What Is Policing in Networking?
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
Traffic policing is a way for network devices to control how much data can flow through a connection. It checks the data rate and if it goes over the set limit, it drops the extra packets or marks them for later discarding. This helps to ensure that no single user or application hogs the network bandwidth. It is like a traffic officer who stops cars that speed, keeping the road safe for everyone.
Commonly Confused With
Traffic shaping buffers excess packets and releases them later, while policing drops them immediately. Shaping smooths traffic, policing enforces a hard rate. Shaping is typically used on egress interfaces, while policing is often on ingress.
If you have a hose and you want to limit water flow, shaping stores extra water in a tank and releases it slowly, policing cuts off the extra water entirely.
Classification is the process of marking packets (e.g., with DSCP or CoS) so that other QoS mechanisms can treat them appropriately. Policing (and shaping) use classification to determine which traffic to apply rate limits to. Classification itself does not drop or delay packets; it only tags them.
Classification is like putting a stamp on a letter (priority), policing is like saying only 100 letters per minute can be posted, and dropping the rest.
Rate limiting is a broader term that can refer to any technique to limit bandwidth. Policing is one type of rate limiting (hard, drop-based). Another type is shaping (buffering). Some vendors use 'rate limiting' synonymously with policing. In exam contexts, rate limiting often implies policing.
If the internet plan says 100 Mbps, the ISP's rate limiting is usually policing. If a company limits FTP traffic to 10 Mbps, it can be either policing or shaping depending on the implementation.
Admission control is a mechanism that decides whether to accept a new flow (e.g., a new voice call) based on available resources, before the flow starts. Policing reacts to traffic after it arrives, dropping excess. Admission control prevents congestion proactively; policing manages it reactively.
Admission control is like a hotel asking if you have a reservation before you check in. Policing is like letting you in but then making you leave if the room is too full.
Must Know for Exams
Policing is a core topic in several major IT certification exams, especially those covering network fundamentals, routing and switching, and Quality of Service. For the Cisco CCNA (200-301) exam, policing appears in the QoS objectives. Candidates must understand the difference between policing and shaping, how to configure policing using MQC, and how it affects traffic. The exam may ask questions about token bucket algorithms, burst sizes, and the actions taken on exceeding traffic. For the CompTIA Network+ (N10-008) exam, policing is covered under traffic shaping and QoS concepts, though at a more introductory level. You might be asked to explain the purpose of policing or compare it to shaping.
For the Cisco CCNP Enterprise (ENCOR 350-401) exam, the depth increases significantly. Candidates need to know how to design and implement policing in complex QoS policies, including the use of two-rate, three-color markers, and how policing interacts with other QoS tools like class-based shaping and low-latency queuing. Exam questions often present a scenario where you must choose the correct QoS tool or interpret a configuration snippet. For JNCIA-Junos (JN0-101) and JNCIP-ENT (JN0-351), policing is covered under firewall filters and QoS. Juniper uses the term policer and candidates must know how to apply policers to interfaces or firewall filter terms.
In AWS certification exams like the AWS Certified Solutions Architect Associate, policing is not directly covered, but the concept appears in network ACLs, security groups, and CloudFront origin shielding. These are more about access control than bandwidth policing. Similarly, the Microsoft Azure Administrator exam may touch on network limits and throttling, but not as a core objective.
For the exam, you should be ready for multiple-choice questions that test the definition, differences between policing and shaping, and possible consequences of policing (e.g., TCP retransmissions, reassembly issues). You might also see drag-and-drop questions about QoS components. In troubleshooting questions, you may be given a scenario where bandwidth is limited and you need to identify that policing is dropping packets. Understanding the token bucket model is key-know the difference between committed information rate (CIR), committed burst (Bc), and excess burst (Be). Also, remember that policing does not buffer, while shaping does. This is a classic exam trap.
Simple Meaning
Imagine you are hosting a party at your house and you have a rule that only 10 people can enter through the front door per minute to avoid a crush. You station a friend at the door with a clicker. Each time a person walks in, the friend clicks the counter. If the count in one minute reaches 10, the friend simply refuses to let any more people in until the next minute starts. That is a form of policing: you are setting a hard limit on the rate of entry, and anything beyond that limit is simply turned away.
