Police and bandwidth in same class

muhammad-furqan · ‎06-26-2016

Requirement - Specific traffic between two data centers must guaranteed minimum bandwidth of 50mb and in case of exceed it will change the precedence value from 2 to 0

Here is the configuration which i want to apply

Option 1 -

class-map match-any VOIP
match ip precedence 2

policy-map VOIP
class VOIP
bandwidth 50000
police 45000000 bc 500000 conform-action transmit exceed-action set-prec-transmit 0 violate-action set-prec-transmit 0

Option 2 -

class-map match-any voice
match ip precedence 3

policy-map child
class voice
police 45000000 bc 500000 conform-action transmit exceed-action set-prec-transmit 0 violate-action set-prec-transmit 0

policy-map parent
class voice
bandwidth 50000
service-policy child

Please suggest if these configurations are correct

Peter Paluch · ‎06-26-2016

Muhammad,

These are my thoughts about the suggested configurations:

In both options, your policing rate of 45 Mbps is 5 Mbps below your minimum guaranteed rate of 50 Mbps. That does not make much sense because obviously, with this setup, you cannot really guarantee a minimum of 50 Mbps to these classes.
It is not necesary to use the violate-action keyword in the policing configuration. This keyword is only required if you are doing a so-called three-color two-rate policing (police cir cir pir pir ...)
For voice, it is not common to use an IP precedence of 2 or 3 - usually, voice is marked as DSCP class EF = 46, translating into IP precedence of 5.
Also, voice is usually placed into a class configured with the priority keyword instead of bandwidth. The priority keyword guarantees both a minimum and maximum bandwidth guarantee/allowance (it behaves as a combination of bandwidth and police as it both provides for minimum bandwidth guarantee and an implicit policing), and in addition, it creates a priority queue for the traffic so that it gets dequeued before any other traffic.
It is not customary to remark voice traffic. Ultimately, the quality of voice would suffer. Your network should be designed so that it can carry a certain number of simultaneous voice calls without causing any congestion, and your telephony servers (gatekeepers, SIP proxies, etc.) should be configured to disallow additional calls beyond this designed limit.

With these remarks in mind, Option 1 looks okay. Option 2 will behave similarly but it is unnecessarily complex if both the parent and the child policy-map are going to refer to just one class.

Best regards,
Peter

muhammad-furqan · ‎06-27-2016

Hi Peter,

Both the shape and police commands restrict the output rate to a maximum kbps value. Importantly, neither mechanism provides a minimum bandwidth guarantee during periods of congestion. Use the bandwidth or priority command to provide such guarantees.

http://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-policing/19645-policevsshape.html#minimumvsmaximum

That' why i am using bandwidth command which will provide minimum bandwidth guarantee of 50mb, i am not using police for minimum bandwidth guarantee here i am using police for only to remark the traffic if it will exceed the 49mb ( 45mb with 4mb burst)

As per our service provider we have to mark it with 2 and SP will drop the traffic with IP precedence 2 if it will exceed the 50mb that's why i am remarking it with dscp 0 if it exceeds 50mb.

Priority command will start doping the traffic which exceeds 50mb which i don't want

Joseph W. Doherty · ‎06-27-2016

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages wha2tsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

As Peter notes, both policers should behave alike and option 1 is a less complex policy.

If your provider is enforcing a hard cap of 50 Mbps, you should try to find out what Tc and Bc (and Be?) they're using, so you can mimic those with your policer. That said, I believe on many platforms, shapers and policer don't account for L2 overhead, so you need to shape/police slower so that the L2 cap isn't exceeded.

As Peter also notes, generally LLQ is used for real-time traffic like VoIP. To avoid it dropping packets, set it's bandwidth setting higher than than you expect you'll ever generate, and continue to use a policer to remark. This will insure, such traffic is dequeued first.

On the idea of not dropping overrate VoIP traffic, i.e. remarking it instead, do be aware although you don't immediately drop the packet, depending on your network and QoS policies, the packet might now be delivered out-of-sequence and/or with too much latency or jitter making it worthless. I.e. you might find you've just used bandwidth for no purpose.

The ideal way to deal with VoIP traffic, is a call admission system, that tracks available bandwidth, and insures new calls are not admitted unless there's bandwidth to support them.

Peter Paluch · ‎06-30-2016

Joe, Muhammad,

Joe: Thanks for joining this thread! Even though I do answer QoS-related questions from time to time, I nevertheless hope each time that you'll join the thread and provide your own perspective. QoS is a beast and I am still learning from experts like you.

Muhammad:

That' why i am using bandwidth command which will provide minimum bandwidth guarantee of 50mb, i am not using police for minimum bandwidth guarantee here i am using police for only to remark the traffic if it will exceed the 49mb ( 45mb with 4mb burst)

You are correct about the remarking - I missed that particular detail. Still, you are putting together two unrelated things - the throughput, which is the amount of data over a period of time, with the burst size, which is only the amount of data. It is like adding together a velocity (kmph) with a distance (km) - you cannot really do that, and summing these two numbers together produces a number that has no meaning.

Keep in mind that the burst size is the maximum amount of data that can be sent at the full speed of the interface. However, this sending of data is interspersed with artificial periods of silence to make sure that the average speed, combined from sending data at the full speed and being silent for a certain time, does not exceed the configured CIR. We could go into the maths but at this point, suffice it to say that you cannot really add together the CIR (in bits per second) and the Bc (which is in bits) - Bc is not a speed but a certain amount of data, and this data would be sent out on the full speed of the interface, not with the CIR.

If you want to remark traffic that flows beyond 50 Mbps then configure your policing for the intended rate of 50 Mbps, no other.

Of course, feel welcome to ask further!

Best regards,
Peter