Low latency queueing over Tunnel interfaces

Maybe this document will help.

Thanks, KK

Scooty wrote:

OK.

This really, really works. I have been hacking at this for about a year and finally, recently, I got it to actually work. One problem is that the behaviour varies between platforms. To me this is not at all documented on CCO.

The following does work on a 2801 and does not work on an 837. It looks like it will work on an 877/878. It does not work on an 857.

Shapes then priority queues.

class-map match-any ClM.voice match dscp ef match dscp cs3 match access-group name ACL.voice.sources ! above line is hack since our QoS is not really OK, ! ! policy-map PM.450000.child class ClM.voice priority 200 ! 200kbps for voice set dscp ef ! We need to set the DSCP values for pkts that ! are not already set since once it is in the GRE then IPSEC ! tunnel we cannot match by address. policy-map PM.450000.parent class class-default shape average 450000 ! this is for a 512k ADSL. //BE CONSERVATIVE// !! 256k link is OK with 210000 but gets wrecked with 220000. service-policy PM.450000.child

interface Tunnel17000 ip address 172.19.6.1 255.255.255.252 service-policy output PM.450000.parent

The above tunnel is over an ADSL with 512k bps.

The plan is to shape the traffic so that the ADSL can handle it when it gets there and then to prioritise voice traffic within that limit.

Here is some stuff I wrote the other day - It is the whole thing, proven test results everything. QoS over tunnels really works.

We can control the behaviour of a slow interface (say an ADSL) with/from a tunnel.

This works on a 2801 by the way: (yes really really works)

Not on 837:-(

flash:c2800nm-advipservicesk9-mz.124-8.bin

class-map match-any ClM.voice match dscp ef match dscp cs3 match access-group name ACL.voice.sources ! dscp not working correctly so use addresses ! should do something for ospf too.

!Hierarchical policy maps:

policy-map PM.450000.child class ClM.voice priority 200 set dscp ef ! set DSCP so that tunnel and crypto traffic can be matched.

policy-map PM.450000.parent class class-default shape average 450000 ! FIRST shape to 512k (inc crypto) service-policy PM.450000.child ! SECOND do priority queuing as defined in ...child.

interface Tunnel17000 ip address 172.17.6.1 255.255.255.252 ip access-group ACL.block.home-home in ip mtu 1400 ! We do crypto later, avoid double fragmentation. ip tcp adjust-mss 1360 ip ospf cost 1 load-interval 30 keepalive 7 3 ! for management but choose timer to bring down OSPF ! to avoid interference with ospf hello timer ! WHY NOT try to keep clear of bugs? tunnel source FastEthernet0/0 tunnel destination x.x.x.x service-policy output PM.450000.parent

vpn1#sh policy-map int tu 17000 Tunnel17000 Service-policy output: PM.450000.parent ! SHAPING Class-map: class-default (match-any) 813489 packets, 268760589 bytes 30 second offered rate 1000 bps, drop rate 0 bps Match: any Traffic Shaping

Target/Average Byte Sustain Excess Interval Increment Rate Limit bits/int bits/int (ms) (bytes) 450000/450000 2700 10800 10800 24 1350

Adapt Queue Packets Bytes Packets Bytes Shaping Active Depth Delayed Delayed Active - 0 813093 249714100 174677 137403351 no ! not at present

Service-policy : PM.450000.child ! PRIORITY QUEUING

Class-map: ClM.voice (match-any) 261799 packets, 54848070 bytes 30 second offered rate 0 bps, drop rate 0 bps

Match: dscp ef (46) 0 packets, 0 bytes 30 second rate 0 bps

Match: dscp cs3 (24) 0 packets, 0 bytes 30 second rate 0 bps

Match: access-group name ACL.voice.sources 261799 packets, 54848070 bytes 30 second rate 0 bps

Queueing Strict Priority Output Queue: Conversation 40 Bandwidth 200 (kbps) Burst 5000 (Bytes) (pkts matched/bytes matched) 74935/15218890 (total drops/bytes drops) 0/0 QoS Set dscp ef Packets marked 245666

Class-map: class-default (match-any) 551690 packets, 213912519 bytes 30 second offered rate 1000 bps, drop rate 0 bps Match: any

Using: shape average 200000 on our end since we are limited in this case by the 256k upload chez moi.

