We'll use the following network...:
...and the following configuration:
ip access-list extended PRIORITY-IN
permit ip 192.168.1.0 0.0.0.255 any
permit ip any 192.168.1.0 0.0.0.255
deny ip any any
ip access-list extended SCAVENGER-IN
permit ip 192.168.2.0 0.0.0.255 any
permit ip any 192.168.2.0 0.0.0.255
deny ip any any
!
class-map match-any PRIORITY
match dscp af41
class-map match-any SCAVENGER
match dscp cs1
!
class-map match-any PRIORITY-IN
match access-group name PRIORITY-IN
class-map match-any SCAVENGER-IN
match access-group name SCAVENGER-IN
!
policy-map REMARK_ALL
class PRIORITY-IN
set dscp af41
class SCAVENGER-IN
set dscp cs1
policy-map EGRESS-SHAPER
class PRIORITY
shape average percent 70
class SCAVENGER
shape average percent 5
policy-map EGRESS-BANDWIDTH
class PRIORITY
bandwidth percent 70
class SCAVENGER
bandwidth percent 5
!
For my first test, I set up the policy-map, "EGRESS-SHAPER," on interface eth3/0 on both routers, and set up the "REMARK_ALL" service policy on the ingress interfaces (fa0/0 on both routers, and fa1/0 on R1):
interface FastEthernet0/0
service-policy input REMARK_ALL
!
interface FastEthernet1/0
service-policy input REMARK_ALL
!
interface Ethernet3/0
service-policy output EGRESS-SHAPER
!
Then, I set up iperf as a service on host "Knoppix" and ran iperf as a client on both Knoppix Clones, using the flags "-i 1 -t 120," finding that Knoppix Clone 1 could send data at a little over 5Mbps, and Knoppix Clone 2 sent data at about 500Kbps. I then re-ran the test using the service policy "EGRESS-BANDWIDTH," where I saw a transfer speed of just over 4Mbps for Knoppix Clone 1 and about 1 1/3Mbps for Knoppix Clone 2. That surprised me; I didn't really understand why my bandwidth decreased in class PRIORITY (Knoppix Clone 1) and increased in class SCAVENGER (Knoppix Clone 2). To understand what was happening, I did some more tests, using both TCP and UDP transfers ("-u -b 10M" for the flags to set a UDP test at up to 10Mbps), and with both hosts in contention for bandwidth as well as with the hosts transferring data one at a time (i.e., run iperf on Knoppix Host 1, and then running it on Knoppix Clone 2 after the test completed on Knoppix Clone 1). Here are the results from all of the tests:
Congested:
TCP:
Using EGRESS-SHAPER:
192.168.1.x: 5.15Mbps
192.168.2.x: 0.48Mbps
Using EGRESS-BANDWIDTH:
192.168.1.x: 4.16Mbps
192.168.2.x: 1.36Mbps
UDP:
Using EGRESS-SHAPER:
192.168.1.x: 3.07Mbps
192.168.2.x: 0.16Mbps
Using EGRESS-BANDWIDTH:
192.168.1.x: 2.8Mbps
192.168.2.x: 1.26Mbps
Uncongested:
TCP:
Using EGRESS-SHAPER:
192.168.1.x: 5.76Mbps
192.168.2.x: 0.50Mbps
Using EGRESS-BANDWIDTH:
192.168.1.x: 5.52Mbps
192.168.2.x: 5.51Mbps
UDP:
Using EGRESS-SHAPER:
192.168.1.x: 5.82Mbps
192.168.2.x: 0.47Mbps
Using EGRESS-BANDWIDTH:
192.168.1.x: 6.03Mbps
192.168.2.x: 6.14Mbps
What's happening here is that "shape average" tells the router to strictly allocate the specified amount of bandwidth to the various traffic classes. Even if more bandwidth is available through the interface, the allocated bandwidth is all that the traffic class will receive. When using the "bandwidth" statement, however, the router will allow the traffic classes to use all of the available bandwidth. Since class PRIORITY takes, well, priority over class SCAVENGER, when there is traffic in both traffic classes, class SCAVENGER will only receive the allocated bandwidth. However, when there is little or no priority traffic on the interface, the router will allow class SCAVENGER to "borrow" bandwidth from the other traffic classes in the service policy (in this case, class PRIORITY). Consequently, when there was no contention for bandwidth, class SCAVENGER can get the full data rate on the interface*.
*Q: Wait a minute! An Ethernet port runs at 10Mbps, but these results are showing about 6Mbps. What happened to the other 4Mbps?
A: Keep in mind that an Ethernet port runs at half duplex, meaning that the same copper wire is used for both transmit and receive. Therefore, the 10Mbps bandwidth available on the Ethernet port has to be shared between transmit and receive.**
**Q: Okay, so that explains why it's not 10Mbps, but in that case, shouldn't the data rate be lower, like 5Mbps?
A: If both sides were transmitting data at line rate, then yes. However, in this case the flow of data is mostly one-sided, especially with the UDP traffic, where there is no ACK being sent back to the two Knoppix Clones.***
***Q: In that case, should the data rate be higher?
A: The devil is in the details, and there are a lot of details to consider ;) "Customer" data isn't all that is flowing between R1 and R2. R1 and R2 are also sending their own data back and forth, for example, OSPF updates, CDP updates, etc. Consequently, while the flow of data between R1 and R2 is mostly one-sided, it's not completely one sided. If you REALLY want a good understanding of what's happening, replace R2 with the Knoppix host and run wireshark to capture the packets during a test. I'll leave that as an exercise for the reader ;)