Solved: Traffic Shaping on Internet circuits

Mikey John · ‎08-19-2019

Hi,

I have a 100M Internet circuit connecting to a Cisco ISR4331 router. We are planning to upgrade the circuit to 400M, and have multiple businesses use this circuit.

Can I implement traffic shaping to limit certain businesses to use only 300M of bandwdith, and have the remaining 100M for the other businesses. If yes, how do I differentiate the source traffic between these businesses while implementing traffic shaping?

Thanks
Mikey

Georg Pauwen · ‎01-09-2020

Hello,

the below should work:

ip access-list extended SOURCE_ACL
permit ip 10.1.0.0 0.0.0.255 any
permit ip 10.2.0.0 0.0.0.255 any
!
class-map match-any CLASS_1
match access-group name SOURCE_ACL
!
policy-map SHAPE_300
class CLASS_1
shape average 300000000
class class-default
fair-qeue
!
interface GigabitEthernet0/0
service-policy output SHAPE_300

View solution in original post

Giuseppe Larosa · ‎08-19-2019

Hello Mikey,

if the business units can be classified based on IP address subnet you can use access lists to create class-maps and then you can use hierarchical QoS with a parent shaper and child policies.

If this is not possible you need to use NBAR (match protocol) and classify traffic at application layer.

Hope to help

Giuseppe

Mikey John · ‎08-19-2019

Hi Giuseppe,

Thanks for your reply. Yes, the business units are classified into different subnets.

Could you please help me with any configuration examples, or guide me to any webpage for reference.

Thanks

Mikey

Joseph W. Doherty · ‎08-19-2019

BTW, shaping can only be used for egress, so if you're looking to limit Internet ingress traffic to 300 Mbps, you would need to either shape traffic on LAN egress or police WAN ingress. Also, either won't be very precise on limiting ingress traffic before the shaper or policer because the Internet traffic can burst above the limit before it reaches the shaper or policer. If you only want to limit bandwidth going to the Internet (again not from it), either a shaper or policer will be very effective.

Also BTW, you realize an ISR 4331, to support 400 Mbps, especially duplex, will need a boost license, and even then, it might not be able to constantly guarantee above 300 Mbps aggregate performance?

Giuseppe Larosa · ‎08-19-2019

Hello Joseph,

very good point about possible performance issues with increased aggregated traffic.

>> Also BTW, you realize an ISR 4331, to support 400 Mbps, especially duplex, will need a boost license, and even then, it might not be able to constantly guarantee above 300 Mbps aggregate performance?

Best Regards

Giuseppe

Mikey John · ‎01-09-2020

Hi Giuseppe,

Sorry to revive an old thread. We are in the process of implementing this traffic shaping solution in the coming few days. We have gone ahead and upgraded the router to a ASR1001X series router to support the 400M Internet bandwidth.

Could you please give me a configuration example (or help guide me to a link) for defining traffic shaping for these two subnets to use only 300M out of 400M.

Source 1 - 10.1.0.0/24

Source 2 - 10.2.0.0/24

Thanks

Mikey

Georg Pauwen · ‎01-09-2020

Hello,

the below should work:

ip access-list extended SOURCE_ACL
permit ip 10.1.0.0 0.0.0.255 any
permit ip 10.2.0.0 0.0.0.255 any
!
class-map match-any CLASS_1
match access-group name SOURCE_ACL
!
policy-map SHAPE_300
class CLASS_1
shape average 300000000
class class-default
fair-qeue
!
interface GigabitEthernet0/0
service-policy output SHAPE_300

Mikey John · ‎01-09-2020

Thanks George. This policy should be applied on the WAN interface towards the Internet?

Cheers

Mikey

Georg Pauwen · ‎01-09-2020

Yes indeed, apply the service policy to the WAN interface...

Mikey John · ‎01-09-2020

Thanks. Appreciate your inputs.

