QoS Shaping and Policing (Part 5)

Both shaping and policing set a speed limit to traffic ingressing or egressing an interface.

Shaping delays traffic by holding it in a queue and de-queing packets at the dictated rate. Shaping can only be used for traffic egressing an interface.

Policing drops any traffic that exceeds the CIR. Policing can be used for traffic both ingressing or egressing an interface, but is typically used for ingress traffic.

Shaping

Terminology

First we need to look at the terminology used to describe shaping.

Tc (time interval)

Time interval in msec, over which the Bc (committed burst) is sent.

Bc (Committed Burst)

Bc = committed burst size in bits. This is the amount of traffic to send in the interval (Tc). The reason it is considered a “burst” is because the bits flow at the line rate out the interface, “bursting” above the CIR. However it is a committed burst because it will still conform to the CIR.

CIR (Committed Information Rate)

The CIR defines the “slower” rate the administrator whishes to send traffic at, out the interface.

Be (Excess Burst)

Be = Excess burst in bits. The number of bits beyond Bc that can be sent after some period of inactivity, allowing you to burst over the normal Bc.

Tc, Bc, and CIR are all related. The CIR divided into each Tc defines the amount of data that can be sent (Bc). If you have a serial interface with a clock rate of 512Kb/s but a CIR of 256Kb/s, at a 1/8 time interval you can send 1/8 of 256Kb/s which is 32Kb. If you send 32Kb eight times at an 1/8 second interval, you’ve sent 256Kb in one second.

Tc = Bc/CIR

Token Bucket System

Instead of basing the sending interval on a timer, IOS uses a token bucket system. The Bc for each interval is placed in a “token bucket” with one token per bit. As the router sends traffic, it removes a token per bit that is sent. When the bucket is empty, the router cannot send traffic any longer and queues and delays the traffic. The token bucket is refilled at each Tc (time interval) with new tokens to fill the bucket to the Bc again.

Burst excess is used when there is a period of inactivity. In this case, you can briely send over the Bc in the first time interval without exceeding the overall CIR. The amount you can burst over the Bc is the Be.

When using Be, the token bucket now has a capacity of Bc + Be. Bc is added at every time interval, and Be is added whenever there is a period of inactivity.

An example will help you understand how this works.

Example (Shaping at 100Mb/s on a 1Gb/s interface)

Let’s say you are a customer for an EPL which has a contracted rate of 100Mb/s with the provider. The provider will police traffic inbound to their device at 100Mb/s. In order to prevent packet loss, you wish to shape traffic out this gigabit interface at 100Mb/s.

To do this, the router must send at line rate (1Gb/s) but only for a tenth of the time. In a given second, if the router sends at 1Gb/s for .1 seconds, and does not send anything for .9 seconds, you have achieved 100Mb sent in one second.

To keep the math easy, let’s say the Tc (time interval) is .1 second. Every .1 second, the router will fill the Bc bucket with 10Mbs of tokens. The router can now send 10Mb of traffic which will take .01 seconds at 1Gbps. The router now waits .09 seconds until the token bucket is filled again with 10Mb worth of tokens. The process repeats.

In the diagram above, at every .1 second interval, 10Mbit of coins are placed in the bucket. As soon as the coins are available, 10Mbits of traffic are sent at line rate (1Gbps) for .01 seconds. This “spends” coins in the bucket. The router then waits .09 seconds until more coins are added to the bucket.

Adding Excess Burst (Be)

Without excess burst, if there is no traffic for a period of time, the excess coins are just wasted.

At .2 seconds, there was no more data to send, and coins were added to the bucket. The bucket is now full. At .3seconds, more coins are added, but the bucket is already full, so the excess coins are wasted. At .3 seconds, the router can only send 10Mbit of traffic. This is because the bucket is only the size of Bc, so no excess burst is allowed.

If we make the bucket twice as big, we can “bank” the excess and send twice as much traffic in the next interval:

Each interval still fills Bc, but now we can exceed Bc and fill the bucket up to Be if we don’t spend all our coins. At time interval .3 secconds, the router now sends 20Mbit of traffic instead of just 10Mbit.

Shaping Configuration

The operation of shaping is fairly complex, but the configuration is quite simple.

The most basic configuration is below:

policy-map shaper
 class class-default
  shape average 10m
!
int Gi1
 service-policy output shaper

Besides using a rate in bits per second, you can also use a percentage of the link bandwidth:

policy-map shaper
 class class-default
  shape average percent 50

By default, IOS will calculate the Bc and Be value. On the CSR1000v the Bc and Be appear to be based on a 4msec interval. The Be equals the Bc, effectively creating a bucket that is two times Bc.

