I will have to snoop little more, but I do think your QoS is working... Please have in mind that QoS policy will kick in and start dropping traffic when you have link congestion, so if you have enough bandwidth, your may get much different ratio... I do not see any packet droped, so it may be that your policy is not configured properly, thinking that it has more bandwidth available...

Can you send configuration part with interface applied?

Best regards,

Mile

mile.ljepojevic wrote:
I will have to snoop little more, but I do think your QoS is working... Please have in mind that QoS policy will kick in and start dropping traffic when you have link congestion, so if you have enough bandwidth, your may get much different ratio... I do not see any packet droped, so it may be that your policy is not configured properly, thinking that it has more bandwidth available...

Can you send configuration part with interface applied?
Best regards,
Mile

Dear Mile, first of all, thank you for your help.

Regarding the case, the full config is posted in the post N8, please look there.

About QoS, I think it is working, but AFAIK the traffics ratio should be the same as their weights ratio. About QoS working only in case of congestion, I know it (I read a lot about QoS ), but I had congestion. I was copying a big file and generating UDP traffic with jPerf with 6mbps speed. File copying can eat all the bandwidth it could, so congestion was in place.

Anyway, let's suppose QoS is working properly, help me to find out why shaping is not. This is the main question. (The reason I want to make shaping is the routers CPU is being utlized for 100% when having 6-7mbps full duplex traffic. I will be happy with 4-4.5mbps. P.S. I will also create CB policing for incoming traffic, but later.)

Hi Alen,

The reason I want to make shaping is the routers CPU is being utlized for 100%

you are not using CEF? You have congestion surely then but shaping is not meant to alleviate congestion, you'd be better using congestion avoidance technique like cb-wred.Anyway if you want to restrict traffic bandwidth all times then you can use policing inbound on physical interface.

Remember shaping/policing work when there is no congestion.

Regards.

Alain.

Hi, Alain

cadetalain wrote:
you are not using CEF? 

I am using CEF (many things are just impossible without CEF), you can see it in my full config, there is global command "ip cef" there.

cadetalain wrote:

You have congestion surely then but shaping is not meant to alleviate congestion, you'd be better using congestion avoidance technique like cb-wred.

I know that, the reason I want to use shaping\policing is for some branches providers can not provide connection with bandwidth less than 10mbps, but our Cisco 870 cann't encrypt traffic at so high rates. This model can handle only 6-7mbps full duplex traffic with AES 256bit encryption, and on this rates it consumpts 100% of CPU.

I want to limit traffic bandwidth to\from the routers to prevent 100% CPU utilization. We are happy with 4-5mbps, so I wanted to shape outgoing traffic and police incoming.

cadetalain wrote:
Anyway if you want to restrict traffic bandwidth all times then you can use policing inbound on physical interface.

Why inbound only?

cadetalain wrote:
Remember shaping/policing work when there is no congestion.

Wow! I did not know that. But are you sure?

I already created policing config for my routers, just still did not try it. Here it is:

!I am using 2 classes for policing – authenticated traffic and left traffic as class-default

class-map match-any Police_Auth

match access-group name cp_esp

match access-group name cp_isakmp

exit

!Polcicies for spokes and HQ - 4.5mbps

policy-map BWLimiter

class Police_Auth

police 4500000 850000 1700000 conform-action transmit exceed-action drop

class class-default

police 200000 37500 75000 conform-action transmit exceed-action drop

exit

!Apply policies onto all external interfaces on the spokes and hubs

service-policy input BWLimiter

service-policy output BWLimiter

Alain, are you saying even those policies will not restrict the incoming and outgoing traffic in case of congestion?!

Hi Alen,

 are you saying even those policies will not restrict the incoming and outgoing traffic in case of congestion?!

What I'm saying is that policing and shaping are not congestion management or congestion avaoidance techniques.These are used for other

purposes like not oversubscribing a link or guarantee a CIR from a client.

I think that your cbwfq guaranteeing traffic for certain classes is a child policy applied to traffic being shaped but traffic will be shaped wheter there is congestion or not ( the same goes for policing). It seems your CPU problem comes from the fact you are doing VPN in software and not on a dedicated hardware and so the amaount of traffic your router must encrypt/decrypt is the cause of the cpu hog even if there is no congestion.

That's my opinion and I may be wrong but for me congestion is when you have much more input than what you can output- does the line not support 7-8

Megs of traffic? if the answer is yes then you have a congestion problem to solve otherwise I think you have a hardware hog problem and will shaping/policing solve the problem, I don't think so because instaed of placing traffic in tx queue directly then when shaping it will put into a buffer wainting to be output that tx queue anyway so your CPU will still have to do some crypto on it anyway don't you think.

Regards.

Alain.

cadetalain wrote:
What I'm saying is that policing and shaping are not congestion management or congestion avaoidance techniques.These are used for other
purposes like not oversubscribing a link or guarantee a CIR from a client.

Sure, I have never mentioned I want to use it as a QoS solution. Did you read my previous post carefully?

I think that your cbwfq guaranteeing traffic for certain classes is a child policy applied to traffic being shaped but traffic will be shaped wheter there is congestion or not ( the same goes for policing).

But in fact it is not shaped, that is my last problem.

As you can see from my tests result, shaping was not working. I suspect now it is because of applying shaping on the Tunnel interface, but I am not sure. I'll try to also apply shaping on the external interfaces.

