Example: Using Policers to Manage Oversubscription

You might want to use a policer when an interface is oversubscribed and you want to control what happens if congestion occurs. For example, you might have servers connected to a switch as listed in Table 1.

Table 1: Servers Connected to Switch

Server Type                   Switch Interface
Network application server    1-gigabit interface
Authentication server         1-gigabit interface
Database server               10-gigabit interface

In this example, users access services provided by the network application server, which requests information from the database server as appropriate. When it receives a request from a user, the network application server first contacts the authentication server to verify the user’s credentials. When a user is authenticated and the network application server provides the requested service, all the packets sent from the database server to the application server must transit the 1-Gigabit Ethernet interface connected to the application server twice—once on ingress to the application server and again on egress to the user.

The sequence of events for a user session is as follows:

  1. A user connects to the application server and requests a service.

  2. The application server requests the user’s credentials and relays them to the authentication server.

  3. If the authentication server verifies the credentials, the application server initiates the requested service.

  4. The application server requests the files necessary to meet the user’s request from the database server.

  5. The database server sends the requested files to the application server.

  6. The application server includes the requested files in its response to the user.

Because the database server sits on a 10-gigabit interface, traffic from it to the application server can congest the 1-gigabit interface to which the application server is connected. This congestion might prevent the application server from responding to requests from users and from creating new sessions for them. You can use policing to make sure that this does not occur.

To create this firewall configuration, perform the following steps on the switch:

  1. Create a policer to drop traffic from the database server to the application server if it exceeds certain limits:

  2. Create a filter to examine traffic from the database server to the application server:

  3. Configure the filter to apply the policer to traffic leaving the switch toward the application server, that is, traffic sourced from the database server and destined for the application server:

  4. If required, configure a term to allow all other traffic that transits the interface (otherwise that traffic, including the authentication exchange and the users' own requests, will be dropped by the implicit discard at the end of the filter):

    Note that omitting a from statement causes the term to match all packets, which is the desired behavior.

  5. Install the egress filter as an output filter on the switch interface that is connected to the application server:

Here is how the final configuration would appear:
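The following configuration is an added illustration of the five steps above and is not the page's own example configuration. The policer and filter names, the server addresses (192.0.2.10 for the database server, 192.0.2.20 for the application server), the interface name (ge-0/0/1 as the 1-gigabit port facing the application server), and the rate limits are all assumptions chosen for the illustration. It also assumes a Layer 3 (family inet) port; on a Layer 2 switch port the same terms go under family ethernet-switching instead. The bandwidth limit is deliberately set below the 1-gigabit line rate so that the interface keeps headroom for the application server's own responses to users and for the authentication exchange.

```junos
## Added example, not the page's configuration. All names, addresses and limits are assumed.
firewall {
    ## Step 1: policer that discards database-to-application traffic above the limit.
    ## 800m leaves ~200 Mbps of the 1-gigabit port for user and authentication traffic.
    policer dbserver-app-policer {
        if-exceeding {
            bandwidth-limit 800m;
            burst-size-limit 1m;
        }
        then discard;
    }
    family inet {
        ## Step 2: filter that examines traffic from the database server to the application server.
        filter db-to-app-filter {
            ## Step 3: apply the policer only to the database-to-application flow.
            term police-db-traffic {
                from {
                    source-address {
                        192.0.2.10/32;    # database server (assumed)
                    }
                    destination-address {
                        192.0.2.20/32;    # application server (assumed)
                    }
                }
                then {
                    policer dbserver-app-policer;
                    count db-to-app-policed;
                    accept;
                }
            }
            ## Step 4: no from statement, so this term matches everything else
            ## (user requests, authentication replies). Without it the implicit
            ## discard at the end of the filter would drop that traffic.
            term allow-everything-else {
                then {
                    count db-to-app-other;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ## Step 5: install the filter in the output direction on the switch port
    ## connected to the application server (assumed to be ge-0/0/1).
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    output db-to-app-filter;
                }
            }
        }
    }
}
```

After committing, check that the filter is classifying traffic as intended with the operational command show firewall filter db-to-app-filter, which lists the two counters and, under the policer section, the number of packets dbserver-app-policer has discarded. A rising count on db-to-app-other while db-to-app-policed stays at zero usually means the source or destination address in the first term does not match the servers' actual addresses.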