Cisco has something they call Cisco Validated Designs (CVD). These are network designs from different perspectives like QoS, high availability, WAN etc that Cisco recommends and have tested.
For QoS they have 3 different designs with 4, 8 or 12 classes which can be seen in the picture below.
Starting with the 4 class model:
! This section defines the 4-Class class-maps
! (three are explicitly defined and one is default)
Router(config)# class-map match-any REALTIME
Router(config-cmap)# match dscp ef
! Matches VoIP
Router(config-cmap)# match dscp cs5
! Matches Broadcast Video
Router(config-cmap)# match dscp cs4
! Matches Realtime-Interactive
Router(config)# class-map match-any CONTROL
Router(config-cmap)# match dscp cs6
! Matches Network-Control
Router(config-cmap)# match dscp cs3
! Matches Signaling (control-plane traffic for voice/video infrastructure)
Router(config-cmap)# match dscp cs2
! Matches Network Management
Router(config)# class-map match-any CRITICAL-DATA
Router(config-cmap)# match dscp af41 af42 af43
! Matches Multimedia Conferencing on AF4
Router(config-cmap)# match dscp af31 af32 af33
! Matches Multimedia Streaming on AF3
Router(config-cmap)# match dscp af21 af22 af23
! Matches Transactional Data on AF2
Router(config-cmap)# match dscp af11 af12 af13
! Matches Bulk Data on AF1
! This section defines the 4-Class Policy-Map
Router(config)# policy-map WAN-EDGE-4-CLASS
Router(config-pmap)# class REALTIME
Router(config-pmap-c)# priority percent 33
! Provisions 33% LLQ for REALTIME class
Router(config-pmap-c)# class CONTROL
Router(config-pmap-c)# bandwidth percent 7
! Provisions 7% CBWFQ for CONTROL class
Router(config-pmap-c)# class CRITICAL-DATA
Router(config-pmap-c)# bandwidth percent 35
! Provisions 35% CBWFQ for CRITICAL-DATA class
Router(config-pmap-c)# fair-queue
! Enables fair-queuing pre-sorter on CRITICAL-DATA class
Router(config-pmap-c)# random-detect dscp-based
! Enables DSCP-based WRED on CRITICAL-DATA class
Router(config-pmap-c)# random-detect dscp af11 50 64
! Tunes WRED min and max drop-thresholds for AF11/10 to 50 and 64 packets
Router(config-pmap-c)# random-detect dscp af12 45 64
! Tunes WRED min and max drop-thresholds for AF12/12 to 45 and 64 packets
Router(config-pmap-c)# random-detect dscp af13 40 64
! Tunes WRED min and max drop-thresholds for AF13/14 to 40 and 64 packets
Router(config-pmap-c)# random-detect dscp af21 50 64
! Tunes WRED min and max drop-thresholds for AF21/18 to 50 and 64 packets
Router(config-pmap-c)# random-detect dscp af22 45 64
! Tunes WRED min and max drop-thresholds for AF22/20 to 45 and 64 packets
Router(config-pmap-c)# random-detect dscp af23 40 64
! Tunes WRED min and max drop-thresholds for AF23/22 to 40 and 64 packets
Router(config-pmap-c)# random-detect dscp af31 50 64
! Tunes WRED min and max drop-thresholds for AF31/26 to 50 and 64 packets
Router(config-pmap-c)# random-detect dscp af32 45 64
! Tunes WRED min and max drop-thresholds for AF32/28 to 45 and 64 packets
Router(config-pmap-c)# random-detect dscp af33 40 64
! Tunes WRED min and max drop-thresholds for AF33/30 to 40 and 64 packets
Router(config-pmap-c)# random-detect dscp af41 50 64
! Tunes WRED min and max drop-thresholds for AF41/34 to 50 and 64 packets
Router(config-pmap-c)# random-detect dscp af42 45 64
! Tunes WRED min and max drop-thresholds for AF42/36 to 45 and 64 packets
