
policing in main class versus nested policy-maps
I was wondering what the benefit is of nested policy-maps. Why could I not use the below in one policy-map and apply that?
Also, in the task below I need to make ICMP traffic under the silver class be policed to 1 Mbps, but it is nested in the nested_policy. How does it know it's for the silver class? For example, if it can't differentiate between gold and silver, ICMP might be policed first?
ip access-list extended ICMP
 permit icmp any any
class-map ICMP
 match access-group name ICMP
class-map TRAFFIC_TO_AS_100
 match access-group name TRAFFIC_TO_AS_100
policy-map SILVER_NESTED_POLICY
 class ICMP
  police 1000000 25000
policy-map NESTED_POLICY
 class GOLD
  police cir 5000000 bc 78125 pir 10000000 be 156250
   conform-action transmit
   exceed-action set-dscp-transmit 0
   violate-action drop
 class SILVER
  police cir 3500000 bc 87500
   conform-action transmit
   exceed-action set-dscp-transmit 0
 !
  service-policy SILVER_NESTED_POLICY
policy-map POLICY
 class TRAFFIC_TO_AS_100
 !
 class class-default
  police cir 20000000
  service-policy NESTED_POLICY
Comments
Hi!
The concept of hierarchical policies is that they are connected together corresponding to different traffic types.
You can check this short example here at Cisco.com:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfmcli2.html#wp1022062
Anyway... usually those policies are used to shape/police traffic and then prioritize traffic inside of the shaped/policed bandwidth.
For example, you have a 100Mbit interface that serves a 2Mbit provider line. You would create a parent policy that shapes everything to 2Mbit (slows down the transmission and holds packets longer in the buffer so that TCP traffic will slow down with the window size by packets that get tail dropped after a longer period of time).
Inside of these 2 Mbit of traffic you may have TCP traffic and voice traffic. You prioritize the voice traffic with a policy-map that is a child of the parent one.
policy-map prio-voip-traffic
 class prio-voip-traffic
  priority percent 10
 class class-default
  bandwidth remaining percent 100
policy-map shape-parent
 class class-default
  shape average 100000
  service-policy prio-voip-traffic
In your example I would say (correct me if I am wrong) the traffic is generally policed to "police cir 20000000" (I think that is 20Mbit/sec), then inside those 20Mbit/sec you police the GOLD and SILVER classes to their values. Due to the "service-policy SILVER_NESTED_POLICY" you do the following: traffic that matches SILVER will go into that class. Once the traffic is there, it will be checked for, let's say, "details" (whether it is ICMP or not), and ICMP traffic is then policed to 1000000.
It does know it's for the silver class because under the "class" configuration of SILVER you added "service-policy...". That connects the ICMP class with the SILVER class.
HTH!
Regards!
Markus
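The attachment described in the reply above can be modelled as a first-match walk through the policy tree. This is an added example, not code from either poster: it covers only NESTED_POLICY and its child, the GOLD and SILVER match criteria are not shown in the thread and are assumed here to be DSCP values, and the sample packets are constructed.

```python
# Model of MQC classification for NESTED_POLICY and SILVER_NESTED_POLICY.
# A packet lands in the first class that matches within a policy-map; a child
# policy only ever sees packets that landed in the class it is attached to.

def is_icmp(pkt):
    return pkt["proto"] == "icmp"

# ASSUMPTION: class-map GOLD / SILVER are not shown in the thread.
# These DSCP matches exist only so the model can run.
def is_gold(pkt):
    return pkt["dscp"] == 46

def is_silver(pkt):
    return pkt["dscp"] == 26

# policy-map name -> ordered list of (class, match, policer, child policy)
POLICY_MAPS = {
    "SILVER_NESTED_POLICY": [
        ("ICMP", is_icmp, "police 1000000 25000", None),
    ],
    "NESTED_POLICY": [
        ("GOLD", is_gold,
         "police cir 5000000 bc 78125 pir 10000000 be 156250", None),
        ("SILVER", is_silver,
         "police cir 3500000 bc 87500", "SILVER_NESTED_POLICY"),
    ],
}

def policers_for(pkt, policy="NESTED_POLICY"):
    """Return [(policy-map, class, policer)] that apply to pkt, parent first.

    The list order reflects nesting depth only; it makes no claim about the
    order in which a given platform evaluates parent and child policers.
    """
    for name, match, policer, child in POLICY_MAPS[policy]:
        if match(pkt):
            hits = [(policy, name, policer)]
            if child:
                hits += policers_for(pkt, child)
            return hits
    return []  # implicit class-default: no action configured in these maps

if __name__ == "__main__":
    # Constructed sample packets.
    samples = [
        {"proto": "icmp", "dscp": 26},  # SILVER + ICMP
        {"proto": "icmp", "dscp": 46},  # GOLD + ICMP
        {"proto": "tcp", "dscp": 26},   # SILVER, not ICMP
        {"proto": "icmp", "dscp": 0},   # ICMP outside GOLD/SILVER
    ]
    for pkt in samples:
        print(pkt, "->", [(p, c) for p, c, _ in policers_for(pkt)])
```

Only the SILVER-marked ICMP packet reaches the 1 Mbps policer; ICMP that lands in GOLD or in class-default never enters SILVER_NESTED_POLICY.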
Hi Markus,
Thanks for your reply. Yes, I think I missed that it was nested in the SILVER class. Now I understand how it knows it is related.
What I don't understand yet with policing is:
- Why not just have different classes next to the default class under the root policy? Why do we need hierarchical classes? What's the difference? With shaping I sort of get it, as you can't apply an LLQ without it.
- What gets precedence when you nest a policy like the one in the SILVER class? I assume it checks first for service-policies attached, as otherwise it would already police everything before the special ICMP exception is applied? Does it work that way, top down, that policy-maps attached to a policy-map are served first?
Much obliged,
Alef
Well, how should the policy-map know what comes first? Let's say you have a parent = police/shape to 1000kbit/sec, and under that you have a child that marks ICMP packets. If the packets match the policer they are not calculated to other routines like priority percent or whatever. So the hierarchy says that first the underlying service-policies take place and then they kind of get down until they reach the parent one. If one of the service-policies in the chain is violated, like a policer, the packet gets dropped. That's my view of this scenario.
Well, hierarchy is a good one. Let's say you have a policy-map that has implemented the following features:
- a class that sets set dscp ef
- a class that matches DSCP=8 packets and prioritizes to 50 percent
- a policer that polices down to 128kbit/sec
A packet with DSCP=8 comes in. What does the machine do? Well, do you get it? With hierarchy you could first prioritize DSCP=8 packets and then mark all others.
That's my way of understanding, but sometimes I am not good at explanations, so others are welcome to post here!
Regards!
Markus