No load

H:\\>ping 172.17.7.192

Pinging 172.17.7.192 with 32 bytes of data: Reply from 172.17.7.192: bytes=32 time=26ms TTL=250 Reply from 172.17.7.192: bytes=32 time=28ms TTL=250 Reply from 172.17.7.192: bytes=32 time=24ms TTL=250 Reply from 172.17.7.192: bytes=32 time=27ms TTL=250

10 of these ought to fill it up. H:\\>start cmd /c fping 172.17.7.192 -i -s 1300 -n 10000 -t 0 H:\\>start cmd /c fping 172.17.7.192 -i -s 1300 -n 10000 -t 0 H:\\>start cmd /c fping 172.17.7.192 -i -s 1300 -n 10000 -t 0 H:\\>start cmd /c fping 172.17.7.192 -i -s 1300 -n 10000 -t 0 H:\\>start cmd /c fping 172.17.7.192 -i -s 1300 -n 10000 -t 0 H:\\>start cmd /c fping 172.17.7.192 -i -s 1300 -n 10000 -t 0 H:\\>start cmd /c fping 172.17.7.192 -i -s 1300 -n 10000 -t 0 H:\\>start cmd /c fping 172.17.7.192 -i -s 1300 -n 10000 -t 0 H:\\>start cmd /c fping 172.17.7.192 -i -s 1300 -n 10000 -t 0 H:\\>start cmd /c fping 172.17.7.192 -i -s 1300 -n 10000 -t 0

And full it is :-)

Reply[217] from 172.17.7.192: bytes=1300 time = 555 ms TTL=250 Reply[218] from 172.17.7.192: bytes=1300 time = 524 ms TTL=250 Reply[219] from 172.17.7.192: bytes=1300 time = 552 ms TTL=250 Reply[220] from 172.17.7.192: bytes=1300 time = 527 ms TTL=250 Reply[221] from 172.17.7.192: bytes=1300 time = 552 ms TTL=250 Reply[222] from 172.17.7.192: bytes=1300 time = 558 ms TTL=250 Reply[223] from 172.17.7.192: bytes=1300 time = 530 ms TTL=250 Reply[224] from 172.17.7.192: bytes=1300 time = 545 ms TTL=250 Reply[225] from 172.17.7.192: bytes=1300 time = 555 ms TTL=250 Reply[226] from 172.17.7.192: bytes=1300 time = 556 ms TTL=250 Reply[227] from 172.17.7.192: bytes=1300 time = 526 ms TTL=250

Ping from VOICE VLAN C:\\>ping 172.17.7.192 -t Pinging 172.17.7.192 with 32 bytes of data: Reply from 172.17.7.192: bytes=32 time=82ms TTL=251 Reply from 172.17.7.192: bytes=32 time=78ms TTL=251 Reply from 172.17.7.192: bytes=32 time=39ms TTL=251 Reply from 172.17.7.192: bytes=32 time=78ms TTL=251

PERFECTO!!! Or even better?

In action:-

vpn1#sh policy-map int tu 17000 Tunnel17000 Service-policy output: PM.450000.parent Class-map: class-default (match-any) 821618 packets, 276772681 bytes 30 second offered rate 200000 bps, drop rate 0 bps Match: any Traffic Shaping Target/Average Byte Sustain Excess Interval Increment Rate Limit bits/int bits/int (ms) (bytes) 200000/200000 2000 8000 8000 40 1000

Adapt Queue Packets Bytes Packets Bytes Shaping Active Depth Delayed Delayed Active - 9 821214 257523298 181177 144980711 yes

