Extreme SLX-OS QoS and Traffic Management Configuration Guide, 20.7.3
> Traffic Policing
Extreme Networks, Inc. December 15, 2025
Search this document
Print this page
Email this page
View PDF
Previous
Next
Preface
Text Conventions
Documentation and Training
Help and Support
Send Feedback
About This Document
What's New in this Document
Supported Hardware
Traffic Policing
Traffic Policing Overview
Service Policy Configuration Rules
Policy Maps
Committed Information Rate and Committed Burst Size
Excess Information Rate and Excess Burst Size
Traffic Policing Behaviors
Traffic management egress buffer thresholds
Class Maps
Class map policer configuration parameters
Traffic policer configuration rules for class maps
Default Class Map Traffic Policing
Single rate three color marker
Two-rate, three-color marker
Match Access-Group Class Map Policing
Precedence for ACL and Rate Limiting Features
Considerations for Layer 2 ACL-based Rate Limiting
Configure Layer 2 ACL Rate Limiting
ACL-based rate limiting use cases
Use case 1: Protection against TCP SYN attacks
Use case 2: Protection against TCP RST attacks
Use case 3: Protection against ping flood attacks
Use case 4: Protection against UDP flood attacks
Configuring all the use cases for ACL traffic filtering
Control Plane Policing
CoPP Discard and Permit for Control Packets
CoPP Rate Limiting
CoPP-related Commands
VLAN-based rate limiting
Configuration Considerations for VLAN-based Rate Limiting
Configure VLAN-based Rate Limiting
Show Commands for VLAN-based Rate Limiting
Bridged-domain based rate limiting
Configuration Considerations for Bridge Domain-based Rate Limiting
Configuring bridge-domain based rate limiting
Show Commands for Bridge Domain-based Rate Limiting
Receive ACL Rate Limiting
Configuring RACL rate limiting
Egress ACL Rate Limiting
Egress ACL Rate Limiting Considerations
Configure Egress ACL Rate Limiting
Configuring IPv4 Egress Rate Limiting
Configuring IPv6 Egress Rate Limiting
Configure Statistics Support for Egress ACL Rate Limit
Egress ACL Rate Limiting Show Commands
TTL 0/1 Rate Limiting
Subnet Trap Rate Limiting
Rate Limiting Scalability
Configuring traffic policing
Configuring a class map using an ACL
Configuring a policy map
Configuring port-based traffic policing
Configuring ACL-based rate limiting
Configuring use case 1: Protection against TCP SYN attacks
Configuring use case 1: Bind the TCP SYN ACL to an interface
Configuring use case 2: Protection against TCP RST attacks
Configuring use case 2: Bind the TCP RST ACL to an interface
Configuring use case 3: Protection against ping flood attacks
Configuring use case 3: Bind the ping flood attack ACL to an interface
Configuring use case 4: Protection against UDP flood attacks
Configuring use case 4: Bind the UDP ACL to an interface
Configuring and applying all four use cases for ACL-based traffic filtering
Storm Control for Broadcast, Unknown Unicast, and Multicast Traffic
Configuring Storm Control on an Ethernet Interface
Configuring storm control globally on the device
Quality of Service
QoS overview
QoS Unicast and Multicast Traffic
QoS on the SLX 9250, SLX 9150, Extreme 8520, and Extreme 8720
IEEE 802.1q ToS-DSCP header fields
QoS Feature Support on SLX-OS Platforms
Congestion control
Weighted random early detection
How WRED works
Applying WRED
Link Level Flow Control
Transient Buffer Congestion Detection
Explicit Congestion Notification
Hardware Buffer Configuration for Lossless Traffic
Scheduling
Scheduling types
QoS strict priority egress traffic scheduling
Weighted round robin egress traffic scheduling
Fair queue egress traffic scheduling
Multicast queue scheduling
QoS Ingress Data Buffer Management
Ingress QoS mutation
Egress QoS Mutation
QoS Mutation Maps
Configuring QoS for control traffic
Increase the Egress Throughput on a TM Port
Configure a CoS-to-traffic Class Mutation Map
Applying a CoS-to-traffic class mutation map to an interface
Configuring DSCP mappings
Configuring a DSCP-to-DSCP mutation map
Applying a DSCP-to-DSCP mutation map to an egress interface
DSCP-to-Traffic Class Mappings
Configuring a DSCP-to-traffic class map
Applying a DSCP-to-traffic class map to an interface
Configuring a DSCP-to-traffic class and drop precedence map
Applying a DSCP-to-traffic class and drop precedence map to an interface
Limitations for DSCP-to-traffic class mappings
Configuring traffic class-to-CoS mappings
Configuring a traffic class-to-CoS mutation map
Applying a traffic class-to-CoS mutation map to an egress interface
Configuring an Interface Level QoS Traffic Class
Configuring Traffic Class to DSCP Mappings
Applying a Traffic Class to DSCP Map to an Egress Interface
