1 Reply. Latest reply: Nov 12, 2017 11:38 PM by Praveen

    Policing and shaping


      Another important group of QoS tools that need to be reviewed are policers and shapers. Both of them operate in a similar manner, in the sense that both meter traffic rates. The difference between them is what they do after metering.


      Traffic policers may remark or drop traffic as a result of a policy action. The dropping or remarking of traffic may happen when the traffic rate reaches the configured maximum rate. Traffic policers may propagate bursts, so the result is an output rate in the form of a saw-tooth shape.


      Traffic shapers retain excess packets in a queue, scheduling the excess for a later transmission over time. By smoothing bursts, shapers prevent unnecessary packet drops. As shapers don’t propagate bursts, the output is a smoothed packet output rate.





      It’s important to keep in mind that the classification process must occur before policing or shaping traffic. In the next subsections, we’ll get into the more relevant aspects of both tools.




      Policers continuously monitor traffic flows in order to identify and respond to traffic violations. Traffic is considered to violate a rate when the input rate exceeds the configured rate. A policer doesn’t delay traffic. When a policer detects a violation, it takes an immediate, preconfigured action. That action can be either remarking or dropping the violating traffic.


      If the policer drops the violating traffic, then it’s known as a dropper. In this case it continuously determines if the offered load is in excess of the defined traffic rate and then drops the out-of-contract traffic.


      If the policer remarks traffic, it is called a marker. Marking down traffic can be used to signal to the network a lower preference or higher drop probability for some traffic class.


      A policer can be configured to work in the data plane or in the control plane. When applied to the control plane, the policer protects against resource exhaustion attacks by limiting the traffic rate allowed to be processed by the routing engine.

      Policers are usually implemented in the ingress direction, but can be applied in both the ingress and egress directions.


      Dual-rate, three-color policer


      The dual-rate RFC 2698 policer performs the traffic conditioning for RFC 2597 Assured Forwarding PHBs:


      • T < CIR → conform
      • CIR < T < PIR → exceed
      • PIR < T → violate


      The Committed Information Rate (CIR) is the rate at which the policer is configured to either drop or remark traffic.


      Policers may police to multiple rates, such as the dual-rate policer defined in RFC 2698. With such a policer, the CIR is the principal rate to which traffic is policed, but an upper limit, called the Peak Information Rate (PIR), is also set.





      Shapers work in a different way: if, at a given moment, the offered traffic exceeds the configured rate, the excess traffic is buffered and delayed until the offered load falls below the contracted rate. If the excess traffic is permanent, the buffer will eventually fill up and subsequent packets will be dropped.


      Traffic shaping limits the transmission rate to a value, the shaped rate, lower than the line rate.


      By applying buffering techniques, shapers avoid dropping traffic. This minimizes TCP retransmissions and the adverse effects of TCP resynchronization on business applications.

      Shapers are configurable in the outgoing direction only.





      Both QoS mechanisms, policing and shaping, use previous traffic classification to limit the traffic rate, ensuring that traffic does not exceed some previously defined bandwidth limit.


      Traffic policing drops excess packets to stay within a limit (alternatively, it can remark and send the excess traffic). Traffic shaping queues excess packets to stay within the contractual rate. The impact on network traffic differs depending on which tool is used.

      Policing is often implemented at the access or distribution layers (input or output direction). The following brief list summarizes the main use cases:


      • Ingress to a QoS domain to limit the traffic rate per TC.
      • Inside a QoS domain to recolor traffic in moments of overutilization of network resources.
      • Ingress to another QoS domain to limit the resources assigned to a customer (subrate access).

      Shaping is often implemented at the WAN edge to conform to a specific rate of traffic (output direction). The following brief list summarizes the main use cases:


      • Congestion avoidance within a QoS Domain.
      • Keeping traffic within the SP contracted rate.
      • Implementing shaping at the network edge with other enterprise QoS domains.


      The following table summarizes some of the most relevant points about the two techniques:

      Drop, Markdown
      Exceeding traffic: Dropped or remarked (policing)
      Supports remarking
      TCP retransmits
      Implementation point: Access & Distribution (policing), WAN edge (shaping)



      I hope you find it useful.
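
The conform/exceed/violate decision of the dual-rate, three-color policer described above, written out as an added example that is not part of the original post. It follows the color-blind token-bucket algorithm of RFC 2698; the rates, burst sizes and the constant-rate test flow in `classify()` are constructed values.

```python
from dataclasses import dataclass


@dataclass
class TrTCM:
    """Color-blind two-rate three-color marker (RFC 2698)."""
    cir: float  # Committed Information Rate, bytes/second
    cbs: float  # committed burst size, bytes
    pir: float  # Peak Information Rate, bytes/second
    pbs: float  # peak burst size, bytes

    def __post_init__(self):
        if self.pir < self.cir:
            raise ValueError("PIR must be >= CIR")
        # Both token buckets start full.
        self.tc, self.tp, self.last = self.cbs, self.pbs, 0.0

    def mark(self, now: float, size: int) -> str:
        # Refill both buckets for the elapsed time, capped at the burst size.
        elapsed = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        if self.tp < size:      # PIR < T: no tokens are consumed
            return "violate"    # RFC 2698 "red"
        self.tp -= size
        if self.tc < size:      # CIR < T < PIR: only the peak bucket pays
            return "exceed"     # RFC 2698 "yellow"
        self.tc -= size
        return "conform"        # RFC 2698 "green"


def classify(offered: float, seconds: float = 2.0, size: int = 1000) -> dict:
    """Offer a constant-rate flow (constructed input, bytes/second) and
    count how many packets receive each result."""
    meter = TrTCM(cir=100_000, cbs=2_000, pir=200_000, pbs=2_000)
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for i in range(int(offered * seconds / size)):
        counts[meter.mark(i * size / offered, size)] += 1
    return counts


if __name__ == "__main__":
    for rate in (50_000, 150_000, 250_000):   # below CIR, between, above PIR
        print(rate, classify(rate))
```

A dropper would discard the "violate" packets and a marker would remark the "exceed" ones; the meter itself only assigns the result.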
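
The difference between policing and shaping compared in the post, as an added example that is not part of the original post: a single-rate dropper and a finite-queue shaper are fed the same constructed arrival patterns, counted in whole packets per tick. The function names, the rate of one packet per tick, the bucket depth and the queue limit are assumptions chosen for illustration.

```python
from collections import deque

BURSTY = [4, 0, 0, 0, 4, 0, 0, 0]   # constructed: average equals the rate
SUSTAINED = [3] * 8                 # constructed: permanent excess


def police(arrivals, rate=1, burst=2):
    """Dropper: out-of-contract packets are discarded at once, never delayed."""
    tokens, sent, dropped = burst, [], 0
    for n in arrivals:
        tokens = min(burst, tokens + rate)   # refill, capped at bucket depth
        ok = min(n, tokens)                  # packets covered by tokens pass
        tokens -= ok
        dropped += n - ok
        sent.append(ok)
    return sent, dropped


def shape(arrivals, rate=1, queue_limit=8):
    """Shaper: excess waits in a FIFO; tail drop only when the buffer is full."""
    queue, sent, dropped, max_delay, tick = deque(), [], 0, 0, 0
    while tick < len(arrivals) or queue:
        for _ in range(arrivals[tick] if tick < len(arrivals) else 0):
            if len(queue) < queue_limit:
                queue.append(tick)           # remember the arrival tick
            else:
                dropped += 1
        out = 0
        while queue and out < rate:          # transmit at the shaped rate
            max_delay = max(max_delay, tick - queue.popleft())
            out += 1
        sent.append(out)
        tick += 1
    return sent, dropped, max_delay


if __name__ == "__main__":
    for name, pattern in (("bursty", BURSTY), ("sustained", SUSTAINED)):
        print(name, "policer:", police(pattern))
        print(name, "shaper: ", shape(pattern))
```

On the bursty pattern the policer forwards two packets per tick and drops four, while the shaper sends one packet per tick, drops none and adds up to three ticks of delay; under sustained excess the shaper's queue fills and it drops as well.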