topic Re: QoS in ASA in Network Security

QoS in ASA

andre.ortega — Mon, 11 Mar 2019 16:49:18 GMT

Hi, I have a 2 Mb link and wish dedicate 800 Kb for specific host. The another host in network can use only 1.2 Mb.

Look the configuration that I did:

access-list acl_qos extended permit ip host 172.16.1.10 any

access-list acl_qos_default extended permit ip any any

class-map class_qos

match access-list acl_qos

class-map class_qos_default

match access-list acl_qos_default

policy-map qos_policy

class class_qos

police output 812000 conform transmit exc transmit

class class_qos_default

police output 1258000 conform transmit exc drop

service-policy qos_policy interface outside

Well, I have this questions:

1°) The configuration is ok?

2°) The service-policy is applied before or after nat process?

3°) Traffic in default class (class_qos_default) never will use more that 1.2 Mb? Or, if host 172.16.1.10 not consume your cote (800 Kb) default class can use more that 1.2 Mb?

The last one: In show service-policy interface outside I see conform-action and exceed-action DROP in default class. Is it right?

fw# sh service-policy interface outside

Interface outside:

Service-policy: qos_policy

Class-map: class_qos_ib

Output police Interface outside:

cir 812000 bps, bc 25375 bytes

conformed 1862 packets, 1931904 bytes; actions: transmit

exceeded 0 packets, 0 bytes; actions: transmit

conformed 145248 bps, exceed 0 bps

Class-map: class_qos_default

Output police Interface outside:

cir 1258000 bps, bc 39312 bytes

conformed 3686 packets, 704579 bytes; actions: drop

exceeded 0 packets, 0 bytes; actions: drop

conformed 51144 bps, exceed 0 bps

Best Regards.

Re: QoS in ASA

Panos Kampanakis — Wed, 16 Dec 2009 18:28:19 GMT

Hi,

1) No, one minor change

access-list acl_qos_default extended deny ip host 172.16.1.10 any

access-list acl_qos_default extended permit ip any any

2) After

3) If they are mutually exclusive (see 1) each can take its max.

last) You set the action in the police command. Usually it doesn't make sense to police if you are not dropping.

I hope it helps.

Re: QoS in ASA

andre.ortega — Wed, 16 Dec 2009 18:44:25 GMT

Thanks pkampana, your help is very useful.

1) But I have two acl and two class, for differents policys. Is it wrong?

2) Ok, thanks.

3) Maybe I was not articulate. My question is: If traffic in policy 1 has not reached its limit, so the traffic policy 2 can use the "band" of the policy 1?

4) I set conform-action transmit and only excedeed action drop, but in show service-policy appear both as DROP... is it normal?

Re: QoS in ASA

Panos Kampanakis — Wed, 16 Dec 2009 19:05:24 GMT

1) No, but if you have 2 classes they should not match the same traffic. If they match the same traffic there is no point in policing them differently.

3) No, if class 2 is hitting its limit 1200 then it will not use the leftovers of class1, it will just be policed.

4) No, I am not sure why that shows. Please try to reapply the policing and see if it fixes.

Re: QoS in ASA

andre.ortega — Wed, 16 Dec 2009 19:13:34 GMT

One more time, thanks pkampana.

Now I understood.

I try many times remove and apply the configuration (about number 4)... I will open a TAC.

Regards.

Re: QoS in ASA

Parminder Sian — Fri, 18 Dec 2009 07:13:12 GMT

Hey,

Have a look at this link before opening a TAC case.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#intro

You might just hit it right and solving it on your own would be priceless.

Regards,

Sian