02-09-2011 12:14 PM - edited 03-04-2019 11:22 AM
I have been through every forum on the net for this one and am getting nowhere... PLEASE HELP!
Here is my situation,
I have lots of PPPoE users that get Virtual Access interfaces created upon login based on a virtual template. I need to traffic shape them. I know how to get it to work on an individual basis, because the policing within a service policy works fine. As soon as I change it to shaping it leaves things wide open.
I really don't care how it gets done, I just need to be able to specify a speed to be traffic shaped and apply that to a virtual template. I need to limit speeds on the download and upload. I understand that on the upload I will use the policing, but on the download I need it to smooth out the flow and be traffic shaped, not policed.
Here are my policies and classes:
***
policy-map CHILD
 class class-default
  bandwidth 1650
policy-map PARENT
 class class-default
  shape average 1650000
  service-policy CHILD
****
Here is my Virtual Template:
****
interface Virtual-Template8
 description pppoe-auth-FTTH
 ip unnumbered FastEthernet0/0
 ip access-group subs-in-FTTH in
 ip mtu 1493
 timeout absolute 6120 0
 peer default ip address pool FTTH-POOL
 ppp authentication pap pppoe-auth
 ppp authorization pppoe-auth
 ppp timeout idle 84600
 service-policy output PARENT
****
Here is the Virtual Access Interface that gets created:
***
7200-ADSL#sho interfaces virtual-access 2.32 configuration
Virtual-Access2.32 is a PPP over Ethernet link (sub)interface
Derived configuration : 284 bytes
!
interface Virtual-Access2.32
 ip unnumbered FastEthernet0/0
 ip access-group subs-in-FTTH in
 timeout absolute 6120 0
 peer default ip address pool FTTH-POOL
 ppp authentication pap pppoe-auth
 ppp authorization pppoe-auth
 ppp timeout idle 84600
 service-policy output PARENT
end
***
AND HERE IS MY PROBLEM!!!
****
7200-ADSL#sho policy-map interface virtual-access 2.32
 Virtual-Access2.32
  Service-policy output: PARENT
    Class-map: class-default (match-any)
      279116 packets, 369905269 bytes
      5 minute offered rate 8990000 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
        Target/Average   Byte   Sustain   Excess    Interval  Increment
        Rate             Limit  bits/int  bits/int  (ms)      (bytes)
        1650000/1650000  9900   39600     39600     24        4950
        Adapt   Queue  Packets  Bytes  Packets  Bytes    Shaping
        Active  Depth                  Delayed  Delayed  Active
        -       0      59       3501   0        0        no
      Service-policy : CHILD
        Class-map: class-default (match-any)
          279116 packets, 369905269 bytes
          5 minute offered rate 8990000 bps, drop rate 0 bps
          Match: any
          Queueing
            Output Queue: Conversation 73
            Bandwidth 1650 (kbps)Max Threshold 64 (packets)
            (pkts matched/bytes matched) 0/0
            (depth/total drops/no-buffer drops) 0/0/0
****
The result I am getting is unrestricted throughput. I am seeing about 40mb of throughput when the target is to limit to 1.65MB. As you can see from the output, the PARENT class is seeing 279116 packets, but the shaper only saw 59. In all the examples I see on the internet these two numbers should be the same. Why is the shaper not acting on all the traffic crossing that class/policy?
Hardware/IOS:
Cisco IOS Software, 7200 Software (C7200-IK9SU2-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Thanks for any Input!
Joel
02-09-2011 02:06 PM
Why are you using class class-default twice?
Why not have this instead:
policy-map PARENT
 class class-default
  shape average 1650000
02-09-2011 02:11 PM
That would be easy! Unfortunately it gives the same results!
Thanks,
Joel
02-09-2011 02:15 PM
But if I use as you suggest, but with a "police" statement, it works fine! But I need shaping, not policing!
Thanks,
Joel
02-09-2011 02:57 PM
After some quick research, I've found that shaping is not supported on virtual-interfaces because the interface is unable to obtain "back pressure" information from the physical interface.
With that said, I suggest opening a TAC case to get a final confirmation. Perhaps, there is a service provider image that may support your requirement. You won't find the cool stuff on the mainline image.
02-09-2011 03:16 PM
Do you have the link stating this? Because in my hours of research, it seems that people were able to get it working, but I will also look into it further.
Joel
02-09-2011 03:42 PM
All the information I got was from internal cases. I highly suggest you open a case for further troubleshooting. It may be an issue with the image you are running and TAC may offer a different image that works per your requirement.
02-09-2011 05:00 PM
I understand, however, we do not carry a support contract, so that is not an option.
In any case, I have found two articles that directly reference success using QoS on a virtual-template / Virtual-access; both are a little different from one another. I have not had a chance to test them, and I will not be able to until Friday now, but I will report back if I have any results.
02-09-2011 07:23 PM
Hi Joel,
I may be way off track here but we do something similar to what I think you are trying to achieve...
We terminate a number of PPPoE sessions using RADIUS-based authentication. We can't apply a service policy directly to the virtual-template because all our users have different access requirements. Rather, all users' access details (including shaping rules) are pushed out from our RADIUS server based on the client's username and password.
So the RADIUS file might look something like this:
"username@domain" Password == "password"
    Service-Type == Framed-User,
    Framed-Netmask == 255.255.255.255,
    Framed-IP-Address == x.x.x.x,
    Cisco-AVPair == "lcp:interface-config=ip load-sharing per-destination",
    Cisco-AVPair == "lcp:interface-config=rate-limit input rate burst maxburst conform-action transmit exceed-action drop",
    Cisco-AVPair == "lcp:interface-config=rate-limit output rate burst maxburst conform-action transmit exceed-action drop"
The net result is something that looks like this...
router#show run int vi12
Building configuration...
Current configuration : 297 bytes
!
interface Virtual-Access12
 ip unnumbered Loopback0
 ip load-sharing per-packet
 rate-limit input 128000 16000 32000 conform-action transmit exceed-action drop
 rate-limit output 512000 16000 32000 conform-action transmit exceed-action drop
end
This was taken off a Cisco 7206 running AdvancedIP 12.4 6 T2. We have a similar setup for services that require CB QoS but it requires some different AV Pairs and we had to upgrade our IOS to a different feature set to make it work.
Not sure if any of that helps you at all.
Regards,
Peter
02-10-2011 04:06 AM
Yup, this is exactly what we are doing today, but the policing is causing some speed issues as it just drops any traffic over the limit, causing many TCP retransmissions. We have the bursts configured correctly per the equation recommended by Cisco, but when a customer runs a speed test, for example, it jumps all over the map because it is super fast until the token bucket is empty, then it slows WAY down because packets start to drop as they hit the cap transfer rate.
So the whole goal is to shape that traffic out so they see a smooth predictable speed limit. With the "rate-limit" and higher speeds such as 10mb or 20mb, it has been very difficult to get the exact limit predictably, it seems to jump all over + or - 3mb.
Thanks for the input!
Joel
02-06-2012 01:19 AM
Hello,
Don't know if this may still be useful or not.
I had exactly the same issue and I succeeded in making it work by applying the policy map on the pvc portion of the configuration:
interface atm 0/0/0
 xxx
 xxx
 xxx
 pvc 8/21
  service-policy output Qos-Policy
That's it.
My equipment was a Cisco 1841 with IOS 15.0 M1
hope this may help.
bye
02-14-2011 12:43 PM
Alright, very disappointing, but I am giving up. I am convinced there is something with my hardware/software that does not support this; everything configures fine, but it never gets shaped on the virtual interface. We have to move forward, and since the solution we have in place is working (just not as we desired) we are satisfied. The solution we ended up using was exactly like the one PAnsell86 posted above.
The only real drawback that we have seen is the quick burst in the policing and then the dropped packets when the limit is exceeded, which is causing retransmissions. But in production, the only thing this means is that the speedtest sites jump all over the place and do not hold a steady rate. It works much better at sub 10mb/sec; above that it gets crazy unpredictable results.
So in summary, we are willing to try to explain to the customer why the speedtest looks crazy and tell them to FTP for download a file, which gives them perfectly expected download speeds. We seem to have the best results with the formula from Cisco: (CIR * 0.125) * 1.5.
Thanks for all the input,
Joel
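An added example, not code from any poster in this thread: a small Python simulation of the policing versus shaping behaviour discussed above, using the thread's 1650000 bps target, the 24 ms interval from the show policy-map output, and the (CIR * 0.125) * 1.5 burst formula. The 1500-byte packets, the 18-packets-per-interval load and the 64-packet shaper queue are constructed assumptions, and the traffic is open-loop (no TCP back-off).

```python
# Added example: token-bucket policer vs. shaper, open-loop traffic (no TCP back-off).
CIR_BPS = 1_650_000   # "shape average 1650000" from the thread
TC_S = 0.024          # 24 ms interval from the show policy-map output
PKT_BYTES = 1500      # constructed: fixed-size packets

def police_burst_bytes(cir_bps):
    """Normal burst from the formula quoted in the thread: (CIR * 0.125) * 1.5."""
    return int(cir_bps * 0.125 * 1.5)

def shaper_interval(cir_bps, tc_s):
    """Sustained bits per interval and the matching byte increment."""
    bc_bits = round(cir_bps * tc_s)
    return bc_bits, bc_bits // 8

def police(intervals, pkts_per_interval):
    """Policer: packets that find no tokens are dropped immediately."""
    burst = police_burst_bytes(CIR_BPS)
    _, refill = shaper_interval(CIR_BPS, TC_S)
    tokens, sent, dropped = burst, [], 0      # bucket starts full
    for _ in range(intervals):
        tokens = min(burst, tokens + refill)
        ok = min(pkts_per_interval, tokens // PKT_BYTES)
        tokens -= ok * PKT_BYTES
        dropped += pkts_per_interval - ok
        sent.append(ok)
    return sent, dropped

def shape(intervals, pkts_per_interval, queue_limit=64):
    """Shaper: excess packets wait in a queue; tail-drop only when it is full."""
    _, bc_bytes = shaper_interval(CIR_BPS, TC_S)
    credit, queue, sent, dropped = 0, 0, [], 0
    for _ in range(intervals):
        accepted = min(pkts_per_interval, queue_limit - queue)
        dropped += pkts_per_interval - accepted
        queue += accepted
        credit += bc_bytes
        out = min(queue, credit // PKT_BYTES)
        queue -= out
        credit -= out * PKT_BYTES
        if queue == 0:
            credit = min(credit, bc_bytes)    # idle credit is not banked past one interval
        sent.append(out)
    return sent, dropped

if __name__ == "__main__":
    # Constructed load: 18 x 1500 B per 24 ms = 9 Mbps, near the thread's offered rate.
    print("policer packets/interval:", police(20, 18)[0])
    print("shaper  packets/interval:", shape(20, 18)[0])
```

With this load the policer passes the full offered rate for 13 intervals before collapsing to 3 or 4 packets per interval, while the shaper releases 3 or 4 packets per interval from the first interval on.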