R1(config-if)#do sho policy-map int gi1
 GigabitEthernet1 

  Service-policy output: shaper

    Class-map: class-default (match-any)  
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any 
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      shape (average) cir 10000000, bc 40000, be 40000
      target shape rate 10000000

!  Bc   /   CIR    = Tc
! 40000 / 10000000 = .004 sec = 4 msec

If for some reason you want to adjust the Tc yourself, you have to do this by specifying the Bc and Be values. Remeber, Tc = Bc/CIR, so adjusting Bc adjusts the Tc value. You normally shouldn’t need to do this. Cisco recommends that you let the router calculate this automatically. But if you want to, the configuration is below. Setting the Bc lower decreases the time interval, while a large Bc increases the time interval and increases delay for packets waiting in the queue.

policy-map shaper
 class class-default
  shape average <bps> <Bc-in-bits> [Be-in-bits]
  • If you don’t specify Be, it is automatically equal to Bc.

Using queuing with shaping

The simple examples above only use the class-default. All traffic egressing the interface is shaped at the rate. But what if you want to create multiple queues and give preferential treatment to voice traffic, all while shaping overall traffic to the CIR?

To do this, you nest policy-map maps inside each other. One policy-map defines the queuing, and one defines the shaping and applies the queuing policy-map.

policy-map queuing
 class voip
  priority 10000
 class class-default
  fair-queue
!
policy-map shaping
 class class-default
  shape average 100m
  service-policy queuing

When the shaping policy-map is applied outbound on an interface, two queues are created: the voip LLQ queue, and the class-default which uses WFQ. The queuing controls removing packets from the two queues, and placing them into the overall queue for the shaping policy-map, which is shaped at 100m. By creating two queues, you allow voice traffic to “cut infront” of class-default traffic. It is a bit like the fast-pass lane in Disneyland. The fast-pass and general admission lanes are separate at the beginning when you get in line, but the lanes eventually funnel into one single lane once you get closer to getting on the ride.

This ability to nest policy-maps within eachother is called hierarchical QoS, or HQF (hierarchical QoS framework). This simply allows you to manage QoS at multiple levels. In this example we managed QoS for the interface itself (the 100m shaper), plus the QoS for each class (voip and class-default) within that shaper.

Policing

The simplest policer has only two categories for traffic: conforming and exceeding. Either the traffic conforms to the CIR, or it exceeds the CIR. If it exceeds, the policer can drop or just re-mark the traffic. This is called a two color policer. It uses a single token bucket.

A policer can also allow for burst. In this case there are three categories: conforming, exceeding, and violating. In the exceeding state, the packet is using up the burst. In the violate state, the packet is outside the CIR plus burst rate. This is called a three-color policer, and it uses two token buckets.

Single-rate, two-color

A policer uses a similar token bucket concept as seen with shaping. When a packet arrives at the policer, if there are available tokens in the bucket, the policer “spends” the tokens (removes them from the bucket) and the packet is conforming. If there aren’t enough tokens in the bucket, the packet is exceeding and tokens are not removed. (There is no negative balance concept in the bucket).

The way tokens are replenished in the bucket is slightly different from shaping. In policing, everytime a packet arrives, tokens are replenished in the bucket. The amount of tokens added to the bucket is based on the difference in time from when the previous packet arrived. So if the previous packet arrived 100ms ago, then 1/10 of the tokens for a full second are added to the bucket. The formula is the following:

(current packet arrival time - previous packet arrive time) * police rate / 8

The police rate is in bits per second, and the token bucket for policing is in bytes. So you divide this result by 8 to determine the number of bytes to place in the bucket. Essentially this means that the policer puts a proportional amount of tokens into the bucket based on the variable Tc (time interval). The Tc is dynamically calculated every time a packet arrives.

Using this definition, you can now see how policing and shaping are so different. With policing, it simply forwards the packet or discards it. With shaping, packets are queued up and slowly sent out the interface to conform to a certain speed. Policing results in much more packet loss than shaping, although shaping introduces delay.