Configuring Interface level QoS Trust DSCP
Describes configuring Interface level QoS Remark DSCP
Configuring congestion control
Configuring WRED
Configuring link level flow control
Enable Priority Flow Control
Configuring Hardware Buffer for Lossless Traffic
Monitor TM Deleted or Discarded Packets
Displaying the egress queue state information for an interface
Displaying the RED Profile and dropped packets information for an interface
Configuring Explicit Congestion Notification
Configuring Enhanced Transmission Selection
LLDP TLVs for Enhanced Transmission Selection
Priority Flow Control Configuration TLV
Enhanced Transmission Selection (ETS) Recommendation TLV
Enhanced Transmission Selection (ETS) Configuration TLV
Link Aggregation TLV
Configuring scheduling
Configuring strict priority egress scheduling
Configure a Strict Priority for the Multicast Queue
Flow-based QoS
Configuring a class map using an ACL
Configuring a policy map
Configuring QoS mutation map actions
Apply QoS Mutation Maps to an Interface
Bind the Policy Map at the System Level
Bind the Policy Map to an Interface
Configuring the QoS policing rate
Applying the QoS policing rate to an interface
Configure Virtual Output Queuing
Configure an MPLS QoS DSCP-to-EXP Mutation Map
Applying an MPLS QoS DSCP-to-EXP mutation map globally
Configure an MPLS QoS EXP-to-DSCP Mutation Map
Applying an MPLS QoS EXP-to-DSCP mutation map globally
Configure an MPLS QoS EXP-to-Traffic Class Mutation Map
Applying an MPLS QoS EXP-to-traffic class mutation map globally
Configuring a CoS Mutation map on SLX 9740 and Extreme 8820
Applying a CoS Mutation map to a SLX 9740 or Extreme 8820
Traffic Management Counters and Statistics
Counters and Statistics Overview
Traffic Management Counter Types
Traffic Management Counters
Traffic Policing
Section contents:
Traffic Policing Overview
Traffic policing is the process of monitoring network traffic for compliance with a traffic policy and then enforcing that policy. Traffic policing involves such tools as rate limiting and shaping, CIR, EIR, color markers, service policies, class and policy maps, and storm control.
Service Policy Configuration Rules
Traffic policing is accomplished by binding a service policy to an interface.
Policy Maps
A policy map is a unique set of class maps, policing parameters, and QoS parameters that you can apply to a certain class of traffic.
Class Maps
Class maps are used in a policy map to apply policing and QoS policies to a particular class of traffic. You can use matching criteria to classify the traffic.
Single rate three color marker
Single rate three color marker (SrTCM) meters an IP packet stream and marks its packets either green, yellow, or red.
Two-rate, three-color marker
The two-rate, three-color marker (TrTCM) meters an IP packet stream and marks its packets either green, yellow, or red.
Match Access-Group Class Map Policing
The ACL-based policing feature controls the amount of bandwidth consumed by an individual flow or aggregate of inbound flows by limiting the traffic rate on a port according to criteria defined by the
match access-group
class map.
Control Plane Policing
Control Plane Policing helps regulate the flow of control packets to a local processor.
VLAN-based rate limiting
Bridged-domain based rate limiting
Receive ACL Rate Limiting
IP Receive access list (RACL) provides hardware-based filtering capability for Layer 3 IPv4 or IPv6 traffic that is destined to the CPU.
Egress ACL Rate Limiting
The device supports egress port and ACL rate limiting. With egress ACL rate limiting, you can control the egress rate limit on a Layer 2 VLAN, a bridge domain, or an ACL.
TTL 0/1 Rate Limiting
IPv4 and IPv6 frames with a TTL of 0 or 1 are primarily data frames. These frames are rate limited so that they do not congest the queues and prevent other control protocol frames from reaching the CPU.
Subnet Trap Rate Limiting
When the destination IP address of an ingress Layer 3-routed frame is not present in the forwarding routing table, the frame is trapped to the CPU (subnet trap frame) to generate an ICMP message. An
ICMP destination host unreachable
message is returned to the sender, informing the source host that the destination address is unreachable. If not rate-limited, the subnet trap frames can prevent other important control frames from reaching the CPU.
Rate Limiting Scalability
Configuring traffic policing
Follow these tasks to configure traffic policing.
Storm Control for Broadcast, Unknown Unicast, and Multicast Traffic
A broadcast, unknown unicast, and multicast (BUM) traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance.
