09-16-2013 08:51 AM - edited 03-11-2019 07:39 PM
Hi All.
I am going crazy with the hierarchical priority queuing on an ASA 5505.
Basically, here is an example of my setup, but when I use show service-policy interface outside (or the interface name), all the class defaults have their counters increased, apart from any of the priority queues.
class-map http
 match port tcp eq www
class-map https
 match port tcp eq https
class-map default
 match any
policy-map priority-policy
 class http
  priority
 exit
policy-map standard-policy
 class default
  shape average 200000 1600
  service-policy priority-policy
 exit
service-policy standard-policy interface outside
But all traffic does go through the normal queue, which is driving me mad.
When I type show service-policy priority, nothing comes up.
And when typing show service-policy interface outside, the counters for none of the priority classes increase.
Many thanks
09-16-2013 11:23 AM
Can you share the output of the following command:
show service-policy flow tcp host inside_ip host 4.2.2.2 eq 80
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-23-2013 06:34 AM
Thanks very much for this. Sorry for the delay, but here it is.
By the way, would I have to enable flow checking on the specific interface, and if so, how?
Interface x1:
Service-policy:priority-policy Class-map: class-default
Match: any
Action:
Output flow: Shape average 200000 1600
Output flow: police input 2000000 2500 conform-action transmit exceed-action transmit
Interface x2
etc
But what is relevant to the traffic should be interface x1, which shows it, but with the wrong policy, which applies to all traffic, and not the specific policy which applies to the specific ports 80 and 443.
By the way, what is the output that I should expect to see from the flow command?
09-23-2013 06:39 AM
Also, why does it show both as output flow? One should be for download, which is the police and thus input, and one for upload, which is the shape command, but it shows both as output.
Also, what plays with my mind is: if the flow command is to tell you which policy the ASA is going to apply to it, why does it show the service policy from other interfaces, which will not apply to this traffic in any circumstances?
The way I have my bandwidth management set up is: I have applied the traffic management on the internal interface and not the internet one, thus upload here means download and vice versa, as the internal interface has to pass traffic through the internet interface.
09-24-2013 04:50 AM
You will not see the packets in the standard priority queue if you use Hierarchical priority queuing. Priority packets are sent ahead of all others in your setup, but will not be seen in the counters of a show service-policy priority as that queue is not used. Don't think there is a way to see the transmitted priority packets using this method, a little trust involved.
You may be better off doing the following so you can be sure your required traffic is hitting the LLQ.
policy-map standard-policy
 class default
  shape average 200000 1600
 exit
policy-map priority-policy
 class http
  priority
 class https
  priority
  service-policy standard-policy
 exit
service-policy priority-policy interface outside
This will of course not shape the priority traffic but you will see the stats.
Using the priority queue is usually for VoIP etc., which is significantly less traffic than HTTP, so you should be sure you want to prioritise this over all else. If the standard priority queue is used, this will be serviced first always, and if you are sending loads of traffic to this queue you could starve all other comms through the ASA.
HTH
Andy
09-24-2013 08:42 AM
Thanks for this. I tried to put the standard queue under the priority queue as suggested, but it didn't work and returned:
ERROR: The service-policy (standard-policy) that is being installed contains actions other than 'priority'. Only 'priority' is allowed in a child policy.
I have seen a guide on the internet which suggests the way I am doing it is correct, but obviously it is not.
If I take off the service-policy under the standard-policy, all priority queues disappear from the show service-policy, but when it is there the queues show up but the counter does not rise.
Also, it seems like I don't have to enable priority-queue interface name in the global config for the hierarchical queue, as is the case with the standard/priority queue, so I have not enabled it, and I don't know if I am making a mistake or not. I did also enable it but it did not make any difference.
09-24-2013 09:01 AM
Ah nuts!
Sorry, my bad.
You will need to police the default class, not shape. This does have slightly different permutations in that it will drop traffic that exceeds the police parameter. It's going to be a little bit of a trade-off.
You can only shape all and nest priority within that shape.
So:
policy-map priority-policy
 class http
  priority
 class https
  priority
 class default (you may need to use the built-in class-default class here, I cannot remember)
  police output 200000 1600
 exit
service-policy priority-policy interface outside
You cannot shape and use standard priority queueing on the same interface....you can only nest a priority policy in a shape policy which will not use the standard priority queue.
HTH
Andy
09-25-2013 03:30 AM
Thanks for this.
I know, I did look at the Cisco document and read it all, and here is a quote from it:
"You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed."
This means if I used Hierarchical priority queuing I can use shaping, which is what I am doing. Isn't that correct?
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html
09-26-2013 01:28 AM
Hi,
You are correct. But what you will not see is the standard priority queue stats, as this queue is not used in hierarchical priority queuing. You will not be able to see your priority packets, although the process is to send these within the shape first.
So if you shape and nest priority, the standard queue is not used, hence why you don't see any hits on the commands you are running. BUT - the ASA should be prioritising your traffic as required.
The config including policing above was to get stats into the priority queue for you to see the difference.
HTH
Andy
09-26-2013 02:56 AM
Thanks for taking the time and replying. I am trying to understand this standard vs hierarchical queuing and have a hard time grasping a concept which may be very easy.
Basically, I know that the ASA has two QoS modes, standard and hierarchical.
Standard has two queues, standard and priority, and no shaping is allowed.
Hierarchical has two queues, which are again normal and priority. So when you reference standard in the text above, is that a reference to the hierarchical standard queue or the basic model standard queue?
"But what you will not see is the standard priority queue stats as this queue is not used in hierachical priority queuing"
I don't have a standard queue in my config; it is hierarchical, which has 2 queues of standard and priority.
What you are explaining is that the traffic is first shaped and then prioritised, hence why if I have shaping I cannot see the counter go up. I don't understand the comment which says "the standard queue is not used, hence why you dont see any hits on the commands you are running".
Thanks once again
09-26-2013 04:28 AM
Hi,
Apologies for any confusion.
There are two queues per interface. One of these is the standard-priority queue and the other the default queue which you can optionally configure shaping or policing on. So with no service-policy configuration the default queue is used FIFO (first in first out).
You then have two methods of priority queuing. Standard or Hierarchical. Standard requires that packets are placed in the standard-priority queue and the rest of the traffic is placed in the default queue, which you can optionally police. You cannot shape in this scenario.
If you need to shape and use priority, hierarchical queuing is necessary, which means the standard-priority queue is not used at all. This is because of the way the standard-priority queue sits around the scheduler to deliver packets very quickly in a LLQ manner. If shaping or policing needed to happen in this queue, it would defeat the point as would need much more additional processing. All traffic is placed in the default queue with the necessary restrictions, but the scheduler will place the priority traffic identified within the hierarchy into the queue first.
So regardless of the methodology of priority queuing you are using, there are only ever two actual output queues on the interface. Unlike a 3750 switch for example which has four output queues.
Hope that makes things a little clearer. It's the terminology, I think. Think of the standard-priority queue as the LLQ and the default queue as the shape/policing queue. Then "standard priority" and "hierarchical priority" are methods to utilize these queues in different combinations. Policing and shaping need to be processed, so don't touch the LLQ (standard-priority queue).
This is why you are getting the statistics you are when using hierarchical priority queuing, IE no hits in the standard-priority queue when you run "show priority-queue statistics"
if you run a:
hostname# show service-policy standard-policy
What do you see?
This should show you some info on the hierarchical service-policy in terms of packets transmitted in the nested class. I.E. in your original setup policy "priority-policy".
Cheers
Andy
09-26-2013 05:43 AM
Much appreciated and thank you. You explained it better than the Cisco book.
One thing though: based on my understanding, the hierarchical queue is processed even quicker than standard-priority, hence why nothing is logged. I know you mentioned that there are FIFO and LLQ queues, and standard and hierarchical queues are LLQ and are almost the same, but it looks like hierarchical is even higher compared to the standard queue.
If this is the case, why does Cisco show the queues but no increment on the data when shaping is enabled?
My ASA is 9.1(3) and does not support show service-policy standard-policy.
However, I tried show service-policy priority and it shows the priority queue which I have on another interface (it is simple, FIFO and priority) but shows nothing about hierarchical queues.
However, I do get some info about the hierarchical queue if I type show service-policy, as below:
Interface outside:
Service-policy : standard-policy
Class-map: class-default
shape (average) cir 2000000, bc 20000 Input police Interface outside:
cir 2000000 bps, bc 2500 bytes
conformed 480675 packets, 74135176 bytes; actions: transmit
exceeded 735 packets, 1036335 bytes; actions: transmit
conformed 1640 bps, exceed 0 bps
(pkts output/bytes output) 215886/71418262
(total drops/no-buffer drops) 0/0
Service-policy: ITWireless-QOS-Priority
Class-map: ITWireless-QOS-Priority-80
priority
Queueing
queue limit 83 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: http
priority
Queueing
queue limit 83 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: https
priority
Queueing
queue limit 83 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: default
Default Queueing
queue limit 83 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 215896/71419176
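Added example (not part of any post in this thread): a small Python parser for the flattened show service-policy output posted above, listing priority classes whose output counters stay at zero while a non-priority class in the same child policy carries traffic. The sample text is abridged from that post, and the function names are illustrative.

```python
import re

# Abridged from the output posted above, flattened as it appears on the page.
SAMPLE = """\
Interface outside:
Service-policy : standard-policy
Class-map: class-default
(pkts output/bytes output) 215886/71418262
Service-policy: ITWireless-QOS-Priority
Class-map: http
priority
(pkts output/bytes output) 0/0
Class-map: https
priority
(pkts output/bytes output) 0/0
Class-map: default
Default Queueing
(pkts output/bytes output) 215896/71419176
"""

POLICY_RE = re.compile(r"^\s*Service-policy\s*:\s*(\S+)")
CLASS_RE = re.compile(r"^\s*Class-map:\s*(\S+)")
PKTS_RE = re.compile(r"\(pkts output/bytes output\)\s*(\d+)/(\d+)")

def parse_classes(text):
    """Return one dict per Class-map block: policy, name, priority flag, counters."""
    classes, policy, cur = [], None, None
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            policy = m.group(1)
        elif m := CLASS_RE.match(line):
            cur = {"policy": policy, "name": m.group(1),
                   "priority": False, "pkts": None, "bytes": None}
            classes.append(cur)
        elif cur is not None:
            if line.strip() == "priority":
                cur["priority"] = True
            elif m := PKTS_RE.search(line):
                cur["pkts"], cur["bytes"] = int(m.group(1)), int(m.group(2))
    return classes

def idle_priority_classes(classes):
    """Priority classes at 0 packets whose policy has a busy non-priority class."""
    busy = {c["policy"] for c in classes
            if not c["priority"] and (c["pkts"] or 0) > 0}
    return [c["name"] for c in classes
            if c["priority"] and c["pkts"] == 0 and c["policy"] in busy]

if __name__ == "__main__":
    print(idle_priority_classes(parse_classes(SAMPLE)))
```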
09-26-2013 06:17 AM
Which way are you testing this traffic? In to the outside interface or from the inside out? Do you have a quick diagram of your scenario?
Try "show service-policy shape", mostly the same info I think.
So your shape policy is outbound on the outside interface. If you are connecting to a web server on the inside, the policy would not be hit, but return traffic would be shaped due to the L4 port. Hierarchical priority queuing is egress only due to the parent shaper.
Just a quick ask at this juncture to understand a little more of what you are testing. Pictures and a thousand words and all that!
If you are using the Hierarchical queueing method, you won't be using the LLQ, you will be using a tuned default queue. So the technically "slower" queue, due to the work performed to shape/buffer the traffic flow. LLQ or standard-priority queue is effectively a "short cut".
Cheers
Andy
09-26-2013 06:15 AM
I had this same exact problem last month when I tried QoS, couldn't get anything in the shape priority queue. I ended up putting all my priority traffic into the standard priority LLQ queue and then policing the rest of the traffic to 1/5th of the pipe, but the result has been less than optimal. It seems that when the upload pipe gets saturated the LLQ traffic still suffers greatly. I wish I could get shaping to work, I hope somebody knows why...
09-26-2013 06:42 AM
Here it is.
Basically, outside is my internal network (don't ask why I have named it that way).
Internet is the real outside, so traffic goes through outside out to internet and then out.
[IMG]http://i39.tinypic.com/2v167o1.jpg[/IMG]