Mikey

Joseph W. Doherty · ‎01-09-2020

Some suggestions . . .

If you have 400 Mbps, and the physical interface is more, suggest you have a parent shaper for the 400 Mbps. Then you could still limit the one class to 300 Mbps or, perhaps better, would be to allow it to have a 75% bandwidth guarantee. This will allow this class to take advantage of otherwise unused bandwidth.

BTW: since Georg's suggested policy doesn't have any bandwidth statements, unsure how the two classes will share bandwidth. The only thing certain is the one class may not have more that 300 Mbps.

Also, Georg's policy has FQ in class-default, but in later variants (i.e. since HQF) of CBWFQ, it can also be used in other non class-default classes.

Mikey John · ‎01-10-2020

Hi Joseph,

Thanks for your inputs. So, from what I understand, Fair-queue generally is implemented on WAN interfaces(being low BW). And this helps in giving preference to lower BW traffic compare to higher BW traffic (file downloads etc)? Also, if we want to specify the BW for a particular class (subnets), Weighted fair queue is better?

Could you please help with a few more queries below.

1) Can I specify the 300M bandwidth to be used by the non-default class? Is a queue-limit also needed for this class?
class-map match-any CLASS_1
bandwidth 300000
match access-group name SOURCE_ACL

2) How do I implement parent shaper for 400Mbps?

3) Would all the remaining source subnets be part of default class, and be given 100M of BW to use?

As mentioned earlier, my main goal is to assign 300M BW for those two subnets, and 100M for the remaining ones. Also, I don't the Non-default class to eat up on the 100M BW assigned for default class.

Cheers
Mikey

Joseph W. Doherty · ‎01-10-2020

The FQ being for low bandwidth applies to the older version of FQ, WFQ. The version of FQ found within CBWFQ scales to high bandwidth links.

#1 Believe you're confusing a class-map, for matching, with a policy-map's class, for processing. The latter is where you define the bandwidth statement, which isn't a shaper.

#2

policy-map Parent
class class-default
shape average 400000
service-policy Child

policy-map Chile
class x
class y
class class-default

interface x
service-policy output Parent

#3 Yes, to remaining subnets, unknown regarding bandwidth, because the policy, as defined, applied to physical interface, and 400 Mbps is usually not a physical bandwidth hand-off.

Mikey John · ‎02-20-2020

Thanks Joseph. I have used the "bandwidth percent" command under the class to assign bandwidth to each of these classses. Please let me know if this looks ok?

ip access-list extended Labs
permit ip 10.x.x.x 0.0.1.255 any
permit ip 10.x.x.x 0.0.0.31 any

class-map match-any CLASS_1
match access-group name Labs

policy-map SHAPE_QOS_INTERNET
class class-default
shape average 400000
service-policy SHAPE_QOS_LABS

policy-map SHAPE_QOS_LABS
class CLASS_1
bandwidth percent 75 --> Assigns 300M to this class
class class-default
bandwidth percent 25 ---> Assigns 100M to this default class

interface GigabitEthernet0/0/0
service-policy output SHAPE_QOS_INTERNET

Thanks

Mikey

Joseph W. Doherty · ‎02-20-2020

Yes, but some suggestions . . .

I now recall (?) shapers (and policers) actually measure in bps, if so, you'll need to adjust the value to set for 400 Mbps. (NB: if values are indeed bps, not Kbps, my prior posting is incorrect too.)

On some platforms (and IOS versions), I suspect shapers/policers don't account for L2 overhead. If you find this true with your platform, you can adjust the shaper's values smaller to allow for the (average) overhead (usually about 15%). (Unfortunately, as L2 overhead percentages varies based on packet size, you cannot obtain the exact rate desired, unless the IOS does account for L2 overhead.)

If you do see the shaper, shaping, you might consider setting FQ in one or both policy map classes.

Lastly, you might consider not using the word shape in your child policy as it doesn't actually shape.