Service-policy : PM.450000.child

Class-map: ClM.voice (match-any) 261923 packets, 54857194 bytes 30 second offered rate 0 bps, drop rate 0 bps Match: dscp ef (46) 0 packets, 0 bytes 30 second rate 0 bps Match: dscp cs3 (24) 0 packets, 0 bytes 30 second rate 0 bps Match: access-group name ACL.voice.sources 261923 packets, 54857194 bytes 30 second rate 0 bps Queueing Strict Priority Output Queue: Conversation 40 Bandwidth 200 (kbps) Burst 5000 (Bytes) (pkts matched/bytes matched) 75002/15223866 (total drops/bytes drops) 0/0 QoS Set dscp ef Packets marked 245790

Class-map: class-default (match-any) 559695 packets, 221915487 bytes 30 second offered rate 199000 bps, drop rate 0 bps Match: any vpn1#

There are no drops since I am using ping to generate the test traffic and we are just waiting for the return traffic to come back before we send anything else.

Crap I know but it's what there is right now.

Now add a voice call:- (G.711 codec)

RTT doubles

Reply[947] from 172.17.7.192: bytes=1300 time = 995 ms TTL=250 Reply[948] from 172.17.7.192: bytes=1300 time = 1000 ms TTL=250 Reply[949] from 172.17.7.192: bytes=1300 time = 980 ms TTL=250 Reply[950] from 172.17.7.192: bytes=1300 time = 1002 ms TTL=250 Reply[951] from 172.17.7.192: bytes=1300 time = 1004 ms TTL=250 Reply[952] from 172.17.7.192: bytes=1300 time = 980 ms TTL=250 Reply[953] from 172.17.7.192: bytes=1300 time = 1021 ms TTL=250 Reply[954] from 172.17.7.192: bytes=1300 time = 996 ms TTL=250 Reply[955] from 172.17.7.192: bytes=1300 time = 981 ms TTL=250 Reply[956] from 172.17.7.192: bytes=1300 time = 1014 ms TTL=250 Reply[957] from 172.17.7.192: bytes=1300 time = 966 ms TTL=250 Reply[958] from 172.17.7.192: bytes=1300 time = 1010 ms TTL=250 Reply[959] from 172.17.7.192: bytes=1300 time = 996 ms TTL=250

PING RTT unchanged by adding voice call

C:\\>ping 172.17.7.192 -t

Pinging 172.17.7.192 with 32 bytes of data:

Reply from 172.17.7.192: bytes=32 time=89ms TTL=251 Reply from 172.17.7.192: bytes=32 time=91ms TTL=251 Reply from 172.17.7.192: bytes=32 time=91ms TTL=251 Reply from 172.17.7.192: bytes=32 time=92ms TTL=251 Reply from 172.17.7.192: bytes=32 time=93ms TTL=251 Reply from 172.17.7.192: bytes=32 time=95ms TTL=251

vpn1#sh policy-map int tu 17000 Tunnel17000

Service-policy output: PM.450000.parent

Class-map: class-default (match-any) 829781 packets, 282801361 bytes 30 second offered rate 201000 bps, drop rate 0 bps Match: any Traffic Shaping Target/Average Byte Sustain Excess Interval Increment Rate Limit bits/int bits/int (ms) (bytes) 200000/200000 2000 8000 8000 40 1000

Adapt Queue Packets Bytes Packets Bytes Shaping Active Depth Delayed Delayed Active - 15 829370 263354478 189333 150811891 yes

Service-policy : PM.450000.child

Class-map: ClM.voice (match-any) 265516 packets, 55656742 bytes 30 second offered rate 82000 bps, drop rate 0 bps Match: dscp ef (46) 0 packets, 0 bytes 30 second rate 0 bps Match: dscp cs3 (24) 0 packets, 0 bytes 30 second rate 0 bps Match: access-group name ACL.voice.sources 265516 packets, 55656742 bytes 30 second rate 82000 bps Queueing Strict Priority Output Queue: Conversation 40 Bandwidth 200 (kbps) Burst 5000 (Bytes) (pkts matched/bytes matched) 78595/15937266 (total drops/bytes drops) 0/0 QoS Set dscp ef Packets marked 249383

Class-map: class-default (match-any) 564265 packets, 227144619 bytes 30 second offered rate 117000 bps, drop rate 0 bps Match: any

########################################### # Has anyone managed to get crypto queuing working? # I set it all up but there is no actual queuing? ###########################################