In a computer network, policing works in a very similar way. A router or switch is configured with a specific rate limit, say 1 megabit per second (Mbps). As data packets flow through the device, it measures how many bits per second are passing. If the rate exceeds that 1 Mbps limit, the device immediately drops the extra packets. The result is that the traffic never goes above the configured speed. This is different from shaping, which would buffer the extra traffic and send it later when there is free capacity. Policing does not buffer; it enforces the limit by discarding excess packets immediately.
Policing is used in many real-world IT situations. Internet service providers use it to enforce the speeds of the plans they sell to customers. If you have a 100 Mbps plan, the provider’s equipment polices your traffic so that you never get more than that speed. Companies use policing to limit how much bandwidth certain applications, like video streaming or file sharing, can consume so that critical business applications always have enough capacity. It is a simple, effective way to manage bandwidth and ensure fairness across many users.
Because policing drops packets, it can cause performance issues if not configured carefully. For example, if the limit is set too low, legitimate traffic can get dropped, leading to slow network performance and retransmissions. Network administrators must understand policing to set correct limits and to know how it interacts with other quality of service (QoS) mechanisms like shaping and queuing.
Full Technical Definition
Traffic policing is a Quality of Service (QoS) mechanism that limits the rate of incoming or outgoing traffic on a network interface by discarding or marking packets that exceed a configured bandwidth threshold. It operates on a per-packet basis and uses a token bucket or leaky bucket algorithm to measure traffic conformance. The core concept is to enforce a committed information rate (CIR) and, in some implementations, a peak information rate (PIR).
In a typical token bucket implementation, the router maintains a bucket that holds tokens. Tokens are added to the bucket at a constant rate equal to the CIR (e.g., 1 Mbps). Each token represents permission to send a certain number of bytes (often one byte per token). The bucket has a maximum depth, which determines the burst size (committed burst, or Bc). When a packet arrives, the system checks if there are enough tokens in the bucket to cover the packet size. If yes, the packet is conforming, tokens are removed, and the packet is transmitted normally. If not, the packet is considered exceeding and the policing action is applied. The actions can be: drop the packet, mark it with a lower IP precedence or DSCP value (policing with remarking), or pass it but mark it as eligible for dropping later.
Policing is defined in RFC 2475 (An Architecture for Differentiated Services) and is a fundamental building block of Differentiated Services (DiffServ). It is commonly implemented in Cisco IOS using the MQC (Modular QoS CLI) with the `police` command, or in Linux using `tc` (traffic control) with a policer filter. The configuration typically specifies the average rate (bits per second), normal burst size (bytes), and excess burst size (bytes). Some implementations support a two-rate, three-color marker (trTCM) that classifies packets as green (conforming), yellow (exceeding), or red (violating) and applies different actions.
In real IT implementations, policing is used on ingress interfaces to limit traffic entering a network (e.g., from a customer), on egress interfaces to enforce a maximum outbound rate, or as part of a service policy in a provider network. It is stateless in that it does not buffer packets; it either forwards or drops/remarks them immediately. This makes policing efficient but potentially harsh because bursts are not smoothed. It is often combined with shaping (which buffers) in complex QoS designs. Policing can also be applied at Layer 2 (e.g., to limit MAC layer traffic) or Layer 3 (IP traffic) depending on the device.
Common standards and protocols involved include IEEE 802.1p (priority tagging), DiffServ Code Point (DSCP) marking, and various vendor-proprietary extensions. For example, in Cisco Catalyst switches, policing can be done via the `mls qos` commands. In enterprise environments, policing is often used to enforce bandwidth limits per user or per application as part of a QoS policy. Policing can cause TCP global synchronization if aggressive drops occur, because many TCP connections may slow down simultaneously. Therefore, careful configuration of burst sizes and drop policies is essential.
Real-Life Example
Think of a busy highway with a toll plaza. The toll plaza has a limited number of booths, and each booth can only process a certain number of cars per minute. Let us say that the rate limit is 10 cars per minute per booth. This is the policing rate. Now, imagine that during rush hour, 15 cars arrive at one booth in the same minute. The toll operator, acting as the police officer, can only let 10 cars through. The remaining 5 cars are turned away (dropped) and have to find another route or come back later. The operator does not ask the 5 cars to wait in a holding area (that would be shaping); they are simply refused entry and must leave.