Router(config-pmap-c)# random-detect dscp af43 40 64
! Tunes WRED min and max drop-thresholds for AF43/38 to 40 and 64 packets
Router(config-pmap-c)# class class-default
Router(config-pmap-c)# bandwidth percent 25
! Provisions 25% CBWFQ for default (Best-Effort) class
Router(config-pmap-c)# fair-queue
! Enables fair-queuing pre-sorter on default (Best-Effort) class
Router(config-pmap-c)# queue-limit 128 packets
! Expands queue-limit to 128 packets
Router(config-pmap-c)# random-detect dscp-based
! Enables DSCP-based WRED on default (Best-Effort) class
Router(config-pmap-c)# random-detect dscp default 100 128
! Tunes WRED min and max drop-thresholds for DF/0 to 100 and 128 packets
Router(config-pmap-c)# random-detect dscp cs1 60 100
! Tunes WRED min and max drop-thresholds for CS1/8 to 60 and 100 packets
As you can see it matches on different DSCP values. DSCP EF is generally used for VoIP. This means that your packets should already have been marked as early as possible in your network. The bandwidth values are entered in percent which means that the policy can applied on different speed interfaces and still provide good values compared to entering them in kbit/s. On very high speed interfaces like 10 Gbit it could be a lot to use 7% for control traffic though since that would be 700 Mbit/s.
Both the data and the class-default uses fair-queue which is a way of queueing packets based on DSCP and packet size to provide fair queueing even for small packet flows. To be able to use this you need an image supporting Hierarchical Queing Framework (HQF) which is 12.4(20)T or newer.
Weighted Random Early Detection (WRED) is also applied to take care of issues like TCP synchronization where TCP flows will speed up and back off at the same time.
Then you have the 8 class model.
! This section defines the 8-Class class-maps
! (seven are explicitly defined and one is default)
Router(config)# class-map match-all VOICE
Router(config-cmap)# match dscp ef
! Matches VoIP
Router(config)# class-map match-any INTERACTIVE-VIDEO
Router(config-cmap)# match dscp cs5
! Matches Broadcast Video
Router(config-cmap)# match dscp cs4
! Matches Realtime-Interactive
Router(config)# class-map match-any NETWORK-CONTROL
Router(config-cmap)# match dscp cs6
! Matches Network Control
Router(config-cmap)# match dscp cs2
! Matches Network Management
Router(config)# class-map match-all SIGNALING
Router(config-cmap)# match dscp cs3
! Matches Signaling
Router(config)# class-map match-all MULTIMEDIA-STREAMING
Router(config-cmap)# match dscp af31 af32 af33
! Matches Multimedia-Streaming on AF3
Router(config)# class-map match-any CRITICAL-DATA
Router(config-cmap)# match dscp af41 af42 af43
! Matches Multimedia-Conferencing on AF4
Router(config-cmap)# match dscp af21 af22 af23
! Matches Transactional-Data on AF2
Router(config-cmap)# match dscp af11 af12 af13
! Matches Bulk-Data on AF1
Router(config)# class-map match-all SCAVENGER
Router(config-cmap)# match dscp cs1
! Matches Scavenger
! This section configures the 8-class policy-map
Router(config)# policy-map WAN-EDGE-8-CLASS
Router(config-pmap)# class VOICE
Router(config-pmap-c)# priority percent 10
! Provisions 10% LLQ for VOICE class (dual LLQ-policy)
Router(config-pmap-c)# class INTERACTIVE-VIDEO
Router(config-pmap-c)# priority percent 23
