Newbie ASA QoS question

steve.frank (Level 1)

Pardon the probably simple question, but is QoS enforced only when an interface is maxed out and congested? I'm setting a policy to police traffic for a single IP address, limiting it to 384K of bandwidth, with a single T-1 connected. It doesn't seem to "kick in" and limit it under normal traffic, so I'm thinking QoS doesn't matter until best effort is bumping up against the maximum speed of the line?

Hopefully I worded that correctly! Thanks!

Steve


suschoud (Cisco Employee)

qos starts working as soon as you define the traffic which needs to be prioritized.

Here's the link which gives extensive detail on how to configure QoS on the firewall:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_1/conf_gd/qos.htm

Here's a sample configuration:

ASA-5520-CSC-Standalone(config)# access-list test1 line 1 extended permit ip host 12.32.236.47 host 38.99.138.243
ASA-5520-CSC-Standalone(config)# access-list test2 line 1 extended permit ip host 38.99.138.243 host 10.21.190.33
ASA-5520-CSC-Standalone(config)# class-map source_desti
ASA-5520-CSC-Standalone(config-cmap)# match access-list test1
ASA-5520-CSC-Standalone(config-cmap)# exit
ASA-5520-CSC-Standalone(config)# class-map source_desti1
ASA-5520-CSC-Standalone(config-cmap)# match access-list test2
ASA-5520-CSC-Standalone(config-cmap)# exit
ASA-5520-CSC-Standalone(config)# policy-map AllExternalTraffic
ASA-5520-CSC-Standalone(config-pmap)# description Give AllExternalTraffic packets priority
ASA-5520-CSC-Standalone(config-pmap)# class source_desti1
ASA-5520-CSC-Standalone(config-pmap-c)# priority
ASA-5520-CSC-Standalone(config-pmap-c)# exit
ASA-5520-CSC-Standalone(config-pmap)# exit
ASA-5520-CSC-Standalone(config)# service-policy AllExternalTraffic interface outside

Yes, I have the config set up. Here's what I'm doing, IP addresses changed to protect the guilty (me!):

access-list any-host-acl extended permit ip host 192.168.0.1 any
class-map host-traffic
 match access-list any-host-acl
!
!
policy-map host-policy
 class wynn-traffic
  police 384000 72000
!
service-policy host-policy interface outside
priority-queue outside
 queue-limit 200
 tx-ring-limit 100

I'm just basically trying to limit all bandwidth to this particular host. I try to test it by doing a copy of data from that host, and the monitor in the ASA ASDM goes right past my 384K limit. Doing show service-policy interface outside shows exceeded 0 packets, 0 bytes, so it appears it's not applying the policing.

Hopefully my example is more clear as to why I don't understand why it's not enforcing. :)

access-list any-host-acl extended permit ip host 192.168.0.1 any
(config)# class-map host-traffic
 match access-list any-host-acl
 exit
policy-map host-policy
 class host-traffic
  priority
  exit
 exit

this will work for ya!!

Two things.

First off, in my efforts to not reveal internal hostnames I made that typo in the class host-traffic line. Rest assured the typo isn't there in my config. :-)

I'm not interested in just priority, I want to police. My understanding is that I cannot do "priority" and "police" against the same class? Is that right?

hi,

if you have defined the traffic in a class map "blah", then under the policy map you need to use the same class map name.

class-map blah
 match access-list abc
policy-map global_policy
 class blah

___________

in your config, I believe you are using different names... the class-map's name is different and under the policy map the class's name is something else.....

yes, policing and prioritizing cannot be done on the same interface/for the same traffic.

-----

ASA-5520-CSC-Standalone(config)# access-list abc permit ip any any
ASA-5520-CSC-Standalone(config)# class-map myqos
ASA-5520-CSC-Standalone(config-cmap)# match access-list abc
ASA-5520-CSC-Standalone(config-cmap)# exit
ASA-5520-CSC-Standalone(config)# policy-map myqoss
ASA-5520-CSC-Standalone(config-pmap)# class myqos
ASA-5520-CSC-Standalone(config-pmap-c)# ?
MPF policy-map class configuration commands:
  csc       Content Security and Control service module
  exit      Exit from MPF class action configuration mode
  help      Help for MPF policy-map class/match submode commands
  inspect   Protocol inspection services
  ips       Intrusion prevention services
  no        Negate or set default values of a command
  police    Rate limit traffic for this class
  priority  Strict scheduling priority for this class
  quit      Exit from MPF class action configuration mode
  set       Set connection values
ASA-5520-CSC-Standalone(config-pmap-c)# police ?
mpf-policy-map-class mode commands/options:
  input   Police traffic in input direction
  output  Police traffic in output direction
ASA-5520-CSC-Standalone(config-pmap-c)# police input
ERROR: % Incomplete command
ASA-5520-CSC-Standalone(config-pmap-c)# police input ?
mpf-policy-map-class mode commands/options:
  <8000-2000000000>  Bits per second
ASA-5520-CSC-Standalone(config-pmap-c)# police input 760000
ASA-5520-CSC-Standalone(config-pmap-c)# priority
ERROR: Must deconfigure police in this class before issuing this command
ASA-5520-CSC-Standalone(config-pmap-c)#
ASA-5520-CSC-Standalone(config-pmap-c)# exit
ASA-5520-CSC-Standalone(config-pmap)# exit
ASA-5520-CSC-Standalone(config)# service-policy myqoss ?
configure mode commands/options:
  global     Enter this keyword to specify a global policy
  interface  Enter this keyword to specify an interface policy
ASA-5520-CSC-Standalone(config)# service-policy myqoss interface outside
ASA-5520-CSC-Standalone(config)#

________________

What say?

yes, this is my config with the typo correction. Note that I made the typo error only in this question, not on my actual config.

access-list any-host-acl extended permit ip host 192.168.0.1 any
class-map host-traffic
 match access-list any-host-acl
!
!
policy-map host-policy
 class host-traffic
  police 384000 72000
!
service-policy host-policy interface outside
priority-queue outside
 queue-limit 200
 tx-ring-limit 100

I assume there's nothing wrong with this?

why don't you tie the class host-traffic into the global policy

FYI.. policing and priority don't work simultaneously for the same "match traffic"

In this case I guess it wouldn't matter to me if it's in the global policy or not. I can try that, it's just when I use show service-policy interface outside it doesn't seem to show any counters increasing on the police traffic.

Yep, I think I asked about policing and priority. I have some other traffic that's simple telnet that I'm doing priority (different ACL) on, and that seems to be working.

Putting it in the global policy and applying it is like putting it on all interfaces at once, right?

yes you are right,

also QoS-related policies under policy-map-name apply only to the outbound traffic, not to the inbound traffic of the named interface.

When you apply it globally , does it help you ?

read this:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/qos.htm

I think that's what I read to get to here. :-)

Here's what I see now on my inside interface:

police Interface inside:
  cir 384000 bps, bc 72000 bytes
  conformed 4179 packets, 1334622 bytes; actions: transmit
  exceeded 0 packets, 0 bytes; actions: drop
  conformed 3912 bps, exceed 0 bps

Does this mean it's working? If I request a boatload of data to that host from inside, should I not see exceeded increase in terms of packets and bytes when I start getting data in excess of 384K + the burst?

Did I mention I'm a newbie at this? :)
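The "conformed / exceeded" counters above come from a single-rate token-bucket policer, and the question of whether it only bites when the line is congested can be answered by modelling one. The following is an added example written for this thread, not Cisco code or anything from the ASA itself; it reproduces the policer semantics (cir in bits per second, bc in bytes, drop on exceed) with the thread's values of 384000 and 72000, and prints counters in the style of show service-policy police. Function and parameter names (Policer, offer, run_flow) are this example's own choices.

```python
"""Token-bucket model of the ASA `police <cir> <bc>` action (added illustration).

The policer is independent of link load: a packet is "exceeded" the moment
the bucket is empty, whether or not the T-1 is busy.  That is the difference
from `priority`, which only changes scheduling order once a queue forms.
"""
from dataclasses import dataclass, field


@dataclass
class Policer:
    cir_bps: int            # conform rate, bits per second (384000 in the thread)
    bc_bytes: int           # burst size, bytes (72000 in the thread)
    tokens: float = field(init=False)
    last_t: float = 0.0
    conformed_pkts: int = 0
    conformed_bytes: int = 0
    exceeded_pkts: int = 0
    exceeded_bytes: int = 0

    def __post_init__(self):
        self.tokens = float(self.bc_bytes)   # bucket starts full, so the first burst passes

    def _refill(self, now: float) -> None:
        # Credit the bucket with cir bytes per second since the last packet, capped at bc.
        elapsed = now - self.last_t
        self.tokens = min(self.bc_bytes, self.tokens + elapsed * self.cir_bps / 8)
        self.last_t = now

    def offer(self, now: float, size: int) -> bool:
        """Offer one packet; True = conformed (transmit), False = exceeded (drop)."""
        self._refill(now)
        if size <= self.tokens:
            self.tokens -= size
            self.conformed_pkts += 1
            self.conformed_bytes += size
            return True
        self.exceeded_pkts += 1
        self.exceeded_bytes += size
        return False

    def show(self, interface: str) -> str:
        """Render counters in the style of `show service-policy police`."""
        return (f"police Interface {interface}:\n"
                f"  cir {self.cir_bps} bps, bc {self.bc_bytes} bytes\n"
                f"  conformed {self.conformed_pkts} packets, {self.conformed_bytes} bytes; "
                f"actions: transmit\n"
                f"  exceeded {self.exceeded_pkts} packets, {self.exceeded_bytes} bytes; "
                f"actions: drop")


def run_flow(offered_bps: int, duration_s: float, pkt_size: int = 1500,
             cir: int = 384000, bc: int = 72000) -> Policer:
    """Offer a constant-rate flow (constructed traffic) to a fresh policer."""
    p = Policer(cir, bc)
    interval = pkt_size * 8 / offered_bps            # seconds between packets
    n_packets = round(offered_bps * duration_s / (pkt_size * 8))
    for i in range(n_packets):
        p.offer(i * interval, pkt_size)
    return p


def delivered_bps(p: Policer, duration_s: float) -> float:
    """Average rate that made it past the policer."""
    return p.conformed_bytes * 8 / duration_s


if __name__ == "__main__":
    # A 200 kbps flow never empties the bucket: exceeded stays 0, exactly like the
    # counters in the thread while the host was idle.
    light = run_flow(200_000, 10)
    print(light.show("inside"), "\n")
    # A host pulling a 1.5 Mbps copy over the T-1 is clamped to roughly cir plus the
    # amortised burst, with no congestion on the link needed.
    heavy = run_flow(1_500_000, 10)
    print(heavy.show("inside"))
    print(f"delivered ~{delivered_bps(heavy, 10):.0f} bps")
```

Running it shows exceeded packets appearing only once the offered rate passes cir, which is what the counters in the thread were waiting for: an idle host shows exceeded 0 no matter how the policy is attached.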

cool.. so try running the DSL speed test now on any of your internal hosts and see the fun... :-)

yes, you are right... if you exceed 384kbps the fw will either reset the connection or drop your request

did you configure it globally or just on your inside interface?

The other commands that would help are:

(config)# sh service-policy global
(config)# sh service-policy police

ASA5510-Single(config)# sh service-policy

Global policy:
  Service-policy: global
    Class-map: myclass
      Inspect: pptp, packet 0, drop 0, reset-drop 0
    Class-map: global-class
      Inspect: icmp error, packet 0, drop 0, reset-drop 0
      Inspect: pptp, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: http, packet 0, drop 0, reset-drop 0
      Inspect: icmp, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: dns, packet 0, drop 0, reset-drop 0
    Class-map: telnet
      Set connection policy:
      Set connection timeout policy:
        tcp 24:00:00
    Class-map: IPS-CLASS
      IPS: card status Up, mode inline fail-open
        packet input 0, packet output 0, drop 0, reset-drop 0
ASA5510-Single(config)#

Sorry for the delay, I actually got a day off here.

Yep, we're working great, I set it to the global interface and now I see it cutting things off nicely. We've got ourselves a DSL line right there in the middle of the T-1. :-)

Thanks a ton.

Does PIX support low LLQ with upper limit? How do you define it? On routers you typically define it like below.

R2#show access-list
Extended IP access list 155
    permit udp 210.1.1.0 0.0.0.255 220.1.1.0 0.0.0.255 range 17000 18000
    permit udp 210.1.1.0 0.0.0.255 220.1.1.0 0.0.0.255 range 20000 21000

Next, create the class map that will call the access list.

R2(config)#class-map VOICE_QUEUE
R2(config-cmap)#match access-group 155

Now, create the policy map itself. Use IOS Help to verify the unit of measurement of any Cisco routing command - it can be kilobits per second, megabits per second, or bits per second!

R2(config-cmap)#policy-map VOICE
R2(config-pmap)#class VOICE_QUEUE
R2(config-pmap-c)#priority ?
  <8-2000000>  Kilo Bits per second
R2(config-pmap-c)#priority 100
R2(config-pmap-c)#class class-default
R2(config-pmap-c)#fair-queue

Finally, apply the policy map with the service-policy command on the appropriate interface - and in the appropriate direction with the input or output option!

R2(config-pmap-c)#interface serial0
R2(config-if)#service-policy output VOICE

What I see on PIX is that it has the command "priority", but you can't set a limit on the priority queue. How do you say "priority 300", meaning prioritize the traffic up to 300K and after that it's OK to drop it?

The PIX commands for priority queue size are in number of packets not the bandwidth.

Thanks,

Sam
