Policing
Policing is used to limit the bandwidth of traffic that enters the switch at ingress.
Traffic that exceeds the configured bandwidth is dropped.
A policer is configured by using rate and burst parameters, where rate is the maximum traffic rate in bits per second and burst is the maximum allowed burst in bytes.
Policers are implemented using a tc filter containing a police action.
The tc filter is attached to a clsact qdisc which must be created first:
# tc qdisc add dev eth0 clsact
See the TC Introduction page for a general introduction to tc commands.
1. Port Policer
A port policer limits the bandwidth of traffic that enters the port at ingress and is implemented by a tc matchall filter.
Set up a port policer with a rate of 100 Megabits per second and a burst of 4096 bytes:
# tc filter add dev eth0 ingress prio 100 handle 200 matchall skip_sw \
    action police rate 100000000 burst 4096
The skip_sw flag signals that hardware offload is required.
Show port policer statistics:
# tc -s filter show dev eth0 ingress
filter protocol all pref 100 matchall chain 0
filter protocol all pref 100 matchall chain 0 handle 0xc8
  skip_sw
  in_hw (rule hit 0)
        action order 1: police 0x1 rate 100Mbit burst 4075b mtu 2Kb action reclassify overhead 0b
        ref 1 bind 1 installed 0 sec used 0 sec
        Action statistics:
        Sent 1004000 bytes 1000 pkt (dropped 893, overlimits 0 requeues 0)
        Sent software 0 bytes 0 pkt
        Sent hardware 1004000 bytes 1000 pkt
        backlog 0b 0p requeues 0
        used_hw_stats immediate
Here it is shown that 893 packets out of 1000 packets are dropped.
Delete the port policer created above:
# tc filter del dev eth0 ingress prio 100 handle 200 matchall
2. ACL Policer
An ACL policer makes it possible to limit the bandwidth of a specific incoming traffic stream.
ACL policers are implemented by a tc flower filter that is hardware offloaded via VCAP IS2.
See the TC and VCAP page for more information about how to configure VCAPs by using tc commands.
Set up an ACL policer with a rate of 100 Megabits per second and a burst of 4096 bytes that polices all traffic containing destination IP address 10.10.10.10:
# tc filter add dev eth0 ingress chain 20000 prio 100 handle 200 protocol ip flower skip_sw \
    dst_ip 10.10.10.10 \
    action police rate 100000000 burst 4096 \
    action goto chain 21000
The skip_sw flag signals that hardware offload is required.
Show ACL policer statistics:
# tc -s filter show dev eth0 ingress
filter protocol ip pref 100 flower chain 20000
filter protocol ip pref 100 flower chain 20000 handle 0xc8
  eth_type ipv4
  dst_ip 10.10.10.10
  skip_sw
  in_hw in_hw_count 1
        action order 1: police 0x1 rate 100Mbit burst 4075b mtu 2Kb action reclassify overhead 0b
        ref 2 bind 1 installed 8 sec used 8 sec
        Action statistics:
        Sent 0 bytes 10000 pkt (dropped 0, overlimits 0 requeues 0)
        Sent software 0 bytes 0 pkt
        Sent hardware 0 bytes 10000 pkt
        backlog 0b 0p requeues 0
        used_hw_stats immediate

        action order 2: gact action goto chain 21000
        random type none pass val 0
        index 2 ref 1 bind 1 installed 8 sec used 8 sec
        Action statistics:
        Sent 0 bytes 10000 pkt (dropped 0, overlimits 0 requeues 0)
        Sent software 0 bytes 0 pkt
        Sent hardware 0 bytes 10000 pkt
        backlog 0b 0p requeues 0
        used_hw_stats immediate
Here it is shown that the filter was hit by 10000 packets.
ACL policers do not support counting dropped frames.
Delete the ACL policer created above:
# tc filter del dev eth0 ingress chain 20000 prio 100 handle 200 protocol ip flower
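An added example, not part of the original page: a parser for the text printed by tc -s filter show in the two sections above, returning for each policer whether the rule is offloaded (in_hw) and its packet and drop counters. The name parse_policers, the dictionary keys and the line breaks of the embedded sample are assumptions; following the page, a drop count is reported only for matchall port policers.

```python
import re

# Port policer statistics from this page; the line breaks are assumed.
SAMPLE = """\
filter protocol all pref 100 matchall chain 0
filter protocol all pref 100 matchall chain 0 handle 0xc8
  skip_sw
  in_hw (rule hit 0)
        action order 1: police 0x1 rate 100Mbit burst 4075b mtu 2Kb action reclassify overhead 0b
        Action statistics:
        Sent 1004000 bytes 1000 pkt (dropped 893, overlimits 0 requeues 0)
"""

FILTER_RE = re.compile(r"filter protocol \S+ pref (\d+) (\w+) chain (\d+) handle (\S+)")
POLICE_RE = re.compile(r"police \S+ rate (\S+) burst (\S+)")
SENT_RE = re.compile(r"Sent (\d+) bytes (\d+) pkt \(dropped (\d+),")

def parse_policers(text):
    """Return one dict per filter that carries a police action."""
    found, cur, in_police = [], None, False
    for line in text.splitlines():
        m = FILTER_RE.match(line.strip())
        if m:  # start of a new filter entry (the line that carries a handle)
            cur = {"pref": int(m[1]), "kind": m[2], "chain": int(m[3]),
                   "handle": m[4], "in_hw": False}
            in_police = False
            continue
        if cur is None:
            continue
        if "in_hw" in line.split():  # exact word, so not_in_hw does not match
            cur["in_hw"] = True
        if "action order" in line:
            m = POLICE_RE.search(line)
            in_police = m is not None  # ignore counters of other actions (gact)
            if m:
                cur.update(rate=m[1], burst=m[2], pkts=0, dropped=None, drop_pct=None)
                found.append(cur)
        m = SENT_RE.search(line)
        if m and in_police:
            in_police = False
            cur["pkts"] = int(m[2])
            # The page states that ACL (flower) policers do not count dropped
            # frames, so drops are only reported for matchall port policers.
            if cur["kind"] == "matchall":
                cur["dropped"] = int(m[3])
                if cur["pkts"]:
                    cur["drop_pct"] = round(100 * cur["dropped"] / cur["pkts"], 1)
    return found

if __name__ == "__main__": print(parse_policers(SAMPLE))
```

A result with in_hw set to False means the policer is not enforced by the switch hardware; a dropped value of None means the counter is not available for that policer type.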
3. PSFP Policer
A PSFP policer works in much the same way as an ACL policer and is explained in detail on the PSFP page.