Solution: Bandwidth+Police actions in CB-WFQ

Most of the respondents to my last week’s challenge got it almost right. The minor (common) error was the assumption that police rate percent 50 would result in a TCP session getting 50% of the bandwidth. Eyal got that right: the TCP throughput is always significantly lower than that due to frequent drops caused by low burst sizes assumed by the police command and resulting TCP restarts (the most I was able to push through was around 90 kbps; half of the bandwidth would be 128 kbps).

Many respondents got the third case (bandwidth class, police class and default-class all active at the same time) wrong. Vaidotas was guessing in the right direction and Petr knows the correct answer, but did not want to spoil the fun. Here’s the surprising result: the bandwidth class gets almost all the bandwidth. Sometimes the TCP sessions in other classes wouldn’t even start.

To understand that behavior, we’d need to go deep into the bowels of Weighted Fair Queuing. Topic for another blog post… in the meantime I found an old article by Petr Lapukhov on Internet Archive.


If a single class in an outbound service-policy uses the bandwidth action, all the other classes should use the bandwidth action as well. The classes without the bandwidth action and the default class might get starved during congestions.


  1. Hi Ivan,

    thanks for referring to my blog post! As some "extra" reading I may refer folks to the following document:

    It breaks down a few QoS topics in "scenario/solution" manner and covers Hold-Queue, WFQ and IP RTP Reserve features (I spent a lot of time on simulations for those). I found that many people have poor understanding of WFQ and knowing this technology is essential to understanding CBWFQ.


  2. Hi peter,

    That was an excellent explanation. But I'm not able to download QoS.teaser.pdf.

  3. Hi Ivan,

    I have tryed similar situation, with two paralel TTCP sessions on different ports to one host. It wasn't work for me !

    I used Cisco 1811 with IOS 15.0M

    config is:

    int fa 1
    bandwith 8000

    policy-map QoS-policy
    class c5251
    bandwidth percent 75

    #sh policy-map int fa 1

    Class-map: c5251 (match-all)
    687796 packets, 846416624 bytes
    30 second offered rate 3581000 bps, drop rate 0 bps
    Match: access-group 121
    queue limit 64 packets
    (queue depth/total drops/no-buffer drops) 0/0/0
    (pkts output/bytes output) 91515/112700526
    bandwidth 75% (6000 kbps)

    Class-map: class-default (match-any)
    1503050 packets, 1217110950 bytes
    30 second offered rate 4901000 bps, drop rate 0 bps
    Match: any

    queue limit 64 packets
    (queue depth/total drops/no-buffer drops) 0/0/0
    (pkts output/bytes output) 134072/136457440

    Do you have an idea why is Qos not working ???
  4. Hi Ivan & Petr,

    I am deploying QoS in our offices, and still finalizing Head Office QoS, here's our remote office QoS setup.

    Branch Offices Setup
    Class Voice = priority 1mb/s
    Critical App = bandwidth 1mb/s
    Less Critical App = bandwidth 500kb/s
    Best Effirt = bandwidth 500kb/s

    Head Office
    Class Voice = priority 1mb/s
    Critical App = bandwidth 5mb/s
    Less Critical App = bandwidth 3mb/s
    Best Effirt = bandwidth 2mb/s

    Say for example, I got 3 branches, each has 1mb/s for Critical application. My question is since I guarranted 5mb/s bandwidth for Ciritical application in HO during congestion, how would I control that HO would not transfer morethan 1mb/s (critical application) to Branches during network congestion. I'm worried since 5mb/s is guarranted for critical application in HO, it might transfer that size to branches which for sure could cause huge inbound traffic to remote offices.

    Hope you can give me some suggestion how to address this kind of setup.



    Read more:
  5. Hi Arnold,

    contrary to what you might believe, I consider posting three identical comments to three different posts asking for free solution to your business problem spamming.

    As you left no contact details, it's quite impossible to get back to you and I will not discuss non-trivial design problems in comments to blog posts. Interestingly, there a "contact me" link at the top of each page that gives you details how to get in touch with me.

Add comment