cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1219
Views
15
Helpful
12
Replies

ASA - QoS

alieas007
Level 1
Level 1

Hello all.  ASA IOS is v8.22.   I have setup overall police (10 down 5 up) on outside interface to match ISP bandwidth (for congestion determination) as well as two rules to put packest into LLQ.  First rule is for all traffic to DataCenter and it is working as I can see the LLQ packet count increasing during access.  Second rule is for all traffic coming from our internal ProxyServer to outside, but it is not working.  No packets from this second rule are entering the LLQ.  Thank you to anyone who can assist or point me in direction of clues to priorty queue packets from our ProxyServer.

name 77.77.77.0 DataCenter

name 192.168.1.158 ProxyServer

access-list MIConnection_mpc extended permit ip any DataCenter 255.255.192.0

access-list MIConnection_mpc extended permit ip host ProxyServer any

priority-queue MIConnection

class-map QOS

match access-list MIConnection_mpc

class-map mi_band

match any

policy-map mi_band_police

class mi_band

  police input 10000000

  police output 5000000 2500

class QOS

  priority

service-policy mi_band_police interface outside

12 Replies 12

So the ACL does not match at all?  Have you tried replacing the ProxyServer name with the actual IP and see if you get any matches then?

--
Please remember to select a correct answer and rate helpful posts

Marius, thank you for the reply.  Yes it does not appear the ACL is matching.  Yes I am using the IP address, I actually only changed to a name for this post to help make it easier to understand.  Sorry for the confusion.   I will continue testing this afternoon and post whatever I come up with.  Thanks again!

What version ASA are you running?

The outside interface, I assume that is connecting to the Internet or is it a WAN link?

Are there any NAT statements that might be messing with the traffic not being able to match the ACL?

--
Please remember to select a correct answer and rate helpful posts

Marius:  My ASA IOS is v8.22.  The outside interface is connected to a cable modem.  In my current setup, I have the cable ISP policed at 10/5 Mbit.  If I adjust down to 2/1 Mbit speedtest.net adjusts accordingly, so I know the police on the cable ISP is working.  The 1st QoS Rule (QOS) is priorty for our datacenter, and I can see packets hitting the LLQ when this rule is applied.  The 2nd QoS rule (DropAmazon) I cannot get to work.   It is suppose to police all input and output traffic to AmazonS3 servers at 0.05 Mbit (our offsite backups), but it refuses.   I have all the IP ranges for AmazonS3 defined, and I have sniffed the traffic and verified it is going to these ranges, however with the rule active uploads to Amazon still run at full ISP bandwidth (5 Mbit).   I will continue to research and test but have been working on this for weeks now.  Hopefully I can find out why I cannot police bandwidth to AmazonS3.   I can also provide you with the full configuration if you can offer your assistance.  Thank you!

names

name 72.15.192.0 Peak10

name 72.21.192.0 AmazonS3.1

name 207.171.160.0 AmazonS3.2

name 176.0.0.0 AmazonS3.3

name 205.251.192.0 AmazonS3.4

interface Ethernet0/2

nameif MIConnection

security-level 0

ip address 24.224.90.78 255.255.255.0

access-list MIConnection_mpc_1 extended permit ip any object-group AmazonS3

access-list MIConnection_mpc_1 extended permit ip object-group AmazonS3 any

access-list MIConnection_access_in extended permit icmp any any

access-list MIConnection_mpc extended permit ip host 192.168.1.158 any inactive

access-list MIConnection_mpc extended permit ip any Peak10 255.255.192.0

access-list MIConnection_mpc extended permit ip Peak10 255.255.192.0 any

priority-queue MIConnection

class-map QOS

match access-list MIConnection_mpc

class-map mi_band

match any

class-map DropAmazon

match access-list MIConnection_mpc_1

class-map inspection_default

match default-inspection-traffic

class-map http-map1

match access-list http-list2

policy-map mi_band_police

class mi_band

  police input 10000000

  police output 5000000 2500

class QOS

  priority

class DropAmazon

  police input 50000 1500

  police output 50000 1500

service-policy mi_band_police interface MIConnection

I am thinking the mi_band class is catching the traffic that is going to the AmazonS3 sites.

class-map mi_band

match any

If you are in a position to test this, try removing the mi_band from the policy map and see if DropAmazon matches then.

