IP Traffic Shaping

Jun 3rd, 2009
Here is my architecture :

CISCO(3825)------FIREWALL-IPSEC----PASSPORT(7480 Nortel)---[WAN (E1_link)]----

My Passport provide a link to the WAN, It's a E1 link providing a 2048 kbps ATM link.

Cisco and Firewall are connected with a 100Mbps IP link.

I need to do QOS on my CISCO in order to prioritize my traffic before to send it to the Passport.

I made Bandwidth performance mesure to evaluate the available bandwidth throught all my equipment.

I wanted to evaluate the effective troughput, in other words, the available troughput without all the Header added by each equipment :

- My Cisco add GRE header among other typical header

- My Firewall add IPSEC header

- My Passport add ATM cells Header (and PAD in more)

So, here is the effective bandwidth I evaluated :

Frame Lenght--->Throughput(Frame per seconds)--->Throughput(Mbps)

64 ---> 1105 --> 0,57

128 ---> 892 --> 0,91

256 ---> 558 --> 1,14

512 ---> 344 --> 1,41

1024 ---> 187 --> 1,53

1280 ---> 154 --> 1,58

You can see a very low effective bandwidth due to a high number of header and PAD (ATM padding).

So, My aim would be to control traffic on the cisco thanks to TRAFFIC SHAPING in order to prioritize traffic

before it is lost on the Passport (no QOS in the Passport).

But, my problem is to obtain the same results in doing shapping than results I obtained due to bandwidth limit of the Passport (Let's see the results above)

I did this command on the Cisco (shaping to 1,5Mbps) :

service-policy QOS_policy

class WAN_shaping

shape average 1500000

I did the same tests in test plateform between two CISCO. I obtained this results :

Frame Lenght--->Throughput(Frame per seconds)--->Throughput(Mbps)

64 ---> 2122 --> 1,087

128 ---> 1237 --> 1,268

256 ---> 672 --> 1,378

512 ---> 353 --> 1,448

1024 ---> 184 --> 1,514

1280 ---> 148 --> 1,520

So, I didn't obtain the same results.

For a 512,1024 or 1280 frame size, the result is close, but much farther for 64 or 128 frame size.

How can I do to obtain better result (in sense of closer result than ATM results) for all my frame size?

Thanks for your Help.

Best Regards


Joseph W. Doherty Wed, 06/03/2009 - 03:55
You can't really precisely shape optimize because amount of overhead varies per packet. For instance, with ATM, 96 bytes of payload requires two cells of 106 byes but 97 byes requires three cells of 159 bytes.

You can shape for worse case. This guarantees consistent performance although effective bandwidth utilization is least. Or you can shape for average case, which improves effective bandwidth utilization but with less consistent performance. "Average" often works well except perhaps when you need to guarantee VoIP performance.


BTW, what can help is to avoid IP fragmentaion caused by IPSec and/or GRE. I.e. you may want to adjust your MTU on the 3845 Ethernet interface facing the firewall and should use the tcp mss-adjust command on the same interface (which should be in an IOS running on a 3845).


