Cisco IOS TrafficShaping for ADSL traffic

Well, I upped the burst size and it seems to allow a 96000bps police value to work.

Strange, not sure if it's the laptop or the wireless AP that is giving the burst size of 1000 bytes issues, as my friend on an identical DSL line can use 96000bps with a burst size of 1000 fine.
 
Well, tested some VOIP with only 12kb/sec of allocated upload on the restricted vlan and it's perfect, so I'm not complaining :)

My final config looks like this:

Code:
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname sinhome
!
boot-start-marker
boot-end-marker
!
no logging buffered
logging console critical
enable secret 5 *******
enable password 7 *******
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.101 192.168.1.254
ip dhcp excluded-address 192.168.2.101 192.168.2.254
!
ip dhcp pool sdm-pool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254 
   dns-server 213.133.223.11 
   lease 0 2
!
ip dhcp pool pool-vlan2
   import all
   network 192.168.2.0 255.255.255.0
   domain-name sin.local
   dns-server 213.133.223.11 
   default-router 192.168.2.254 
!
!
ip tcp synwait-time 10
ip ftp username *******
ip ftp password 7 *******
no ip bootp server
ip domain name sin.local
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW https
!
!
crypto pki trustpoint TP-self-signed-4281229074
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4281229074
 revocation-check none
 rsakeypair TP-self-signed-4281229074
!
!
crypto pki certificate chain TP-self-signed-4281229074
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 34323831 32323930 3734301E 170D3032 30333031 30323433 
  35345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32383132 
  32393037 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100D776 2D080092 06EE0645 9164B647 C44D9A72 F9718B24 CC83CD7D 18481D60 
  538DEA20 DE7E5D77 7785CF87 A9694044 383574B4 C077D247 45868296 5BBC09A7 
  051CFF07 595C2CBD 0FA14CA7 1EEBEDD6 BD33F52E 854EC2C0 FDCF991C 0E15B081 
  A99E6836 2C3134B1 E17BECE6 C7701090 A5E65EB3 619F08E1 CFC579BC A9176604 
  78870203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D 
  301F0603 551D2304 18301680 14FD5244 939A8D2A 264483C2 8166F370 8F990754 
  16301D06 03551D0E 04160414 FD524493 9A8D2A26 4483C281 66F3708F 99075416 
  300D0609 2A864886 F70D0101 04050003 81810019 3B928E96 EDEE91F2 64B8EC61 
  187EF75D 386C0A58 E8CC8CA2 BECFCE1D A8786959 DF47F43F 52CEFF05 8F802E4A 
  F05B5203 308DB2EC A8D84FE6 39E9DEA9 219B407F AA26837F 00390084 4362D91B 
  DC6AFAD1 F5582ED4 F77E8168 1EF8D8D4 8E7A10F0 0994D22C 3FCFF1E2 766E3E1C 
  D2197683 7BC95092 E841D274 0B5B0EA0 3E0361
  quit
username root privilege 15 secret 5 $1$JQsP$EaVbgA7xJAHtnPxRQa.tD0
!
!
class-map match-any LOWBW
 match any 
!
!
policy-map 256000BPS
  class LOWBW
  police cir 256000
    conform-action transmit 
    exceed-action set-qos-transmit 4
    violate-action drop 
policy-map 96000BPS
  class LOWBW
  police cir 96000 bc 12000 be 12000
    conform-action transmit 
    exceed-action set-qos-transmit 4
    violate-action drop 
!
! 
!
!
!
!
interface ATM0
 description $ES_WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto 
 dsl enable-training-log
!
interface FastEthernet0
 description LAN
!
interface FastEthernet1
 description WIRELESS-AP Access
 switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan2
 description $FW_INSIDE$
 ip address 192.168.2.254 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 service-policy input 96000BPS
 service-policy output 256000BPS
!
interface Dialer1
 description newtel-DSL$FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer idle-timeout 0
 no cdp enable
 ppp pap sent-username ******* password 7 *******
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
!
ip classless
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat source static udp 192.168.1.1 6100 interface Dialer1 6100
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.1 12360 interface Dialer1 12360
ip nat inside source static tcp 192.168.1.1 12359 interface Dialer1 12359
ip nat inside source static tcp 192.168.1.1 12358 interface Dialer1 12358
ip nat inside source static tcp 192.168.1.1 12357 interface Dialer1 12357
ip nat inside source static tcp 192.168.1.1 12356 interface Dialer1 12356
ip nat inside source static tcp 192.168.1.1 12355 interface Dialer1 12355
ip nat inside source static tcp 192.168.1.1 12354 interface Dialer1 12354
ip nat inside source static tcp 192.168.1.1 12353 interface Dialer1 12353
ip nat inside source static tcp 192.168.1.1 12352 interface Dialer1 12352
ip nat inside source static tcp 192.168.1.1 12351 interface Dialer1 12351
ip nat inside source static tcp 192.168.1.1 12350 interface Dialer1 12350
ip nat inside source static udp 192.168.1.1 3784 interface Dialer1 3784
ip nat inside source static tcp 192.168.1.1 5005 interface Dialer1 5005
ip nat inside source static tcp 192.168.1.1 5004 interface Dialer1 5004
ip nat inside source static tcp 192.168.1.1 5003 interface Dialer1 5003
ip nat inside source static tcp 192.168.1.1 5002 interface Dialer1 5002
ip nat inside source static tcp 192.168.1.1 5001 interface Dialer1 5001
ip nat inside source static tcp 192.168.1.1 5000 interface Dialer1 5000
ip nat inside source static tcp 192.168.1.1 113 interface Dialer1 113
ip nat inside source static udp 192.168.1.1 113 interface Dialer1 113
ip nat inside source static udp 192.168.1.1 54321 interface Dialer1 54321
ip nat inside source static tcp 192.168.1.1 54321 interface Dialer1 54321
ip nat inside source static tcp 192.168.1.1 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.1 3784 interface Dialer1 3784
ip nat inside source static tcp 192.168.1.1 21 interface Dialer1 21
ip nat inside source static tcp 192.168.1.1 12345 interface Dialer1 12345
ip nat inside source static tcp 192.168.1.1 5900 interface Dialer1 5900
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 10 permit 192.168.1.1
access-list 11 permit 192.168.2.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 192.168.2.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq ftp
access-list 101 permit udp any any eq 113
access-list 101 deny   ip 192.168.2.0 0.0.0.255 any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 permit udp any any eq 3784
access-list 101 permit tcp any any eq 3784
access-list 101 permit tcp any any eq 5900
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any any eq 12345
access-list 101 permit tcp any any range 12350 12360
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 54321
access-list 101 permit udp any any eq 54321
access-list 101 permit tcp any any eq ident
access-list 101 permit tcp any any eq 5000
access-list 101 permit tcp any any eq 5001
access-list 101 permit tcp any any eq 5002
access-list 101 permit tcp any any eq 5003
access-list 101 permit tcp any any eq 5004
access-list 101 permit tcp any any eq 5005
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   icmp any any echo-reply
access-list 101 deny   icmp any any time-exceeded
access-list 101 deny   icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 103 remark Vlan2 inbound
access-list 103 remark SDM_ACL Category=1
access-list 103 deny   ip 192.168.1.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 remark 127.0.0.1
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
no cdp run
!
!
control-plane
!
banner login 
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device. 
This feature requires the one-time use of the username "cisco" 
with the password "cisco".

Please change these publicly known initial credentials using SDM or the IOS CLI. 
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use. 

For more information about SDM please follow the instructions in the QUICK START 
GUIDE for your router or go to http://www.cisco.com/go/sdm 
-----------------------------------------------------------------------

banner motd CC
			You are Accessing Restricted Equipment
			All Activities are Monitored and Logged
			Unauthorised Use Prohibited

			By accessing you agree to have your activities Monitored and Logged

!
line con 0
 password 7 *******
 no modem enable
 transport output telnet
line aux 0
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Input and Output on the fe2 are reversed when looking at Upload/Download on the Dialer1 interface.
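As an added illustration that is not from this thread, here is a Python simulation of the single-rate three-colour policer that `police cir <bps> bc <bytes> be <bytes>` configures: a packet conforms if it fits the committed bucket, exceeds if it fits the excess bucket, and otherwise violates (dropped here). The input is constructed: 100 full-size 1492-byte segments (the 1452 MSS from the config plus 40 bytes of headers) every 10 ms against a 96 kbps CIR, once with 1000-byte buckets and once with 12000-byte buckets. It shows one mechanism behind the symptom in this post, not a diagnosis of the laptop or AP: a burst smaller than the largest packet can never hold enough tokens for that packet, so every full-size packet violates regardless of the offered rate.

```python
"""Single-rate, three-colour policer (RFC 2697 style), as IOS applies with
`police cir <bps> bc <bytes> be <bytes>`. Added example, not code from the
thread; the traffic below is constructed."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Policer:
    cir_bps: int       # committed rate in bits per second
    bc_bytes: int      # committed burst: depth of the conform bucket
    be_bytes: int      # excess burst: depth of the exceed bucket

    def __post_init__(self) -> None:
        self.tc = self.bc_bytes   # both buckets start full
        self.te = self.be_bytes
        self.last_ms = 0
        self.pending = 0          # leftover bit-milliseconds, keeps refill exact

    def _refill(self, now_ms: int) -> None:
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        self.pending += self.cir_bps * elapsed
        tokens, self.pending = divmod(self.pending, 8000)   # bit*ms -> bytes
        self.tc += tokens
        if self.tc > self.bc_bytes:                         # overflow feeds the excess bucket
            self.te = min(self.be_bytes, self.te + self.tc - self.bc_bytes)
            self.tc = self.bc_bytes

    def police(self, now_ms: int, size_bytes: int) -> str:
        """Colour one packet: conform, exceed or violate."""
        self._refill(now_ms)
        if size_bytes <= self.tc:
            self.tc -= size_bytes
            return "conform"
        if size_bytes <= self.te:
            self.te -= size_bytes
            return "exceed"
        return "violate"


def simulate(policer: Policer, packets: List[Tuple[int, int]]) -> Dict[str, int]:
    """Run (arrival_ms, size_bytes) pairs through the policer and count colours."""
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for arrival_ms, size in packets:
        counts[policer.police(arrival_ms, size)] += 1
    return counts


def full_size_stream(n: int = 100, size: int = 1492, gap_ms: int = 10) -> List[Tuple[int, int]]:
    """Constructed input: n full-size segments every gap_ms, about 1.2 Mbps
    offered against the 96 kbps policer below."""
    return [(i * gap_ms, size) for i in range(n)]


def compare_bursts() -> Tuple[Dict[str, int], Dict[str, int]]:
    """The two police settings discussed in the post: 1000-byte buckets (the
    burst that did not work) and the 12000-byte buckets from the final config."""
    small = simulate(Policer(cir_bps=96000, bc_bytes=1000, be_bytes=1000), full_size_stream())
    large = simulate(Policer(cir_bps=96000, bc_bytes=12000, be_bytes=12000), full_size_stream())
    return small, large


if __name__ == "__main__":
    small, large = compare_bursts()
    print("bc=be=1000  :", small)
    print("bc=be=12000 :", large)
```

With the 12000-byte buckets the same stream passes 24 of the 100 packets (16 conform, 8 exceed), which is the token budget of 12000 + 12000 + 96000 bit/s x 0.99 s / 8 bytes divided by 1492, so the long-run rate is still the CIR; the burst size only decides whether a full-size packet can be admitted at all.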
 
God SDM doesn't half generate some rubbish...

If it works for you then fair enough, stick with it, it's not particularly elegant but I can't immediately suggest better as I haven't done much work with the lower end kit for a while...
 
There is some stuff I need to tidy up myself but could you point out what you think is rubbish?

As for not being elegant, it will do for now - at least until I can find out if there is a better solution on an 877.
 
Hi,

From what I can remember, if you want to put a shaper or any form of QoS onto a DSL router, you need to do it via an ATM subinterface, so it looks like:

interface ATM0
 description $ES_WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  service-policy output shaper


Also, all forms of ATM interfaces do not have any capability to detect congestion, so the hardware simply doesn't know when it's saturated and packet loss occurs without any queueing whatsoever.
This makes adding QoS challenging because with Ethernet the interface knows when it's congested based on its bandwidth and load, which allows an attached QoS policy to kick in.
To get around this on an ATM interface, you need to apply a nested shaper at the same bandwidth as the DSL interface. This means the shaper takes the responsibility of detecting the congestion (Cisco call it backpressure), which means once the shaper starts dropping packets the congestion is detected, and the nested QoS policy then kicks in to perform fancy queueing. To configure this outbound on the DSL interface where your upload speed is 768Kbps, you would do the following:

1.> Configure two ACLs, one matching your critical traffic, and one matching standard traffic.

2.> Configure a marker on the inbound Ethernet interface (vlan1) to mark traffic going into the Ethernet interface (outbound flow); it looks like:

class-map match-all markCS5
 match access-group 102
class-map match-all markCS1
 match access-group 101
!
policy-map marker
 class markCS5
  set ip dscp cs5
 class markCS1
  set ip dscp cs1
!
interface Vlan1
 bandwidth 8000
 ip address 1.1.1.1 255.0.0.0
 (etc)
 service-policy input marker

3.> Now traffic is being marked as it hits the Ethernet interface, you need to match it and queue based on the DSCP values, and apply it to the ATM subinterface:


class-map match-all critical
 match ip dscp cs5
class-map match-all standard
 match ip dscp cs1
!
!
policy-map qospolicyOUT
 class critical
  ! adjustable value; class bandwidth is in kbps
  bandwidth 512
  random-detect dscp-based
 class standard
  ! adjustable value; kbps
  bandwidth 128
  random-detect dscp-based
!
policy-map shaper
 class class-default
  ! shape rate is in bps
  shape peak 768000
  service-policy qospolicyOUT
!
interface ATM0
 description $ES_WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  service-policy output shaper


4.> You will now be using CBWFQ (class based weighted fair queuing) in the outbound direction, but this is only for traffic leaving the router outbound. In order to queue in the other direction you need to reverse the process, by marking inbound on the ATM, setting the values, then queuing outbound on the Vlan interface minus the shaper (as this is now Ethernet). Example where your bandwidth is 8Mbit:


policy-map qospolicyIN
 class critical
  ! adjustable value; class bandwidth is in kbps
  bandwidth 5012
  random-detect dscp-based
 class standard
  ! adjustable value; kbps
  bandwidth 1028
  random-detect dscp-based
!
interface ATM0
 description $ES_WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  service-policy output shaper
  service-policy input marker
!
interface Vlan1
 bandwidth 8000
 ! 5012 + 1028 kbps is more than the default 75% of 8000 kbps
 max-reserved-bandwidth 100
 ip address 1.1.1.1 255.0.0.0
 (etc)
 service-policy input marker
 service-policy output qospolicyIN


I helped develop and test the IOS that supports this with Cisco a few years ago, but it's just basic ATM based QoS for ADSL. Some people will question why I'm adding DSCP values inbound for an internet connection that will set them all to 0.
The reason is that it allows the router to use DSCP-based random early detection, which is very effective with low bandwidth traffic across the router, especially application and TCP. It's far more effective and flexible than standard policing and shaping.

You might prefer the results, but it's been ages since I worked with this - you may need to upgrade the IOS to support the queueing; if you want to give it a bash remind me and I'll dig out the version you need if it doesn't like the queuing.


FYI, I have a similar config running on my 1841 at home (cable modem), and I can play Quake3 with a ping of 35, with unlimited torrents running :-)
 
Awesome stuff V-Spec, the explanations on top of the config are appreciated!

Will this work with access-groups matching against IPs or do I still have the NATing screwing that up?

I'm running the latest 12.4 IOS with Advanced IP, which I guess will support this.
 
No problem, boring Friday - sat here waiting to go home :]

In the outbound direction you can do what you like, because you'll be marking the traffic as it hits the Ethernet interface by using the ACLs. NAT will not remove the DSCP values from the packets, therefore they will still be queued correctly by the ATM interface, based on CS5 or CS1 DSCP markings, as they leave for the internet.

In the inbound direction, as you know - the destination address from the outside world will be the public provider assigned address and not your internal 192.168.x.x private range... Off the top of my head I can't remember whether the QoS engine does the marking before OR after NAT takes place, so you have 2 options, which you'll need to test because I can't remember off the top of my head :)


1.> As a packet comes into the atm0.1 with a destination of your router's public IP address (dialer 1): if the QoS engine applies the attached policy AFTER NAT has taken place, you can set extended ACLs to match the destination address of the internal NATted (inside private) range. Remember to use an extended ACL ("access-list 101 permit ip any 192.168.x.x 0.0.255.255") as you only care about the destination.

OR

2.> As a packet comes into the atm0.1 with a destination address of your router's public Dialer1 (before NAT): if the QoS engine applies the attached policy map to the packet BEFORE NAT takes place, it won't work with ACLs matching your internal LAN range as the destination, because all traffic inbound will be to the same address (the public dialer address). In which case you'll need to use an extended access-list matching destination service ports from any source. Depending on what applications you want as critical you may need to tweak and test a few times. Remember to check ACLs to see if they're getting hits - proves the marker is working. Or use "show policy-map int atm0.1". This could take some time because the ports may be random, or you may need to match source ports.
 
Hopefully Option 1 is applicable as I am not shaping my traffic on service priority. Shaping it so that a host range has a set maximum.

Shall have a nose but my police hack job will work for now.

Could you perhaps post an example of tagging ALL packets on Vlan1 with a higher priority?
 
In terms of marking stuff on Vlan1 with a higher priority outbound, you'd simply need to split the class-maps in half and apply one to vlan1 marking everything with CS5, then the other one to vlan2 marking everything with CS1.
Outbound queueing and shaping on the atm0.1 will remain the same, obviously this is for outbound traffic only:


class-map match-all markCS5
 match access-group 102
class-map match-all markCS1
 match access-group 101
!
policy-map markVLAN1
 class markCS5
  set ip dscp cs5
!
policy-map markVLAN2
 class markCS1
  set ip dscp cs1
!
interface Vlan1
 ip address 1.1.1.1 255.0.0.0
 (etc)
 service-policy input markVLAN1
!
interface Vlan2
 ip address 2.2.2.2 255.0.0.0
 (etc)
 service-policy input markVLAN2



In terms of traffic coming back inbound, you will need to split your total available downstream bandwidth into two pieces across each Vlan interface. For example, with 8Mbps available download bandwidth, you may wish hosts on Vlan1 to have 7Mbps of bandwidth, and hosts on Vlan2 to have only 1Mbps of bandwidth inbound. To do this split the original QoS policy in half once again but across Vlan1 and 2 like so:

class-map match-all critical
 match ip dscp cs5
class-map match-all standard
 match ip dscp cs1
!
policy-map Vlan1_IN
 class critical
  ! adjustable value; class bandwidth is in kbps
  bandwidth 7000
  random-detect dscp-based
!
policy-map Vlan2_IN
 class standard
  ! adjustable value; kbps
  bandwidth 1000
  random-detect dscp-based
!
interface Vlan1
 bandwidth 7000
 ! the class reserves the whole 7000 kbps, above the default 75% limit
 max-reserved-bandwidth 100
 ip address 1.1.1.1 255.0.0.0
 (etc)
 service-policy input markVLAN1
 service-policy output Vlan1_IN
!
interface Vlan2
 bandwidth 1000
 ! the class reserves the whole 1000 kbps, above the default 75% limit
 max-reserved-bandwidth 100
 ip address 2.2.2.2 255.0.0.0
 (etc)
 service-policy input markVLAN2
 service-policy output Vlan2_IN



This will allow each Vlan interface to queue according to its own bandwidth statement (7Mbit or 1Mbit); once you start downloading like hell, CBWFQ will kick in and start randomly dropping packets and the rate will be enforced...

I haven't actually tried this method across two different SVIs on an 877 before so I'm not 100% sure it'll work, but it works on an 1841 so it should be ok...
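The `bandwidth`, `shape` and interface `bandwidth` statements in the nested policies earlier in the thread and in the per-VLAN split just shown use different units (class bandwidth and interface bandwidth in kbps, shape in bps), which is easy to get wrong when typing a config in from an example. As an added check that is not part of the thread or of IOS, this Python script parses those statements out of a running-config excerpt and reports where a child policy reserves more than its parent shaper can carry, or more than an interface's bandwidth statement allows (IOS reserves at most 75% of the interface by default, adjustable with `max-reserved-bandwidth`). The sample config is constructed from the snippets in this thread, with the unit mistake left in on purpose.

```python
"""Units lint for nested IOS CBWFQ/shaping policies. Added example, not the
thread's code; SAMPLE_CONFIG is constructed from the snippets in the thread."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_MAX_RESERVED = 0.75   # IOS max-reserved-bandwidth default: 75% of the interface

SAMPLE_CONFIG = """\
! constructed sample: class bandwidth typed in bps instead of kbps
policy-map qospolicyOUT
 class critical
  bandwidth 512000
  random-detect dscp-based
 class standard
  bandwidth 128000
  random-detect dscp-based
policy-map shaper
 class class-default
  shape peak 768000
  service-policy qospolicyOUT
policy-map Vlan1_IN
 class critical
  bandwidth 7000
policy-map Vlan2_IN
 class standard
  bandwidth 700
interface ATM0.1 point-to-point
 pvc 0/38
  service-policy output shaper
interface Vlan1
 bandwidth 7000
 service-policy output Vlan1_IN
interface Vlan2
 bandwidth 1000
 service-policy output Vlan2_IN
"""


@dataclass
class PolicyClass:
    bandwidth_kbps: Optional[int] = None   # `bandwidth <kbps>` (plain form only)
    shape_bps: Optional[int] = None        # `shape average|peak <bps>`
    child: Optional[str] = None            # nested `service-policy <name>`


@dataclass
class Interface:
    bandwidth_kbps: Optional[int] = None
    policies: List[Tuple[str, str]] = field(default_factory=list)   # (direction, name)


@dataclass
class Finding:
    level: str      # "error" or "warning"
    policy: str
    message: str


def parse_ios(config: str) -> Tuple[Dict[str, Dict[str, PolicyClass]], Dict[str, Interface]]:
    """Minimal indentation-aware parse of policy-map and interface blocks."""
    policies: Dict[str, Dict[str, PolicyClass]] = {}
    interfaces: Dict[str, Interface] = {}
    mode = cur = None
    cls: Optional[PolicyClass] = None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if not raw.startswith(" ") and tok[0] not in ("policy-map", "interface"):
            mode = None          # some other top-level block (class-map, access-list, ...)
            continue
        if tok[0] == "policy-map":
            mode, cur, cls = "policy", tok[1], None
            policies.setdefault(cur, {})
        elif tok[0] == "interface":
            mode, cur = "interface", tok[1]
            interfaces.setdefault(cur, Interface())
        elif mode == "policy" and tok[0] == "class":
            cls = policies[cur].setdefault(tok[1], PolicyClass())
        elif mode == "policy" and cls is not None:
            if tok[0] == "bandwidth" and len(tok) == 2 and tok[1].isdigit():
                cls.bandwidth_kbps = int(tok[1])
            elif tok[0] == "shape" and len(tok) >= 3 and tok[2].isdigit():
                cls.shape_bps = int(tok[2])
            elif tok[0] == "service-policy":
                cls.child = tok[-1]
        elif mode == "interface":
            if tok[0] == "bandwidth" and len(tok) == 2 and tok[1].isdigit():
                interfaces[cur].bandwidth_kbps = int(tok[1])
            elif tok[0] == "service-policy" and len(tok) == 3:
                interfaces[cur].policies.append((tok[1], tok[2]))
    return policies, interfaces


def reserved_kbps(classes: Dict[str, PolicyClass]) -> int:
    return sum(c.bandwidth_kbps or 0 for c in classes.values())


def lint(policies: Dict[str, Dict[str, PolicyClass]], interfaces: Dict[str, Interface]) -> List[Finding]:
    findings: List[Finding] = []
    # a child policy under a shaped class must fit inside the shape rate (bps -> kbps)
    for pname, classes in policies.items():
        for cname, pc in classes.items():
            if pc.child and pc.shape_bps:
                need = reserved_kbps(policies.get(pc.child, {}))
                have = pc.shape_bps // 1000
                if need > have:
                    findings.append(Finding("error", pc.child,
                        f"classes reserve {need} kbps but the parent shaper {pname}/{cname} "
                        f"is {have} kbps (bandwidth is kbps, shape is bps)"))
    # a policy attached directly to an interface is checked against its bandwidth statement
    for iname, intf in interfaces.items():
        for direction, pname in intf.policies:
            if direction != "output" or intf.bandwidth_kbps is None:
                continue
            need, cap = reserved_kbps(policies.get(pname, {})), intf.bandwidth_kbps
            if need > cap:
                findings.append(Finding("error", pname,
                    f"reserves {need} kbps on {iname}, which has bandwidth {cap} kbps"))
            elif need > cap * DEFAULT_MAX_RESERVED:
                findings.append(Finding("warning", pname,
                    f"reserves {need} of {cap} kbps on {iname}, above the default 75% "
                    f"max-reserved-bandwidth; raise it or lower the classes"))
    return findings


def lint_config(config: str) -> List[Finding]:
    return lint(*parse_ios(config))


if __name__ == "__main__":
    for f in lint_config(SAMPLE_CONFIG):
        print(f"{f.level:7} {f.policy}: {f.message}")
```

Feed it saved `show running-config` output instead of the embedded sample to check a real box. The ATM subinterface carries no bandwidth statement, so only the child nested under its shaper is checked there; the two Vlan policies are compared against their own `bandwidth` lines, which is where the 75% default bites when a class is meant to take the whole interface.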
 
Hmmm, I wonder if NBAR could be used in the class-map instead of standard/extended ACLs to ensure application performance regardless of which port the application in question is using....

One for Monday I think! Anyway, thanks for the config, definitely interesting.

Also, talking of 'Can't remember whether X happens before or after NAT' from one of your previous posts, do you by any chance know of a flow diagram style map of IOS functions?

For example, the following diagram for IPTables often used to help me when wondering why a configuration has made XYZ happen:

http://l7-filter.sourceforge.net/PacketFlow.png

Obviously IOS is a much bigger fish, but if there is one I'd very much like to prep the A1 printer! I think it would be useful for getting your head round more of the complex IOS features, especially when involving NAT into the mix.

//TrX
 
Was in the Didsbury Cisco office today, put a couple of feelers out regarding the IOS logic map, will let you know if anything comes of it.

//TrX
 