In the network world, the cars are data packets, the toll plaza is the router interface, the booth is the policing mechanism, and the operator is the policing algorithm. The limit of 10 cars per minute is the bandwidth rate, like 1 Mbps. The 5 cars that are turned away are the packets that are dropped. If the operator only marked those cars as "slower" (e.g., with a note to let them go later), that would be remarking instead of dropping. But in pure policing, the extra traffic is simply discarded.
This analogy also highlights the burst capability. Suppose one minute only 5 cars arrived, so the booth had 5 unused slots. In the next minute, could the booth let in 15 cars? That depends on the burst allowance. In the basic analogy, no, because each minute is separate. But in the token bucket algorithm, unused tokens from previous cycles can accumulate (up to a maximum burst size), allowing a short burst of more than the average rate. So if the previous minute had only 5 cars, the bucket might hold 5 extra tokens, allowing 15 cars in the next minute. However, if 20 cars arrive, the extra 5 beyond the burst are still dropped. The toll operator analogy with a token bucket would be a booth that can let in up to 10 cars per minute on average, but if no cars came for 10 minutes, it could let in up to 100 cars all at once (the burst), but then the bucket is empty and the rate drops back to 10 per minute.
Why This Term Matters
Policing is a fundamental tool for network administrators because it provides a simple, efficient way to enforce bandwidth limits and protect network resources. Without policing, a single aggressive application or user could consume all available bandwidth, starving critical services like VoIP, video conferencing, or database transactions. For example, a large file download could saturate a 100 Mbps link, causing voice calls to break up or web pages to load sluggishly for everyone else. Policing prevents this by capping the bandwidth any single flow or user can use.
In practical IT contexts, policing is used by internet service providers to enforce the terms of service plans. If a customer subscribes to a 50 Mbps plan, the provider’s equipment polices that customer’s traffic to 50 Mbps. If the customer tries to send data at 100 Mbps, the extra packets are dropped. This ensures that customers who pay for higher speeds actually get the bandwidth they are entitled to, and that the provider can allocate capacity fairly among all users.
Within an enterprise, policing helps implement Quality of Service (QoS) policies. For instance, an administrator might police peer-to-peer file-sharing traffic to 5 Mbps while allowing business-critical SAP traffic to flow unrestricted. This ensures that important applications always have enough network capacity. Policing is also used to prevent denial-of-service (DoS) attacks. If an attacker sends a flood of packets, policing can limit the rate of incoming traffic, reducing the impact on legitimate users.
Another important reason policing matters is that it is lightweight on router resources compared to shaping. Because policing simply drops packets rather than buffering them, it uses little CPU and memory. This makes it suitable for high-speed interfaces where buffering would cause significant delays. However, because it drops packets, it can cause performance issues if misconfigured, such as excessive retransmissions. Therefore, understanding policing is crucial for balancing network performance and fairness. In short, policing is a key mechanism for implementing control, fairness, and protection in modern networks.
How It Appears in Exam Questions
In certification exams, policing questions typically fall into these patterns:
1. Definition and comparison questions: These ask you to select the correct description of policing or to differentiate it from shaping. For example: "Which of the following best describes traffic policing?" with options like "buffers excess traffic" (wrong), "drops excess traffic" (correct), or "prioritizes traffic" (mostly wrong). Another variant: "Traffic shaping vs. policing: which one uses a buffer?"
2. Token bucket algorithm questions: These may present a numeric scenario and ask how many packets are dropped. For instance: "A router is configured with a CIR of 2 Mbps, Bc of 8000 bytes, and burst size of 8000 bytes. If the bucket currently has 4000 tokens and a 3000-byte packet arrives, what happens?" Answer: the packet is conforming and transmitted. Or a question might ask: "After a period of inactivity, the token bucket is full. What is the maximum burst size?"
3. Configuration interpretation questions: The exam shows a snippet of MQC configuration, such as: policy-map LIMIT class WEB police 1000000 8000 8000 conform-action transmit exceed-action drop Then ask: "What is the effect of this policy?" Options might describe the rate limit, burst, and action. You must recognize that 1,000,000 bps is 1 Mbps, Bc is 8000 bytes, and exceeding traffic is dropped.
