nested traffic shaping - asymmetric nvpn

agaskill
Level 1

Hello,

We recently implemented a hosted NVPN solution in which each site has a T1 to the carrier, who manages the routing between sites. In a sense it's like a fully-meshed frame-relay, except it's ATM and we get an ethernet handoff. The problem is that the primary site has a 3Mbps connection (two T1s) while all the others have 1.5Mbps connections. I want to set up traffic shaping on this 3Mb outbound interface such that traffic to each remote site gets no more than 1.5Mb, while the total does not exceed 3Mb. It seems like it should be easy, but you can't nest GTS policies inside GTS policies. So my question is what is the best way to do this? Should I do 3Mb traffic shaping on the parent class then do 1.5Mb policing on the sub-classes? Should I do 3Mb rate-limiting on the interface then 1.5Mb shaping on each of the sub-classes? The primary goal here is to keep VoIP high priority and low latency. My proposed config is included below:

policy-map VoipPolicy
 class VoIP
  priority percent 50
 class class-default
  fair-queue
  random-detect

policy-map NVPN_Multisite
 class ToSite1
  shape average 1500000
  service-policy VoipPolicy
 class ToSite2
  shape average 1500000
  service-policy VoipPolicy
 class ToSite3
  shape average 1500000
  service-policy VoipPolicy
 class ToSite4
  shape average 1500000
  service-policy VoipPolicy
 class ToSite5
  shape average 1500000
  service-policy VoipPolicy

interface FastEthernet0/1
 ip address 10.10.0.2 255.255.255.0
 rate-limit output 3000000 200000 400000 conform-action transmit exceed-action drop
 service-policy output NVPN_Multisite

I'm afraid with this setup though that voice packets would be equally eligible for dropping as data packets when the 3Mb limit is reached.

Accepted Solutions

wochanda
Level 4

Hey Andrew,

It is definitely not a good idea to put a shaper behind a rate limiter, since like you said: voice packets will be equally eligible for drop.

There isn't a perfect solution here, since we can't shape twice on the output interface. Since we can only shape once, you have 2 choices:

1. shape to 3 megs, and apply voice qos to FE

2. shape to less than 1.5 mbps on individual sites

The drawbacks to each are:

1. no ability to control traffic on a per-site basis

2. won't efficiently utilize 3mb link

From what I can see about your network, I think your best bet is #1.

policy-map SHAPE
 class class-default
  shape average 3000000
  service-policy VoipPolicy

int fa0/1
 service-policy out SHAPE

With this configuration, it will be impossible to send more than 1.5Mbps of voice out to any particular remote site, since the 'priority' statement applies a policer to that class of traffic.

All that being said, another big thing we need to look at is what kind of guarantee the provider is giving you for voice. Most of the time, when you buy an NVPN circuit from the telco, you can buy a low latency guarantee for voice traffic, where you set DSCP or precedence values in your voice packets. This helps out in the scenario that more than 1.5Mbps of traffic is destined for one of your endpoints, and packets (voice and data) are being dropped by the PE router.

Will
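
An added illustration, not part of the thread and not Cisco code: a small Python simulation of the point made in the answer above, comparing a class-blind 3 Mbps rate limiter with a 3 Mbps shaper that serves a priority voice queue first. Packet sizes, burst size, queue limit, offered load and same-millisecond arrival order are constructed assumptions; the 50% cap of the `priority` statement is not modelled because the constructed voice load stays below it.

```python
from collections import deque

RATE_BITS_PER_MS = 3_000                 # 3 Mbps, the rate used in the thread
BURST_BITS = 12_000                      # constructed burst: one 1500-byte packet
SIZE = {"voice": 1_600, "data": 12_000}  # constructed: 200 B voice, 1500 B data
DATA_QUEUE_LIMIT = 64                    # constructed tail-drop limit, data queue

def arrivals(ms):
    """Constructed load: 4 Mbps data (1 pkt / 3 ms), 0.8 Mbps voice (1 pkt / 2 ms).
    When both land in the same millisecond, data is seen first."""
    pkts = []
    if ms % 3 == 0:
        pkts.append("data")
    if ms % 2 == 0:
        pkts.append("voice")
    return pkts

def police(duration_ms):
    """Class-blind token-bucket policer: any packet that exceeds is dropped."""
    tokens, dropped = BURST_BITS, {"voice": 0, "data": 0}
    for ms in range(duration_ms):
        tokens = min(tokens + RATE_BITS_PER_MS, BURST_BITS)
        for cls in arrivals(ms):
            if tokens >= SIZE[cls]:
                tokens -= SIZE[cls]
            else:
                dropped[cls] += 1        # voice and data are treated alike
    return dropped

def shape_with_llq(duration_ms):
    """Shaper feeding a strict-priority voice queue and a tail-drop data queue."""
    credit, dropped = BURST_BITS, {"voice": 0, "data": 0}
    queues = {"voice": deque(), "data": deque()}
    for ms in range(duration_ms):
        credit = min(credit + RATE_BITS_PER_MS, BURST_BITS)
        for cls in arrivals(ms):
            if cls == "data" and len(queues["data"]) >= DATA_QUEUE_LIMIT:
                dropped["data"] += 1     # congestion loss lands on data only
            else:
                queues[cls].append(ms)
        for cls in ("voice", "data"):    # voice is always served first
            while queues[cls] and credit >= SIZE[cls]:
                queues[cls].popleft()
                credit -= SIZE[cls]
    return dropped

if __name__ == "__main__":
    print("policer drops:", police(6000))
    print("shaper  drops:", shape_with_llq(6000))
```

Over six simulated seconds the policer discards a third of the voice packets, while the shaper discards only data.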

Thanks Will,

That's the way I had it set up at first, and the problem I had was that it will try to send 3Mb total (voice + data) to any one site if requested, which it can't, so the congestion point becomes the telco router rather than ours and packets get dropped equally there.

The provider's SLA is the same for all traffic, but it meets requirements for toll-quality voice. I guess they should still honor precedence within our own traffic though, I'll check on that.

You know, I just realized that of course we need the telco to use precedence on their interface to the CPE router, because no matter how much we prioritize outbound traffic, if two sites are sending data to a third site they have no way of knowing the other is also sending data to that site and so the congestion point will once again be the telco router.