--
Please remember to select a correct answer and rate helpful posts

Or just move DropAmazon to the top of the policy-map configuration

--
Please remember to select a correct answer and rate helpful posts

Marius, thank you for the help.  You we're correct, I moved it to the top and it took effect.  However I am know interested in shaping, and am having a problem maybe you can offer some assistance.  I have setup shaping on the interface with one priority policy but cannot seem to get the ACL to match again.  Please take a look:

------------

access-list global_mpc_2 extended permit ip any Peak10 255.255.192.0

class-map DM_INLINE_Child-Class

match access-list global_mpc_2

policy-map DM_INLINE_Child-Policy

class DM_INLINE_Child-Class

  priority

policy-map MI-SHAPE

class class-default

  shape average 4000000

  service-policy DM_INLINE_Child-Policy

---------

However no packets showing the the priority queue.  I even tried changing the ACL to match any and "hitcnt" always equals 0 as shown here:

AssetFirewall# sh access-list global_mpc_2

access-list global_mpc_2; 1 elements; name hash: 0xeb994e93

access-list global_mpc_2 line 1 extended permit ip any Peak10 255.255.192.0 (hitcnt=0) 0x2d9af57d

Interface MIConnection:

  Service-policy: MI-SHAPE

    Class-map: class-default

      shape (average) cir 4000000, bc 16000

      (pkts output/bytes output) 171542/216278411

      (total drops/no-buffer drops) 3105/0

      Service-policy: DM_INLINE_Child-Policy

        Class-map: DM_INLINE_Child-Class

          priority

          Queueing

          queue limit 66 packets

          (queue depth/total drops/no-buffer drops) 0/0/0

          (pkts output/bytes output) 0/0

        Class-map: class-default

          Default Queueing

          queue limit 66 packets

          (queue depth/total drops/no-buffer drops) 50/3105/0

          (pkts output/bytes output) 172584/217549709

Any ideas why the priority queue is not matching traffic?  Thank you for your help

You need to re structure the policy map.  This way shapes the traffic to 4Mb while prioritizing the traffic going to Peak10.  Now I am not 100% sure why it doesn't work the way you originally did it, But I believe it is because the ASA is a firewall and not all functionality of a route is available. Please correct me if I am wrong.

access-list global_mpc_2 extended permit ip any Peak10 255.255.192.0

class-map DM_INLINE_Child-Class

match access-list global_mpc_2

policy-map MI-SHAPE

class DM_INLINE_Child-Class

  priority

class class-default

  shape average 4000000

--
Please remember to select a correct answer and rate helpful posts

Marius, original way should have been correct as it was constructed by the ASDM software, however I will try your changes and report.  Thank you

Unfortunately met with error, SHAPE cannot be used on a policy-map already using Standard Priority.

Sorry my bad, a different policy-map is needed for the priority.

Just out of curiosity, are you in a position to do a test with the ACL?  Could you create an ACL that matches an exact port and not IP... for example

access-list global_mpc_2 extended permit tcp any Peak10 255.255.192.0 eq 80

and see if the hitcount on the priority increases.  I have seen that with some features on the ASA it needs the exact ports to match for the feature to take effect.  I wonder if it is the same with the shaping.

--
Please remember to select a correct answer and rate helpful posts

Thanks changed ACL to "tcp eq 80" and still no hit counts on ACL.  It gets hit counts in standard priority/police mode, although I went back using standard priority today and I'm having problems making ACL's match that too, so I'm wondering if there is some governing setting in my config that is causing all these problems.  The shaping on the outside interface with heirerachal priority queue should be working as far as I can tell...

Review Cisco Networking for a $25 gift card