1. Overview
Data Plane Policing (DPP) manages bandwidth consumption on ACI fabric access interfaces, ensuring efficient use of resources. This blog uses an ACI fabric running 5.2(7f) and focuses on Data Plane Policing of L3Out interfaces.
- Action on Excess Traffic:
  - Dropping: Packets exceeding the limit are discarded.
  - Marking: QoS (Quality of Service) fields in packets are flagged, allowing for prioritization downstream.
- Traffic Applicability:
  - Direction: Both ingress (incoming) and egress (outgoing) traffic can be policed.
  - Layer: Works on L2 (data link) and L3 (network) interfaces.
- Configuration Options:
  - Fabric Access Policies: Policies applied to physical or virtual interfaces connecting devices to the ACI fabric.
  - Tenant Policies: Policies applied to Endpoint Groups (EPGs), controlling traffic for groups of servers or applications, and to border leaf access ports (l3extOut or l2extOut).
Sharing Mode: How policing is handled for multiple members within an EPG
- Shared Mode: A single hardware policer enforces the policy for all entities referencing it.
  - Benefits:
    - Efficient resource utilization: One policer serves every entity that references it, which is ideal when multiple entities have similar bandwidth requirements.
    - Scalability: Saves hardware resources, especially for large deployments with many low-bandwidth policers.
  - Drawback:
    - Limited granularity: All entities share the same policing limit. If one member exceeds the limit, it can impact others using the same policer.
- Dedicated Mode: Each entity (L2/L3 interface or EPG member) gets its own policer.
  - Benefit:
    - Granular control: Each member's bandwidth limit is enforced independently of the others.
  - Drawback:
    - Resource consumption: Requires a separate hardware policer for each member, which is less efficient for large deployments with many policers.
Choosing the Right Mode:
The choice between shared and dedicated mode depends on your specific needs:
- Use shared mode for deployments with many low-bandwidth policers and similar traffic patterns.
- Use dedicated mode for scenarios requiring strict control over individual member bandwidth or when specific members might burst and impact others.
2. Configuration
Figure 1 – L3out Topology for DPP Demo
- Pre-Requisites: Tenant, VRF (Virtual Routing and Forwarding), and external routed network must be already configured.
- Create Data Plane Policing: Under tenant -> Policies -> Protocol -> Data Plane Policing
- Choose or input the following information in the GUI:
  - Name: The name for the policy. Use the object naming standard of your organization.
  - Administrative Status: Enabled
  - Domain Policer Mode and Type: Bit Policer vs. Packet Policer, and 1 Rate 2 Color vs. 2 Rate 3 Color
  - Burst Size: Maximum allowed traffic exceeding the rate limit for a short duration.
  - Rate: Committed Information Rate (CIR), the sustained bandwidth allowed.
  - Peak Rate (optional): Maximum allowed bandwidth for short bursts.
  - Conform Action: Specify whether to drop, mark or transmit packets conforming to the policy.
  - Violate Action: Specify whether to drop or mark packets exceeding the limit.
  - Sharing Mode: Dedicated Policer vs. Shared Policer
- Assign the DPP policy to the Logical Interface Profile under the L3Out: tenant -> Networking -> L3Outs -> L3Out name -> Logical Node Profiles -> Logical Node Profile name -> Logical Interface Profiles
  The Logical Interface Profile that references your DPP policy must belong to the L3Out; that profile is then attached to the specific L3 interface where you want to enforce the bandwidth control.
3. Verification
1. show running-config
APIC1# sh running-config tenant B-SRMPLS policy-map type data-plane L3out1-Core-DPP
# Command: show running-config tenant B-SRMPLS policy-map type data-plane L3out1-Core-DPP
# Time: Mon Mar 4 14:30:33 2024
  tenant B-SRMPLS
    policy-map type data-plane L3out1-Core-DPP
      set burst 750 mega
      set cir 500 mega
      set sharing-mode shared
      no shutdown
      exit
    exit
2. show policy-map type data-plane
APIC1# show policy-map type data-plane
Type data-plane policy-maps
====================
Policy in Tenant: B-SRMPLS
  policy-map type data-plane L3out1-Core-DPP
    set burst 750 mega
    set conform-cos-transmit unspecified
    set conform-dscp-transmit unspecified
    set conform transmit
    set excessive-burst unspecified
    set exceed-cos-transmit unspecified
    set exceed-dscp-transmit unspecified
    set exceed drop
    set mode bit
    set pir 0
    set cir 500 mega
    set type 1R2C
    set violate-cos-transmit unspecified
    set violate-dscp-transmit unspecified
    set violate drop
3. show dpp policy
LEAF-101# show dpp policy
Data Plane Policers
Policer Name : B-SRMPLS:L3out1-Core-DPP
Interface : vlan69
Direction : egress
Layer : Layer3
Oper State : enabled
Mode : bit
Type : 1R2C
Rate : 500 mega
Burst : 750 mega
SharingMode : shared
Conform action : transmit
Violate action : drop
Policer Name : B-SRMPLS:L3out1-Core-DPP
Interface : vlan69
Direction : ingress
Layer : Layer3
Oper State : enabled
Mode : bit
Type : 1R2C
Rate : 500 mega
Burst : 750 mega
SharingMode : shared
Conform action : transmit
Violate action : drop
4. show sys int aclqos dpp
LEAF-101# vsh_lc -c "show sys int aclqos dpp"
-----------------------------------------------------------
DPP: INGRESS POLICER ENTRIES
-----------------------------------------------------------
Name                      Interface ACL-Id Pol-SwId Pol-HwId Label   Mask    Rate      Burst     GreenPkts GreenBytes RedPkts RedBytes
B-SRMPLS:L3out1-Core-DPP  Vlan69    1112   47       513      0x10000 0x38000 524288000 786432000 0         34270      0       0
-----------------------------------------------------------
DPP: EGRESS POLICER ENTRIES
-----------------------------------------------------------
Name                      Interface ACL-Id Pol-SwId Pol-HwId Label   Mask    Rate      Burst     GreenPkts GreenBytes RedPkts RedBytes
B-SRMPLS:L3out1-Core-DPP  Vlan69    1110   5        4        0x4     0xe     524288000 786432000 0         136916     0       0
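As an added example (not from the original post), the following Python script parses the `show sys int aclqos dpp` output above and cross-checks each hardware policer entry against the policy's CIR and burst from `show running-config`, flagging any RedPkts so policer drops on the L3Out show up in monitoring. The 'mega' = 2^20 conversion is an assumption inferred from the values on the page (500 mega -> 524288000, 750 mega -> 786432000), and the non-zero egress RedPkts in the sample is constructed.

```python
import re

# Added example (not from the original post): parse the leaf's 'show sys int aclqos dpp'
# output and cross-check it against the policy. Assumption: bit-mode 'mega' is 2**20.
MEGA = 2 ** 20

# Constructed sample: the leaf output above, with egress RedPkts/RedBytes set non-zero.
SAMPLE_OUTPUT = """\
DPP: INGRESS POLICER ENTRIES
-----------------------------------------------------------
Name Interface ACL-Id Pol-SwId Pol-HwId Label Mask Rate Burst GreenPkts GreenBytes RedPkts RedBytes
B-SRMPLS:L3out1-Core-DPP Vlan69 1112 47 513 0x10000 0x38000 524288000 786432000 0 34270 0 0
-----------------------------------------------------------
DPP: EGRESS POLICER ENTRIES
-----------------------------------------------------------
Name Interface ACL-Id Pol-SwId Pol-HwId Label Mask Rate Burst GreenPkts GreenBytes RedPkts RedBytes
B-SRMPLS:L3out1-Core-DPP Vlan69 1110 5 4 0x4 0xe 524288000 786432000 0 136916 12 18432
"""

def parse_dpp_entries(text):
    """Return one dict per policer entry, tagged with 'ingress' or 'egress'."""
    entries, direction, header = [], None, None
    for line in text.splitlines():
        m = re.match(r"DPP: (INGRESS|EGRESS) POLICER ENTRIES", line)
        if m:
            direction, header = m.group(1).lower(), None
        elif line.startswith("Name "):
            header = line.split()  # column names are taken from the output itself
        elif header and line and not line.startswith("-"):
            fields = line.split()
            if len(fields) != len(header):
                continue  # skip wrapped or truncated lines
            row = dict(zip(header, fields))
            for k in ("Rate", "Burst", "GreenPkts", "GreenBytes", "RedPkts", "RedBytes"):
                row[k] = int(row[k])
            row["Direction"] = direction
            entries.append(row)
    return entries

def check_policer(entries, policy_name, cir_mega, burst_mega):
    """Flag entries whose Rate/Burst differ from the policy, and any policer drops."""
    findings = []
    for e in (x for x in entries if x["Name"] == policy_name):
        if e["Rate"] != cir_mega * MEGA:
            findings.append(f"{e['Direction']}: rate {e['Rate']} != {cir_mega} mega")
        if e["Burst"] != burst_mega * MEGA:
            findings.append(f"{e['Direction']}: burst {e['Burst']} != {burst_mega} mega")
        if e["RedPkts"]:
            findings.append(f"{e['Direction']}: {e['RedPkts']} packets dropped by policer")
    return findings
```

Run it against the two leaf outputs (ingress and egress are programmed as separate hardware entries, as the page shows) after any policy change; an empty findings list means hardware matches the configured CIR/burst and nothing has been policed.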