HELP. Policy-map drops packages even though it's not maxed out

weardfear · ‎11-14-2022

Hi all,

Router is C8500L-8S4X

I'm attempting to create a policy-map which is used for a Etherchannel.
As far as i can read it requires a "Fragment" map when shaping on a etherchannel.
I'm trying to achieve a max bandwidth limit of around 600mbit, but when i apply it on the two physical interfaces that's part of the etherchannel several packages are dropped. Like 1 in 20 is dropped.

This is what i got so far.

class-map match-any CM_Match_VoIP
match protocol rtp
match protocol sip
match protocol skype
match protocol rtp-video
match protocol rtp-audio
match dscp ef

ip access-list extended ACL_Shape_Deny-Shaping
10 permit ip 123.123.0.0 0.0.0.255 123.123.0.0 0.0.0.255 (Correct IP's removed)

ip access-list extended ACL_Shape_Permit-Shaping
10 permit ip any any

class-map match-all CM_Match-All
match access-group name ACL_Shape_Permit-Shaping
match not access-group name ACL_Shape_Deny-Shaping

policy-map PM_MaxDownload-Fragment
class class-default fragment Class_Fragment
shape average 600000000
policy-map PM_Match_Protocols
class CM_Match_VoIP
priority level 1
class class-default
fair-queue
policy-map main-interface-out
class CM_Match-All service-fragment Class_Fragment
shape average 600000000

Hope someone can help!

Joseph W. Doherty · ‎11-14-2022

What's your policy stats look like?

weardfear · ‎11-15-2022

Thank you for the response!
Currently the Policy-map is not attached to any interfaces, i'm gonna have to wait for a proper time before i can apply it.

Once i've attached it, are there anything else than the policy stats you'd like ? Is 5 minutes enough stats for you ?

Joseph W. Doherty · ‎11-15-2022

"Is 5 minutes enough stats for you ?"

If your 1 in 20 drops are happening, during those 5 minutes, such stats might provide some clues.

"Once i've attached it, are there anything else than the policy stats you'd like ?"

Not yet. We'll first see what the policy stats show.

weardfear · ‎11-16-2022

Hi again : ).

Aight, 1/20 might be an exageration. But at the time i posted this i was loosing 1/20 ICMP packages, and after disabling it i didn't get a single one.

The other member of the etherchannel has 0 output, so i have omitted that.
The output here is made in the order shown with a 10 second interval'ish.

TenGigabitEthernet0/1/0 is up, line protocol is up
Hardware is 4xSFP+, address is 44ae.250c.ee40 (bia 44ae.250c.ee08)
MTU 9216 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 11/255, rxload 2/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full Duplex, 10000Mbps, link type is auto, media type is SFP-H10GB-ACU7M
output flow-control is on, input flow-control is on
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:06, output 00:00:00, output hang never
Last clearing of "show interface" counters 5w0d
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Class-based queueing
Output queue: 0/40 (size/max)
5 minute input rate 105.82 mega-bits/sec , 30.61 Kpps
5 minute output rate 461.94 mega-bits/sec , 53.23 Kpps
58,080,513,027 packets input, 19,329,585,584,156 bytes, 0 no buffer
Received 312,718 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 1,623,140 multicast, 0 pause input
114,735,096,363 packets output, 70,329,423,045,940 bytes, 0 underruns
Output 38,372,115 broadcasts (0 IP multicasts)
0 output errors, 0 collisions, 1 interface resets
152,029 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

----------------------------------------------------------------

TenGigabitEthernet0/1/0

Service-policy output: main-interface-out

Class-map: CM_Match-All (match-all) service-fragment Class_Fragment
309810674 packets, 325410930776 bytes
5 minute offered rate 469461000 bps, drop rate 7288000 bps
Match: access-group name ACL_Shape_Permit-Shaping
Match: not access-group name ACL_Shape_Deny-Shaping
Queueing
queue limit 406 packets
(queue depth/total drops/no-buffer drops) 228/631231/0
(pkts output/bytes output) 309179448/324660753082
shape (average) cir 600000000, bc 2400000, be 2400000
target shape rate 600000000

Class-map: class-default (match-any)
5028551 packets, 3312515347 bytes
5 minute offered rate 2668000 bps, drop rate 0000 bps
Match: any

queue limit 6781 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 5027850/3312347979

----------------------------------------------------------------

TenGigabitEthernet0/1/0 is up, line protocol is up
Hardware is 4xSFP+, address is 44ae.250c.ee40 (bia 44ae.250c.ee08)
MTU 9216 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 11/255, rxload 2/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full Duplex, 10000Mbps, link type is auto, media type is SFP-H10GB-ACU7M
output flow-control is on, input flow-control is on
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:08, output 00:00:00, output hang never
Last clearing of "show interface" counters 5w0d
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Class-based queueing
Output queue: 0/40 (size/max)
5 minute input rate 106.66 mega-bits/sec , 30.67 Kpps
5 minute output rate 469.26 mega-bits/sec , 54.7 Kpps
58,081,451,947 packets input, 19,330,016,088,032 bytes, 0 no buffer
Received 312,724 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 1,623,158 multicast, 0 pause input
114,736,940,109 packets output, 70,331,477,949,131 bytes, 0 underruns
Output 38,372,489 broadcasts (0 IP multicasts)
0 output errors, 0 collisions, 1 interface resets
152,032 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

----------------------------------------------------------------

TenGigabitEthernet0/1/0

Service-policy output: main-interface-out

Class-map: CM_Match-All (match-all) service-fragment Class_Fragment
312309257 packets, 328182649171 bytes
5 minute offered rate 477001000 bps, drop rate 7770000 bps
Match: access-group name ACL_Shape_Permit-Shaping
Match: not access-group name ACL_Shape_Deny-Shaping
Queueing
queue limit 406 packets
(queue depth/total drops/no-buffer drops) 399/695247/0
(pkts output/bytes output) 311614016/327360707177
shape (average) cir 600000000, bc 2400000, be 2400000
target shape rate 600000000

Class-map: class-default (match-any)
5056059 packets, 3326875670 bytes
5 minute offered rate 2683000 bps, drop rate 0000 bps
Match: any

queue limit 6781 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 5055355/3326707454

Joseph W. Doherty · ‎11-16-2022

I didn't want to mentioned it earlier, but I had suspected it might turn out to be your shaper is being congested, and stats appear to confirm, i.e.:

5 minute offered rate 469461000 bps, drop rate 7288000 bps
Match: access-group name ACL_Shape_Permit-Shaping
Match: not access-group name ACL_Shape_Deny-Shaping
Queueing
queue limit 406 packets
(queue depth/total drops/no-buffer drops) 228/631231/0

5 minute offered rate 477001000 bps, drop rate 7770000 bps
Match: access-group name ACL_Shape_Permit-Shaping
Match: not access-group name ACL_Shape_Deny-Shaping
Queueing
queue limit 406 packets
(queue depth/total drops/no-buffer drops) 399/695247/0

64,016 drops between those two stats snapshots! In both instances, over half of shaper's queue resources used! (56% and 98% [!] respectively.)

What to do? Depends on what your goals are. You might "tweak" shaper's queue size (if platform supports) bigger to try to deal with a transient burst (if that's what's happening), and/or "tweak" class-defaults FQ flow queues sizes (if platform supports) smaller (to "target" drops against bandwidth flow hogs), and/or "tweak" shaper Bc/Tc parameters (to allow transient burst to pass w/o queuing it).