A note on bursting

Bursting (going above the policed CIR for a brief moment) in policing is controlled by the size of the Bc bucket. A bigger bucket allows you to “bank” more tokens, and then spend them all at once if a lot of traffic comes in too quickly. A very shallow bucket only allows you to bank a very low amount of tokens, preventing any bursting. By default IOS will calculate the size of the Bc bucket for you, using the CIR in bytes over a .25 second period. The CIR is in bits per second, so the formula for the default Bc is as follows:

Bc = CIR * .25 seconds / 8 

Bc = CIR * 1/4   /   8

Bc = CIR / 32

Single-rate, three-color

A three-color policer uses a dual token bucket system to categorize traffic into either conforming, exceeding, or violating.

In this system, one bucket is used for Bc and one bucket is used for Be. The policer replenishes the Bc bucket as with the previous two-color policer - when packets arrive. However, if the replenishment is more than the size of the Bc bucket, the extra “spills over” into the Be bucket.

If the packet does not conform (there are not enough tokens in the Bc bucket), but there are enough tokens in the Be bucket, the packet is now exceeding and the policer removes tokens from the Be bucket.

If there are not enough tokens in the Bc bucket nor the Be bucket, the packet is now violating.

Note that the size of the Be bucket uses the same formula by default in IOS: Be = CIR / 32.

You may want to take the following actions for each category:

  • conforming = transmit

  • exceeding = transmit but mark down

    • A device further upstream may discard this traffic in the case of congestion. If no congestion is present upstream, this traffic gets through.

  • violating = discard

Dual-rate, three-color

With dual-rate, you can set two completely different sustained rates of traffic, instead of a byte amount of burst excess. You configure a CIR for conforming traffic, and a PIR (Peak Information Rate) for exceeding traffic.

There are still two buckets, but they have different names. There is a CIR bucket and a PIR bucket. This time, the CIR bucket does not “spill over” into the PIR bucket. They are two separate buckets.

  • The PIR bucket is bigger because the PIR > CIR

Both buckets are filled by the arrival of a single packet, using the same formula as before. A packet arrives, and each bucket is filled proportionally based on the time delta of the previous packet arrival and the CIR/PIR rate. The PIR is larger (higher bandwidth) than the CIR, so the PIR is always filled with more tokens.

When a packet arrives, if there are tokens available in the CIR bucket, tokens are removed from both the CIR and PIR bucket and the packet is conforming.

If there are no tokens available in the CIR bucket, but there are available tokens in the PIR bucket, tokens are only removed from the PIR bucket and the packet is exceeding.

This process is quite intuitive when you realize that the CIR and PIR buckets are completely separate. In a way it is like running two separate single-rate two color processes at the same time.

Policing Configuration

Just like shaping, policing configuration can be extremely simple.

policy-map policer
 class class-default
  police 10m
!
int Gi1
 service-policy input policer

The above configuration uses a single rate two-color policer. By default, the conform-action is transmit, and the exceed action is drop. You can confirm this using the below show command:

R1(config-pmap-c-police)#do sho policy-map policer
  Policy Map policer
    Class class-default
     police cir 10000000 bc 312500
       conform-action transmit 
       exceed-action drop

As you can see, the Bc was automatically calculated. The Bc is the size of the Bc bucket. A larger size allows for more burst. By default it uses the formula Bc = CIR/32 because it is calculated using a 250msec interval, and the bucket is in bytes, not bits. (The Bc and Be values are in bytes, while the CIR is in bits).

To turn this into a single-rate, three-color policer, you simply add a violate action.

policy-map policer2
 class class-default
  police 10m
   violate-action drop

R1(config-pmap-c-police)#do sho policy-map policer2 
  Policy Map policer2
    Class class-default
     police cir 10000000 bc 312500 be 312500
       conform-action transmit 
       exceed-action drop 
       violate-action drop

Notice that there is now a Be bucket. This is a single-rate three color policer, so excess tokens from the Bc bucket “spill into” the Be bucket. By default the conform-action and exceed-action are still transmit and drop, respectively.

To configure a dual-rate three-color policer, you add the pir keyword:

policy-map policer3
 class class-default
  police 10m pir 15m 

R1(config-pmap-c-police)#do sho policy-map policer3
  Policy Map policer3
    Class class-default
     police cir 10000000 bc 312500 pir 15000000 be 468750
       conform-action transmit 
       exceed-action drop 
       violate-action drop

Notice that we didn’t have to specify a violate-action. Since we specified the PIR, IOS knows that this has to be a three-color policer, so all three actions are present with their default values. The violate-action is the same as the exceed-action by default.