! Provisions 23% LLQ for INTERACTIVE-VIDEO class (dual-LLQ policy)
Router(config-pmap-c)# class NETWORK-CONTROL
Router(config-pmap-c)# bandwidth percent 5
! Provisions 5% CBWFQ for NETWORK-CONTROL class
Router(config-pmap-c)# class SIGNALING
Router(config-pmap-c)# bandwidth percent 2
! Provisions 2% CBWFQ for SIGNALING class
Router(config-pmap-c)# class MULTIMEDIA-STREAMING
Router(config-pmap-c)# bandwidth percent 10
! Provisions 10% CBWFQ for MULTIMEDIA-STREAMING class
Router(config-pmap-c)# fair-queue
! Enables fair-queuing pre-sorter on MULTIMEDIA-STREAMING class
Router(config-pmap-c)# random-detect dscp-based
! Enables DSCP-based WRED on MULTIMEDIA-STREAMING class
Router(config-pmap-c)# random-detect dscp af31 50 64
! Tunes WRED min and max drop-thresholds for AF31/26 to 50 and 64 packets
Router(config-pmap-c)# random-detect dscp af32 45 64
! Tunes WRED min and max drop-thresholds for AF32/28 to 45 and 64 packets
Router(config-pmap-c)# random-detect dscp af33 40 64
! Tunes WRED min and max drop-thresholds for AF33/30 to 40 and 64 packets
Router(config-pmap-c)# class CRITICAL-DATA
Router(config-pmap-c)# bandwidth percent 24
! Provisions 24% CBWFQ for CRITICAL-DATA class
Router(config-pmap-c)# fair-queue
! Enables fair-queuing pre-sorter on CRITICAL-DATA class
Router(config-pmap-c)# random-detect dscp-based
! Enables DSCP-based WRED on CRITICAL-DATA class
Router(config-pmap-c)# random-detect dscp af11 50 64
! Tunes WRED min and max drop-thresholds for AF11/10 to 50 and 64 packets
Router(config-pmap-c)# random-detect dscp af12 45 64
! Tunes WRED min and max drop-thresholds for AF12/12 to 45 and 64 packets
Router(config-pmap-c)# random-detect dscp af13 40 64
! Tunes WRED min and max drop-thresholds for AF13/14 to 40 and 64 packets
Router(config-pmap-c)# random-detect dscp af21 50 64
! Tunes WRED min and max drop-thresholds for AF21/18 to 50 and 64 packets
Router(config-pmap-c)# random-detect dscp af22 45 64
! Tunes WRED min and max drop-thresholds for AF22/20 to 45 and 64 packets
Router(config-pmap-c)# random-detect dscp af23 40 64
! Tunes WRED min and max drop-thresholds for AF23/22 to 40 and 64 packets
Router(config-pmap-c)# random-detect dscp af41 50 64
! Tunes WRED min and max drop-thresholds for AF41/34 to 50 and 64 packets
Router(config-pmap-c)# random-detect dscp af42 45 64
! Tunes WRED min and max drop-thresholds for AF42/36 to 45 and 64 packets
Router(config-pmap-c)# random-detect dscp af43 40 64
! Tunes WRED min and max drop-thresholds for AF43/38 to 40 and 64 packets
Router(config-pmap-c)# class SCAVENGER
Router(config-pmap-c)# bandwidth percent 1
! Constrains Scavenger class to 1% CBWFQ
Router(config-pmap-c)# class class-default
Router(config-pmap-c)# bandwidth percent 25
! Provisions 25% CBWFQ for default (Best-Effort) class
Router(config-pmap-c)# fair-queue
! Enables fair-queuing pre-sorter on default (Best-Effort) class
Router(config-pmap-c)# queue-limit 128 packets
! Expands queue-limit to 128 packets
Router(config-pmap-c)# random-detect dscp-based
! Enables DSCP-based WRED on default (Best-Effort) class
Router(config-pmap-c)# random-detect dscp default 100 128
! Tunes WRED min and max drop-thresholds for DF/0 to 100 and 128 packets
This policy is more granular for the realtime applications like video, streaming and signaling for these protocols.
Finally this is the 12 class model.
