
Shaper isn't shaping


OutOfHisElement

Programmer
Aug 16, 2006
17
CA
Working with a 2821 router, I can't get shaping to have any effect. Our service provider polices traffic to around 5.5Mbps and that's what I see, even when trying to shape to 500kbps.

Here is the interface:

Code:
interface GigabitEthernet0/1
 description LAN
 no ip address
 ip mask-reply
 no ip proxy-arp
 ip flow egress
 ip virtual-reassembly
 duplex full
 speed auto
 traffic-shape rate 500000 5000 5000 1000
 no mop enabled


There's a VLAN involved as well. Notice that I've tried to shape it as well:

Code:
interface Vlan1
 description DEFAULT
 ip address 192.168.40.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 traffic-shape rate 500000 5000 5000 1000

500kbps is just so that we notice the change.

And here's the results of show traffic-shape:

Code:
Interface   Gi0/1
       Access Target    Byte   Sustain   Excess    Interval  Increment Adapt
VC     List   Rate      Limit  bits/int  bits/int  (ms)      (bytes)   Active
-             500000    1250   5000      5000      10        625       -

Interface   Vl1
       Access Target    Byte   Sustain   Excess    Interval  Increment Adapt
VC     List   Rate      Limit  bits/int  bits/int  (ms)      (bytes)   Active
-             500000    1250   5000      5000      10        625       -

I've tried disabling CEF, disabling flow switching (with no ip route-cache flow), and everything else I can think of. Interestingly, show cef interface Gi0/1's output includes IP CEF Flow Fast switching turbo vector.

The funny thing is that we had it working on a test router and then someone decided to rework the UPSes in the rack.
 
Hello
Pay attention to the direction. You're shaping the traffic that's going up to the ISP, unless you have public servers on network the upload could be less than 500Kbps because it's just acknowledgements and stuff like that. Is the ISP giving you 5.5Mbps in down and up? Also post a "show traffic-shape statistics"

Regards
 
Thanks for the reply Minue.

The interface to the outside world is FastEthernet0/0/3. Gi0/1 is to the LAN. But yes, I did make that mistake yesterday.

Just for completeness, here's the configuration for FastEthernet0/0/3:

Code:
interface FastEthernet0/0/3
 description Supernet
 switchport mode trunk
 duplex full
 speed 10

There are two VLANs connected with that interface:

Code:
interface Vlan2
 ip address M.N.O.P 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly

interface Vlan4
 ip address W.X.Y.Z 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow

The results of show traffic-rate statistics are:

Code:
                  Acc. Queue Packets   Bytes     Packets   Bytes     Shaping
I/F               List Depth                     Delayed   Delayed   Active
Gi0/1                   0     1794      107640    0         0         no
Vl1                     0     3614      974831    234       121925    no

Very interesting.
 
Hello
As you can see the shaping is working. From the pieces of conf you posted your network design isn't very clear. If you need help with fine tuning the conf, you will have to post a scrubbed conf and explain more about the network.

Regards
 
I just tried spewing traffic the other direction with IPerf. It gets 5.28 Mb/s too.

I'll dump my whole config below, but let me describe my network in words here: This is for a small school with a gigabit LAN. On the Cisco 2821, GigabitEthernet0/1 connects to the school's LAN and uses the default VLAN (ie. 1). We connect to a government network via Vlan2 (for inter-school communication) and Vlan4 (to the outside world) through FastEthernet0/0/3. Pretty much everything else is disabled. The government network throttles traffic in both directions to 5.5Mb/s with policing. We're trying to more fairly share that bandwidth among users. Traffic shaping to avoid the policer is just the first step. CBWFQ is the goal.

I've inherited nine networks like this and am trying to get things in shape. I'm very open to suggestions, but my first priority right now is congestion management.

The configuration follows. Note that I have tried removing the ip route cache-flow lines from every interface as flow switching is supposed to be incompatible with shaping:

Code:
Using 9364 out of 245752 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname dwarf03
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
!
no aaa new-model
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
!
!
no ip bootp server
ip domain name domain.ca
ip name-server W.X.Y.Z
ip name-server K.L.M.N
ip ddns update method sdm_ddns1
 DDNS both
!
ip ddns update method sdm_ddns2
 DDNS both
!
!
!
!
crypto pki trustpoint TP-self-signed-XXXXXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXX
 revocation-check none
 rsakeypair TP-self-signed-XXXXXXXX
!
!
crypto pki certificate chain TP-self-signed-XXXXXXX
 certificate self-signed 01 nvram:IOS-Self-Sig#3939.cer
username mark privilege 15 secret 5 $1$-----------------
username derek privilege 15 secret 5 $1$----------------
username mitch privilege 15 secret 5 $1$----------------
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description DMZ
 ip address dhcp client-id GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description LAN
 no ip address
 ip mask-reply
 no ip proxy-arp
 ip flow egress
 ip virtual-reassembly
 ip route-cache flow
 duplex full
 speed auto
 no mop enabled
!
interface FastEthernet0/0/0
 description Unused
 switchport mode trunk
 duplex full
 speed 100
!
interface FastEthernet0/0/1
 description Unused
 switchport mode trunk
 duplex full
 speed 100
!
interface FastEthernet0/0/2
 description Unused
!
interface FastEthernet0/0/3
 description Supernet
 switchport mode trunk
 duplex full
 speed 10
!
interface Vlan1
 description DEFAULT
 ip address 192.168.40.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Vlan2
 ip address W.X.Y.Z 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Vlan4
 ip address K.L.M.N 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
interface Group-Async0
 physical-layer async
 no ip address
 encapsulation slip
 no group-range
!
ip route 0.0.0.0 0.0.0.0 Vlan4
ip route 10.0.0.0 255.0.0.0 Vlan2
ip route 192.0.0.0 255.255.255.0 Vlan2 permanent
ip route 192.168.0.0 255.255.0.0 Vlan2
ip route 192.168.40.0 255.255.255.0 Vlan1 permanent
ip route A.B.C.D 255.255.255.0 Vlan2
ip route E.F.G.H 255.255.255.240 GigabitEthernet0/1 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 3 interface Vlan4 overload
!
logging trap debugging
!
! access-list stuff deleted
!
snmp-server community public RO
no cdp run
route-map ; permit 10
!
!
!
control-plane
!
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 session-timeout 30
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
 
Hello
I don't know how well you know your network, but the interface GigabitEthernet0/1 can't use VLAN 1, because VLAN1 is part of HWIC-4ESW (VLAN1 is using interface FastEthernet0/0/3 because it's a Trunk). So this must be where the school's LAN is connected. Please clarify these facts before you can configure GTS properly.
It seems that you have removed the access-list for the NAT, can you please confirm this and that the router is Natting?
Try doing a "show int g0/1" to see if it is generating traffic, also if possible post a "show ip int brief" and "show int summ"

Regards

ps. Also what's the role of the DMZ on GigabitEthernet0/0? Could this be the LAN instead of G0/1?
 
Obviously, I don't know this network very well. I was assuming that it was set up how it is supposed to be.

The router is definitely NATing.

The role of the DMZ on GE0/0 is that it is unfinished and doing nothing useful. That may change today.

It looks like you are right about GE0/1 not being connected to the LAN. Looking at the statistics on the ports it looks like FE0/0/0 is connected to the LAN and FE0/0/3 is connected to our service provider. That must be the case, because GE0/1 doesn't even have an IP address assigned.

So the problem is that I was shaping the wrong ports. Nice.

Doing what I can remotely, it seems that shaping either operates differently on the FE ports (which are switched on this router), or doesn't operate at all. In any case, it is probably best to reconfigure things so that the Gigabit ports are connected to the LAN and DMZ as they can definitely use the bandwidth.

I'll be at the school in a couple of hours and can confirm my ignorance and mistakes then.
 
Hello
Yes! It would be better if you map out the network properly before you apply QOS. From the interface description I thought the FE0/0/0 was unused. Let me know if you find something about the traffic pattern.

Regards
 
Yup. That was the problem. Hilarious!

I reworked the router this morning, removed all the unused ports, and corrected the descriptions. Set up an ordinary generic shaper on the GigabitEthernet interface to the LAN and it works just as you'd expect.

On to CBWFQs.

Thanks Minue. I've slapped my head in your honour.
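
The check below is an added example, not code posted by anyone in the thread. It derives the `show traffic-shape` columns from the `traffic-shape rate` line and reads the statistics table posted earlier to flag a shaper that forwarded packets without ever delaying one; the function names and the `min_packets` threshold are assumptions.

```python
import re

# Output of "show traffic-shape statistics", copied from the thread above.
SAMPLE_STATS = """\
                  Acc. Queue Packets   Bytes     Packets   Bytes     Shaping
I/F               List Depth                     Delayed   Delayed   Active
Gi0/1                   0     1794      107640    0         0         no
Vl1                     0     3614      974831    234       121925    no
"""

def gts_parameters(config_line):
    """Derive the values `show traffic-shape` reports from a
    `traffic-shape rate <bps> <Bc bits> <Be bits>` config line."""
    m = re.match(r"\s*traffic-shape rate (\d+) (\d+) (\d+)", config_line)
    if not m:
        raise ValueError("expected traffic-shape rate with explicit burst sizes")
    rate, bc, be = map(int, m.groups())
    return {
        "interval_ms": bc * 1000 // rate,   # Tc = Bc / rate
        "increment_bytes": bc // 8,         # bytes credited every interval
        "byte_limit": (bc + be) // 8,       # largest burst, in bytes
    }

def parse_statistics(text):
    """Parse the statistics table; the access-list column may be blank."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # Data rows end in yes/no preceded by five counters; headers do not.
        if len(f) < 7 or f[-1] not in ("yes", "no"):
            continue
        if not all(x.isdigit() for x in f[-6:-1]):
            continue
        depth, pkts, byts, dpk, dby = map(int, f[-6:-1])
        rows.append({"iface": f[0], "queue_depth": depth, "packets": pkts,
                     "bytes": byts, "packets_delayed": dpk,
                     "bytes_delayed": dby, "active": f[-1] == "yes",
                     # Small averages suggest no bulk traffic on the port.
                     "avg_bytes": byts // pkts if pkts else 0})
    return rows

def idle_shapers(rows, min_packets=1000):
    """Interfaces whose shaper saw traffic but never delayed a packet,
    i.e. candidates for 'shaper is on the wrong port'."""
    return [r["iface"] for r in rows
            if r["packets"] >= min_packets and r["packets_delayed"] == 0]

if __name__ == "__main__":
    print(gts_parameters(" traffic-shape rate 500000 5000 5000 1000"))
    print(idle_shapers(parse_statistics(SAMPLE_STATS)))
```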
 
Or star him and THEN slap yourself in the head.

Then star myself and Clue for the hell of it, just because we're awesome.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 