The "single token bucket" policer model is used by SBC policers. This model applies a limit to the rate of received packet streams. Packets in excess of the permitted rate are deemed "nonconforming" and are discarded. Black lists do not use this model because they do not apply policing; every packet matching a black list entry is discarded. However, the discard rate of black listed packets is measured and may trigger an alarm.
These policers protect the system itself and the protected networks behind it against Denial of Service caused by overwhelming floods of packets. The policers also protect the delivery of service to each peer system in the network against disruption by floods of packets sent by other peers.
Each policer instance conceptually consists of a "bucket" that collects "tokens" (a token may be thought of as a credit). New tokens flow into the bucket at a constant rate called the fillRate.
If the bucket "fills up" (the number of tokens in the bucket reaches the bucketSize), additional credits that are added per the fillRate "spill over" the edge of the bucket and are lost. When a packet to be policed is received, if there are sufficient credits in the bucket to accommodate the packet then the packet is accepted and the corresponding credits are deducted from the bucket. If there are insufficient credits in the bucket, the packet is discarded and no credits are removed from the bucket.
If a packet is received when the credit balance is less than the size of the packet, the packet is discarded, subject to the discard rate set in the IP Policing Alarm profile or in the Policer Alarm monitoring this NIF. The values are:
Over time, the maximum rate at which packets are accepted by the policer is equal to the fillRate. However, since the bucket can store up to bucketSize tokens, a limited number of tokens can be saved during periods when packets are arriving more slowly. Those saved credits allow the policer to accept short-term bursts that temporarily arrive at a rate in excess of the fillRate. The larger the bucketSize, the more credits may be saved for later. The bucket thus allows the policer to accommodate some burstiness in the arrival of packets.
For the SBC policers, the tokens represent units of packets. Thus the fillRate is in packets per second and the bucketSize is in packets.
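As an added example (not code from the SBC documentation or product), a minimal Python model of the single token bucket policer described above. It assumes arrival times in milliseconds, a fresh bucket that starts full, and uses the 50 PPS / 50 packet ACL defaults given on this page for the constructed scenarios.

```python
from dataclasses import dataclass, field


@dataclass
class TokenBucketPolicer:
    """Single token bucket policer: tokens are packets, fill_rate is in packets
    per second (fillRate) and bucket_size is in packets (bucketSize)."""
    fill_rate: float        # tokens credited per second
    bucket_size: float      # maximum tokens the bucket can hold
    tokens: float = field(init=False, default=0.0)
    last_ms: int = field(init=False, default=0)
    accepted: int = field(init=False, default=0)
    discarded: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        # Assumption: a new bucket starts full, so an initial burst of up to
        # bucket_size packets is accepted before any refill is needed.
        self.tokens = float(self.bucket_size)

    def _refill(self, now_ms: int) -> None:
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        # Credits that would exceed bucket_size "spill over" and are lost.
        self.tokens = min(self.bucket_size, self.tokens + elapsed * self.fill_rate / 1000)

    def offer(self, now_ms: int) -> bool:
        """Police one packet arriving at now_ms (non-decreasing milliseconds).
        Returns True if the packet conforms and is accepted."""
        self._refill(now_ms)
        if self.tokens >= 1:
            self.tokens -= 1       # one token per packet
            self.accepted += 1
            return True
        self.discarded += 1        # nonconforming: discarded, no credit deducted
        return False


def police(arrival_ms, fill_rate, bucket_size):
    """Run a stream of arrival times through a fresh policer; return (accepted, discarded)."""
    p = TokenBucketPolicer(fill_rate, bucket_size)
    for t in sorted(arrival_ms):
        p.offer(t)
    return p.accepted, p.discarded


# Constructed scenarios using the page's default ACL policer (50 PPS, 50 packets).
def burst_then_idle():
    # 80 packets at once: only bucket_size of them fit; 30 are nonconforming.
    return police([0] * 80, fill_rate=50, bucket_size=50)

def burst_after_partial_refill():
    # The first burst drains the bucket; 200 ms later only 10 tokens have refilled.
    return police([0] * 80 + [200] * 30, fill_rate=50, bucket_size=50)

def sustained_overrate():
    # 100 PPS for 2 s: the saved bucket is spent, then acceptance converges on fill_rate.
    return police([i * 10 for i in range(200)], fill_rate=50, bucket_size=50)
```

The sustained case accepts 149 of 200 packets, i.e. the 50 saved credits plus roughly fillRate × 2 s, which is the long-run bound the text describes.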
These objects collectively achieve the following:
When a new ACL rule is created, and the associated policer fillRate and bucketSize are not specified, these values default to a fillRate of 50 PPS and a bucketSize of 50 packets in order to facilitate more secure deployments. When configuring policing values, estimate the expected maximum traffic rate for each new ACL rule, and then set the policer fillRate accordingly.
The fillRate and bucketSize for the micro-flow policer are calculated as follows:
Example:
If the fillRate is configured as "25" in all of the fields under sipCacProfile, the fillRate of the micro-flow policer is calculated as:
If the bucketSize is configured as "30" in all of the fields under sipCacProfile, the bucketSize of the micro-flow policer is calculated as: