Panos Kampanakis
Cisco Employee
Introduction

The purpose of this article is to give ASA administrators an overview of the QoS functionality the ASA provides. We briefly explain the supported QoS mechanisms and then give a couple of configuration examples showing how to use them.

    • Traffic Policing

Policing caps the rate of traffic that matches a class, so that a single user or a single application cannot consume all of the available bandwidth and starve everything else. The firewall can police traffic inbound or outbound on an interface. Traffic is allowed up to a committed rate (cir) with a burst allowance (bc); packets above that are either dropped or transmitted, depending on the configured exceed action. A policer never queues: excess traffic is handled immediately, not delayed.

    • Traffic Shaping

Traffic shaping was introduced in ASA 7.2.4 and is also supported in the 8.0 and 8.1 trains (it is not available on every ASA platform, so check the configuration guide for the model in use). With shaping, traffic that exceeds the configured rate is queued and sent as the rate allows, so excess packets are delayed rather than dropped; drops occur only when the queue itself fills. This suits applications that tolerate a little added delay but are badly affected by packet loss.

    • Priority Queueing

Priority queueing lets delay-sensitive traffic, such as voice, be sent ahead of other traffic waiting on the egress interface. The firewall offers only Low Latency Queueing (LLQ), i.e. a single strict-priority queue next to the best-effort queue, whereas routers provide more sophisticated scheduling mechanisms (WFQ, CBWFQ, etc.).
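The difference between policing and shaping is easiest to see with a token-bucket model. The following Python is an added illustration and is not code from this article or from Cisco: the ASA's scheduler internals are not documented, so it models only the semantics described above (a bucket holding bc bytes of credit, refilled at cir bits per second; a policer drops what does not fit, a shaper queues it up to a queue limit and releases it as credit accrues). The cir and bc values are the ones in the sample show output further down the page; the packet bursts are constructed for the demonstration.

```python
"""Token-bucket model of ASA-style 'police' (drop excess) and 'shape' (queue excess).

Added illustration, not code from the article or from Cisco. The ASA's real
scheduler is not public; this models only the documented semantics. The
cir/bc values used in the demo come from the sample 'show service-policy
police' output on the page; the packet bursts are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    arrival: float  # seconds
    size: int       # bytes


def police(packets, cir_bps, bc_bytes):
    """Single-rate policer: a packet is transmitted only if the bucket holds at
    least its size in credit, otherwise it is counted as exceeded (exceed-action
    drop). Packets must be given in arrival order."""
    tokens, last = float(bc_bytes), 0.0
    conformed = exceeded = 0
    for p in packets:
        # credit accrues at cir bits/s since the previous packet, capped at bc
        tokens = min(bc_bytes, tokens + (p.arrival - last) * cir_bps / 8)
        last = p.arrival
        if tokens >= p.size:
            tokens -= p.size
            conformed += 1
        else:
            exceeded += 1
    return {"conformed": conformed, "exceeded": exceeded}


def shape(packets, cir_bps, bc_bytes, queue_limit=64):
    """Shaper: a packet that cannot be sent at once waits in a FIFO (default
    limit 64 packets, as in the show output on this page) and leaves once
    enough credit has accrued. Only queue overflow drops."""
    if any(p.size > bc_bytes for p in packets):
        raise ValueError("bc must hold at least one full packet or the queue never drains")
    tokens, last_send = float(bc_bytes), 0.0
    departures, delays, dropped = [], [], 0
    for p in packets:
        # packets accepted earlier that have not yet left the queue
        pending = sum(1 for d in departures if d > p.arrival)
        if pending >= queue_limit:
            dropped += 1
            continue
        start = max(p.arrival, last_send)  # FIFO: cannot leave before its predecessor
        credit = min(bc_bytes, tokens + (start - last_send) * cir_bps / 8)
        if credit >= p.size:
            send = start
        else:
            # wait exactly until the bucket has refilled enough for this packet
            send = last_send + (p.size - tokens) * 8 / cir_bps
            credit = float(p.size)
        tokens = max(0.0, credit - p.size)
        last_send = send
        departures.append(send)
        delays.append(send - p.arrival)
    return {"sent": len(departures), "dropped": dropped,
            "max_delay_s": max(delays, default=0.0)}


def burst(count, size, at=0.0):
    """Constructed input: `count` packets of `size` bytes arriving together."""
    return [Packet(at, size) for _ in range(count)]


if __name__ == "__main__":
    CIR, BC = 56000, 10500  # from the sample show output: cir 56000 bps, bc 10500 bytes
    b = burst(20, 1500)     # 30000 bytes offered at once on a 10500-byte bucket
    print("police:", police(b, CIR, BC))  # 7 packets fit in bc, 13 are dropped
    print("shape: ", shape(b, CIR, BC))   # all 20 leave, the last after ~2.8 s
```

The same 30 kB burst is handled very differently: the policer passes only the bc worth of packets and drops the rest on the spot, while the shaper passes everything but the tail of the burst waits almost three seconds at 56 kbps. That delay is why the shaper's queue limit matters for voice, and why Note 2 below insists on combining LLQ with policing or shaping.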

 

NOTE 1: Policing inbound on an interface can do little for the link itself: by the time the packets are policed they have already crossed the link and consumed the download bandwidth. The one benefit of policing inbound to a value slightly below the available download bandwidth is that dropping before the link is oversubscribed lets TCP back off and converge on a throughput that fits the link. In practice this is hard to achieve, because many flows share the pipe and the policer acts on each class, not on the aggregate behaviour of TCP.

NOTE 2: Priority queueing has to be combined with policing or traffic shaping. Unless the link on which LLQ is applied is saturated, there is no contention for the egress queue and the packets are never actually prioritized. ASA interfaces are usually 100 Mbps, 1 Gbps or faster, so the interface itself is rarely the bottleneck; the slower upstream link is. Policing or shaping to the upstream rate along with LLQ makes LLQ kick in exactly at the point where the policing or shaping limit is reached.

NOTE 3: If priority queueing is applied to an application running between two sites, prioritize the application traffic on both sites. Prioritizing only one side leaves the return traffic subject to delay, which can have the same effect as not prioritizing at all.

 

Traffic Policing with Prioritization

Let's assume that we have an ASA carrying voice over a VPN tunnel. We want to prioritize the voice traffic through the VPN, police the non-voice VPN traffic, and police the rest of the TCP traffic.

Let's say the available upload bandwidth on the outside interface is 1 Mbps. We want 300 kbps for the VPN, 100 kbps of which is kept free for voice (leaving 200 kbps for non-voice VPN traffic), 500 kbps for plain TCP traffic and 200 kbps for everything else. Note that the voice class is not policed; it gets strict priority, and the 100 kbps is what remains once the other classes have been capped. Assume that the voice traffic is marked with DSCP EF (the default in most deployments) and that the tunnel group is named tunnel-grp1. In TG1-rest-class the "match flow ip destination-address" line makes the policer treat traffic to each destination IP address as a separate flow, so the 200 kbps limit is applied per flow rather than once to the whole class.

ASA(config)# priority-queue outside

ASA(config)# access-list tcp-traffic-acl permit tcp any any
ASA(config)# class-map tcp-traffic-class
ASA(config-cmap)# match access-list tcp-traffic-acl

ASA(config)# class-map TG1-voice-class
ASA(config-cmap)# match tunnel-group tunnel-grp1
ASA(config-cmap)# match dscp ef

ASA(config)# class-map TG1-rest-class
ASA(config-cmap)# match tunnel-group tunnel-grp1
ASA(config-cmap)# match flow ip destination-address

ASA(config)# policy-map police-priority-policy
ASA(config-pmap)# class tcp-traffic-class
ASA(config-pmap-c)# police output 500000
ASA(config-pmap-c)# class TG1-voice-class
ASA(config-pmap-c)# priority
ASA(config-pmap-c)# class TG1-rest-class
ASA(config-pmap-c)# police output 200000
ASA(config-pmap-c)# class class-default
ASA(config-pmap-c)# police output 200000

ASA(config)# service-policy police-priority-policy interface outside

 

 

Traffic Shaping with Prioritization

Now let's assume the same ASA as in the previous case, but this time we want to shape all outbound traffic and prioritize the voice through the VPN. In other words, we shape all traffic on the outside interface to 900 kbps (leaving 100 kbps of headroom on the 1 Mbps link) and give voice strict priority within the shaped rate. On the ASA the shape command is only allowed in class-default, so the priority policy is nested under it as a second-level service policy. Again, we assume that the voice traffic is marked with DSCP EF and that the tunnel group is named tunnel-grp1.

ASA(config)# priority-queue outside

ASA(config)# class-map TG1-voice-class
ASA(config-cmap)# match tunnel-group tunnel-grp1
ASA(config-cmap)# match dscp ef

ASA(config)# policy-map priority-policy
ASA(config-pmap)# class TG1-voice-class
ASA(config-pmap-c)# priority

ASA(config)# policy-map shape-priority-policy
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# shape average 900000
ASA(config-pmap-c)# service-policy priority-policy

ASA(config)# service-policy shape-priority-policy interface outside

 

 

Viewing QoS statistics

To view the statistics, run the following show commands (the sample output below comes from a different configuration than the examples above).

For the policing statistics:

ASA# show service-policy police

Global policy:
     Service-policy: global_fw_policy

Interface outside:
     Service-policy: qos
          Class-map: browse
               police Interface outside:
                    cir 56000 bps, bc 10500 bytes
                    conformed 10065 packets, 12621510 bytes; actions: transmit
                    exceeded 499 packets, 625146 bytes; actions: drop
                    conformed 5600 bps, exceed 5016 bps
          Class-map: cmap2
               police Interface outside:
                    cir 200000 bps, bc 37500 bytes
                    conformed 17179 packets, 20614800 bytes; actions: transmit
                    exceeded 617 packets, 770718 bytes; actions: drop
                    conformed 198785 bps, exceed 2303 bps

 

 

For the prioritization statistics:

 

 

 

ASA# show service-policy priority
Global policy:
     Service-policy: global_fw_policy

Interface outside:
     Service-policy: qos
          Class-map: TG1-voice-class
               Priority:
                    Interface outside: aggregate drop 0, aggregate transmit 9383

 

 

For the shaping statistics:

 

 

 

ASA# show service-policy shape

Interface outside:
  Service-policy: shape
    Class-map: class-default

      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0

      shape (average) cir 2000000, bc 16000, be 16000
      Service-policy: voip
        Class-map: voip

          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
        Class-map: class-default

          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
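Reading these counters by eye does not scale once several interfaces and classes are policed. The following Python is an added example, not part of the original article or of any Cisco tool: it parses the text of show service-policy police in the format shown above, computes how much of each class's traffic the policer has been dropping, and flags classes whose exceed action is drop and whose drop ratio is above a threshold. SAMPLE is constructed from the output shown above; the regular expressions assume that line format, which other ASA releases may word slightly differently.

```python
"""Parse 'show service-policy police' output and flag classes that are dropping.

Added example, not part of the original article and not a Cisco tool. SAMPLE
is constructed from the output shown on the page; the regexes match that
format and may need adjusting for other ASA releases.
"""
import re

SAMPLE = """\
ASA# show service-policy police

Global policy:
     Service-policy: global_fw_policy

Interface outside:
     Service-policy: qos
          Class-map: browse
               police Interface outside:
                    cir 56000 bps, bc 10500 bytes
                    conformed 10065 packets, 12621510 bytes; actions: transmit
                    exceeded 499 packets, 625146 bytes; actions: drop
                    conformed 5600 bps, exceed 5016 bps
          Class-map: cmap2
               police Interface outside:
                    cir 200000 bps, bc 37500 bytes
                    conformed 17179 packets, 20614800 bytes; actions: transmit
                    exceeded 617 packets, 770718 bytes; actions: drop
                    conformed 198785 bps, exceed 2303 bps
"""

_IFACE = re.compile(r"^Interface (\S+):")
_CLASS = re.compile(r"^Class-map: (\S+)")
_CIR = re.compile(r"^cir (\d+) bps, bc (\d+) bytes")
_CONF = re.compile(r"^conformed (\d+) packets, (\d+) bytes; actions: (\w+)")
_EXC = re.compile(r"^exceeded (\d+) packets, (\d+) bytes; actions: (\w+)")
_RATE = re.compile(r"^conformed (\d+) bps, exceed (\d+) bps")


def parse_police(text):
    """Return one dict per policed class, in the order the ASA prints them.
    Classes without a police block (e.g. under the global policy) are skipped."""
    records, iface, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _IFACE.match(line):
            iface = m.group(1)
        elif m := _CLASS.match(line):
            cur = {"interface": iface, "class": m.group(1)}
        elif cur is None:
            continue
        elif m := _CIR.match(line):
            cur["cir_bps"], cur["bc_bytes"] = int(m.group(1)), int(m.group(2))
        elif m := _CONF.match(line):
            cur["conformed_pkts"], cur["conformed_bytes"] = int(m.group(1)), int(m.group(2))
            cur["conform_action"] = m.group(3)
        elif m := _EXC.match(line):
            cur["exceeded_pkts"], cur["exceeded_bytes"] = int(m.group(1)), int(m.group(2))
            cur["exceed_action"] = m.group(3)
        elif m := _RATE.match(line):
            cur["conformed_bps"], cur["exceed_bps"] = int(m.group(1)), int(m.group(2))
            records.append(cur)  # the rate line closes the class block
            cur = None
    return records


def exceed_ratio(rec):
    """Share of the class's packets (since the counters were cleared) above cir."""
    total = rec["conformed_pkts"] + rec["exceeded_pkts"]
    return rec["exceeded_pkts"] / total if total else 0.0


def current_drop_share(rec):
    """Share of the currently offered rate being policed away (from the bps line)."""
    offered = rec["conformed_bps"] + rec["exceed_bps"]
    return rec["exceed_bps"] / offered if offered else 0.0


def flag_drops(records, max_ratio=0.01):
    """Classes whose exceed action is drop and whose cumulative exceed ratio is
    above max_ratio. A class with exceed-action transmit is not flagged: its
    exceeded counter grows, but nothing is lost."""
    return [(r["interface"], r["class"], round(exceed_ratio(r), 4))
            for r in records
            if r["exceed_action"] == "drop" and exceed_ratio(r) > max_ratio]


if __name__ == "__main__":
    for iface, cls, ratio in flag_drops(parse_police(SAMPLE)):
        print(f"{iface}/{cls}: {ratio:.1%} of packets dropped by the policer")
```

The packet counters are cumulative, so either clear them with clear service-policy before a measurement window or diff two snapshots; the bps line reports the current rates and is the better signal for a live problem. In the sample, the browse class is being offered almost twice its conforming rate at that moment (5016 bps exceeding next to 5600 bps conforming), which is the sort of thing this check is meant to surface.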
Comments

ccordes
Level 1

I haven't tried shaping on the 5525X but my ASA 5505 running 9.1(3) took the shaping config. You have to use nested policies to do shaping like this:

 

Create the ACL "qos_priority_acl" to match prioritized traffic.

Then this is from my ASA; I added TEST so I would not mess with my existing policy-maps.

 

class-map qos_Priority_class
 match access-list qos_Priority_acl
!
policy-map qos_TEST-Priority_policy
 class qos_Priority_class
  priority
!
policy-map qos_TEST-Shape-Priority-outside_policy
 class class-default
  shape average 1600000
  service-policy qos_TEST-Priority_policy
!

You would then apply the "qos_TEST-Shape-Priority-outside_policy" policy to an interface using the service-policy command.

ccordes
Level 1

Looks like you need to use the ASDM (ASA Device Manager) not the command line.

krishna.peri1
Level 1

Team,

I have a similar query on QoS applied at the ingress interface. I will elaborate more on my network and need experts' suggestions on whether we can go ahead and do that.

We have our own telephone system and now we are planning to migrate to cloud. We got two connections for HA.

 

1. MPLS - Primary (the service provider link comes into our 3850 switch, which acts as the core in our DC)
2. Cisco ASA FW - Secondary, used when MPLS goes down.

Now one of our client PMOs is asking us to implement QoS with DSCP 46 on the Cisco ASA for inbound traffic, for traffic that was initiated from our network. Please note that we are doing marking and shaping on our Cisco 3850-48 port stack switch at our DC.

And this Firewall is also connected to the same DC core sw. 

 

We don't have any RTR which will connect to SP for our internet service. We have service with our Partner connect, where our DC is shared one.


When the traffic is initiated internally, how can we apply QoS on the ingress interface?

If we can apply it, can we do it in our environment, where L2L VPN, AnyConnect and plain internet traffic are all mapped to the same outside interface?

Please help with your suggestion and guide me further.

krishna.peri1
Level 1

Team,

 

All my concern is this: when VoIP traffic is initiated internally, how can we apply QoS at ingress to the VoIP traffic that comes back in reply to the VoIP traffic originally sent from inside?

VoIP traffic is UDP and no 3-way handshake is required. However, with the VoIP traffic leaving via the egress interface and the reply arriving on the ingress interface, can we apply QoS with DSCP 46 to all of the VoIP traffic?

As said, our Cisco ASA FW shares the outside interface for L2L VPN, AnyConnect and plain internet as well.

niima
Level 1

Dear experts,

 

Is one able to rate limit the items below when configuring a security context on an ASA 5520?

 

1) NAT

2) MAC learning

3) Stateful packet inspections

 

My understanding is that the ASDM session rate, the connection rate and the syslog message rate are the only things that can be rate limited. Am I wrong? Your input is much appreciated.