4. Scenario-based troubleshooting: You are given a description of a problem: "After implementing a QoS policy on a link, users report that large file transfers time out but web browsing is fine. The policy used policing. What is the most likely cause?" Answer: The policing rate is too low for the file transfers, causing drops and TCP retransmission timeouts.
5. Design questions: "You need to limit outbound traffic from a branch office to 10 Mbps, but temporary bursts up to 15 Mbps should be allowed for up to 100 ms. Which QoS tool should you use?" The answer is policing with careful burst settings, or possibly shaping if bursts are to be smoothed. The exam expects you to know that policing can allow bursts via burst size configuration.
6. Advanced questions (CCNP level) may combine policing with marking (e.g., set dscp af41 on conforming traffic, set dscp 0 on exceeding traffic). You might need to understand multi-actions applied in a single police command.
7. Some questions ask about the impact of policing on TCP. For example: "Aggressive policing on a link carrying many TCP connections can cause global synchronization. Why?" Answer: Because many TCP sessions experience drops simultaneously, all reduce their window sizes at the same time, creating an on-off pattern of low utilization.
When preparing, practice interpreting police configurations and calculating token bucket values. You can use the formula: Tc = Bc / CIR (where Tc is the time interval in seconds). But most exam questions are conceptual rather than heavy math.
Practise Policing Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a network administrator for a medium-sized company. The company has a single internet link of 100 Mbps. Management wants to ensure that video conferencing traffic gets at least 30 Mbps of bandwidth and that file downloads from the internet do not consume more than 50 Mbps. You decide to use policing on the outbound traffic from your network to the internet.
You configure a policer on the router's WAN interface. For the file download traffic, you create a class that matches traffic from the company's file server IP addresses. You apply a police policy that sets a rate of 50 Mbps with a normal burst of 64 kilobytes. For traffic exceeding that limit, you drop the packets. For the video conferencing traffic, you set a police rate of 30 Mbps with a conform action of transmit and an exceed action of drop. This ensures that video conferencing never gets less than 30 Mbps, but if it tries to use more, the excess is dropped.
Now, imagine a user starts a large software update download. The download traffic is classified as file download and hits the 50 Mbps police limit. For the first few seconds, because the token bucket is full, the download bursts up to 50 Mbps. However, as the bucket empties, the rate is capped at 50 Mbps. Any extra packets that arrive beyond the burst are dropped. The download proceeds at a steady 50 Mbps, which is acceptable.
At the same time, a video conference call starts. The video traffic is matched to the video class and is policed at 30 Mbps. The video codec sends at a variable rate, averaging 20 Mbps, so it never exceeds the limit and all packets are forwarded. The file download cannot steal more than its 50 Mbps, leaving plenty of room for the video. Without policing, the file download could have consumed the entire 100 Mbps link, causing the video to stutter or fail.
Later, you notice that the file download seems slower than expected on some days. You inspect the policing counters on the router and see thousands of dropped packets for the file class. You realize that the 50 Mbps limit is being hit hard, especially when multiple users run downloads simultaneously. You decide to increase the police rate to 70 Mbps for file downloads, and you also increase the burst size to help with short bursts. This improves user satisfaction. This scenario shows how policing is configured, how it affects traffic, and how an administrator can monitor and adjust it.
Common Mistakes
Confusing policing with traffic shaping.
Policing drops excess packets immediately, while shaping buffers them and sends them later. Many learners think policing also buffers.
Remember: Policing = dropping; Shaping = buffering. Policing enforces a hard limit by discarding, shaping smooths traffic by delaying.
Setting the policing rate too low, causing constant packet drops for legitimate traffic.
A rate that is too low will drop packets even for normal usage, leading to poor performance, retransmissions, and user complaints.
Measure actual traffic patterns using tools like NetFlow. Set the police rate at least 20% above the average expected usage, and configure appropriate burst sizes to accommodate short spikes.
Forgetting to account for Layer 2 overhead when setting the police rate.
The police rate is usually measured in bits per second at Layer 3, but Layer 2 headers add extra bits. If you set a rate of 1 Mbps for Layer 3 traffic, the actual throughput at Layer 2 may be higher, causing unexpected drops.
When policing on an interface, include the Layer 2 overhead (like Ethernet header and FCS) in the rate calculation, or use a tool that accounts for it (e.g., Cisco IOS can police at Layer 2).
