03-22-2007 07:42 AM - edited 02-21-2020 01:27 AM
Pardon the probably simple question, but is QoS enforced only when an interface is maxed out and congested? I'm setting up a policy to police traffic for a single IP address, limiting it to 384K of bandwidth with a single T-1 connected. It doesn't seem to "kick in" and limit it under normal traffic, so I'm thinking QoS doesn't matter until best effort is bumping up against the maximum speed of the line?
Hopefully I worded that correctly! Thanks!
Steve
03-22-2007 07:51 AM
QoS starts working as soon as you define the traffic which needs to be prioritized.
Here's the link which gives extensive detail as to how to configure QoS on the firewall:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_1/conf_gd/qos.htm
Here's a sample configuration:
ASA-5520-CSC-Standalone(config)# access-list test1 line 1 extended permit ip host 12.32.236.47 host 38.99.138.243
ASA-5520-CSC-Standalone(config)# access-list test2 line 1 extended permit ip host 38.99.138.243 host 10.21.190.33
ASA-5520-CSC-Standalone(config)# class-map source_desti
ASA-5520-CSC-Standalone(config-cmap)# match access-list test1
ASA-5520-CSC-Standalone(config-cmap)# exit
ASA-5520-CSC-Standalone(config)# class-map source_desti1
ASA-5520-CSC-Standalone(config-cmap)# match access-list test2
ASA-5520-CSC-Standalone(config-cmap)# exit
ASA-5520-CSC-Standalone(config)# policy-map AllExternalTraffic
ASA-5520-CSC-Standalone(config-pmap)# description Give AllExternalTraffic packets priority
ASA-5520-CSC-Standalone(config-pmap)# class source_desti1
ASA-5520-CSC-Standalone(config-pmap-c)# priority
ASA-5520-CSC-Standalone(config-pmap-c)# exit
ASA-5520-CSC-Standalone(config-pmap)# exit
ASA-5520-CSC-Standalone(config)# service-policy AllExternalTraffic interface outside
03-22-2007 08:13 AM
Yes, I have the config set up. Here's what I'm doing, IP addresses changed to protect the guilty (me!):
access-list any-host-acl extended permit ip host 192.168.0.1 any
class-map host-traffic
match access-list any-host-acl
!
!
policy-map host-policy
class wynn-traffic
police 384000 72000
!
service-policy host-policy interface outside
priority-queue outside
queue-limit 200
tx-ring-limit 100
I'm just basically trying to limit all bandwidth to this particular host. I try to test it by doing a copy of data from that host, and the monitor on the ASA ASDM goes right past my 384K limit. Doing show service-policy interface outside shows that exceeded 0 packets, 0 bytes, so it appears it's not applying the policing.
Hopefully my example is more clear as to why I don't understand why it's not enforcing. :)
03-22-2007 08:49 AM
access-list any-host-acl extended permit ip host 192.168.0.1 any
(config)#class-map host-traffic
match access-list any-host-acl
exit
policy-map host-policy
class host-traffic
priority
exit
exit
this will work for ya!!
03-22-2007 09:01 AM
Two things.
First off, in my efforts to not reveal internal hostnames I did that in the class host-traffic line. Rest assured the typo isn't there in my config. :-)
I'm not interested in just priority, I want to police. My understanding is that I cannot do "priority" and "police" against the same class? Is that right?
03-22-2007 09:12 AM
Hi,
If you have defined the traffic in a class map "blah", then under the policy map you need to use the same class map name.
class-map blah
match access-list abc
policy-map global_policy
class blah
___________
In your config, I believe you are using different names: the class-map's name is different, and under the policy map the class's name is something else.
Yes, policing and prioritizing cannot be done on the same interface/for the same traffic.
-----
ASA-5520-CSC-Standalone(config)# access-list abc permit ip any any
ASA-5520-CSC-Standalone(config)# class-map myqos
ASA-5520-CSC-Standalone(config-cmap)# match access-list abc
ASA-5520-CSC-Standalone(config-cmap)# exit
ASA-5520-CSC-Standalone(config)# policy-map myqoss
ASA-5520-CSC-Standalone(config-pmap)# class myqos
ASA-5520-CSC-Standalone(config-pmap-c)# ?
MPF policy-map class configuration commands:
csc Content Security and Control service module
exit Exit from MPF class action configuration mode
help Help for MPF policy-map class/match submode commands
inspect Protocol inspection services
ips Intrusion prevention services
no Negate or set default values of a command
police Rate limit traffic for this class
priority Strict scheduling priority for this class
quit Exit from MPF class action configuration mode
set Set connection values
ASA-5520-CSC-Standalone(config-pmap-c)# police ?
mpf-policy-map-class mode commands/options:
input Police traffic in input direction
output Police traffic in output direction
ASA-5520-CSC-Standalone(config-pmap-c)# police input
ERROR: % Incomplete command
ASA-5520-CSC-Standalone(config-pmap-c)# police input ?
mpf-policy-map-class mode commands/options:
<8000-2000000000> Bits per second
ASA-5520-CSC-Standalone(config-pmap-c)# police input 760000
ASA-5520-CSC-Standalone(config-pmap-c)# priority
ERROR: Must deconfigure police in this class before issuing this command
ASA-5520-CSC-Standalone(config-pmap-c)#
ASA-5520-CSC-Standalone(config-pmap-c)# exit
ASA-5520-CSC-Standalone(config-pmap)# exit
ASA-5520-CSC-Standalone(config)# service-policy myqoss ?
configure mode commands/options:
global Enter this keyword to specify a global policy
interface Enter this keyword to specify an interface policy
ASA-5520-CSC-Standalone(config)# service-policy myqoss interface outside
ASA-5520-CSC-Standalone(config)#
________________
What say?
03-22-2007 10:57 AM
Yes, this is my config with the typo correction. Note that I made the typo error only in this question, not on my actual config.
access-list any-host-acl extended permit ip host 192.168.0.1 any
class-map host-traffic
match access-list any-host-acl
!
!
policy-map host-policy
class host-traffic
police 384000 72000
!
service-policy host-policy interface outside
priority-queue outside
queue-limit 200
tx-ring-limit 100
I assume there's nothing wrong with this?
03-22-2007 01:42 PM
Why don't you tie the class host-traffic into the global policy?
FYI, policing and priority don't work simultaneously for the same "match traffic".
03-22-2007 01:55 PM
In this case I guess it wouldn't matter to me if it's in the global policy or not. I can try that; it's just that when I use show service-policy interface outside, it doesn't seem to show any counters increasing on the police traffic.
Yep, I think I asked about policing and priority. I have some other traffic that's simple telnet that I'm doing priority (different ACL) on, and that seems to be working.
03-22-2007 01:58 PM
Putting it in the global policy and applying it is like putting it on all interfaces at once, right?
03-22-2007 02:17 PM
Yes, you are right.
Also, QoS-related policies under the policy-map name apply only to outbound traffic, not to inbound traffic on the named interface.
When you apply it globally, does it help you?
Read this:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/qos.htm
03-22-2007 02:47 PM
I think that's what I read to get to here. :-)
Here's what I see now on my inside interface:
police Interface inside:
cir 384000 bps, bc 72000 bytes
conformed 4179 packets, 1334622 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 3912 bps, exceed 0 bps
Does this mean it's working? If I request a boatload of data to that host from inside, should I not see exceeded increase in terms of packets and bytes when I start getting data in excess of 384K + the burst?
Did I mention I'm a newbie at this? :)
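To make the counters in the stanza above concrete, here is an added example (my own, not code from the thread or from Cisco): it parses the police counters from constructed show service-policy output modeled on the lines quoted above, flags whether the exceeded counters moved between two snapshots, and simulates the policer (cir 384000 bps, bc 72000 bytes) as a single-rate token bucket to show why exceeded stays at 0 until a flow actually outruns the rate plus the burst. The token-bucket model is an assumption about the ASA policer used for illustration, and both snapshots are constructed, not live output.

```python
# Added example (not from the thread or from Cisco): parse the police counters
# from ASA 'show service-policy' output and simulate the policer they describe
# as a single-rate token bucket (an assumed model of the ASA policer).
import re

# Constructed snapshots modeled on the stanza quoted in the thread; not live output.
SNAPSHOT_BEFORE = """\
Interface inside:
  Service-policy: host-policy
    Class-map: host-traffic
      police Interface inside:
        cir 384000 bps, bc 72000 bytes
        conformed 4179 packets, 1334622 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 3912 bps, exceed 0 bps
"""

SNAPSHOT_AFTER = """\
Interface inside:
  Service-policy: host-policy
    Class-map: host-traffic
      police Interface inside:
        cir 384000 bps, bc 72000 bytes
        conformed 6021 packets, 4102530 bytes; actions: transmit
        exceeded 812 packets, 1218000 bytes; actions: drop
        conformed 381000 bps, exceed 1070000 bps
"""

POLICE_RE = re.compile(
    r"cir (?P<cir>\d+) bps, bc (?P<bc>\d+) bytes\s*"
    r"conformed (?P<conf_pkts>\d+) packets, (?P<conf_bytes>\d+) bytes.*?"
    r"exceeded (?P<exc_pkts>\d+) packets, (?P<exc_bytes>\d+) bytes",
    re.S,
)


def parse_police(text):
    """Return the cir/bc and conformed/exceeded counters as ints."""
    m = POLICE_RE.search(text)
    if m is None:
        raise ValueError("no police stanza found in output")
    return {k: int(v) for k, v in m.groupdict().items()}


def policer_enforcing(before, after):
    """True when the exceeded counters grew between two snapshots, i.e. the
    policer dropped something rather than just counting conforming traffic."""
    return (after["exc_pkts"] > before["exc_pkts"]
            or after["exc_bytes"] > before["exc_bytes"])


def simulate_policer(cir_bps, bc_bytes, packets):
    """Single-rate token-bucket policer: bucket holds bc bytes, refills at cir.
    packets is a list of (arrival_seconds, size_bytes) with non-decreasing times.
    Returns (conformed_bytes, exceeded_bytes)."""
    tokens = float(bc_bytes)          # bucket starts full
    last_t = packets[0][0] if packets else 0.0
    conformed = exceeded = 0
    for t, size in packets:
        tokens = min(float(bc_bytes), tokens + (t - last_t) * cir_bps / 8.0)
        last_t = t
        if size <= tokens:
            tokens -= size            # conform: spend tokens, transmit
            conformed += size
        else:
            exceeded += size          # exceed: drop, tokens untouched
    return conformed, exceeded


def constant_rate_stream(rate_bps, seconds, pkt_size=1500):
    """Constructed traffic: pkt_size-byte packets evenly spaced to average rate_bps."""
    count = int(rate_bps * seconds / 8 / pkt_size)
    gap = pkt_size * 8.0 / rate_bps
    return [(i * gap, pkt_size) for i in range(count)]


def run_scenarios(cir_bps, bc_bytes, seconds=10):
    """A flow below cir never exceeds; a flow at T-1 speed is clipped to cir + bc."""
    return {
        "300kbps": simulate_policer(cir_bps, bc_bytes, constant_rate_stream(300_000, seconds)),
        "1500kbps": simulate_policer(cir_bps, bc_bytes, constant_rate_stream(1_500_000, seconds)),
    }


if __name__ == "__main__":
    before, after = parse_police(SNAPSHOT_BEFORE), parse_police(SNAPSHOT_AFTER)
    print("policer dropping traffic:", policer_enforcing(before, after))
    for name, (ok, dropped) in run_scenarios(before["cir"], before["bc"]).items():
        print(f"{name}: conformed {ok} bytes, exceeded {dropped} bytes")
```

Run over ten seconds of constructed traffic, the 300 kbps flow never touches the exceeded counter, because 72000 bytes of burst plus the refill at 384 kbps always covers it; the 1.5 Mbps flow gets roughly cir times ten seconds plus one bucket through and the rest is dropped. That is the behaviour to expect from the counters: they only move when a flow really pushes past the rate plus burst, not whenever the link is busy.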
03-22-2007 04:48 PM
Cool. So try running the DSL speed test now on any of your internal hosts and see the fun. :-)
Yes, you are right. If you exceed 384 kbps, the FW will either reset the connection or drop your request.
Did you configure it globally or just on your inside interface?
The other commands that would help are
(config)# sh service-policy global
(config)# sh service-policy police
ASA5510-Single(config)# sh service-policy
Global policy:
  Service-policy: global
    Class-map: myclass
      Inspect: pptp, packet 0, drop 0, reset-drop 0
    Class-map: global-class
      Inspect: icmp error, packet 0, drop 0, reset-drop 0
      Inspect: pptp, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: http, packet 0, drop 0, reset-drop 0
      Inspect: icmp, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: dns, packet 0, drop 0, reset-drop 0
    Class-map: telnet
      Set connection policy:
      Set connection timeout policy:
        tcp 24:00:00
    Class-map: IPS-CLASS
      IPS: card status Up, mode inline fail-open
        packet input 0, packet output 0, drop 0, reset-drop 0
ASA5510-Single(config)#
03-26-2007 07:04 AM
Sorry for the delay, I actually got a day off here.
Yep, we're working great, I set it to the global interface and now I see it cutting things off nicely. We've got ourselves a DSL line right there in the middle of the T-1. :-)
Thanks a ton.
09-27-2007 06:53 PM
Does PIX support LLQ with an upper limit? How do you define it? On routers you typically define it like below.
R2#show access-list
Extended IP access list 155
permit udp 210.1.1.0 0.0.0.255 220.1.1.0 0.0.0.255 range 17000 18000
permit udp 210.1.1.0 0.0.0.255 220.1.1.0 0.0.0.255 range 20000 21000
Next, create the class map that will call the access list.
R2(config)#class-map VOICE_QUEUE
R2(config-cmap)#match access-group 155
Now, create the policy map itself. Use IOS Help to verify the unit of measurement of any Cisco routing command - it can be kilobits per second, megabits per second, or bits per second!
R2(config-cmap)#policy-map VOICE
R2(config-pmap)#class VOICE_QUEUE
R2(config-pmap-c)#priority ?
<8-2000000> Kilo Bits per second
R2(config-pmap-c)#priority 100
R2(config-pmap-c)#class class-default
R2(config-pmap-c)#fair-queue
Finally, apply the policy map with the service-policy command on the appropriate interface - and in the appropriate direction with the input or output option!
R2(config-pmap-c)#interface serial0
R2(config-if)#service-policy output VOICE
What I see on PIX is that it has the command "priority", but you can't set a limit on the priority queue. How do you say "priority 300"? That means prioritize the traffic up to 300K; after that it's OK to drop it.
The PIX commands for priority queue size are in number of packets, not bandwidth.
Thanks,
Sam