on 05-15-2012 06:20 PM
ASA VPN: QoS for Voice/Video Traffic
BACKGROUND
Generally, voice and video traffic cannot tolerate long latencies. Using QoS helps reduce latency and prioritize mission-critical traffic. A Cisco IOS router can prioritize voice traffic and also has a command option to reserve bandwidth for voice and video traffic. That bandwidth reservation command is not available on the ASA. This document describes how to prioritize voice/video traffic on a VPN network, how to reserve bandwidth for voice/video traffic, and the best practices for configuring QoS for voice/video traffic on the Cisco ASA.
ASA QOS OVERVIEW
NOTE: If a packet is not classified as priority or rate-limited traffic, it is forwarded to the low-priority queue (egress interface QoS) and any existing rate-limiting policies are not applied to it.
Standard Priority Queuing
Example: Assume our ASA has a VPN tunnel group named “2.2.2.2” and a link bandwidth of 1 Mbps (1000000 bps). We want to prioritize voice and also reserve 0.1 Mbps (100000 bps) of bandwidth for voice. Remember that the ASA does not mark or classify voice packets; in this example we assume the voice traffic is already marked with a DSCP value of EF.
In this example, a nested approach is also used in the policy map and the default-class traffic is policed. The ASA provides a way to apply actions to traffic not matched by any configured class map: the “class-default” class. Using “class-default” is not supported for priority traffic. Since we are using the standard priority queue, we manually configure the standard priority queue on the outside interface.
On the ASA 5580, a standard priority queue cannot be created on a Ten Gigabit Ethernet interface; it can only be created on the ASA 5585-X with a Ten Gigabit Ethernet interface. Also, priority queuing is not supported on the management interface (“management 0/0”) on the ASA 5512-X through ASA 5555-X.
When priority queuing is configured, IPsec packets may be received out of order and fall outside the anti-replay window. This causes false-positive warning syslog messages to be generated. Increasing the IPsec anti-replay window size can be used to avoid this false-positive warning.
GORIASA(config)# interface g0/0
GORIASA(config-if)# nameif outside
GORIASA(config-if)# speed auto
GORIASA(config-if)# duplex auto
GORIASA(config)# interface g0/1
GORIASA(config-if)# nameif inside
GORIASA(config-if)# speed auto
GORIASA(config-if)# duplex auto
GORIASA(config-if)# sysopt connection tcpmss 1200
GORIASA(config)# mtu outside 1380
GORIASA(config)# crypto IPsec df-bit clear-df outside
GORIASA(config)# crypto IPsec fragmentation before-encryption outside
GORIASA(config)# crypto IPsec security-association replay window-size 1024
GORIASA(config)# priority-queue outside
GORIASA(config-priority-queue)# tx-ring-limit 512
GORIASA(config-priority-queue)# queue-limit 2048
GORIASA(config)# class-map voice-qos
GORIASA(config-cmap)# match tunnel-group 2.2.2.2
GORIASA(config-cmap)# match dscp ef
GORIASA(config-cmap)# exit
GORIASA(config)# policy-map Gori-police
GORIASA(config-pmap)# class voice-qos
GORIASA(config-pmap-c)# priority
GORIASA(config-pmap-c)# exit
GORIASA(config-pmap)# class class-default
GORIASA(config-pmap-c)# police output 900000 conform-action transmit exceed-action drop
GORIASA(config)# service-policy Gori-police interface outside
The policing rate is in bits per second (bps). The link below can be used for data-rate unit conversion.
http://www.sengpielaudio.com/calculator-transferrate.htm
Hierarchical Priority Queuing
In this example, a nested approach is used in the policy map and the default-class traffic is shaped. On the ASA, shaping can only be applied to outgoing traffic using class-default, because the ASA requires all traffic to be matched for traffic shaping. Traffic shaping is similar to policing, except that shaping places packets into a buffer and smooths the traffic flow to match the imposed limit, whereas policing drops packets once the limit has been exceeded. Generally, traffic shaping applies to all types of traffic leaving the ASA. You cannot enable policing and traffic shaping for the same type of traffic, even though the ASA allows the configuration.
The total maximum traffic size for shaped traffic includes IPsec overhead and Layer 2 (L2) headers. Shaping takes place after encryption and therefore does not allow prioritization based on the inner packet or on a tunnel-group basis for VPN. When using hierarchical priority queuing for encrypted VPN traffic, only the DSCP/IP precedence value can be used to match the traffic; the tunnel group cannot be used.
Since we are using the hierarchical priority queue in this example, we do not need to configure priority queuing on the outside interface. It is important to know that traffic shaping is not yet supported on the ASA 5580.
GORIASA(config)# interface g0/0
GORIASA(config-if)# nameif outside
GORIASA(config-if)# speed auto
GORIASA(config-if)# duplex auto
GORIASA(config)# interface g0/1
GORIASA(config-if)# nameif inside
GORIASA(config-if)# speed auto
GORIASA(config-if)# duplex auto
GORIASA(config-if)# sysopt connection tcpmss 1200
GORIASA(config)# mtu outside 1380
GORIASA(config)# crypto IPsec df-bit clear-df outside
GORIASA(config)# crypto IPsec fragmentation before-encryption outside
GORIASA(config)# crypto IPsec security-association replay window-size 1024
GORIASA(config)# class-map voice-qos
GORIASA(config-cmap)# match dscp ef
GORIASA(config)# policy-map voice-qos
GORIASA(config-pmap)# class voice-qos
GORIASA(config-pmap-c)# priority
GORIASA(config-pmap-c)# policy-map gory-shape
GORIASA(config-pmap)# class class-default
GORIASA(config-pmap-c)# shape average 896000
GORIASA(config-pmap-c)# service-policy voice-qos
GORIASA(config)# service-policy gory-shape interface outside
NOTE: The target bit rate (bits per second) for traffic shaping needs to be a multiple of 8000.
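As an added example (not part of the original document or any Cisco tooling), a small Python linter that applies the constraints this section states to a policy text: shaping only on class-default and in multiples of 8000, no priority action on class-default, and no tunnel-group match in a class nested under a shaper. The config it checks is a constructed copy of the hierarchical example above with two faults seeded; SAMPLE_CONFIG, parse_policy and lint_qos are hypothetical names.

```python
# Constructed policy modelled on the hierarchical example above (hypothetical names, not a real device), seeded with two faults this document warns about.
SAMPLE_CONFIG = """\
class-map voice-qos
 match tunnel-group 2.2.2.2
 match dscp ef
policy-map voice-qos
 class voice-qos
  priority
policy-map gory-shape
 class class-default
  shape average 900000
  service-policy voice-qos
"""

def parse_policy(text):
    """Return (class-map -> match lines, policy-map -> {class -> action lines})."""
    cmaps, pmaps, target, pmap = {}, {}, None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        kind, _, name = line.partition(" ")
        if kind == "class-map":
            target, pmap = cmaps.setdefault(name, []), None
        elif kind == "policy-map":
            pmap, target = pmaps.setdefault(name, {}), None
        elif kind == "class" and pmap is not None:
            target = pmap.setdefault(name, [])
        elif target is not None:
            target.append(line)
    return cmaps, pmaps

def lint_qos(text):
    """Apply the ASA shaping constraints stated in this document; return findings."""
    cmaps, pmaps = parse_policy(text)
    issues = []
    for pname, classes in pmaps.items():
        for cls, actions in classes.items():
            if cls == "class-default" and "priority" in actions:
                issues.append(f"{pname}: priority is not supported on class-default")
            # At most one shape action per class; loop runs zero or one time.
            for shape in (a for a in actions if a.startswith("shape average ")):
                rate = int(shape.split()[2])
                if cls != "class-default":
                    issues.append(f"{pname}: shaping is only allowed on class-default")
                if rate % 8000:
                    issues.append(f"{pname}: shape rate {rate} is not a multiple of 8000")
                nested = [a.split()[1] for a in actions if a.startswith("service-policy ")]
                for ncls in (c for n in nested for c in pmaps.get(n, {})):
                    if any("tunnel-group" in m for m in cmaps.get(ncls, [])):
                        issues.append(f"{pname}: nested class {ncls} matches tunnel-group under shaping")
    return issues
```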
Using the “show priority-queue statistics” command tells us whether the ASA is actually prioritizing the traffic. As shown below, it displays statistics for both the traffic forwarded as BE (best effort) and the traffic forwarded through the LLQ (low-latency queue).
show priority-queue statistics before QoS is configured
Priority-Queue Statistics interface OUTSIDE
Queue Type = BE
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 642459
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
Queue Type = LLQ
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 0
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
show priority-queue statistics after QoS is configured
Priority-Queue Statistics interface OUTSIDE
Queue Type = BE
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 1618882
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
Queue Type = LLQ
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 757
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
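As an added example that is not part of the original post, a Python helper that parses the “show priority-queue statistics” output shown above and diffs two snapshots, so a script can confirm that the LLQ is actually carrying packets after the policy is applied and that neither queue is tail-dropping. The counters are constructed from the two captures above; parse_pq_stats and qos_health are hypothetical names.

```python
# Constructed sample reproducing the 'after QoS' capture above (not a live device).
AFTER_QOS = """\
Priority-Queue Statistics interface OUTSIDE
Queue Type = BE
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 1618882
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
Queue Type = LLQ
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 757
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
"""
# The 'before QoS' capture above differs only in the two Packets Transmit counters.
BEFORE_QOS = AFTER_QOS.replace("1618882", "642459").replace("= 757", "= 0")

def parse_pq_stats(text):
    """Parse 'show priority-queue statistics' output into {queue: {counter: int}}."""
    stats, queue = {}, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "Queue Type":
            queue = value
            stats[queue] = {}
        elif queue and value.isdigit():
            stats[queue][key] = int(value)
    return stats

def qos_health(before, after):
    """Diff two snapshots: did the LLQ carry anything, and did either queue tail-drop?"""
    llq = after["LLQ"]["Packets Transmit"] - before["LLQ"]["Packets Transmit"]
    be = after["BE"]["Packets Transmit"] - before["BE"]["Packets Transmit"]
    findings = []
    if llq == 0:
        findings.append("LLQ idle: nothing matched the priority class (check EF marking and class-map)")
    for q in ("BE", "LLQ"):
        drops = after[q]["Tail Drops"] - before[q]["Tail Drops"]
        if drops:
            findings.append(f"{q}: {drops} tail drops since last snapshot (raise queue-limit?)")
    return {"llq_packets": llq, "be_packets": be, "findings": findings}
```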
NOTES: ASA QoS commands
clear service-policy policyname interface ifname
sh service-policy global
sh service-policy interface ifname
sh service-policy priority
sh priority-queue statistics
sh service-policy shape
show running-config priority-queue
clear configure priority-queue
The following bugs are introduced by the traffic shaping feature:
CSCsq08550: Traffic shaping with priority queueing causes traffic failure on ASA
CSCsx07862: Traffic shaping with priority queueing causes packet delay and drops
CSCsq07395: Adding shaping service-policy fails if policy-map has been edited
GORI DAWODU
CISCO TAC VPN, SAN JOSE
Good. Thank you for sharing.