It seems your CPU problem comes from the fact you are doing VPN in software and not on a dedicated hardware and so the amaount of traffic your router must encrypt/decrypt is the cause of the cpu hog even if there is no congestion.

Alain, that was what I told you in my post. That is a fact, 870 series is SOHO and it has quite poor (for current needs) CPU.

And that is why I want to limit in\out traffic - I want to prevent the router from utilizing CPU for 100% because of encryption of high volume traffic.

cadetalain wrote:

That's my opinion and I may be wrong but for me congestion is when you have much more input than what you can output- does the line not support 7-8 Megs of traffic?
if the answer is yes then you have a congestion problem to solve otherwise I think you have a hardware hog problem and will shaping/policing solve the problem, I don't think so because instaed of placing traffic in tx queue directly then when shaping it will put into a buffer wainting to be output that tx queue anyway so your CPU will still have to do some crypto on it anyway don't you think.

I am just testing on my table with reserve routers, so the link is 100 mbps FD.

Answering on your question, no I don't think so. May be in my policing config I choose buffers sizes too big, that is another question. But I believe I can prevent CPU from overload by restricting traffic it should encrypt\decrypt. That is obviuos, IMHO.

I am going to test and report.

Thank you very much for your participation.

Hi alen,

according to this doc you can shape on the tunnel interface: http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a008017405e.shtml

May be in my policing config I choose buffers sizes too big,

Did you mean shaping? 

Sure, I have never mentioned I want to use it as a QoS solution. Did you read my previous post carefully?

Did I say that,  I just answered to the fact that shaping will work even when there is no congestion and you were linking the CBWFQ with the CB shaping.

I suspect now it is because of applying shaping on the Tunnel interface, but I am not sure

According to above Cisco link we now know that if you've got the right IOS you can apply to the tunnel.

I want to prevent the router from utilizing CPU for 100% because of encryption of high volume traffic.

I still believe that shaping won't do the trick but policing inbound traffic on LAN interface for traffic going through the tunnel will in my opinion achieve such a goal.But again this is only an opinion and I haven't got real hardware here at disposal to lab it.

Regards.

Alain.

Hi Alain

cadetalain wrote:
Hi alen,
according to this doc you can shape on the tunnel interface: http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a008017405e.shtml

I read that document, that was one of the most useful docs for me. That one and "Per tunnel QoS for DMVPN", which is newer and describes how to apply QoS policy to the DMVPN tunnel interface on the hubs.

I know shaping is supposed to work, but it does not. Please help me to find the reason.

cadetalain wrote:
May be in my policing config I choose buffers sizes too big,
Did you mean shaping?  

No. With shaping I did not mention Bc and Be, defaults are used. But I specify them for my policing policy, which I posted later (I thought you were talking about it).

cadetalain wrote:
I want to prevent the router from utilizing CPU for 100% because of encryption of high volume traffic.
I still believe that shaping won't do the trick but policing inbound traffic on LAN interface for traffic going through the tunnel will in my opinion achieve such a goal.But again this is only an opinion and I haven't got real hardware here at disposal to lab it.

And I believe, that you know more than me , but still cann't understand why incoming and outgoing traffic restriction on external interfaces can not help with the problem?

Anyway, yesterday I tried to apply my policing policy to external interfaces. I got an error while trying to apply them to the respective VLAN subinterface and I got non-working policy after successfully applying it onto physical interface (which is L2). Now, I'll try to google to find out why I cann't apply the policing policy to VLAN subinterface and what to do.

Anyway, the last objective of this thread is to provide traffic restriction on both directions. I want to set 4.5mbps limits. Hopping on your further help.

P.S. Why is that damn shaping on the tunnel interface not working?! Just have no idea...

People, I remember that congestion can not occur on the tunnel interface.

Does this have anything to do with the fact shaping is not really working on the tunnel interface? May be it should not and is just used as formal parent policy for HQF?

If yes, then may be I should create the same shaping policy and apply it on the external physical interface (or vlan subinterface, if physical is L2)?!

After many experiments I found out that polcing and shaping is not supported on vlan subinterfaces created on L2 switch interface (and could be applied but in fact is not working with L2 physical interface itself).

And that is also the reason why despite the fact my HQF QoS policy was showing packets matching in classes it was not working!

Does anyone know how to walk around this limitation?

And does such a limitation exist on higher models L2 switches modules?

Forgot to mention one more issue.

I found out that if you have 2 or more GRE tunnel interfaces having the same source physical interface and whant to apply QoS policy to both tunnel interfaces - you fail! It is not possible.

P.S. Not sure if this is important, but one of my tunnel interfaces was multipoint DMVPN tunnel interface, another one regular point-to-point tunnel interface. I doubt this makes any sense.

People!

Only one question left, please answer does any walk around exist for applying shaping and policing to VLAN subinterface created on the L2 physical interface?

People!
Only one question left, please answer does any walk around exist for applying shaping and policing to VLAN subinterface created on the L2 physical interface?

I conclude that no walk around for this issue exist. You should have fully functional L3 interface (that is integrated WAN ports or WAN modules like HWIC-2FE) to configure and get working QoS policies!

This case can be counted to be closed.

Thanks to cadetalain for his help.

P.S. As I found the reasons of non-functioning QoS myself, I did not mark any reply as "correct answer"...