Not configuring burst sizes properly, leading to no bursts being allowed.
If the burst size (Bc) is set too small, even legitimate short bursts of traffic (e.g., a web page load) will be dropped, causing slow web browsing.
Configure the burst size to be at least the size of a typical TCP window or a few maximum segment sizes (MSS). On Cisco, a common default is 1.5 ms of traffic at the CIR, but adjust based on application needs.
Applying policing to control plane traffic without understanding the impact.
Policing on control plane (e.g., routing protocol updates) can drop critical packets, causing routing instability or neighbor loss.
Never police control plane traffic without careful planning. Use separate policers with higher rates for control traffic, and consider using CoPP (Control Plane Policing) with proper classification.
Exam Trap — Don't Get Fooled
{"trap":"The exam might show a configuration that uses both shaping and policing on the same interface and ask about the net effect. Learners think they understand each tool separately but get confused when combined.","why_learners_choose_it":"Learners often assume that shaping and policing are mutually exclusive, or they think that one overrides the other.
They may not realize that they can be applied in tandem, with one functioning on ingress and the other on egress, or on different classes.","how_to_avoid_it":"Remember that in a QoS policy, shaping and policing can coexist. Typically, policing is applied inbound to a router (e.
g., on the customer-facing interface) to enforce a service contract, and shaping is applied outbound to buffer traffic for a slow WAN link. In exam scenarios, carefully note the direction (inbound vs outbound) and the class to which the action is applied.
If a packet is dropped by policing before it enters the shaping queue, it will never be shaped. If policing is applied outbound, it drops after shaping, possibly wasting the buffering effort. Draw a simple diagram to visualize the packet flow."
Step-by-Step Breakdown
1. Traffic Arrives
A data packet enters or leaves the network interface where policing is configured. The router inspects the packet and determines which class it belongs to based on configured classification rules (e.g., match IP address, protocol, or DSCP value). This step is essential because policing is applied per-class.
2. Token Bucket Check
For the class, the router checks a token bucket associated with that policer. The bucket contains tokens that are added at a constant rate equal to the committed information rate (CIR). The bucket depth determines the maximum burst size (Bc). The router compares the packet size against the number of available tokens.
3. Conform or Exceed Decision
If the number of tokens in the bucket is greater than or equal to the packet size, the packet is considered conforming (green). Tokens equal to the packet size are removed from the bucket. If there are not enough tokens, the packet is exceeding (yellow or red). Some implementations also check against a second bucket for the peak information rate.
4. Apply Action
Based on the conformance result, a configured action is applied. For conforming packets, the action is typically transmit. For exceeding packets, the action can be drop, set a lower DSCP value (remark), or transmit with a lower priority. In some configurations, a third color (violating) has a separate action like drop.
5. Update Token Bucket
After the decision, the token bucket state is updated. For conforming packets, tokens are removed. If no packets arrive, tokens continue to accumulate up to the bucket depth (Bc). This allows short bursts of traffic to be transmitted when the bucket is full. The bucket is continuously refilled at the configured rate.
6. Packet Forwarding or Dropping
If the action is transmit, the packet is forwarded normally through the router to the next hop. If the action is drop, the packet is discarded. If the action is remark, the packet's IP precedence or DSCP field is changed, and the packet is forwarded. This final step determines the actual effect on the traffic flow.
Practical Mini-Lesson
Policing is a critical tool for a network professional to master because it provides a deterministic way to enforce bandwidth limits. In practice, you configure policing using a policy map in Cisco IOS or using a firewall filter in Juniper Junos. The configuration must be precise: you have to choose the correct rate, burst sizes, and actions. A common real-world scenario is limiting guest Wi-Fi traffic. You create a class that matches all traffic from the guest VLAN, then apply a police policy that limits the total guest bandwidth to, say, 10 Mbps, with a burst of 4 MB (megabytes). This ensures that guests do not saturate the corporate internet link.
One nuance of policing is the choice of burst size. If the burst size is too large, a rogue device could send a huge burst that consumes all the bandwidth for a short moment, potentially impacting other users. If the burst size is too small, even legitimate traffic like a video stream might get dropped because the initial burst of a video request can be larger than the bucket. In practice, a good rule of thumb is to set the burst size to 1.5 times the maximum segment size (MSS) multiplied by the number of expected concurrent flows, but this is often tuned empirically. Tools like Wireshark or SNMP monitoring can help assess if drops are happening.