If you want to transmit but mark-down exceeding traffifc you use the following configuration:

policy-map policer3
 class class-default
  police 10m pir 15m
   exceed-action set-dscp-transmit default

R1(config-pmap-c-police)#do sho policy-map policer3
  Policy Map policer3
    Class class-default
     police cir 10000000 bc 312500 pir 15000000 be 468750
       conform-action transmit 
       exceed-action set-dscp-transmit default
       violate-action set-dscp-transmit default

Notice that the violate-action took the exceed-action by default after we changed it. To keep violate as drop we need to set it explicitly.

policy-map policer3
 class class-default
  police 10m pir 15m
   exceed-action set-dscp-transmit default
   violate-action drop

R1(config-pmap-c-police)#do sho policy-map policer3
  Policy Map policer3
    Class class-default
     police cir 10000000 bc 312500 pir 15000000 be 468750
       conform-action transmit 
       exceed-action set-dscp-transmit default
       violate-action drop

You can also police only a single class of traffic. This works the same way when policing using LLQ. The below policer only polices scavenger traffic. No action is taken on any other traffic.

policy-map policer4
 class my-scavenger-class
  police 20m
 class class-default

Lab

We will re-use the lab from the previous article, but this time use iperf3 to test throughput.

All policy-maps from the previous article have been deleted on R2.

R2 wishes to limit traffic received on Gi2 to 1mbps. To do this, a policer is applied as follows:

policy-map 1M-POLICER
 class class-default
  police 1m
!
int Gi2
 service-policy input 1M-POLICER

I’ll now run iperf server mode on the Server and connect to it from HostA. In iperf, the “client” uploads traffic to the “server.” HostA will send traffic towards the Server.

#Server
iperf3 -s

#HostA
cisco@hostA:~$ iperf3 -c 10.0.2.2
Connecting to host 10.0.2.2, port 5201
[  5] local 10.0.1.2 port 40714 connected to 10.0.2.2 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   297 KBytes  2.43 Mbits/sec   55   2.83 KBytes       
[  5]   1.00-2.00   sec  63.6 KBytes   521 Kbits/sec   16   8.48 KBytes       
[  5]   2.00-3.00   sec   127 KBytes  1.04 Mbits/sec    0   15.6 KBytes       
[  5]   3.00-4.00   sec   127 KBytes  1.04 Mbits/sec    0   19.8 KBytes       
[  5]   4.00-5.00   sec   127 KBytes  1.04 Mbits/sec    0   24.0 KBytes       
[  5]   5.00-6.00   sec   191 KBytes  1.56 Mbits/sec    0   41.0 KBytes       
[  5]   6.00-7.00   sec   127 KBytes  1.04 Mbits/sec    0   70.7 KBytes       
[  5]   7.00-8.00   sec   445 KBytes  3.65 Mbits/sec    0    110 KBytes       
[  5]   8.00-9.00   sec   382 KBytes  3.13 Mbits/sec    0    164 KBytes       
[  5]   9.00-10.00  sec  0.00 Bytes  0.00 bits/sec    0    222 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  1.84 MBytes  1.55 Mbits/sec   71             sender
[  5]   0.00-11.95  sec  1.34 MBytes   943 Kbits/sec                  receiver

Notice that 55 retransmits occured within the first second. Checking the policy-map counters on Gi2 (below) we can see that the 71 retransmits directly correlated with the 71 packets dropped by the policer:

R2#show policy-map int gi2
 GigabitEthernet2 

  Service-policy input: 1M-POLICER

    Class-map: class-default (match-any)  
      927 packets, 1383496 bytes
      5 minute offered rate 37000 bps, drop rate 4000 bps
      Match: any 
      police:
          cir 1000000 bps, bc 25000 bytes
        conformed 856 packets, 1276002 bytes; actions:
          transmit 
        exceeded 71 packets, 107494 bytes; actions:
          drop 
        conformed 35000 bps, exceeded 4000 bps

To improve preformance, let’s add a shaper to Gi2 of R1. R1 will shape traffic out Gi2 at 1Mbps so that traffic won’t exceed the policer CIR on R2.

