1. Introduction
In Quality of Service (QoS), two common techniques are used to control how much bandwidth traffic flows can consume: Shaping and Policing.
Both rely on a Committed Information Rate (CIR), which defines the maximum bandwidth that can be transmitted over an interface.
The difference lies in how each technique handles traffic that exceeds this CIR.
2. What is Shaping?
Shaping is a rate-limiting technique that buffers excess traffic instead of discarding it.
Figure 1 – Shaping in Quality of Service
In the figure, traffic that goes above the red CIR line is not dropped. Instead, it is placed in a shaping buffer and sent later at a controlled rate.
This configured rate limit is often defined by a service agreement.
For example, if an Internet Service Provider (ISP) sets a maximum of 400 Mbps, then 400 Mbps becomes the CIR.
By queuing traffic bursts and transmitting them gradually, shaping prevents packet loss, ensures compliance with the agreed bandwidth, and smooths out irregular traffic patterns.
3. What is Policing?
Policing also enforces the CIR but works in a different way.
Figure 2 - Policing in Quality of Service
When traffic exceeds the red CIR line, policing does not buffer it. Instead, it immediately applies one of two actions:
Dropping packets: Excess traffic is discarded.
Re-marking packets: Excess traffic is marked with a lower priority so that it may still be delivered, but as less important traffic.
Unlike shaping, policing does not provide flexibility for bursts. It is a stricter approach, commonly used in service provider environments to ensure traffic strictly conforms to contractual limits.
4. Real-World Example
Now that the basics of shaping and policing are clear, let’s consider a practical scenario to see how these techniques are applied in real networks.
Imagine this situation: you need to connect your local network to an Internet Service Provider (ISP). As part of your agreement, the ISP sets a 400 Mbps bandwidth limit. This means your traffic must remain within this rate. But how can you make sure of that, and what happens if it does?
To manage this, shaping and policing are applied, each with its own role:
Customer Router - Outbound Shaping
On the customer side, outbound shaping is configured. Outbound means all the traffic that leaves an interface. Here, shaping ensures that traffic sent toward the ISP does not exceed 400 Mbps.
Figure 3 - Shaping Quality of Service use case
Any traffic that goes beyond the rate limit is not discarded. Instead, it is placed in a buffer and transmitted later at the agreed speed. This way, the customer stays compliant with the contract while avoiding packet loss during short traffic bursts.
ISP Router (Policing)
On the ISP side, inbound policing is used. Inbound refers to all the traffic that enters an interface.
Here, policing strictly enforces the 400 Mbps limit on traffic arriving from the customer.
Figure 4 - Policy Quality of Service use case
If the incoming traffic exceeds the limit, the ISP router reacts immediately:
It can drop the excess traffic to maintain network stability.
Or it can re-mark the traffic with a lower priority, making those packets less likely to be delivered during congestion.
5. Conclusion
In this lesson, we covered two fundamental traffic rate-limiting techniques:
Shaping: Delays excess traffic by queuing it, smoothing out bursts, and ensuring compliance with agreed limits.
Policing: Immediately enforces the rate limit by dropping excess packets or re-marking them with a lower priority.
Together, these methods help networks respect bandwidth agreements and maintain performance under different traffic conditions.