QoS Router and ASA differences

Answered Question
Jun 27th, 2008

Hi, I recently tested QoS over an IPSEC tunnel using and 876 and was able to limit effective input and output rates using QoS on the router between two hosts.

This got me thinking about trying it on an ASA. I have tried this on an ASA with no success, but it also says in the help it can only be applied to the "Output". Is there a difference in the QoS implementation between a router and ASA?

Update - I had got this to work but only when I use Any Any Traffic. If I select say 192.168.55.20 -> Any it doesn't rate limit.

access-list outside_mpc extended permit ip host 192.168.55.20 any

class-map ROB_QOS (Doesn't work)

match access-list outside_mpc

Class-map ROB_QOS (Does work)

match any

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

policy-map Rob_Policy

class ROB_QOS

police output 100000 2000 conform-action drop

service-policy global_policy global

service-policy Rob_Policy interface inside

service-policy Rob_Policy interface outside

I have this problem too.
0 votes
Correct Answer by Farrukh Haroon about 8 years 6 months ago

Maybe its working now because you have NAT on this IP range 192.168.55.0 ? Are you employing any NAT for this subnet?

Regards

Farrukh

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Farrukh Haroon Sun, 06/29/2008 - 00:38

Yes, there are a lot of differences between ASA and ROUTER QOS.

As per CCO, on the ASA QoS policies when applied to the interface have specific direction, they apply only to the outbound traffic (with respect to the interface) where the service-policy has been applied. Have a look at this:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mpc.html#wp1116522

However, one can apply 'police' in both output and input directions. This means that it can match the class-map in both directions (based on source/destination ports).

This is also a useful link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml

Please rate helpful posts.

Regards

Farrukh

rasoftware Sun, 06/29/2008 - 05:02

Hi thats most helpful, I have followed the second article when I setup the test.

Policing works when I do "match any" but not when I use the ACL list. Is there something i'm missing here?

Partial confirm from above

access-list outside_mpc extended permit ip host 192.168.55.20 any

class-map ROB_QOS (Doesn't work)

match access-list outside_mpc

If i "match any" it works.

Farrukh Haroon Sun, 06/29/2008 - 05:48

Try adding the following line:

access-list outside_mpc extended permit ip any host 192.168.55.20.

Regards

Farrukh

rasoftware Mon, 06/30/2008 - 01:18

Hi Farrukh,

I added the second line to the ACL but it still doesn't appear to rate limit.

I have attached the current config from the test ASA.

: Saved

:

ASA Version 7.2(3)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password xxx

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.55.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.150.60 255.255.255.0

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd xxx

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_access_in extended permit icmp any any

access-list outside_mpc extended permit ip host 192.168.55.21 any

access-list outside_mpc extended permit ip any host 192.168.55.21

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.150.5 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.55.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

dhcpd dns 192.168.150.4

dhcpd lease 6000

!

dhcpd address 192.168.55.20-192.168.55.22 inside

dhcpd enable inside

!

!

class-map ROB_QOS

match access-list outside_mpc

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

policy-map Rob_Policy

class ROB_QOS

police output 8000 2000 conform-action drop

!

service-policy global_policy global

service-policy Rob_Policy interface outside

prompt hostname context

Cryptochecksum:xxx

: end

asdm image disk0:/asdm-523.bin

no asdm history enable

Farrukh Haroon Mon, 06/30/2008 - 03:33

You have to add the "police input 8000 2000 conform-action drop " statement

Regards

Farrukh

rasoftware Mon, 06/30/2008 - 03:43

I have added this now but it still doesn't seem to control the rate. I have check my host IP also and this is correct.

policy-map Rob_Policy

class ROB_QOS

police input 8000 2000 conform-action drop

police output 8000 2000 conform-action drop

I also tried removing "output" but that had no affect.

rasoftware Mon, 06/30/2008 - 06:01

I have changed the service policy to the inside interface and it appears to work. I also applied police to input and output. It didn't seem to work without this.

This is a working 100Kb up/down throttle - does this look ok?

class-map ROB_QOS

match access-list outside_mpc

policy-map Rob_Policy

class ROB_QOS

police input 100000 conform-action drop

police output 100000

service-policy Rob_Policy interface inside

access-list outside_mpc extended permit ip 192.168.55.0 255.255.255.0 any

access-list outside_mpc extended permit ip any 192.168.55.0 255.255.255.0

Correct Answer
Farrukh Haroon Mon, 06/30/2008 - 12:12

Maybe its working now because you have NAT on this IP range 192.168.55.0 ? Are you employing any NAT for this subnet?

Regards

Farrukh

rasoftware Mon, 06/30/2008 - 12:43

Yes the connection is natted, i used a private on the outside as I have been testing it on our LAN.

It works a treat, able to rate limit multiple subnets from our 3550 switch and also timed based ACL lists on the limiting. Many thanks for your help.

Actions

This Discussion