#R1
policy-map 1M-SHAPER
 class class-default
  shape average 1m
!
int Gi2
 service-policy output 1M-SHAPER

We run the iperf test again, and see less retransmissions:

cisco@hostA:~$ iperf3 -c 10.0.2.2
Connecting to host 10.0.2.2, port 5201
[  5] local 10.0.1.2 port 40722 connected to 10.0.2.2 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   263 KBytes  2.15 Mbits/sec    0   46.7 KBytes       
[  5]   1.00-2.00   sec   223 KBytes  1.83 Mbits/sec    0   52.3 KBytes       
[  5]   2.00-3.00   sec   127 KBytes  1.04 Mbits/sec    0   58.0 KBytes       
[  5]   3.00-4.00   sec   127 KBytes  1.04 Mbits/sec    0   66.5 KBytes       
[  5]   4.00-5.00   sec   191 KBytes  1.56 Mbits/sec    0   86.3 KBytes       
[  5]   5.00-6.00   sec   445 KBytes  3.65 Mbits/sec    0    120 KBytes       
[  5]   6.00-7.00   sec  0.00 Bytes  0.00 bits/sec   20   83.4 KBytes       
[  5]   7.00-8.00   sec  0.00 Bytes  0.00 bits/sec    0   89.1 KBytes       
[  5]   8.00-9.00   sec   255 KBytes  2.09 Mbits/sec    1    100 KBytes       
[  5]   9.00-10.00  sec  0.00 Bytes  0.00 bits/sec    7   70.7 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  1.59 MBytes  1.34 Mbits/sec   28             sender
[  5]   0.00-10.61  sec  1.22 MBytes   960 Kbits/sec                  receiver

We still see some retransmissions at the 6-7 second interval because iperf tried to go way over the contracted rate at 3.65Mbps.

If we check R1, we can see that these drops were actually caused by the shaper, not the policer:

R1#show policy-map int gi2
 GigabitEthernet2 

  Service-policy output: 1M-SHAPER

    Class-map: class-default (match-any)  
      995 packets, 1455279 bytes
      5 minute offered rate 28000 bps, drop rate 0000 bps
      Match: any 
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/28/0
      (pkts output/bytes output) 957/1411747
      shape (average) cir 1000000, bc 4000, be 4000
      target shape rate 1000000

To improve preformance, let’s lengthen the queue length.

policy-map 1M-SHAPER
 class class-default
  shape average 1000000   
  queue-limit 240 packets

Interestingly this just delayed the point at which iperf ran into retransmissions. Now packet loss happens at the last 9-10 second interval:

cisco@hostA:~$ iperf3 -c 10.0.2.2
Connecting to host 10.0.2.2, port 5201
[  5] local 10.0.1.2 port 40726 connected to 10.0.2.2 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   178 KBytes  1.46 Mbits/sec    0   45.2 KBytes       
[  5]   1.00-2.00   sec   322 KBytes  2.64 Mbits/sec    0   50.9 KBytes       
[  5]   2.00-3.00   sec   127 KBytes  1.04 Mbits/sec    0   56.6 KBytes       
[  5]   3.00-4.00   sec   127 KBytes  1.04 Mbits/sec    0   65.0 KBytes       
[  5]   4.00-5.00   sec   191 KBytes  1.56 Mbits/sec    0   86.3 KBytes       
[  5]   5.00-6.00   sec   191 KBytes  1.56 Mbits/sec    0    119 KBytes       
[  5]   6.00-7.00   sec   255 KBytes  2.09 Mbits/sec    0    163 KBytes       
[  5]   7.00-8.00   sec   382 KBytes  3.13 Mbits/sec    0    222 KBytes       
[  5]   8.00-9.00   sec   636 KBytes  5.21 Mbits/sec    0    280 KBytes       
[  5]   9.00-10.00  sec  0.00 Bytes  0.00 bits/sec    0    338 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  2.35 MBytes  1.97 Mbits/sec    0             sender
[  5]   0.00-12.90  sec  1.48 MBytes   960 Kbits/sec                  receiver

Packet drops increased even more on the shaper:

R1#show policy-map int gi2
 GigabitEthernet2 

  Service-policy output: 1M-SHAPER

    Class-map: class-default (match-any)  
      2467 packets, 3621417 bytes
      5 minute offered rate 67000 bps, drop rate 3000 bps
      Match: any 
      Queueing
      queue limit 240 packets
      (queue depth/total drops/no-buffer drops) 0/151/0
      (pkts output/bytes output) 2291/3394294
      shape (average) cir 1000000, bc 4000, be 4000
      target shape rate 1000000

Testing policing/shaping using VyOS

CSR1000v limits throughput to 2Mbps without a license, which makes it very hard to test policing and shaping. I setup a simple three-node VyOS lab and preformed policing and shaping on the middle node, while running iperf between the edge nodes. VyOS is FOSS (free open source software).

