generic routing encapsulation (GRE) tunneling protocol, which is a notable exception to the restrictions listed above.
Traffic Policing Best Practices
Cisco recommends using class-based policing when applying QoS policies, as it offers more features and flexibility.
Class-based policing allows you to specify a maximum rate for a class of traffic, and if that rate is exceeded, an immediate action is taken. This is in contrast to the shape command, which buffers packets and sends them out later.
To implement traffic policing, use the police command to specify the maximum rate for a class of traffic. This command determines whether a packet exceeds or conforms to the applied rate.
The token bucket is used to determine whether a packet exceeds or conforms to the applied rate. If the packet exceeds the rate, a configurable action is taken, which can include setting the IP precedence or DSCP.
Here are the key differences between committed access rate and class-based policing:
By understanding the key differences between these two mechanisms, you can make informed decisions about which one to use in your QoS policies.
Traffic Policing vs Shaping
Traffic policing and shaping are two fundamental concepts in traffic management that help ensure efficient and fair network usage. Policing, as described in the article, propagates bursts by dropping excess traffic when the configured maximum rate is reached, resulting in a saw-tooth output rate.
Policing can be applied to inbound traffic on an interface, whereas shaping implies the existence of a queue and sufficient memory to buffer delayed packets, making it an outbound concept. Shaping retains excess packets in a queue and schedules them for later transmission, smoothing the packet output rate.
The main difference between policing and shaping lies in their approach to excess traffic. Policing discards or re-marks excess packets, whereas shaping buffers them and transmits them over time, as seen in the use cases for QoS policing and shaping.
Here's a summary of the key differences between policing and shaping:
In practical terms, policing is commonly used in ingress direction to ensure that incoming traffic does not exceed the configured rate, while shaping is used in outbound direction to smooth the packet output rate and prevent congestion.
Traffic Policing Impact and Effects
Traffic policing can have a profound impact on network behavior. It can introduce packet loss throughout periods of high incoming traffic.
If the source doesn't limit its sending rate, packet loss will continue, making it seem like link errors or disruptions are causing random packet loss.
Reliable protocols like TCP will retransmit dropped packets, generating more traffic and potentially causing congestion.
Take a look at this: Internet Packet Loss
Sources with feedback-based congestion control, such as TCP, will typically adapt rapidly to static policing by converging on a rate just below the policed sustained rate.
Co-operative policing mechanisms, like packet-based discard, facilitate more rapid convergence and higher stability, but may make it difficult for endpoints to distinguish between policed and shaped TCP traffic.
Traffic Policing Bandwidth Control
Traffic policing is a bandwidth control mechanism that restricts the output rate to a maximum kbps value. It's an a posteriori verification, meaning it checks the traffic after it's been sent, rather than verifying it beforehand like Connection Admission Control (CAC).
Cisco IOS supports two methods of traffic policing: Committed Access Rate and Class-Based Policing. These mechanisms have important functional differences, as explained in the Cisco documentation.
Policing uses a token bucket to determine whether a packet exceeds or conforms to the applied rate. If the rate is exceeded, an immediate action is taken, such as dropping the packet. This is in contrast to shaping, which buffers packets and sends them out later.
Readers also liked: Control Communications
The police command is used to specify that a class of traffic must have a maximum rate imposed on it. This can include actions such as dropping packets, changing their IP precedence or DSCP, and more.
Here's a comparison of the police and shape commands:
The police command is useful for limiting the output rate of a traffic aggregate, but it can override guarantees made by other QoS features, such as the priority feature. In contrast, the shape command creates a hierarchical queuing system, ensuring that all guarantees are made.
Traffic Policing Quality of Service
Traffic policing is a quality of service (QoS) feature that helps manage network traffic by enforcing bandwidth limits and preventing congestion. Cisco IOS supports two methods of traffic policing: Committed Access Rate and Class-Based Policing.
Policing is not the same as shaping, which buffers packets and transmits them over time. With policing, if a packet pushes the current traffic rate above the configured rate, it is discarded or re-marked.
Traffic policing can be applied in either direction on an interface, but it's most commonly used in the ingress direction. This is because policing is often used to enforce service level agreements (SLAs) and prevent excessive bandwidth usage by specific hosts or applications.
Cisco recommends using Class-Based Policing and other features of the modular QoS CLI when QoS policies are applied. The police command is used to specify that a class of traffic must have a maximum rate imposed on it, and if that rate is exceeded, an immediate action must be taken.
Here are some key use cases for traffic policing:
- Enforcing service level agreements (SLAs) by preventing customers from sending more traffic than their agreed bandwidth limit
- Preventing excessive bandwidth usage by specific hosts or applications
- Protecting a device's control plane from denial of service (DoS) or other abusive traffic
In summary, traffic policing is an essential QoS feature that helps manage network traffic and prevent congestion by enforcing bandwidth limits and taking immediate action when those limits are exceeded.
Traffic Policing Color Marking
Traffic policing color marking is a way to identify and prioritize traffic flows by assigning colors to them, similar to a traffic light. This helps network administrators to manage traffic more efficiently and make informed decisions about how to prioritize packets.
A single-rate two-color policer meters traffic and classifies packets into two categories: green (conforming) and red (nonconforming). Traffic that exceeds the configured bandwidth and burst-size limit is marked as red.
The policer actions for single-rate two-color policers include assigning low loss priority to green packets and assigning low or high loss priority, assigning a forwarding class, or discarding red packets. On some platforms, you can also assign medium-low or medium-high loss priority.
Traffic can be marked using traffic policing to set the IP precedence or DSCP values for packets entering the network. This allows networking devices to use the adjusted IP precedence values to determine how the traffic should be treated.
A single-rate three-color policer meters traffic based on the configured committed information rate (CIR), committed burst size (CBS), and excess burst size (EBS). Traffic is marked as green, yellow, or red based on whether the packets arriving are below the CBS, exceed the CBS but not the EBS, or exceed the EBS.
The policer actions for single-rate three-color policers include assigning low loss priority to green packets, assigning medium-high loss priority to yellow packets, and assigning high loss priority to red packets. Discarding red packets is also an option.
Broaden your view: Website High Traffic
Here's a summary of the policer actions for single-rate two-color and three-color policers:
A two-rate three-color policer meters traffic based on the configured CIR and peak information rate (PIR), along with their associated burst sizes, the CBS and peak burst size (PBS). Traffic is marked as green, yellow, or red based on whether the packets arriving are below the CIR, exceed the CIR but not the PIR, or exceed the PIR.
The policer actions for two-rate three-color policers include assigning low loss priority to green packets, assigning medium-high loss priority to yellow packets, and assigning high loss priority to red packets. Discarding red packets is also an option.
Frequently Asked Questions
What is CIR and BC in QoS?
CIR (Committed Information Rate) is the guaranteed bandwidth for a network connection, while Bc (Committed Burst) is the maximum amount of data that can be sent within a specified time interval to maintain the average CIR rate. Understanding CIR and Bc is crucial for Quality of Service (QoS) management in network traffic shaping.
Featured Images: pexels.com


