topic Re: QoS on ASA in Network Security

QoS on ASA

2044418Puts — Mon, 11 Mar 2019 16:51:52 GMT

Hi, I would like do use Priority Queuing for voice on the OUTSIDE interface. As far as I know the QOS meganism only kicks in when there is congestion on the interface. But my ASA 5505 is connected to a 80mbps down and 10 mbps up cable modem. How can I tell the ASA that it is not connected to an interface with 100/100 mbps bandwidth?

On a router I would use the bandwidth command, but this is not available on the ASA as far as I know.

Thanks!

Re: QoS on ASA

Kureli Sankar — Sun, 27 Dec 2009 15:24:52 GMT

You are correct.

Traffic shaping is used to match device and link speeds, thereby controlling packet loss, variable delay, and link saturation, which can cause jitter and delay.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/qos.html#wp1065649

Example: Shaping outside interface traffic to 2 Mbps and provide priority queueing for VoIP traffic that is tagged with DSCP EF and AF13:

    class-map voice_traffic
        match dscp EF AF13
    policy-map qos_class_policy
        class voice_traffic
           priority

    policy-map qos_outside_policy
       class class-default
          shape average 2000000 16000
          service-policy qos_class_policy

    service-policy qos_outside_policy interface outside

-KS

Re: QoS on ASA

Panos Kampanakis — Mon, 28 Dec 2009 23:50:11 GMT

You can also look at that has a similar example as KS's.

https://supportforums.cisco.com/docs/DOC-1230#Traffic_Policing_with_Prioritization

I hope it helps.

Re: QoS on ASA

2044418Puts — Thu, 31 Dec 2009 15:07:04 GMT

Sorry for my late response, but thanks a lot, I'm looking into it and see if it works.

Re: QoS on ASA

2044418Puts — Sat, 27 Feb 2010 14:26:34 GMT

Hi,

I've just tried to configure like you said, but for some reason no traffic is matching classes other than class-default.

priority-queue OUTSIDE

service-policy OUTSIDE_PM interface OUTSIDE

policy-map OUTSIDE_PM
class class-default
shape average 4504000
service-policy SHAPED_OUTSIDE_PM

policy-map SHAPED_OUTSIDE_PM
class VOICE_CM
priority
class LLQ_ACL_CM
priority
class IKE_ACL_CM
priority
class class-default

class-map VOICE_CM
match dscp cs3 af31 ef
class-map IKE_ACL_CM
match access-list IKE_ACL
class-map LLQ_ACL_CM
match access-list LLQ_ACL

access-list IKE_ACL line 1 extended permit udp any eq isakmp any

access-list IKE_ACL line 2 extended permit udp any any eq isakmp

access-list LLQ_ACL line 1 extended permit udp any eq 9987 any

I'm trying to achieve the following:

Shape the whole output to 4.500.000 bits / sec
Prioritize outgoing voicetraffic + voicecontrol to a priority queue within the shaper
- DSCP values have been verified using wireshare and the ASA capture feature.
- The match statement should match regular outgoing voice, but also the outgoing voice via VPN connections. I think the last thing happens by default since according to the manual the ASA uses QOS Pre-classification by default.
Prioritize outgoing traffic according to the LLQ_ACL
- Inside my DMZ network i'm also running a Teamspeak server on UDP port 9987. This port has been PAT'ed through the asa from the OUTSIDE to the DMZ.
- Since the packets are being send from DMZ UDP port 9987 to clients with a random high port number, I've set the ACL accordingly.
Prioritize outgoing VPN Control / IKE traffic.
- This one speaks for itself. There are two VPN connections running.

I let this configuration running for a while, then I did a "show service-policy int OUTSIDE" and it turned out that only the class class-default had any matches:

Interface OUTSIDE:
Service-policy: OUTSIDE_PM
Class-map: class-default

      shape (average) cir 4504000, bc 18016

      (pkts output/bytes output) 85882/21745072
      (total drops/no-buffer drops) 99/0

Service-policy: SHAPED_OUTSIDE_PM
Class-map: VOICE_CM

priority

          Queueing
          queue limit 75 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

Class-map: LLQ_ACL_CM

priority

          Queueing
          queue limit 75 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

Class-map: IKE_ACL_CM

priority

          Queueing
          queue limit 75 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

Class-map: class-default

          Default Queueing
          queue limit 75 packets
          (queue depth/total drops/no-buffer drops) 0/99/0
          (pkts output/bytes output) 85884/21745154

Can anyone tell my why this is happening and why the other classes are not being matched?

Thanks!