Traffic Shaping and Policing

Recently I had the opportunity to work with a customer that needed some help with traffic shaping and policing on their network. I had poked around in the past with this, trying to get guaranteed bandwidth for my VoIP phone, but the last time I checked, that setup no longer worked, so it was shelved until further notice. I just had to take care that when I was on the phone, I could not do any large downloads that would rob the bandwidth from my voice packets.

The customer gave me the impetus to re-learn Linux Traffic Control. The main tool offered to us is called tc, meaning traffic control. You can learn all about tc at the Linux Advanced Routing and Traffic Control website. I spent several hours there trying to remember all I had forgotten. I also looked around at several other websites with howtos on the matter, but it seemed that they were all pointing back to lartc.org anyway. I poked around long enough to understand the recipes in their cookbook and then wrote up a script of my own.

I wanted to have about 90kb/s of guaranteed bandwidth for VoIP and then some other high priority bandwidth for things like ICMP packets, TCP ACK packets, and other low-latency stuff (things that set the TOS field in the IP header). In other words, I wanted to be able to:

  1. Make sure my VoIP traffic gets through so I don't have choppy phone calls
  2. Perform uploads without killing my downloads (let the ACK packets through)
  3. Be able to type in an SSH session while doing a large download
  4. Not starve my VPN connection to work when the network is busy (no more 3-12 second latencies, please)
  5. Have fast ping times so I can brag to all my friends

Sounds like I am hoping for a miracle, right? Well, not really. Simply dividing the traffic into several classes and then giving each one a slice of the pie goes a long way toward the Well Tempered Network. I know the VoIP bandwidth, so that is easy. The rest I decided to split into quarters -- high priority gets at least 1/4 of the remaining bandwidth, medium priority gets the same, while bulk transfers and the rest of the stuff get anything that is left over (a little less than 1/2 the pipe).
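The split described above, written out as an added example (this is not the author's script): an HTB class tree with a VoIP class, a high class for ICMP, pure ACKs and low-delay TOS packets, a medium class, and a bulk default class. Assumed values are the interface eth0, a 1000 kbit/s uplink, a VoIP adapter at 192.168.1.50 and an OpenVPN-style tunnel on UDP 1194; HTB and SFQ are assumptions too, since the post only says the script follows the lartc cookbook.

```shell
#!/bin/sh
# Added example, not the author's script. Assumed values: egress interface
# eth0, 1000 kbit/s uplink, VoIP adapter at 192.168.1.50 (constructed), VPN on
# UDP 1194. HTB/SFQ are an assumption; the post only cites the lartc cookbook.
# Note: tc shapes outgoing packets only; downloads also need ingress policing.
DEV=${DEV:-eth0}
UPLINK=${UPLINK:-1000}   # total uplink rate, kbit/s (assumed)
VOIP=${VOIP:-90}         # guaranteed VoIP rate, kbit/s (from the post)
VOIP_HOST=${VOIP_HOST:-192.168.1.50}
VPN_PORT=${VPN_PORT:-1194}
DRY_RUN=${DRY_RUN:-1}    # 1 = print the tc commands, 0 = apply them (needs root)

# After VoIP, high and medium each get a quarter; bulk keeps what is left.
quarter_of_rest() { echo $(( ($1 - $2) / 4 )); }
bulk_rate() { q=$(quarter_of_rest "$1" "$2"); echo $(( $1 - $2 - 2 * q )); }

tc() { if [ "$DRY_RUN" = 1 ]; then echo "tc $*"; else command tc "$@"; fi; }

build_qos() {
  dev=$1; up=$2; voip=$3; host=$4; vpn=$5
  q=$(quarter_of_rest "$up" "$voip"); bulk=$(bulk_rate "$up" "$voip")
  tc qdisc del dev "$dev" root 2>/dev/null
  # Anything no filter claims falls into the bulk class 1:40.
  tc qdisc add dev "$dev" root handle 1: htb default 40
  tc class add dev "$dev" parent 1: classid 1:1 htb rate "${up}kbit"
  # 1:10 VoIP, 1:20 high, 1:30 medium, 1:40 bulk. Each class has a guaranteed
  # rate but may borrow up to the whole uplink (ceil) while others are idle.
  tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "${voip}kbit" ceil "${up}kbit" prio 0
  tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "${q}kbit" ceil "${up}kbit" prio 1
  tc class add dev "$dev" parent 1:1 classid 1:30 htb rate "${q}kbit" ceil "${up}kbit" prio 2
  tc class add dev "$dev" parent 1:1 classid 1:40 htb rate "${bulk}kbit" ceil "${up}kbit" prio 3
  # SFQ on each leaf so one flow cannot monopolise its class.
  for c in 10 20 30 40; do tc qdisc add dev "$dev" parent 1:$c handle $c: sfq perturb 10; done
  # VoIP: everything sent by the phone adapter (matched by address, not port).
  tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip src "$host"/32 flowid 1:10
  # High: ICMP, packets with TOS low-delay set (ssh sets it), and small TCP
  # segments carrying only the ACK flag (IHL 5, length < 64, flags byte 0x10).
  tc filter add dev "$dev" parent 1: protocol ip prio 2 u32 match ip protocol 1 0xff flowid 1:20
  tc filter add dev "$dev" parent 1: protocol ip prio 2 u32 match ip tos 0x10 0xff flowid 1:20
  tc filter add dev "$dev" parent 1: protocol ip prio 2 u32 match ip protocol 6 0xff \
     match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:20
  # Medium: the VPN tunnel, so it keeps a share when bulk transfers run.
  tc filter add dev "$dev" parent 1: protocol ip prio 3 u32 match ip dport "$vpn" 0xffff flowid 1:30
}

build_qos "$DEV" "$UPLINK" "$VOIP" "$VOIP_HOST" "$VPN_PORT"
```

Run it as-is to review the generated commands; set DRY_RUN=0 (as root) to apply them, and check the result with `tc -s class show dev eth0`.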

Without this QoS script, I am unable to do a large download (or upload) without killing my VoIP call, uploads kill downloads, ssh is very non-interactive, and pings sit in the 400-1100ms range. With this QoS script, I can do simultaneous large downloads and large uploads without hurting my VoIP call quality AND at the same time, ssh interactivity goes up (to the same as with no other traffic) and ping times fall in the 80-200ms range. VPN traffic seems to be better too, though sometimes it suffers from latencies beyond my control. I think this means I reached all my goals. I was very happy with it and thought it might be nice to share.