QoS Policing & Shaping

Shaping and Policing is a Traffic Condition Technique comes under QoS PHB. Both is used to rate limit traffic on a interface or sub-interface to adhere to a traffic contract or to restrict further congestion of traffic down to the remaining network devices. The way shaping and policing rate-limit traffic is different in a way that shaping buffer the the traffic exceeding a certain bit-rate unlike policing drop the exceeding bit-rate.


A network device buffer packet in it’s output queue to slow down the rate of transmission and decrease the bit-rate. It does so by sending some packets then hold on for some moments and then send some packets again, so on and so fourth. Device uses it’s processor clock rate to achieve the goal. The purpose of shaping is to provide a CIR(committed information rate) without dropping packets. For example a serial link has a 128Kbps of physical speed and we want to achieve a CIR of 64Kbps. So the device will send packets 50% of the time and remaining 50% of the time it will pause transmission.

64 Kbps CIR on a 128 Kpbs Link (packets are being sent 50% of the time )

Now for an example we are trying to achieve 96 Kbps CIR on the same 128 Kbps serial link. So we will send packets for 75% of the time and remaining 25% of the time we will pause.

96 Kbps CIR on a 128 Kpbs Link (packets are being sent 75% of the time )

A total 1 sec (1000 ms) has been devided into 8 intervals of each 125ms. This is called Tc(Time Interval). Now a device has to calculate, how many bits it need to send in each interval(Tc). This is called committed burst(Bc)

Tc, Bc and CIR

  • Time Interval(Tc) – is the time in milliseconds over which we can send the Bc (committed burst). One sec or 1000 ms is divided into several intervals(8 interval) so each of the window is 125ms (1sec / 8). This time is called Tc. In Cisco device Tc is 125ms.
  • Committed Burst(Bc) – The max number of bits a device can send to achieve the CIR. is the amount of traffic that we can send during the Tc (time interval) and is measured in bits.
  • Committed Information Rate(CIR) – is the bit-rate that is defined in the “traffic contract” that we received from the ISP.
  Bc = Tc * CIR  
Tc = 125 ms = .125 sec; CIR = XX bps; Bc = YY bits; 
CIR = 64 kbps = 64000 bps; 
Tc = .125 sec = 125 ms; 
Bc = 64000 * .125 = 8000 bits = 1000 bytes 

Doing so, we are introducing some additional delay to the traffic. The shaper can now calculate how much time it requires to send the 8000 bits on the physical rate(128 kbps).


Delay is the time a shaper will take to send committed burst on a physical rate. The contending interface must a speed configured on it, which is the physical rate(Kbps). Now the device will calculate the time it will take by devidind the Bc value with Physical rate.

Delay = Bc / physical bitrate 
 Bc = YY bits;  physical bitrate = MM kbps = MM * 1000 bps; Delay = (YY / MM * 1000) * 100 msec;
 Bc = 8000 bits;
 physical rate = 128 kpbs = 128000 bps;
 Delay = 8000/128000 sec = 62.5 msec;

The introduced delay of 62.5 ms is a bit high for delay sensitive traffic such as VoIP. For real-time traffic the recommendation is to set Tc to 10ms to keep the delay to at minimum.

Excess Burst (Be)

Data packets are random in nature and very bursty. So to tackle this, its evident that we pass some additional packets sometimes. With traffic shaping, there is an option to allow excess burst(Be) along with Bc. This additional bits/bytes/octates we send is called Burst Excess(Be).

Token Bucket

The token bucket is an algorithm used in packet switched computer networks. It can be used to check that data transmissions, in the form of packets, conform to defined limits on bandwidth and burstiness. It can also be used as a scheduling algorithm to determine the timing of transmissions that will comply with the limits set for the bandwidth and burstiness.
This algorithm is very simple. The device will maintain couple of registers where it will store the tokens and will use as and when required.

