02-26-2011 01:01 AM - edited 03-06-2019 03:46 PM
I am trying to make QoS on my Cisco 871 and 870 routers. They are installed in branches and connected via 2 DM-VPN channels each with head office.
I am trying to set up QoS, but it seems it does not work. Here is my config on the branch routers:
First of all I am marking my traffic:
ip access-list extended VoIPT
remark VoIP Traffic
permit udp host 192.168.0.253 any
permit udp any host 192.168.0.253
permit udp host 192.168.30.253 any
permit udp any host 192.168.30.253
deny ip any any
ip access-list extended HighPT
remark Traffic to regional center 1 Oracle servers (subnet 192.168.0.0) and reverse
permit tcp 192.168.0.0 0.0.63.255 192.168.0.0 0.0.0.255 eq 1521
permit tcp 192.168.0.0 0.0.0.255 eq 1521 192.168.0.0 0.0.63.255
remark Traffic to regional center 2 Oracle servers (subnet 192.168.30.0) and reverse
permit tcp 192.168.0.0 0.0.63.255 192.168.30.0 0.0.0.255 eq 1521
permit tcp 192.168.30.0 0.0.0.255 eq 1521 192.168.0.0 0.0.63.255
deny ip any any
ip access-list extended LowPT
remark SMB Traffic (direct and reverse)
permit tcp any any eq 445
permit tcp any eq 445 any
permit udp any any eq 445
permit udp any eq 445 any
remark Lotus Notes Traffic (direct and reverse)
permit tcp any any eq 1352
permit tcp any eq 1352 any
remark e-mail Traffic (direct and reverse)
permit tcp any any eq smtp
permit tcp any eq smtp any
permit tcp any any eq pop3
permit tcp any eq pop3 any
deny ip any any
class-map DSCP-VoIPT
match access-group name VoIPT
exit
class-map DSCP-HighPT
match access-group name HighPT
exit
class-map DSCP-LowPT
match access-group name LowPT
exit
policy-map MyDSCP
class DSCP-VoIPT
set DSCP ef
exit
class DSCP-HighPT
set DSCP af31
exit
class class-default
set DSCP cs1
exit
class DSCP-LowPT
set DSCP default
exit
interface fa0
service-policy input MyDSCP
Second step - QoS:
class-map QoS-VoIPT
match ip dscp ef
exit
class-map QoS-HighPT
match ip dscp af31
exit
class-map QoS-LowPT
match ip dscp default
exit
policy-map MyQoS
class QoS-VoIPT
priority percent 38
exit
class QoS-HighPT
bandwidth percent 25
exit
class class-default
fair-queue
exit
class QoS-LowPT
bandwidth percent 10
exit
policy-map ParentQoS4DMVPN
class class-default
shape average 1900000
service-policy MyQoS
exit
interface tunnel1
qos pre-classify
service-policy output ParentQoS4DMVPN
interface tunnel2
qos pre-classify
service-policy output ParentQoS4DMVPN
interface fa3
bandwidth 2000
interface fa4
bandwidth 2000
Nothing is working, even shaping is not working! I also tried to apply the policy to the physical interfaces - with the same result. Please show me my mistake.
P.S. IOS is 12.4(24)T2, adv. ip services.
02-28-2011 01:02 AM
People, please help.
Maybe I should open this discussion in another section of the forum, tell me.
P.S. I mentioned a mistake in bandwidth command, it is counted in kbps, not bps, corrected.
02-28-2011 01:13 AM
Hi,
Can you post output of sh policy-map interface x/x, sh policy-map, sh class-map and also sh access-list.
Regards.
Alain.
02-28-2011 05:37 AM
Dear cadetalain, thank you very much for your help.
Here is the required info (I made it during real traffic transfer! For the test conditions please see PS at the end):
branch#show policy-map int fa0
FastEthernet0
Service-policy input: MyDSCP
Class-map: DSCP-VoIPT (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name VoIPT
QoS Set
dscp ef
Packets marked 0
Class-map: DSCP-HighPT (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name HighPT
QoS Set
dscp af31
Packets marked 0
Class-map: DSCP-LowPT (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name LowPT
QoS Set
dscp default
Packets marked 0
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
QoS Set
dscp cs1
Packets marked 0
So packets are not marked!?
branch#show policy-map int tun2
Tunnel2
Service-policy output: ParentQoS4DMVPN
Class-map: class-default (match-any)
536562 packets, 418567849 bytes
5 minute offered rate 2658000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 731/131010
shape (average) cir 1900000, bc 7600, be 7600
target shape rate 1900000
Service-policy : MyQoS
queue stats for all priority classes:
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: QoS-VoIPT (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef (46)
Priority: 38% (722 kbps), burst bytes 18050, b/w exceed drops: 0
Class-map: QoS-HighPT (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp af31 (26)
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 25% (475 kbps)
Class-map: QoS-LowPT (match-all)
535823 packets, 418494629 bytes
5 minute offered rate 2660000 bps, drop rate 0 bps
Match: ip dscp default (0)
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 10% (190 kbps)
Class-map: class-default (match-any)
739 packets, 73220 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
(pkts output/bytes output) 731/131010
Fair-queue: per-flow queue limit 16
Very strange! I can see some traffic was guaranteed bandwidth as QoS-LowPT, although no marking was made. Besides something strange is with default class, I see packets count is not zero, but offered rate is zero!?
Branch#sh policy-map
Policy Map CP_Policy_CEF-Exc
Class class-default
police cir 1000000 bc 31250
conform-action transmit
exceed-action drop
Policy Map CP_Policy_Host
Class cp_icmp
police cir 50000 bc 1562
conform-action transmit
exceed-action drop
Class cp_isakmp
police cir 50000 bc 1562
conform-action transmit
exceed-action drop
Class cp_esp
police cir 5000000 bc 156250
conform-action transmit
exceed-action drop
Class cp_ssh
police cir 20000 bc 1500
conform-action transmit
exceed-action drop
Class class-default
police cir 10000 bc 1500
conform-action transmit
exceed-action drop
Policy Map ParentQoS4DMVPN
Class class-default
Average Rate Traffic Shaping
cir 1900000 (bps)
service-policy MyQoS
Policy Map MyDSCP
Class DSCP-VoIPT
set dscp ef
Class DSCP-HighPT
set dscp af31
Class DSCP-LowPT
set dscp default
Class class-default
set dscp cs1
Policy Map MyQoS
Class QoS-VoIPT
priority 38 (%)
Class QoS-HighPT
bandwidth 25 (%)
Class QoS-LowPT
bandwidth 10 (%)
Class class-default
fair-queue
Policy Map CP_Policy_Transit
Class class-default
police cir 10000000 bc 312500
conform-action transmit
exceed-action drop
Branch#sh class-map
Class Map match-all DSCP-HighPT (id 6)
Match access-group name HighPT
Class Map match-all QoS-LowPT (id 10)
Match ip dscp default (0)
Class Map match-all cp_ssh (id 1)
Match access-group name cp_ssh
Class Map match-any class-default (id 0)
Match any
Class Map match-all cp_esp (id 2)
Match access-group name cp_esp
Class Map match-all QoS-VoIPT (id 8)
Match ip dscp ef (46)
Class Map match-all cp_isakmp (id 3)
Match access-group name cp_isakmp
Class Map match-all cp_icmp (id 4)
Match access-group name cp_icmp
Class Map match-all DSCP-VoIPT (id 5)
Match access-group name VoIPT
Class Map match-all QoS-HighPT (id 9)
Match ip dscp af31 (26)
Class Map match-all DSCP-LowPT (id 7)
Match access-group name LowPT
Branch#sh access-list
Standard IP access list 42
10 permit 192.168.0.1
20 deny any
Extended IP access list HighPT
10 permit tcp 192.168.0.0 0.0.63.255 192.168.0.0 0.0.0.255 eq 1521
20 permit tcp 192.168.0.0 0.0.0.255 eq 1521 192.168.0.0 0.0.63.255
30 permit tcp 192.168.0.0 0.0.63.255 192.168.30.0 0.0.0.255 eq 1521
40 permit tcp 192.168.30.0 0.0.0.255 eq 1521 192.168.0.0 0.0.63.255
50 deny ip any any
Extended IP access list LowPT
10 permit tcp any any eq 445
20 permit tcp any eq 445 any
30 permit udp any any eq 445
40 permit udp any eq 445 any
50 permit tcp any any eq 1352
60 permit tcp any eq 1352 any
70 permit tcp any any eq smtp
80 permit tcp any eq smtp any
90 permit tcp any any eq pop3
100 permit tcp any eq pop3 any
110 deny ip any any
Extended IP access list VoIPT
10 permit udp host 192.168.0.253 any
20 permit udp any host 192.168.0.253
30 permit udp host 192.168.30.253 any
40 permit udp any host 192.168.30.253
50 deny ip any any
Extended IP access list cp_esp
10 permit esp any any
20 deny ip any any
Extended IP access list cp_icmp
10 permit icmp any any
20 deny ip any any (651 matches)
Extended IP access list cp_isakmp
10 permit udp any eq isakmp any eq isakmp (651 matches)
20 deny ip any any
Extended IP access list cp_ssh
10 permit tcp any any eq 22
20 deny ip any any
Extended IP access list fa4_in
10 permit tcp host 192.168.110.2 host 192.168.87.111 eq 22
20 permit udp host 192.168.110.2 eq isakmp host 192.168.87.111 eq isakmp
30 permit esp host 192.168.110.2 host 192.168.87.111
40 permit icmp host 192.168.110.2 host 192.168.87.111
50 deny ip any any
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit tcp any any eq 22 log
Extended IP access list vlan1_in
10 deny udp any any eq netbios-dgm
20 deny udp any any eq netbios-ns
30 deny udp any any eq netbios-ss
40 deny tcp any any eq 139
50 permit ip any any (734417 matches)
Extended IP access list vlan20_in
10 permit tcp host x.y.69.33 host x.y.69.217 eq 22
20 permit udp host x.y.69.33 eq isakmp host x.y.69.217 eq isakmp (664 matches)
30 permit esp host x.y.69.33 host x.y.69.217 (851454 matches)
40 permit icmp host x.y.69.33 host x.y.69.217
50 deny ip any any
Interface FA0 - vlan 1 is LAN interface, FA3 - vlan 20 and FA4 - are WAN interfaces. For my tests FA3 is used.
I have 2 tunnels, 1 tunnel is used for tests.
BTW, why my access list cp_esp is not showing any packets?! My traffic is going via tunnel, everything except ICMP, ISAKMP, ESP and SSH are denied, but I have real traffic passing via routers, how is it possible? Is this an IOS glitch?
P.S. For my experiments I am using:
1. Hardware:
- one Cisco 1811 – with head office config
- one Cisco 871 just for routing (as ISP emulator)
- one Cisco 871 – with one of the branches config
- two PCs connected one to the branch router, another – to head office router.
There is GRE over IPSec AES 256 bit encrypted DM-VPN between the Head office and branches. The test routers are connected via VPN.
2. Software:
jPerf + file copying to check if policy works. In jPerf I can change protocol and port hence changing the traffic class.
Now, first of all I can see throughput ~6mbps full duplex, although I have control plane host policy with 5mbps restriction for ESP and shaping set on the Tunnel interface (I also tried to apply it on the physical interface instead, with the same result). So even shaping doesn’t work!? (Shouldn’t it restrict the bandwidth even if there is free bandwidth?)
02-28-2011 07:05 AM
- Very strange! I can see some traffic was guaranteed bandwidth as QoS-LowPT, although no marking was made.
Well, later I understood that traffic is just matching the class and this is because the most part of traffic is initially having dscp default, which is the one I used for LowPT class. So this is clear.
So the main questions are:
- Why marking on LAN interface is not working?
- Why shaping on Tunnel (and also on physical) interface is not working?
- And why encrypted traffic is not matched by control plane policing class which matches ESP packets?
02-28-2011 07:52 AM
Are you marking the traffic on the LAN side?
02-28-2011 08:59 AM
Yes. I apply the marking policy to FE0, which is physical interface connected to LAN. Here is its settings:
interface FastEthernet0
description To_LAN
service-policy input MyDSCP
end
02-28-2011 11:39 AM
Hi,
Can you post the full running please because it's weird you get no hits on class-map for fa0.
Regards.
Alain.
03-01-2011 12:26 AM
cadetalain wrote:
Hi,
Can you post the full running please because it's weird you get no hits on class-map for fa0.
Regards.
Alain.
Sure. Here it is:
Branch#show run
Building configuration...
Current configuration : 9199 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Branch
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-24.T2.bin
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 12
logging message-counter syslog
logging buffered 131072 notifications
no logging console
no logging monitor
enable secret 5 $1$1a4K$gjj4DvMKXrhltQStNVS.H.
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone AMT 4
clock summer-time AMST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
dot11 syslog
no ip source-route
ip arp proxy disable
no ip gratuitous-arps
!
!
ip dhcp database flash:dhcp
no ip dhcp use vrf connected
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.11.2 192.168.11.10
ip dhcp excluded-address 192.168.11.240 192.168.11.254
!
ip dhcp pool Shushi_pool
network 192.168.11.0 255.255.255.0
default-router 192.168.11.1
lease 90
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name ANet
login block-for 60 attempts 3 within 15
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username xxx secret 5 $1$kqnm$5f4OutOM529GELfZdVNkx/
username yyy secret 5 $1$Ieyz$m9mhGmTQKpIL9z57FTlp0.
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key 6 zzz address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec security-association replay window-size 512
!
crypto ipsec transform-set dmvpnset esp-aes 256 esp-sha-hmac
!
crypto ipsec profile dmvpnprof
set transform-set dmvpnset
!
!
archive
log config
logging enable
logging size 900
notify syslog contenttype plaintext
hidekeys
path flash:Backed-up-Config
maximum 5
time-period 1440
!
!
!
class-map match-all DSCP-HighPT
match access-group name HighPT
class-map match-all QoS-LowPT
match ip dscp default
class-map match-all cp_ssh
match access-group name cp_ssh
class-map match-all cp_esp
match access-group name cp_esp
class-map match-all QoS-VoIPT
match ip dscp ef
class-map match-all cp_isakmp
match access-group name cp_isakmp
class-map match-all cp_icmp
match access-group name cp_icmp
class-map match-all DSCP-VoIPT
match access-group name VoIPT
class-map match-all QoS-HighPT
match ip dscp af31
class-map match-all DSCP-LowPT
match access-group name LowPT
!
!
policy-map CP_Policy_CEF-Exc
class class-default
police 1000000 conform-action transmit exceed-action drop
policy-map CP_Policy_Host
class cp_icmp
police 50000 conform-action transmit exceed-action drop
class cp_isakmp
police 50000 conform-action transmit exceed-action drop
class cp_esp
police 5000000 conform-action transmit exceed-action drop
class cp_ssh
police 20000 conform-action transmit exceed-action drop
class class-default
police 10000 conform-action transmit exceed-action drop
policy-map MyQoS
class QoS-VoIPT
priority percent 38
class QoS-HighPT
bandwidth percent 25
class QoS-LowPT
bandwidth percent 10
class class-default
fair-queue
policy-map ParentQoS4DMVPN
class class-default
shape average 1900000
service-policy MyQoS
policy-map MyDSCP
class DSCP-VoIPT
set dscp ef
class DSCP-HighPT
set dscp af31
class DSCP-LowPT
set dscp default
class class-default
set dscp cs1
policy-map CP_Policy_Transit
class class-default
police 10000000 conform-action transmit exceed-action drop
!
pseudowire-class TO_CORE
encapsulation l2tpv3
interworking ethernet
ip local interface Loopback0
!
!
!
!
interface Loopback0
ip address 192.168.98.11 255.255.255.255
!
interface Tunnel1
description DMVPN_FA4_To_Core_ISP1
ip address 192.168.97.6 255.255.255.0
ip mtu 1400
ip nhrp authentication dmvpn
ip nhrp map 192.168.97.1 192.168.110.2
ip nhrp network-id 1
ip nhrp nhs 192.168.97.1
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf cost 20
ip ospf hello-interval 3
ip ospf dead-interval 9
qos pre-classify
tunnel source FastEthernet4
tunnel destination 192.168.110.2
tunnel path-mtu-discovery
tunnel protection ipsec profile dmvpnprof
service-policy output ParentQoS4DMVPN
!
interface Tunnel2
description DMVPN_VLAN20_To_Core_ISP2
ip address 192.168.96.6 255.255.255.0
ip mtu 1400
ip nhrp authentication dmvpn
ip nhrp map 192.168.96.1 x.y.69.33
ip nhrp network-id 2
ip nhrp nhs 192.168.96.1
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf cost 10
ip ospf hello-interval 3
ip ospf dead-interval 9
qos pre-classify
tunnel source Vlan20
tunnel destination x.y.69.33
tunnel path-mtu-discovery
tunnel protection ipsec profile dmvpnprof
service-policy output ParentQoS4DMVPN
!
interface FastEthernet0
description To_LAN
service-policy input MyDSCP
!
interface FastEthernet1
description L2TP
switchport access vlan 55
!
interface FastEthernet2
!
interface FastEthernet3
description To_Core_ISP2
switchport access vlan 20
bandwidth 2000
!
interface FastEthernet4
description To_Core_ISP1
bandwidth 256
ip address 192.168.87.111 255.255.255.0
ip access-group fa4_in in
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
!
interface Vlan1
description To_LAN
ip address 192.168.11.1 255.255.255.0
ip access-group vlan1_in in
!
interface Vlan20
description To_Core_ISP2
ip address x.y.69.217 255.255.255.192
ip access-group vlan20_in in
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan55
description L2TP
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
xconnect 192.168.98.100 21 pw-class TO_CORE
!
router ospf 1
router-id 192.168.98.11
log-adjacency-changes
passive-interface default
no passive-interface Tunnel1
no passive-interface Tunnel2
network 192.168.11.0 0.0.0.255 area 0
network 192.168.96.0 0.0.0.255 area 0
network 192.168.97.0 0.0.0.255 area 0
network 192.168.98.11 0.0.0.0 area 0
!
ip forward-protocol nd
ip route 192.168.110.2 255.255.255.255 192.168.87.1
ip route x.y.69.33 255.255.255.255 x.y.69.225
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
!
ip access-list extended HighPT
remark Traffic to regional center 1 Oracle servers (subnet 192.168.0.0) and reverse
permit tcp 192.168.0.0 0.0.63.255 192.168.0.0 0.0.0.255 eq 1521
permit tcp 192.168.0.0 0.0.0.255 eq 1521 192.168.0.0 0.0.63.255
remark Traffic to regional center 2 Oracle servers (subnet 192.168.30.0) and reverse
permit tcp 192.168.0.0 0.0.63.255 192.168.30.0 0.0.0.255 eq 1521
permit tcp 192.168.30.0 0.0.0.255 eq 1521 192.168.0.0 0.0.63.255
deny ip any any
ip access-list extended LowPT
remark SMB Traffic (direct and reverse)
permit tcp any any eq 445
permit tcp any eq 445 any
permit udp any any eq 445
permit udp any eq 445 any
remark Lotus Notes Traffic (direct and reverse)
permit tcp any any eq 1352
permit tcp any eq 1352 any
remark e-mail Traffic (direct and reverse)
permit tcp any any eq smtp
permit tcp any eq smtp any
permit tcp any any eq pop3
permit tcp any eq pop3 any
deny ip any any
ip access-list extended VoIPT
remark VoIP Traffic
permit udp host 192.168.0.253 any
permit udp any host 192.168.0.253
permit udp host 192.168.30.253 any
permit udp any host 192.168.30.253
deny ip any any
ip access-list extended cp_esp
permit esp any any
deny ip any any
ip access-list extended cp_icmp
permit icmp any any
deny ip any any
ip access-list extended cp_isakmp
permit udp any eq isakmp any eq isakmp
deny ip any any
ip access-list extended cp_ssh
permit tcp any any eq 22
deny ip any any
ip access-list extended fa4_in
permit tcp host 192.168.110.2 host 192.168.87.111 eq 22
permit udp host 192.168.110.2 eq isakmp host 192.168.87.111 eq isakmp
permit esp host 192.168.110.2 host 192.168.87.111
permit icmp host 192.168.110.2 host 192.168.87.111
deny ip any any
ip access-list extended vlan1_in
deny udp any any eq netbios-dgm
deny udp any any eq netbios-ns
deny udp any any eq netbios-ss
deny tcp any any eq 139
permit ip any any
ip access-list extended vlan20_in
permit tcp host x.y.69.33 host x.y.69.217 eq 22
permit udp host x.y.69.33 eq isakmp host x.y.69.217 eq isakmp
permit esp host x.y.69.33 host x.y.69.217
permit icmp host x.y.69.33 host x.y.69.217
deny ip any any
!
logging trap notifications
logging facility local2
logging source-interface Loopback0
access-list 42 permit 192.168.0.1
access-list 42 deny any
no cdp run
!
!
!
!
control-plane host
service-policy input CP_Policy_Host
!
control-plane transit
service-policy input CP_Policy_Transit
!
control-plane cef-exception
service-policy input CP_Policy_CEF-Exc
!
!
control-plane
!
!
line con 0
exec-timeout 5 0
no modem enable
transport output ssh
line aux 0
exec-timeout 5 0
transport preferred none
transport output none
line vty 0 4
exec-timeout 5 0
privilege level 15
transport input ssh
transport output none
!
scheduler max-task-time 5000
ntp source Vlan1
ntp access-group peer 42
ntp server 192.168.0.1
end
03-02-2011 05:13 AM
Alain, you are my last hope, please help.
Alen
03-02-2011 05:38 AM
Hi Alen,
If I've got time this week-end I'll lab your topology in Dynamips to try to troubleshoot your problem because just looking at your config I don't see obvious reasons why it is failing but maybe I should print it and take a better look at it.
If I have an idea I'll let you know don't worry.
Regards.
Alain.
03-02-2011 05:45 AM
Alain, thank you very much for your time!
I'll wait.
Best regards,
Alen
P.S. I would like to draw your attention to the fact that not only marking is not working, but also shaping. Copying files from one side to another and jPerf one-side tests show up to 12mbps, full duplex - 6-7mbps!?
03-02-2011 06:14 AM
Hi,
Can you post a diagram with the interfaces jotted down as well as the subnets.
You have no match for myDSCP on f0/0 input so it's normal traffic is not marked.
Are you sure traffic is coming in this interface? Just put an ACL like this to verify:
ip access-list extended COUNT
 permit ip any any
int f0/0
 ip access-group COUNT in
Then let your traffic flow and do a show access-list.
Regards.
Alain.
03-02-2011 08:05 AM
Yes! I found it!
After your question I understood I should not apply the marking policy to the physical interface, but to vlan subinterface. (Physical FA0 is L2 interface on the switch)
I changed it and now I can see traffic is being marked!!! And the parent policy on the tunnel interface is also showing something. It was obvious but I missed it (I missed it, because initially I thought I should apply any (including the marking) policy to logical interface inside an additional parent shape policy too, and failed while applying shaping on vlan1 for input traffic. (Now I even know, that shaping cannot be applied onto incoming traffic). After that I started to apply the policy onto physical interface).
So it finally started to work, but I still can see shaping is not working as it should. The branch router is transferring traffic at its full speed. Besides I mentioned some strange things with the QoS, but I'll be able to report tomorrow after intensive tests.
Thank you for your help Alain!
I hope you will try to help with the shaping issue and any further questions with QoS functioning.
03-03-2011 03:30 AM
Well, I made some testing and here is the result (I emulate voice traffic using jPerf, plus simultaneously copy file. Both were in direction from the branch to Head office):
Branch#show policy-map int tunnel2
Tunnel2
Service-policy output: ParentQoS4DMVPN
Class-map: class-default (match-any)
680338 packets, 1004663810 bytes
5 minute offered rate 7709000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 1629/313662
shape (average) cir 1900000, bc 7600, be 7600
target shape rate 1900000
Service-policy : MyQoS
queue stats for all priority classes:
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: QoS-VoIPT (match-all)
455834 packets, 693779348 bytes
5 minute offered rate 5712000 bps, drop rate 0 bps
Match: ip dscp ef (46)
Priority: 38% (722 kbps), burst bytes 18050, b/w exceed drops: 0
Class-map: QoS-HighPT (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp af31 (26)
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 25% (475 kbps)
Class-map: QoS-LowPT (match-all)
222837 packets, 310709709 bytes
5 minute offered rate 1961000 bps, drop rate 0 bps
Match: ip dscp default (0)
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 10% (190 kbps)
Class-map: class-default (match-any)
1667 packets, 174753 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
(pkts output/bytes output) 1629/313662
Fair-queue: per-flow queue limit 16
So:
1. QoS is likely working, but the strange thing is we got total 7709000 bps, 5712000 bps for VoIPT and 1961000 bps for LowPT, which means 2.91:1 ratio, not 3.8:1 as it should be (the show command was done after 7 minutes of not ended testing, so 5 minutes statistics is correct).
Why I have this ratio, not the right one?
2. Shaping is not working! It shows "target shape rate 1900000", but the same time "5 minute offered rate 7709000 bps, drop rate 0 bps". Why? And what to change to make shaping to work?
3. Should I set bandwidth to the class-default? I read in some documents, that only 75% of available bandwidth is distributed between user-defined classes and the remaining 25% is used for L2 overhead and other things plus class-default, but in newer documents I see this:
Class-Default and Bandwidth
The bandwidth assigned to the class-default class is the unused interface bandwidth not consumed by user-defined classes. By default, the class-default class receives a minimum of 1% of the interface bandwidth.
I can't understand, how much will get default class in case of congestion with user-defined classes? 1% or 25%?
3'. Let's take 2 situations:
- I have user-defined classes configured with "bandwidth percent" commands and in total with more than 75% of bandwidth. Class-default is not manually assigned bandwidth. How much of the totally available bandwidth will get user-defined classes and class-default in case of congestion? I expect (in fact just want) that each class would receive exactly assigned bandwidth and class-default - the rest (but not less than 1%).
- The same conditions but in total user-defined classes are configured with less than 75% of bandwidth. I expect that class-default would receive 25%, and all "congested" classes including class-default would receive additional bandwidth according to their weights.
Please tell me what we have in reality?
Thank you very much!
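The counters in the `show policy-map interface` outputs posted in this thread can be checked mechanically. The following is an added example, not code from any poster: it parses excerpts of the two outputs and reports an attach point where even class-default matched nothing (the FastEthernet0 case) and classes whose classified-packet count far exceeds their queue's "pkts output" (the Tunnel2 case). The function names and the 10% threshold are assumptions made for illustration.

```python
import re

# Excerpts copied from the outputs quoted in the thread (trimmed; indentation
# was already lost on the page).
FA0 = """Service-policy input: MyDSCP
Class-map: DSCP-VoIPT (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
"""
TUN2 = """Service-policy output: ParentQoS4DMVPN
Class-map: class-default (match-any)
680338 packets, 1004663810 bytes
5 minute offered rate 7709000 bps, drop rate 0 bps
(pkts output/bytes output) 1629/313662
shape (average) cir 1900000, bc 7600, be 7600
Service-policy : MyQoS
queue stats for all priority classes:
(pkts output/bytes output) 0/0
Class-map: QoS-VoIPT (match-all)
455834 packets, 693779348 bytes
5 minute offered rate 5712000 bps, drop rate 0 bps
Class-map: QoS-LowPT (match-all)
222837 packets, 310709709 bytes
5 minute offered rate 1961000 bps, drop rate 0 bps
(pkts output/bytes output) 0/0
Class-map: class-default (match-any)
1667 packets, 174753 bytes
5 minute offered rate 0 bps, drop rate 0 bps
(pkts output/bytes output) 1629/313662
"""


def parse(text):
    """Return one dict per 'Class-map:' record, in output order."""
    classes, cur, policy = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Service-policy\s*(?:input|output)?\s*:\s*(\S+)", line):
            policy = m.group(1)          # parent or nested child policy name
        elif m := re.match(r"Class-map: (\S+)", line):
            cur = {"policy": policy, "name": m.group(1)}
            classes.append(cur)
        elif line.startswith("queue stats"):
            cur = None                   # aggregate priority stats belong to no class
        elif cur is None:
            continue
        elif m := re.match(r"(\d+) packets, (\d+) bytes", line):
            cur["packets"] = int(m.group(1))
        elif m := re.match(r"5 minute offered rate (\d+) bps, drop rate (\d+) bps", line):
            cur["offered"], cur["drop"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"\(pkts output/bytes output\) (\d+)/\d+", line):
            cur["queued"] = int(m.group(1))
        elif m := re.match(r"shape \(average\) cir (\d+)", line):
            cur["shape"] = int(m.group(1))
    return classes


def findings(classes):
    """Flag counter patterns worth a second look (threshold is an assumption)."""
    out = []
    if classes and all(c.get("packets", 0) == 0 for c in classes):
        # Even class-default (match any) saw nothing at this attach point.
        out.append(f"{classes[0]['policy']}: no packets at attach point")
    for c in classes:
        pk, q = c.get("packets", 0), c.get("queued")
        tag = f"{c['policy']}/{c['name']}"
        if "shape" in c and c.get("offered", 0) > c["shape"] and c.get("drop", 0) == 0:
            out.append(f"{tag}: offered {c['offered']} bps > shape {c['shape']} bps, 0 drops")
        if q is not None and pk > 0 and q < pk // 10:
            out.append(f"{tag}: {q} of {pk} classified packets queued")
    return out


if __name__ == "__main__":
    for sample in (FA0, TUN2):
        for line in findings(parse(sample)):
            print(line)
```
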