Cisco Support Community

rate-limit vs policing

Hi there,

I have managed firewall services for my MPLS VPN network. Currently, the PE-Internet facing towards the firewall is using VLAN 802.1q.

For each particular link, I used rate-limit in/out for customers subscribing to Internet link bandwidth of 128K, 256K, 512K, 1Mb, etc.

Upon checking on the net, I noticed that I could also use the policy-map police command.

I wonder, rate-limit and police are different, right? Perhaps somebody could explain and advise on particular scenarios for those commands?

Thanks in advance.



Re: rate-limit vs policing

CAR is the oldest policing tool offered in the Cisco IOS Software and I'd suggest you go with class-based policing.

and quoting:


"Configuring class-based policing using the MQC syntax is an easy way to activate policing for only certain classes of traffic.

With class-based policing, class definitions represent application separation, and policing is performed only on the classes configured in the policy map."

"Class-Based Policing Benefits

Class-based policing is the currently recommended tool for policing. Its major advantages over CAR are summarized here:

Class-based policing is compliant with DiffServ RFCs (CAR is not).

Policing feature enhancements (such as percentage-based bandwidth specification and hierarchical policing) are made only to the class-based policing features, not to CAR.

CAR does not exist within the MQC syntax. Therefore, its statistics cannot be tied back to the policy statistics shown by the show policy interface command.

Class-based policing statistics are available in the CISCO-CLASS-BASED-QOS-MIB, offering enhanced network management and monitoring capability.

The granularity of classification for class-based policing is far superior to that available for CAR. For example, NBAR can be used with class-based policing but not with CAR."



Re: rate-limit vs policing


As the previous poster mentioned, CAR is legacy configuration to police traffic and Class based policing is newer and is the method recommended by Cisco. MQC based policing gives you more flexibility with the configuration and provides more functionality than CAR. Another reason why the latter method is better is because Cisco wouldn't be adding newer features to CAR.

There are many differences between the two methods but I will highlight just one or two here. CAR only supports a single token bucket for normal/max burst whereas MQC based policing supports a separate token bucket for every class. Action for conforming/non-conforming traffic is limited to conform/exceed with CAR whereas violate is an additional option supported with MQC based policing configuration. There are some more differences between these two and most of them are in favor of MQC based policing.
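The conform/exceed/violate distinction mentioned in the reply above can be seen in a small token-bucket model. This is an added example, not code from the thread's posters or from Cisco: it follows the RFC 2697 single-rate, color-blind scheme as an assumption and does not reproduce the IOS implementation of either command. The function name `police`, the 8000-byte burst sizes and the packet trace are constructed for illustration; the 128 kbit/s rate comes from the question.

```python
def police(packets, cir_bps, bc, be=0):
    """Classify (time_ms, size_bytes) packets with a token-bucket policer.

    be == 0: one bucket, two outcomes (conform / exceed).
    be > 0:  a second bucket fed by overflow from the first adds a third
             outcome, violate (RFC 2697 style; an assumed model).
    """
    tc, te = bc, be              # both buckets start full
    last_ms = 0
    actions = []
    for t_ms, size in packets:
        # Refill: bits per second -> bytes earned since the last packet.
        # Integer math; sub-byte remainders are dropped.
        earned = cir_bps * (t_ms - last_ms) // 8000
        last_ms = t_ms
        spill = max(0, tc + earned - bc)   # tokens that do not fit in bucket 1
        tc = min(bc, tc + earned)
        te = min(be, te + spill)
        if tc >= size:
            tc -= size
            actions.append("conform")
        elif be > 0 and te >= size:
            te -= size
            actions.append("exceed")
        elif be > 0:
            actions.append("violate")
        else:
            actions.append("exceed")
    return actions


# Constructed trace: a burst of twelve 1500-byte packets at t=0,
# then one more packet a full second later.
SAMPLE = [(0, 1500)] * 12 + [(1000, 1500)]

if __name__ == "__main__":
    for label, be in (("two-action", 0), ("three-action", 8000)):
        print(label, police(SAMPLE, cir_bps=128000, bc=8000, be=be))
```

With only two actions the whole tail of the burst is "exceed"; with the second bucket the policer separates a tolerated burst (exceed) from sustained overload (violate), so each can be given a different action.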