! This section configures the class-maps
! (eleven class maps are explicitly defined and one is default)
Router(config)# class-map match-all VOICE
Router(config-cmap)# match dscp ef
! Matches VoIP
Router(config)# class-map match-all BROADCAST-VIDEO
Router(config-cmap)# match dscp cs5
! Matches Broadcast Video
Router(config)# class-map match-all REALTIME-INTERACTIVE
Router(config-cmap)# match dscp cs4
! Matches Realtime-Interactive
Router(config)# class-map match-all NETWORK-CONTROL
Router(config-cmap)# match dscp cs6
! Matches Network Control
Router(config)# class-map match-all SIGNALING
Router(config-cmap)# match dscp cs3
! Matches Signaling
Router(config)# class-map match-all NETWORK-MANAGEMENT
Router(config-cmap)# match dscp cs2
! Matches Network Management
Router(config)# class-map match-any MULTIMEDIA-CONFERENCING
Router(config-cmap)# match dscp af41
Router(config-cmap)# match dscp af42
Router(config-cmap)# match dscp af43
! Matches Multimedia-Conferencing
! One match statement per Drop Precedence increases visibility
Router(config)# class-map match-any MULTIMEDIA-STREAMING
Router(config-cmap)# match dscp af31
Router(config-cmap)# match dscp af32
Router(config-cmap)# match dscp af33
! Matches Multimedia-Streaming
! One match statement per Drop Precedence increases visibility
Router(config)# class-map match-any TRANSACTIONAL-DATA
Router(config-cmap)# match dscp af21
Router(config-cmap)# match dscp af22
Router(config-cmap)# match dscp af23
! Matches Transactional-Data
! One match statement per Drop Precedence increases visibility
Router(config)# class-map match-any BULK-DATA
Router(config-cmap)# match dscp af11
Router(config-cmap)# match dscp af12
Router(config-cmap)# match dscp af13
! Matches Bulk-Data
! One match statement per Drop Precedence increases visibility
Router(config)# class-map match-all SCAVENGER
Router(config-cmap)# match dscp cs1
! Matches Scavenger
! This section configures the 12-Class policy-map
Router(config)# policy-map WAN-EDGE-12-CLASS
Router(config-pmap)# class VOICE
Router(config-pmap-c)# priority percent 10
! Provisions 10% LLQ to VOICE class (multi-LLQ policy)
Router(config-pmap-c)# class BROADCAST-VIDEO
Router(config-pmap-c)# priority percent 10
! Provisions 10% LLQ to BROADCAST-VIDEO class (multi-LLQ policy)
Router(config-pmap-c)# class REALTIME-INTERACTIVE
Router(config-pmap-c)# priority percent 13
! Provisions 13% LLQ to REALTIME-INTERACTIVE class (multi-LLQ policy)
Router(config-pmap-c)# class NETWORK-CONTROL
Router(config-pmap-c)# bandwidth percent 2
! Provisions 2% CBWFQ to NETWORK-CONTROL class
Router(config-pmap-c)# class SIGNALING
Router(config-pmap-c)# bandwidth percent 2
! Provisions 2% CBWFQ to SIGNALING class
Router(config-pmap-c)# class NETWORK-MANAGEMENT
Router(config-pmap-c)# bandwidth percent 3
! Provisions 3% CBWFQ to NETWORK-MANAGEMENT class
Router(config-pmap-c)# class MULTIMEDIA-CONFERENCING
Router(config-pmap-c)# bandwidth percent 10
! Provisions 10% CBWFQ to MULTIMEDIA-CONFERENCING class
Router(config-pmap-c)# fair-queue
! Enables fair-queuing pre-sorter on MULTIMEDIA-CONFERENCING class
Router(config-pmap-c)# random-detect dscp-based
! Enables DSCP-based WRED on MULTIMEDIA-CONFERENCING class
Router(config-pmap-c)# random-detect dscp af41 50 64
! Tunes WRED min and max drop-thresholds for AF41/34 to 50 and 64 packets
Router(config-pmap-c)# random-detect dscp af42 45 64
! Tunes WRED min and max drop-thresholds for AF42/36 to 45 and 64 packets
Router(config-pmap-c)# random-detect dscp af43 40 64
! Tunes WRED min and max drop-thresholds for AF43/38 to 40 and 64 packets
