topic Re: ASA QoS question in Network Security

ASA QoS question

david — Tue, 12 Mar 2019 01:37:28 GMT

I'm trying to better understand what the shape average command does in the following config? Assume that my Internet upload bandwidth is approximately 6Mbps and that I'd like to give priority to my voice traffic egressing the ASA. Another thing I'm unclear on is what if my voice traffic uses a site to site tunnel? Does the shaping below even work if voice traffic is being tunneled to the main office?

I noticed that running speedtest.net with the current config shows approximately 1Mbps upload speed. Changing shape average to 4000000 changes the upload speed results to 4Mbps and so on so it's doing something, but exactly what I'm still unsure.

Thanks!

class-map my-voice
match dscp ef
!
policy-map priority-policy
class my-voice
priority
policy-map shape-priority-policy
class class-default
shape average 1000000
service-policy priority-policy
!
service-policy global_policy global
service-policy shape-priority-policy interface outside

ASA QoS question

mvsheik123 — Thu, 02 May 2013 01:03:27 GMT

Hi David,

Please check the doc for sample configs.

https://supportforums.cisco.com/docs/DOC-1230

hth

ASA QoS question

lcambron — Thu, 02 May 2013 01:10:59 GMT

David,

Traffic shaping does not give priority, its usage it completely different.

See the command reference for more information.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1427655

For VPN you need to match the tunnel-group as shown in the above reply.

Regards,

Felipe

Security Team.

ASA QoS question

david — Thu, 02 May 2013 19:48:07 GMT

Based on the link above, it appears that shaping and priority for voice is what I'm doing? Seems like the only thing I was missing was the match tunnel-group command. I also have "priority-queue outside" in my config.

Traffic Shaping with Prioritization

Now, lets assume that we have the same ASA as in the previous case. And we now want to traffic shape all traffic and prioritize the voice through the VPN. In other words we will traffic shape all traffic for 900kbps, prioritize the voice and guarantee 100kbps for it. Again, we assume that the voice traffic is flagged with dhcp field ef and the tunnel group name is tunnel-grp1.

ASA(config)# priority-queue outside

ASA(config)# class-map TG1-voice-class
ASA(config-cmap)# match tunnel-group tunnel-grp1
ASA(config-cmap)# match dscp ef

ASA(config-cmap)# policy-map priority-policy
ASA(config-pmap)# class TG1-voice-class
ASA(config-pmap-c)# priority

ASA(config-pmap-c)# policy-map shape-priority-policy
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# shape average 900000
ASA(config-pmap-c)# service-policy priority-policy

ASA(config-pmap-c)# service-policy shape-priority-policy interface outside

Re: ASA QoS question

Julio Carvajal — Thu, 02 May 2013 21:04:55 GMT

Hello David,

Exactly,

I think you wanted to say DSCP instead of DHCP value but you got it

with the configuration shown above you will create a priority queue just for traffic that has the DSCP Expedited forwarding value (46) set on the IP header , and besides that, it must go over the VPN remote access tunnel group call tunnel-grp1

Regards,

Julio Carvajal

Re: ASA QoS question

david — Thu, 02 May 2013 22:35:55 GMT

Thanks Julio. Yeah, that was copied from the linked article above and yes, they meant to say DSCP.

So the only thing I'm unclear on is what happens to available bandwidth when you have 6Mbps upload and apply different shape averages? In the referenced article, they state that they have 1Mbps upload speed and by using shape average = 900000, they say 100Kbps is left over and/or guaranteed for voice. Does that mean that if I have 6Mbps upload speed and use shape average = 4000000, I'm prioritizing voice (DSCP - 46) and also guaranteeing approximately 2Mbps to voice?

Thanks!

Re: ASA QoS question

Julio Carvajal — Thu, 02 May 2013 22:54:30 GMT

Exactly,

You will be providing priority to what's left and if matches the traffic patterns you set on the class-map ofcourse