  • A token is added to the bucket every 1/r seconds.Implementers of this algorithm on platforms lacking the clock resolution necessary to add a single token to the bucket every 1/r seconds may want to consider an alternative formulation. Given the ability to update the token bucket every S milliseconds, the number of tokens to add every S milliseconds = (r*S)/1000.
  • The bucket can hold at the most b tokens. If a token arrives when the bucket is full, it is discarded.
  • When a packet (network layer PDU) of n bytes arrives,
    • if at least n tokens are in the bucket, n tokens are removed from the bucket, and the packet is sent to the network.
    • if fewer than n tokens are available, no tokens are removed from the bucket, and the packet is considered to be non-conformant.

r is similar to CIR. b is similar to Bc. S is similar to Tc.

CIR = 64 Kbps = 64000/8 Bps = 8000 Bps; Tc = 10 ms = 0.01 sec;  b = Bc = Tc * CIR  
1 token to be addes into the bucket in every (1/8000) = 0.000125 second.  
(8000 * 10)/1000 = 80 Tokens to be added into the bucket in every 10 ms. 
b = (.01 * 64000) bits = 640 bits = 80 Bytes 

Shape with Excess Burst

With shaping, we have option to send more than the Bc in some Tcs. Look at the below example how it can be done. For an example the physical rate is 128 Kbps with a default Tc of 125ms. With a physical rate of 128 Kbps we can send maximum 16000 bits in an Tc.
Physical rate = 128000 bps; Tc = .125 sec; Total bits in a Tc = 128000 * .125 = 16000 bits
It’s now clear that with full capacity we can send max 16000 bits in a Time Interval. So introducing a Be(Excess Burst) of 64000 we can successfully use full capacity of the physical rate after certain period of inactivity. Note that the rate witch which the Be fill is not same with Bc. The rate Be fills is much lower than Bc. However the rate they spill are same.

In the above illustration, you can clearly see that after a long period of inactivity, the device is sending excess burst.

Shaping Configuration

Generic Shaping Configuration
Step     Command or Action Purpose
Step 1interface type number
Router(config)# interface s4/0
Configures an interface (or subinterface) type and enters interface configuration mode.
Enter the interface type number.
Step 2traffic-shape rate bit-rate [burst-size] [excess-burst-size] [buffer-limit]
Router(config-if)# traffic-shape rate 128000
Enables traffic shaping for outbound traffic on an interface based on the bit rate specified.
Enter the bit rate.
Verifyshow traffic-shape [interface-type interface-number]
show traffic-shape statistics [interface-type interface-number]
Router# show traffic-shape serial4/0
Router# show traffic-shape statistics serial4/0

(Optional) Displays the current traffic-shaping configuration.
(Optional) Displays the current traffic-shaping statistics.
Class Based Shaping Configuration
Step     Command or Action Purpose
Step 1policy-map {policy-name }
Router(config)# policy-map policy1
Specifies the name of the policy map to be created or modified.
Step 2class {class-name| class-default}
Router(config-pmap)# class class1
Specifies the name of the class map to be created or called.
Step 3shape {average | peak} percent percentage [be excess-burst-in-msec ms] [bc committed-burst-in-msec ms]
shape{average |peak}cir[bc] [be]
Router(config-pmap-c)# shape average percent 25 be 300 ms
Router(config-pmap-c)# shape average 38400 15440

Specifies average or peak rate shaping.

Configures either average or peak rate traffic shaping on the basis of the specified bandwidth percentage and the optional burst sizes.
Step 4shape max-buffers [number-of-buffers]
queue-limit [queue-limit]
Router(config-pmap-c)#shape max-buffers 4096
Router(config-pmap-c)#queue-limit 4096
(Optional) Specifies the maximum number ofbuffers allowed on shaping queues.
VerifyRouter#show policy policy-map
Router#show policy policy-map class class-name
Router#show policy interface interface-name
Displays the configuration of all classescomprising the specified policy map.
Displays the configuration of the specified class ofthe specified policy map.
Displays the configuration of all classesconfigured for all policy maps on the specifiedinterface.


