Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configuring Hierarchical Layer 2 Policers on IQE PICs


The IQE PIC can police traffic at Layer 2 in a hierarchical manner. Policing is the practice of making sure that different streams of incoming traffic conform to certain parameters and limits. If the incoming traffic exceeds the established boundaries, that traffic can be marked or even ignored, depending on configuration. Hierarchical policing maintains two rates: an aggregate rate and a high-priority rate. The traffic is marked differently depending on service class (currently, the classes are expedited forwarding and nonexpedited forwarding). The expedited traffic has an additional rate configured, the guaranteed rate (CIR), which is only marked above that limit. If there is no expedited traffic present, then the non-expedited traffic is able to use the aggregate bandwidth rate before being marked with a packet loss priority. When expedited traffic is present, it is marked above the guaranteed rate, but also uses bandwidth from the nonexpedited range.

For example, consider an aggregate rate of 10 Mbps and a high-priority rate of 2 Mbps of a Fast Ethernet interface. The guaranteed rate is also set at 2 Mbps for expedited forwarding traffic. If there is no expedited traffic present, then nonexpedited traffic can use up to 10 Mbps before being marked. When expedited forwarding traffic is present, the expedited traffic is guaranteed 2 Mbps (of the 10 Mbps) without being marked, but is marked above the 2 Mbps limit. In this case, the nonexpedited forwarding traffic can use the remaining 8 Mbps before being marked.

Layer 2 policers configured on IQE PICs have the following limitations:

  • Only one kind of policer is supported on a physical or logical interface. For example, a hierarchical or two- or three-color policer in the same direction on the same logical interface is not supported.

  • Applying policers to both physical port and logical interface (policer chaining) is not supported.

  • If there is no behavior aggregate classification, there is a limit of 64 policers per interface. (Usually, there will be a single policer per DLCI in frame relay and other logical interface types.)

  • The policer should be independent of behavior aggregate classification. (Without a behavior aggregate, all traffic is treated as either expedited or non-expedited forwarding, depending on configuration.)

  • With a behavior aggregate, traffic not matching any classification bits (such as DSCP or EXP) is policed as nonexpedited forwarding traffic.

  • Only two levels of traffic policing are supported: aggregate and premium.

To configure Layer 2 policing on the IQE PIC, for each forwarding class:

  1. Enable configuration of the forwarding classes.
  2. Define the forwarding classes.
  3. Configure the hierarchical policer.
    1. Enable configuration of the hierarchical policer.

    2. Configure the aggregate policer.

    3. Configure the premium policer.

  4. Apply the policer to the logical on the IQE PIC.

    Alternatively, to hierarchically rate-limit Layer 2 ingress traffic for all protocol families and for all logical interfaces configured on physical interface so-6/0/0, you could reference the policer from the physical interface configuration.