Traffic Policing

Traffic Policing, like Traffic Shaping, is used to abide by the traffic contract, i.e. to maintain the CIR. The Policer measures the cumulative byte-rate of the packets and takes one of three actions on each packet: it is allowed to pass, dropped, or remarked with a different IP Precedence or IP DSCP value.

CB Policing also uses the concept of a token bucket; however, its operation differs from that of CB Shaping. CB Policing can be configured to place a packet in one of three categories according to whether it conforms to the traffic contract-

    • Conforming- Packet is inside the contract
    • Exceeding- Packet is using up an excess burst capability
    • Violating- Packet is outside the contract

CB Policing: Single Token Bucket, Single Rate

When using token buckets for policing, two important things happen.

1. Tokens are replenished into the bucket- In CB Policing, each token is the right to send one byte (instead of one bit, as in CB Shaping). CB Policing replenishes tokens in the bucket in response to a packet arriving at the policing function: every time a packet is policed, CB Policing puts some tokens back into the bucket. The number of tokens put in the bucket is calculated with the formula-

(Current_packet_arrival_time - Previous_packet_arrival_time) * (Police_rate) / 8

For example, suppose the Police_rate is 128000kbps (or 16000 KBps). If the last packet policed was 1 second ago, CB policing will put 16000 tokens in the bucket.

2. The Policer decides if the packet conforms to the contract or not- CB Policing compares the number of bytes in the packet to the number of tokens in the token bucket.

    • If the number of bytes in the packet is less than or equal to the number of tokens in the token bucket, the packet conforms to the contract. CB policing removes tokens from the token bucket equal to the number of bytes in the packet and then performs the action for packets that conform to the contract.
    • If the number of bytes in the packet is greater than the number of tokens in the token bucket, the packet exceeds the contract. CB policing does not remove any tokens from the bucket and performs the action for packets that exceed the contract (drop, or remark to a different IP Precedence or IP DSCP value).

CB Policing: Dual Token Bucket, Single Rate

The dual token bucket supports Bc (committed burst) and Be (excess burst). With two token buckets (the Bc and Be buckets), CB policing classifies packets into three groups-

  • Conform
  • Exceed
  • Violate

CB policing continues to replenish the Bc bucket when a packet arrives. However, any tokens that spill from the Bc bucket are captured in the Be bucket. If the Be bucket fills, the remaining tokens are wasted. The number of tokens replenished in the Bc bucket is calculated using the same formula as above.

The dual token bucket then follows this algorithm-

    • If the number of bytes in the packet is less than or equal to the number of tokens in the Bc bucket, the packet conforms. CB policing removes tokens from the Bc bucket equal to the number of bytes in the packet and then performs the action for packets that conform to the contract.
    • If the packet does not conform, and the number of bytes in the packet is less than or equal to the number of tokens in the Be bucket, the packet exceeds. CB policing removes tokens from the Be bucket equal to the number of bytes in the packet and then performs the action for packets that exceed the contract.
    • If the packet neither conforms nor exceeds, the packet violates. CB policing does not remove tokens from any bucket, and performs the action for packets that violate the contract.

CB Policing: Dual Token Bucket, Dual Rate

The dual token bucket with dual rate has two sustained rates, CIR (Committed Information Rate) and PIR (Peak Information Rate). The CIR conforms to the traffic contract while PIR exceeds CIR. CB Policing replenishes tokens into both the CIR and PIR buckets when a packet arrives that needs to be policed. The PIR bucket is replenished with tokens directly rather than collecting spilled tokens.

For example, if CIR is 128kbps (or 16KBps) and PIR is 256kbps (or 32KBps), and 1 second has passed between the last policed packet and the new packet's arrival, 16000 tokens will be replenished in the CIR bucket while 32000 tokens will be replenished in the PIR bucket. If either bucket spills tokens, they are wasted.

The algorithm for spending tokens is similar to the one above, with a small difference-

    • If the number of bytes in the packet is less than or equal to the number of tokens in the CIR bucket, the packet conforms. CB policing removes tokens from the CIR bucket equal to the number of bytes in the packet, and performs the conform action. However, it also removes the same number of tokens from the PIR bucket.
    • If the packet does not conform, and the number of bytes in the packet is less than or equal to the number of tokens in the PIR bucket, the packet exceeds. CB policing removes tokens from the PIR bucket equal to the number of bytes in the packet and then performs the action for packets that exceed the contract.
    • If the packet neither conforms nor exceeds, the packet violates. CB policing does not remove tokens from any bucket, and performs the action for packets that violate the contract.
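
The three policer variants described above (single bucket, dual bucket with single rate, dual bucket with dual rate) can be simulated with one small model. This is an added example, not code from the original page or from any vendor implementation; the class and function names, the bucket sizes, the full-at-start buckets, the zero clamp on the PIR bucket and the sample traffic are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Policer:
    cir_bps: int          # committed rate in bits per second
    bc: int               # Bc (or CIR) bucket size in bytes
    be: int = 0           # Be (or PIR) bucket size in bytes; 0 = single bucket
    pir_bps: int = 0      # peak rate in bits per second; 0 = single rate
    last: float = 0.0     # arrival time of the previously policed packet

    def __post_init__(self):
        # Assumption: both buckets start full.
        self.c_tokens, self.e_tokens = float(self.bc), float(self.be)

    def _refill(self, now):
        elapsed, self.last = now - self.last, now
        new = elapsed * self.cir_bps / 8          # one token = one byte
        if self.pir_bps:                          # dual rate: second bucket filled directly
            extra = elapsed * self.pir_bps / 8
        else:                                     # single rate: second bucket gets the spill
            extra = max(0.0, self.c_tokens + new - self.bc)
        self.c_tokens = min(self.bc, self.c_tokens + new)
        self.e_tokens = min(self.be, self.e_tokens + extra)   # overflow is wasted

    def police(self, now, size):
        """Classify one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if size <= self.c_tokens:
            self.c_tokens -= size
            if self.pir_bps:
                # Dual rate also charges the PIR bucket; clamping at zero is an
                # assumption, the text does not cover a PIR shortfall.
                self.e_tokens = max(0.0, self.e_tokens - size)
            return "conform"
        if size <= self.e_tokens:
            self.e_tokens -= size
            return "exceed"
        # With a single bucket the page calls a non-conforming packet "exceed".
        return "violate" if self.be else "exceed"

def run(policer, packets):
    """packets: list of (arrival_time_s, size_bytes); returns the verdicts."""
    return [policer.police(t, n) for t, n in packets]

# Constructed traffic: a burst at t=0, then two packets a quarter second later.
BURST = [(0.0, 16000), (0.0, 12000), (0.0, 12000), (0.25, 4000), (0.25, 6000)]
if __name__ == "__main__":
    print(run(Policer(128000, 16000), BURST))                            # single bucket
    print(run(Policer(128000, 16000, be=16000), BURST))                  # dual bucket
    print(run(Policer(128000, 16000, be=32000, pir_bps=256000), BURST))  # dual rate
```

The same burst is classified differently by each variant: the last packet exceeds with a single bucket, violates with the spill-fed Be bucket (which gained nothing in 0.25 s), and exceeds again with the directly replenished PIR bucket.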