Another practical aspect is the interaction between policing and TCP. When policing drops TCP packets, the sender receives duplicate ACKs or timeouts and reduces its window. This can cause a sawtooth pattern of throughput. If many TCP flows are policed together, they can synchronize, leading to underutilization. To mitigate this, some implementations support random early detection (RED) or weighted random early detection (WRED) before police drops, but this is a separate mechanism. Also, consider the direction: policing on the ingress interface is often used for traffic coming from customers, while shaping is more common on egress for traffic leaving a slow WAN.
Configuration examples: In Cisco IOS, a basic police config looks like: policy-map GUEST_QOS class GUEST police 10000000 4000000 conform-action transmit exceed-action drop This limits to 10 Mbps with burst 4 MB. In Juniper, a policer is defined as: policer GUEST_LIMIT { if-exceeding { bandwidth-limit 10m; burst-size-limit 4m; } then discard; } and then applied to a firewall filter term.
What can go wrong? If you apply policing to a tunnel interface (like GRE) that has overhead, you must account for the tunnel header size. Otherwise, the actual user throughput will be less than expected. Also, some hardware (like Cisco Catalyst 6500) uses hardware-based policing that has granularity restrictions (e.g., rate must be a multiple of 8 kbps). If you set an unsupported rate, the hardware may round down, causing unexpected drops. Always verify with `show policy-map interface` to see actual drop counters.
Professionals also use policing for rate limiting on specific protocols. For example, to limit ICMP traffic to prevent ping floods: `class ICMP police 100000 8000 conform-action transmit exceed-action drop`. This prevents a DoS attack from overwhelming the router CPU. Policing is a precise, efficient, but unforgiving QoS tool that requires careful configuration and monitoring.
Memory Tip
Policing = Drop the Extra; Shaping = Save and Smooth. Remember the 'DROP' in 'POLicING'-Policing Drops Immediately.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008N10-009(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
Frequently Asked Questions
Can policing be applied to both inbound and outbound traffic?
Yes, policing can be applied on both ingress and egress interfaces. Inbound policing is common to enforce customer contracts, while outbound policing can be used to limit traffic leaving a network.
What happens to the tokens in the bucket when no traffic is flowing?
Tokens accumulate up to the configured burst size (Bc). This allows the interface to send a short burst of traffic at a higher rate than the CIR when traffic starts again.
Is policing supported on all network devices?
Most enterprise routers and switches support policing, though implementation and granularity vary. Low-end consumer routers often lack advanced policing features.
Does policing affect all packets equally?
No, policing is applied per-class. Packets in different classes can have different police limits, or some classes may not be policed at all. It is also possible to police per-flow in some implementations.
Can I use policing to limit traffic based on time of day?
Policing itself is time-independent. However, you can combine policing with time-based ACLs or scheduling (e.g., using Cisco NBAR with time-based policy) to achieve time-of-day rate limiting.
What is the difference between a single-rate policer and a two-rate policer?
A single-rate policer uses only one rate (CIR) and one burst. A two-rate policer uses both a CIR and a peak information rate (PIR) with separate burst sizes, allowing more granular traffic conformance (green, yellow, red).
Summary
Traffic policing is a fundamental Quality of Service mechanism that enforces bandwidth limits by dropping or remarking packets that exceed a configured rate. It works on a token bucket model where the rate of token addition determines the average allowed bandwidth, and the bucket depth controls the maximum burst size. Unlike shaping, policing does not buffer traffic; it acts immediately, making it efficient but potentially harsh on bursty applications.
Understanding policing is vital for IT professionals because it is used everywhere-from ISP subscriber management to enterprise QoS design. It helps ensure fairness, protect critical applications, and prevent network abuse. In certification exams for CCNA, Network+, and CCNP, policing appears in both conceptual and configuration questions. You must be able to compare it to shaping, interpret configuration snippets, and understand the impact on TCP performance.
Takeaway: Policing is a simple but powerful tool. Set it carefully with realistic rates and burst sizes, monitor it for drops, and always consider the direction and class of traffic. Master the token bucket concept, and you will be prepared for both exam questions and real-world network management.