With a simple policing policy at 100mbps, the iperf test suffers horribly from the packet loss. The packet loss prevents the sliding window from getting big enough to take advantage of the bandwidth.

#Middle node
set int eth eth0 traffic-policy in POLICER
set traffic-policy limiter POLICER default bandwidth 100mbit
vyos@vyos:~$ iperf3 -c 10.2.3.3
Connecting to host 10.2.3.3, port 5201
[  6] local 10.1.2.1 port 56456 connected to 10.2.3.3 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  6]   0.00-1.00   sec   380 KBytes  3.12 Mbits/sec   86   2.83 KBytes       
[  6]   1.00-2.00   sec   710 KBytes  5.81 Mbits/sec  178   2.83 KBytes       
[  6]   2.00-3.00   sec   782 KBytes  6.41 Mbits/sec  184   2.83 KBytes       
[  6]   3.00-4.00   sec   650 KBytes  5.33 Mbits/sec  174   2.83 KBytes       
[  6]   4.00-5.00   sec   714 KBytes  5.85 Mbits/sec  176   2.83 KBytes       
[  6]   5.00-6.00   sec   713 KBytes  5.84 Mbits/sec  172   2.83 KBytes       
[  6]   6.00-7.00   sec   718 KBytes  5.88 Mbits/sec  181   1.41 KBytes       
[  6]   7.00-8.00   sec   713 KBytes  5.84 Mbits/sec  175   2.83 KBytes       
[  6]   8.00-9.00   sec   781 KBytes  6.39 Mbits/sec  186   2.83 KBytes       
[  6]   9.00-10.00  sec   713 KBytes  5.84 Mbits/sec  170   2.83 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  6]   0.00-10.00  sec  6.71 MBytes  5.63 Mbits/sec  1682             sender
[  6]   0.00-10.00  sec  6.63 MBytes  5.56 Mbits/sec                  receiver

If we delete the policer and implement a 100m shaper outbound on the other interface on the middle node, the test is much better:

set traffic-policy shaper SHAPER bandwidth 100mbit
set traffic-policy shaper SHAPER default bandwidth 100mbit
set int eth eth1 traffic-policy out SHAPER
delete int eth eth0 traffic-policy
vyos@vyos:~$ iperf3 -c 10.2.3.3
Connecting to host 10.2.3.3, port 5201
[  6] local 10.1.2.1 port 56460 connected to 10.2.3.3 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  6]   0.00-1.00   sec  13.4 MBytes   112 Mbits/sec   35    197 KBytes       
[  6]   1.00-2.00   sec  11.2 MBytes  93.8 Mbits/sec    0    236 KBytes       
[  6]   2.00-3.00   sec  11.2 MBytes  93.8 Mbits/sec    0    272 KBytes       
[  6]   3.00-4.00   sec  11.2 MBytes  94.3 Mbits/sec    0    301 KBytes       
[  6]   4.00-5.00   sec  11.2 MBytes  93.8 Mbits/sec    5    247 KBytes       
[  6]   5.00-6.00   sec  11.2 MBytes  93.9 Mbits/sec    0    279 KBytes       
[  6]   6.00-7.00   sec  11.4 MBytes  95.9 Mbits/sec   16    230 KBytes       
[  6]   7.00-8.00   sec  11.2 MBytes  93.8 Mbits/sec    0    266 KBytes       
[  6]   8.00-9.00   sec  11.2 MBytes  93.8 Mbits/sec    0    297 KBytes       
[  6]   9.00-10.00  sec  11.2 MBytes  94.4 Mbits/sec   13    247 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  6]   0.00-10.00  sec   114 MBytes  96.0 Mbits/sec   69             sender
[  6]   0.00-10.00  sec   112 MBytes  94.3 Mbits/sec                  receiver

iperf Done.

As you can see, the low bandwidth of 1mbps when testing using CSR1000v hid the problems that policing causes. This is why you want to shape outbound traffic towards a provider that is implementing a policer.

Further Reading

Cisco QoS Exam Guide, Wendell Odom and Michael Vacanaugh, Ch. 6

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_plcshp/configuration/xe-17/qos-plcshp-xe-17-book/qos-plcshp-oview.html

  • See additional sections in this “book”

https://www.youtube.com/watch?v=xp1V_NRf0qY

https://www.youtube.com/watch?v=be7mvlCJ67w

Last updated