Router(config-pmap-c)# class MULTIMEDIA-STREAMING
Router(config-pmap-c)# bandwidth percent 10
! Provisions 10% CBWFQ to MULTIMEDIA-STREAMING class
Router(config-pmap-c)# fair-queue
! Enables fair-queuing pre-sorter on MULTIMEDIA-STREAMING class
Router(config-pmap-c)# random-detect dscp-based
! Enables DSCP-based WRED on MULTIMEDIA-STREAMING class
Router(config-pmap-c)# random-detect dscp af31 50 64
! Tunes WRED min and max drop-thresholds for AF31/26 to 50 and 64 packets
Router(config-pmap-c)# random-detect dscp af32 45 64
! Tunes WRED min and max drop-thresholds for AF32/28 to 45 and 64 packets
Router(config-pmap-c)# random-detect dscp af33 40 64
! Tunes WRED min and max drop-thresholds for AF33/30 to 40 and 64 packets
Router(config-pmap-c)# class TRANSACTIONAL-DATA
Router(config-pmap-c)# bandwidth percent 10
! Provisions 10% CBWFQ to TRANSACTIONAL-DATA class
Router(config-pmap-c)# fair-queue
! Enables fair-queuing pre-sorter on TRANSACTIONAL-DATA class
Router(config-pmap-c)# random-detect dscp-based
! Enables DSCP-based WRED on TRANSACTIONAL-DATA class
Router(config-pmap-c)# random-detect dscp af21 50 64
! Tunes WRED min and max drop-thresholds for AF21/18 to 50 and 64 packets
Router(config-pmap-c)# random-detect dscp af22 45 64
! Tunes WRED min and max drop-thresholds for AF22/20 to 45 and 64 packets
Router(config-pmap-c)# random-detect dscp af23 40 64
! Tunes WRED min and max drop-thresholds for AF23/22 to 40 and 64 packets
Router(config-pmap-c)# class BULK-DATA
Router(config-pmap-c)# bandwidth percent 4
! Provisions 4% CBWFQ to BULK-DATA class
Router(config-pmap-c)# fair-queue
! Enables fair-queuing pre-sorter on BULK-DATA class
Router(config-pmap-c)# random-detect dscp-based
! Enables DSCP-based WRED on BULK-DATA class
Router(config-pmap-c)# random-detect dscp af11 50 64
! Tunes WRED min and max drop-thresholds for AF11/10 to 50 and 64 packets
Router(config-pmap-c)# random-detect dscp af12 45 64
! Tunes WRED min and max drop-thresholds for AF12/12 to 45 and 64 packets
Router(config-pmap-c)# random-detect dscp af13 40 64
! Tunes WRED min and max drop-thresholds for AF13/14 to 40 and 64 packets
Router(config-pmap-c)# class SCAVENGER
Router(config-pmap-c)# bandwidth percent 1
! Constrains Scavenger to 1% CBWFQ
Router(config-pmap-c)# class class-default
Router(config-pmap-c)# bandwidth percent 25
! Provisions 25% CBWFQ for default (Best-Effort) class
Router(config-pmap-c)# fair-queue
! Enables fair-queuing pre-sorter on default (Best-Effort) class
Router(config-pmap-c)# queue-limit 128 packets
! Expands queue-limit to 128 packets
Router(config-pmap-c)# random-detect dscp-based
! Enables DSCP-based WRED on default (Best-Effort) class
Router(config-pmap-c)# random-detect dscp default 100 128
! Tunes WRED min and max drop-thresholds for DF/0 to 100 and 128 packets
This policy has even more classes for interactive traffic and also more classes for different types of data and a management class.
Finally you have to apply the policy to an interface like this.
int gix/x
service-policy output WAN-EDGE-12-CLASS
Here is a link to WAN QoS CVD.
Now, I've been told that routers with inbound QoS policies are capable of leveraging the TCP congestion avoidance mechanism by dropping ACKs in order to rate-shape inbound traffic. I've never seen this done in practice, or at least never seen it work; is this a real thing? If so, is it effective? Wouldn't it result in a run of dropped packets every time that a new connection ramped up to speed, before the congestion algorithm could start slowing things down?
