Traffic Policing vs. Traffic Shaping
One of the 'hot' topics when studying Quality of Service (QoS) is Traffic Policing versus Traffic Shaping. In this article, we will look at these QoS features individually, compare them, and also see how they are used in the real world.
Network Quality
There are four major factors that affect the quality of a network:
- Bandwidth: The most familiar factor of a network is the bandwidth, which is a measure of the capacity available on a network link, i.e. the size of a link. It is usually measured in bits per second (bps).
- Delay: Also known as latency, delay deals with how long it takes for a packet to get from the sender to the receiver. Of course, the greater the delay, the slower the network "seems". Delay is usually measured in milliseconds (ms).
- Jitter: This is a measure of the variation in delay between packets. For example, if a packet takes 30ms to get from point A to point B (that is delay), and another packet takes 40ms to get from the same point A to point B, then the jitter is 10ms (i.e. 40ms – 30ms).
- Loss: As packets 'fly' through a network, some of them can get lost, i.e. not get to their destination.
Note: Bandwidth is not necessarily the same thing as speed even though both terms are sometimes used interchangeably. You can read this article to learn more about the subtle difference.
To keep our discussion simple, we will look at how these factors affect two broad categories of networks – Local Area Networks (LANs) and Wide Area Networks (WANs):
- Devices on a LAN are usually in close proximity to each other while the devices that make up a WAN are typically in different geographical areas and more than a few km apart. This means that you typically don't have to worry about delay/jitter on a LAN but these factors must be considered on a WAN, especially for delay-sensitive applications like Voice.
- A LAN is usually under the control of the organization and they can build the network to their liking, usually at a lower cost than a WAN where they (usually) have to go through a 3rd-party service provider. This means that bandwidth is more readily available on a LAN (at lower cost) than over a WAN where you typically get what you pay for.
From these two points, it is clear that a WAN is more susceptible to being affected by these four factors than a LAN and that is why most discussions about improving the quality of a network focus on the WAN.
This brings us to the topic of Quality of Service (QoS). With QoS, the goal is to ensure that important applications (as defined by the user) get the best service on the network, usually at the expense of less important applications. For example, since voice does not handle delay well, any voice packet that arrives at the WAN edge should be sent first even if there were other packets that arrived before that voice packet.
Note: QoS can also be applied on a LAN, especially for voice traffic. However, a small to medium-sized LAN that is properly built and not oversubscribed will usually not require QoS features.
Two QoS features that are commonly applied at the WAN edge are Traffic Policing and Traffic Shaping. We will now look at these topics individually.
Traffic Policing
One of the most important duties of the police force is to maintain law and order. If you as a citizen abide by (conform to) the rules, you usually have nothing to worry about. However, if you are found violating a rule, there is usually a repercussion.
In the same way, Traffic Policing is about performing an action (typically transmit/pass) on packets that conform to a specified rate and performing another action (typically drop) on packets that violate that rate.
Now let's take it a step further in technical understanding. When an organization goes to an ISP for, say, an Internet service, the ISP can deliver this service through several kinds of physical infrastructure including fiber, radio, VSAT, etc. Let us assume the ISP uses fiber in this case and the organization only wants to buy a 5Mbps service. How does the ISP ensure that the organization only gets what they pay for (5Mbps) even though the physical fiber connection to the organization can support far more speed (e.g. 100Mbps)? This is one of the uses of Traffic Policing. The ISP will have a contract with the organization that says anything outside 5Mbps will be dropped, and this will be implemented using traffic policing on the ISP side.
From our example, we can highlight a few technical terms:
- The 5Mbps is known as the Committed Information Rate (CIR), which is the average speed that the ISP guarantees the client.
- The maximum rate that the physical medium (e.g. the fiber) can transmit at is known as the Access Rate (AR).
- There's also something called the Committed Burst (Bc), which defines the amount of traffic (usually in bytes) that can be sent as a group without causing any violations or exceeding the CIR.
Cisco's implementation of Traffic Policing
To further understand how traffic policing works, let us consider how Cisco implements this feature on their devices. Cisco uses a token bucket metaphor for both traffic policing and shaping. From a high level, this is how it works:
- A token can be "spent" and can be thought of as the right to send a certain amount of traffic. In traffic policing, one token represents one byte of traffic.
- Tokens are deposited into the bucket at a certain rate – we will discuss this rate later.
- When packets come in, the policer will check that there are enough tokens in the bucket to send that traffic.
- If there are enough tokens in the bucket to send the packet, then that packet conforms and is sent out. The appropriate number of tokens is taken out of the bucket. For example, if there are 1000 tokens in the bucket and a packet of 514 bytes comes in, that traffic conforms and is sent out. Also, 514 tokens are "spent" and removed from the bucket.
- If there aren't enough tokens in the bucket, the packet exceeds and is usually dropped (or reclassified depending on the configuration). No tokens are taken from the bucket.
- The bucket can fill up, i.e. more tokens arrive than the bucket can hold. In this case, the extra tokens are either discarded or put in a second bucket that holds the excess.
The rate at which tokens are replenished within the bucket is based on the following formula:
Note: The reason you divide by 8 bits is to convert it to bytes since tokens (in policing) are measured in bytes.
Let's take an example. Imagine that an ISP has an agreement of 16Kbps with their customer and has said that the customer can send 1500 bytes in a single burst. This means that we have the following:
- CIR = 16Kbps = 16000bps
- Bc = 1500 bytes.
Now, if a 514-byte packet comes in, it conforms because the bucket starts full with 1500 tokens, and 514 tokens are taken out of the bucket. The bucket now has 986 tokens left (1500 – 514). If another packet arrives 150ms (i.e. 0.15sec) later, the bucket is replenished with:
This means that the bucket will now have (986+300) tokens, i.e. 1286 tokens. If the packet that arrived is less than or equal to 1286 bytes, then it conforms and it is sent out. However, if that packet is, say, 1300 bytes, it exceeds and the exceed action is taken (e.g. dropped).
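The token-bucket check described above, written out as a small simulation (an added example, not code from the article or from Cisco). The refill rule, elapsed seconds × CIR / 8, is inferred from the article's 300-token figure; the optional `be` bucket models the second bucket for excess tokens using the single-rate three-colour scheme, which is an assumption, and the names `Policer`, `offer` and `classify` are hypothetical.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Policer:
    """Token-bucket policer: one token is one byte, as in the article."""
    cir_bps: int      # committed information rate (bits per second)
    bc: int           # committed burst: size of the main bucket (bytes)
    be: int = 0       # size of the optional second bucket for excess tokens (bytes)
    last_ms: int = 0  # arrival time of the previous packet (milliseconds)

    def __post_init__(self):
        self.tc = Fraction(self.bc)   # both buckets start full
        self.te = Fraction(self.be)

    def _refill(self, now_ms):
        # Assumed refill rule: elapsed seconds * CIR / 8 bytes (exact arithmetic).
        new = Fraction((now_ms - self.last_ms) * self.cir_bps, 8000)
        self.last_ms = now_ms
        spill = max(Fraction(0), self.tc + new - self.bc)  # main bucket overflow
        self.tc = min(Fraction(self.bc), self.tc + new)
        self.te = min(Fraction(self.be), self.te + spill)  # discarded when be == 0

    def offer(self, now_ms, size):
        """Return the verdict for a packet of `size` bytes arriving at now_ms."""
        self._refill(now_ms)
        if size <= self.tc:
            self.tc -= size
            return "conform"
        if size <= self.te:
            self.te -= size
            return "exceed"
        # Out of tokens: nothing is spent. With a single bucket this is the
        # article's "exceed"; with two buckets it is a violation.
        return "violate" if self.be else "exceed"


def classify(policer, trace):
    """Run a constructed trace of (arrival_ms, size_bytes) through the policer."""
    return [policer.offer(t, size) for t, size in trace]


if __name__ == "__main__":
    # Article's numbers: CIR 16 kbps, Bc 1500 bytes, second packet 150 ms later.
    print(classify(Policer(16000, 1500), [(0, 514), (150, 1300), (150, 1286)]))
    # Constructed burst of four 1500-byte packets against Bc 1500 / Be 3000.
    print(classify(Policer(16000, 1500, 3000), [(0, 1500)] * 4))
```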
Lab: Traffic Policing in GNS3
Let us implement this example in GNS3 and see what happens. The lab setup is as shown below:
The "HOST" is actually just a Cisco router with a changed symbol. We will implement Traffic Policing on the ISP_RTR and the configuration is as follows:
ip access-list extended CUST_ACL
 permit ip 172.16.1.0 0.0.0.255 any
!
class-map match-all CUST_CMAP
 match access-group name CUST_ACL
!
policy-map CUST_PMAP
 class CUST_CMAP
  police cir 16000 bc 1500
!
interface FastEthernet0/0
 ip address 192.1.2.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 service-policy input CUST_PMAP
!
ip route 172.16.1.0 255.255.255.0 192.0.2.2
!
In the configuration above, traffic from 172.16.1.0/24 is matched in a class map called CUST_CMAP. A CIR of 16000 and Bc of 1500 is then applied to this class map under a policy map called CUST_PMAP. The policy map is then applied inbound on the Fa0/1 interface.
We can view this configuration using the show policy-map command:
As you can see, the conform-action of "transmit" and the exceed-action of "drop" have been applied by default. We can also use the show policy-map interface command to view the status of our traffic policing:
Let's test this. We will ping from the HOST to the SERVER. To see the policing in action, we will increase the ping packet size and also the number of ping packets.
As you can see, some packets were dropped. We can check the ISP_RTR to see why this happened:
Traffic Shaping
While traffic policing is about dropping or reclassifying packets, traffic shaping tries to make traffic conform to a certain rate by delaying the packets in a buffer and sending them out as "space" becomes available.
For example, if the ISP is using traffic policing to ensure that their client's traffic does not go past 5Mbps, the customer can use traffic shaping on their side to make sure that all their traffic conforms to the 5Mbps rate even before getting to the ISP. The reason to do this is that once excess traffic gets to the ISP, it will be dropped. Instead, it will be more beneficial to delay the packets on their side to avoid dropping.
Cisco's implementation of Traffic Shaping
Similar to Traffic Policing, Traffic Shaping as implemented by Cisco also uses a token bucket metaphor as follows:
- A token can be "spent" and can be thought of as the right to send a certain amount of traffic. In traffic shaping, one token represents one bit of traffic.
- Tokens are deposited into the bucket at a certain rate – we will discuss this rate later.
- When packets come in, the shaper will check that there are enough tokens in the bucket to send that traffic.
- If there are enough tokens in the bucket to send the packet, then that packet is sent out.
- If there aren't enough tokens in the bucket, the packet will be delayed until there are enough tokens to send that traffic out.
- The bucket can fill up, i.e. more tokens arrive than the bucket can hold. In this case, the extra tokens are either discarded or put in a second bucket that holds the excess.
When discussing traffic shaping, tokens are added at certain time intervals (Tc) using the formula:
However, the real question is, "How do you ensure a certain CIR by delaying packets?" For example, let's say we have a 256Kbps physical interface. That interface will always send traffic at 256Kbps – you cannot physically slow down that rate. This means that over a period of 1 sec, a 256Kbps interface will theoretically send 256,000 bits of data.
So let's assume you want to make sure that only 64Kbps is sent over that link. How can you make a 256Kbps interface send, say, 64,000 bits over a period of 1 second instead? What you can do is break 1 second down into intervals (Tc) and only send a certain number of bits during each interval.
For example, if our time interval is 125 msec, it means we are dividing 1 second into 8 parts. To be able to send 64,000 bits over 1 second using 8 intervals, it means we must send 8,000 bits every interval (i.e. 64,000 / 8 = 8,000).
However, since the interface can physically send 32,000 bits every 125 msec (i.e. 256,000/8), it means that to achieve 8,000 bits per interval, we must only send at Access Rate for 31.25 msec every interval, i.e. [(8,000/32,000) * 125 msec].
From this example, 8,000 bits is our Bc required to maintain a CIR of 64Kbps over a period of 1 second, at a 125 msec time interval. We can also calculate Bc using the formula above, i.e. Bc = Tc * CIR.
Note: Remember that while Tc is usually expressed in msec, when used in that calculation, it is converted to seconds. For example, 125 msec is 0.125 second.
So in the case of traffic shaping and using our example, if a packet of 514 bytes (which is 4112 bits) arrives at time 0sec, it will be sent without any delay because there are enough tokens (8000 bits) in the bucket. However, if another 514-byte packet arrives within the same time interval, that packet will be delayed until the next interval.
One more term we will talk about before going back to our lab is the Excess Burst (Be). Basically, it's the ability to store up tokens that you did not use during a time interval. For example, if I didn't send any packet during the 250ms time interval, I can send up to (Bc + Be) during the next interval:
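The interval arithmetic and the Be rule above as an added simulation, not code from the article or from Cisco: tokens are bits, Bc bits are credited at every Tc boundary, and unused credit is kept up to Bc + Be. It assumes a bucket holding Bc at time 0, FIFO order and zero serialization time; `shape` and its parameters are hypothetical names.

```python
from fractions import Fraction


def shape(packets, cir_bps, bc_bits, be_bits=0):
    """Delay FIFO packets [(arrival_ms, size_bytes)] so they conform to the CIR.

    Returns [(arrival_ms, departure_ms)]. One token is one bit.
    """
    tc_ms = Fraction(bc_bits * 1000, cir_bps)   # Tc, from Bc = Tc * CIR
    cap = bc_bits + be_bits                     # most credit the bucket can hold
    tokens, credited, clock = bc_bits, 0, Fraction(0)
    result = []
    for arrival_ms, size_bytes in packets:
        bits = size_bytes * 8
        if bits > cap:
            # Limit of this model: such a packet would wait forever.
            raise ValueError(f"{size_bytes}-byte packet exceeds Bc + Be")
        clock = max(clock, Fraction(arrival_ms))  # FIFO: never overtake
        while True:
            due = clock // tc_ms                  # interval boundaries reached
            if due > credited:
                tokens = min(cap, tokens + (due - credited) * bc_bits)
                credited = due
            if tokens >= bits:
                break
            clock = (credited + 1) * tc_ms        # hold until the next boundary
        tokens -= bits
        result.append((arrival_ms, float(clock)))
    return result


if __name__ == "__main__":
    # Article's numbers: CIR 64 kbps, Bc 8000 bits (Tc = 125 ms), 514-byte packets.
    print(shape([(0, 514), (10, 514)], 64000, 8000))
    # Constructed: link idle for two intervals, then three packets at 250 ms.
    burst = [(250, 514)] * 3
    print(shape(burst, 64000, 8000))         # no Be: one packet per interval
    print(shape(burst, 64000, 8000, 8000))   # Be 8000: stored credit is spent
```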
Lab: Traffic Shaping in GNS3
Using the same lab as in traffic policing above, let us configure traffic shaping on all traffic leaving EDGE_RTR to conform to the 16Kbps CIR and a Bc of 1500 bytes (or 12,000 bits):
policy-map SHAPE_PMAP
 class class-default
  shape average 16000 12000 0
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.0.2.2 255.255.255.0
 service-policy output SHAPE_PMAP
!
ip route 192.1.2.0 255.255.255.0 192.0.2.1
!
In this case, I have used the default class map called "class-default" that matches all traffic that is not explicitly matched by another class map. Also notice that I have applied the policy map in the outbound direction. On Cisco devices, traffic shaping can only be applied outbound. Finally, I have explicitly configured the CIR, Bc, and Be values. However, if you only specify the CIR, the Cisco software will automatically calculate the Bc and Be values.
We can view our configuration using the show policy-map command:
We can also view the status of our traffic shaping using the show policy-map interface command:
As you can see, some packets have already been matched because we are using the class-default class map. Let's now initiate our ping from HOST to SERVER:
Compared to the result for traffic policing (84% success rate), we have a better success rate here. However, also notice that the average round-trip time has gone up to 230ms from 136ms when we did it with traffic policing. This tells us that some packets are being delayed. We can confirm this using the show policy-map interface command:
Note: In this case, we still lost packets. A better option will be to use a CIR less than (e.g. 80-85% of) the one the ISP is using so that shaping takes place before it hits that CIR. By changing my CIR to 12800 (80% of 16000) and keeping my Bc at 12000, I was able to get 100% success rate.
In our labs so far, we have not used the Be value. If you want to enable this value, there are certain things to keep in mind:
- If you enable Be on your traffic shaping policy, you need to make sure that it is also enabled on the traffic policing side.
- The maximum number of bits that can be sent during one time interval in traffic shaping is Bc+Be.
- On the traffic policing side, every packet will be compared to either the Bc value (conformed) or Be value (exceeded). This means that the Be you configure on the traffic policing side must be at least equal to the Bc+Be value you configured on the traffic shaping side.
- By enabling Be, you now have three states a packet can be in: conformed (<=Bc), exceeded (<=Be), violated (>Be). You can configure an action for each state, e.g. transmit, reclassify+transmit, drop.
So for example, if we have the following traffic shaping policy:
- CIR = 16000bps
- Bc = 12000 bits
- Be = 12000 bits
Then the corresponding traffic policing policy will be (or cannot be less than):
- CIR = 16000bps
- Bc = 1500 bytes (i.e. 12000 bits/8)
- Be = 3000 bytes (i.e. shaping Bc+Be)
Let us change the configuration on our devices to match these settings. On EDGE_RTR, the new policy map will be:
policy-map SHAPE_PMAP
 class class-default
  shape average 16000 12000 12000
!
On ISP_RTR, the configuration becomes:
policy-map CUST_PMAP
 class CUST_CMAP
  police cir 16000 bc 1500 be 3000 conform-action transmit exceed-action set-dscp-transmit default violate-action drop
!
For the policing, we are transmitting packets that conform, transmitting packets that exceed but reclassifying them to a lower DSCP value (Best Effort), and dropping all packets that violate.
With this new configuration, let us test again by pinging from HOST to SERVER:
We can check the output of the show policy-map interface command on both EDGE_RTR and ISP_RTR:
As you can see, even though some of those packets exceeded, they were still transmitted without issues. You can play around with higher ping packet sizes till you find the one that causes a violation.
Conclusion
This brings us to the end of this article where we have looked at two QoS features that are often used in a complementary manner. While traffic policing is usually used to enforce a hard rate limit, traffic shaping is used to conform to that rate limit by delaying packets in a buffer.