Shaping is a process to provide a CIR(Committed Information Rate) [bps] by rate limiting the cumulative packet flow [bit-rate]. Limiting the bitrate of a connection is done with policing or shaping. The difference between the two is that policing will drop the exceeding traffic and shaping will buffer it. In a practical world , a customer pays only for what the bps or kbps of traffic it is using. So, the connection must adheres to a traffic contract [cumulative bandwidth/bit-rate]. A Policer check the overall bit-rate/byte-rate of the arriving packets, and then it takes certain action based on the incoming bps/kbps. The following 3 actions a Policer can implement.

  • Allow and Pass the Packet.
  • Discard and Drop the Packet.
  • Remark the Packet with higher drop probability(drop precedence) hoping that the excess packets will be dropped eventually down the hops in case of further congestion.

A policer has three clause according to which it takes above actions.

  • Conforming – Conforming means the incoming traffic is maintaining the traffic contract.
  • Exceeding – Exceeding means the incoming traffic is exceeding the CIR upto the excess burst.
  • Violating – Violation means the incoming traffic neither conforming nor exceeding.

From the Clause and Actions, we can derive three types of Policing techniques. These are mentioned below.

  • Single Rate – Two Color
  • Single Rate – Three Color
  • Dual Rate – Three Color
PolicerToken BucketsActionsInformation Rate
Single Rate – Two Color 1 Conforming, Violating CIR
Single Rate – Three Color 2 Conforming, Exceeding, ViolatingCIR
Dual Rate – Three Color 2 Conforming, Exceeding, Violating CIR, PIR

Single Rate – Two Color Policing

Only a Bc token bucket is placed in Single Rate(CIR) – Two Color(Conform, Violate) traffic shaping. The bucket can contain a limited numbers of tokens(equivalent to Bc). Whenever a packet arrives, the policer will check if it has enough numbers of tokens in the bucket. If so, it will forward the packet and spill some tokens which is equivalent to the number of octates of the packet. We will fill the buckets whenever is is spilled, it is called replenishing.

  • Bc bucket will be replenished with some tokens which is equivalent to Replenishing rate.
  • Each token represents a single byte.
  • Whenever a packet arrives the policer will check if there are enough tokens in the bucket to allow the packet to get through. Some tokens are spilled which is equivalent to the size in octates of the packet.
  • Some tokens are again replenished into the bucket which is equivalent to Replenishing rate.

Each time a packet is policed, the policer will put some tokens into the token bucket. The number of tokens that it will replenish can be calculated with the following formula:

 (Packet arrival time - Previous packet arrival time) * Police Rate / 8
 Example 1:
First Packet arrives at 1sec
Second  Packet arrives at 2sec  
Police Rate = 64 Kbps = 64000 bps
Token replenished = ( 1 * 64000 ) / 8 = 8000 tokens (~Bytes) 

 Example 2:
First Packet arrives at 1sec
Second Packet arrives at 1.5sec 
Third Packet arrives at 2.5sec   
Police Rate = 608 bps
Token replenished in .5 sec = ( .5 * 608 ) / 8 = 38 tokens (~Bytes) 
Token replenished in 1 sec = ( 1 * 608 ) / 8 = 76 tokens (~Bytes) 
Above illustration, Tokens are spilled and replenished as and when a packet gets through. Replenished rate is equivalent to police rate. Spill rate is equivalent to the size of the packets in octates.
Configuration Example

Specifying the bucket depth determines the allowable amount of burstiness for conforming traffic (how many bytes/packets) that may arrive closely together, assuming the bucket has had time to refill. In this example we have specified a CIR of 10 Mbps and a burst allowance of 15000 bytes. So, a burst of 10 MTU-sized packets on an Ethernet interface could be designated conforming:

policy-map police-with-burst
  class class-default
    police cir 10m bc 15000

Comment ( 1 )

  1. Replykrishnendu Das
    This is really good. Great Job !

Leave a Reply