I doubt it, certainly for queues as these are relatively TCP friendly anway. Some routers might have tried this strategy to build tcp-friendly policers but I doubt this would be a decent solution. First of all, an ACK can be accompanied by data so you can't really only drop 'ACK's. Secondly, even if that is true for some streams, why would you drop only on the return path? For the TCP stream it's just as good to simply drop the original data and that way you don't waste bandwidth and processing resources between your edge router and receiver.
More likely is to have H-QoS, with a 30Mbps queue/scheduler on the circuit/user level and then multiple smaller-tier queues feeding into that. A simple setup could be to let both TCP and UDP feed into two different 25Mbps queues, so TCP can still leave 5Mbps for UDP and vice versa. Of course more complex variations exist.
Also, consider that ssthresh is usually adapted fairly quick towards your available bandwidth (here 30Mbps - your voice BW). While TCP does not stop increasing cwnd at ssthresh, it will only increase slowly afterwards and disturbing your voice stream only slightly when congestion is reached. However, at the start of the TCP connection, before ssthresh is adapted to a realistic value this will probably significantly disturb your voice flow (albeit shortly). Finally, while it might work okay with only a few TCP streams, when somebody starts 100s of TCP connections (e.g. P2P app) it gets more difficult. It's unlikely that all ssthresh and cwnd values stabilize (quickly) to guarantee fairness, even more if those connections are quite volatile (as is often the case with P2P).
Also, next to drops notice that a saturated connection also has a negative impact on your jitter, this might sometimes be just as problematic (or even worse) than a few packet drops.
In addition to that, however, what if the traffic utilizing the circuit is largely UDP? If a request for a large amount of UDP data is sent to a server, it's naturally going to send the data as quickly as feasible, flood the queue and cause dropped voice packets - but maybe I'm overreacting to that scenario. Is UDP used for any high-throughput internet technologies these days?
You're 100% correct, UDP has no fairness built-in. Many real-time multimedia applications (voip, video conferencing, ...) still use UDP. Tunnels (e.g. for VPN) also usually use UDP to avoid TCP-in-TCP retransmit timer conflicts. So yes, you certainly can have quite some high-throughput UDP traffic on a connection.
More specifically, have you ever personally seen a QoS method that let VoIP work without constant quality problems on a frequently-saturated internet connection without ISP-provided QoS? Have you ever heard of a DSL or cable provider implementing edge router QoS for an application like this? I've only ever heard of that offered as part of MPLS products, is that pretty much a necessity if someone wants downstream QoS?
Well, here the question is of course if many modern internet connections are frequently saturated. In my experience the available BW for a fixed connection often exceeds the average usage. There are always exceptions but usually the bulk of the people have loads of BW, it might still get saturated somewhere, but not that often on your direct access circuit. However, you might encounter it more often in mobile access as this is a relatively low-bandwidth low-reliability shared medium. Currently 4G helps a lot but that will only last this long as mobile BW usage is still growing heavily.
Yes, I have heard providers implementing QoS for multimedia applications. For which applications that might differ a lot from provider to provider. Assume they just qualify traffic as BE unless there is a good reason to do otherwise. But some might indifferently prioritize SIP/RTP.
MPLS is certainly not a necessity for QoS, any decent BNG today also includes quite significant QoS options.
Best Answer
Unfortunately, I don't think there's a good way to do what you want without the provider's involvement. Working within that restriction, your best bet may be to implement an outbound policy on your LAN interface. For example, if you are PATing the business network and guest networks separately, so that the return traffic can be identified by destination IP, then a hierarchical policy that guarantees bandwidth to the business network will help. Essentially, the parent policy would shape all traffic to 10 Mbps. The parent would then call a child policy that guarantees 7 Mbps for the business network. The remaining traffic (guest network) would then be able to use whatever is left over.
Keep in mind that this is imperfect, since the traffic has already traversed the WAN. However, if the guest traffic is TCP, and starts getting dropped by your outbound LAN policy, the TCP session should throttle itself. This won't work for UDP at the transport layer.
A sample policy would look something like this:
This is an imperfect example, but is the best I can come up with without provider involvement.