Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1197
Views
0
Helpful
5
Replies

QoS in ASA

Go to solution
andre.ortega
Spotlight
Spotlight

‎12-16-2009 09:27 AM - edited ‎03-11-2019 09:49 AM

Hi,  I have a 2 Mb link and wish dedicate 800 Kb for specific host. The another host in network can use only 1.2 Mb.

Look the configuration that I did:

access-list acl_qos extended permit ip host 172.16.1.10 any

access-list acl_qos_default extended permit ip any any

class-map class_qos

match access-list acl_qos

class-map class_qos_default

match access-list acl_qos_default

policy-map qos_policy

class class_qos

  police output 812000 conform transmit exc transmit

class class_qos_default

  police output 1258000 conform transmit exc drop

service-policy qos_policy interface outside

Well, I have this questions:

1°) The configuration is ok?

2°) The service-policy is applied before or after nat process?

3°) Traffic in default class (class_qos_default) never will use more that 1.2 Mb? Or, if host 172.16.1.10 not consume your cote (800 Kb) default class can use more that 1.2 Mb?

The last one: In show service-policy interface outside I see conform-action and exceed-action DROP in default class. Is it right?

fw# sh service-policy interface outside

Interface outside:

  Service-policy: qos_policy

    Class-map: class_qos_ib

      Output police Interface outside:

        cir 812000 bps, bc 25375 bytes

        conformed 1862 packets, 1931904 bytes; actions:  transmit

        exceeded 0 packets, 0 bytes; actions:  transmit

        conformed 145248 bps, exceed 0 bps

    Class-map: class_qos_default

      Output police Interface outside:

        cir 1258000 bps, bc 39312 bytes

        conformed 3686 packets, 704579 bytes; actions: drop

        exceeded 0 packets, 0 bytes; actions:  drop

        conformed 51144 bps, exceed 0 bps

Best Regards.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to andre.ortega

‎12-16-2009 11:05 AM

1) No, but if you have 2 classes they should not match the same traffic. If they match the same traffic there is no point in policing them differently.

3) No, if class 2 is hitting its limit 1200 then it will not use the leftovers of class1, it will just be policed.

4) No, I am not sure why that shows. Please try to reapply the policing and see if it fixes.

PK

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee

‎12-16-2009 10:28 AM

Hi,

1) No, one minor change

access-list acl_qos_default extended deny ip host 172.16.1.10 any

access-list acl_qos_default extended permit ip any any

2) After

3) If they are mutually exclusive (see 1) each can take its max.

last) You set the action in the police command. Usually it doesn't make sense to police if you are not dropping.

I hope it helps.

PK

0 Helpful

Go to solution
andre.ortega
Spotlight
Spotlight
In response to Panos Kampanakis

‎12-16-2009 10:44 AM

Thanks pkampana, your help is very useful.

1) But I have two acl and two class, for differents policys. Is it wrong?

2) Ok, thanks.

3) Maybe I was not articulate. My question is: If traffic in policy 1 has not reached its limit, so the traffic policy 2 can use the "band" of the policy 1?

4) I set conform-action transmit and only excedeed action drop, but in show service-policy appear both as DROP... is it normal?

0 Helpful

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to andre.ortega

‎12-16-2009 11:05 AM

1) No, but if you have 2 classes they should not match the same traffic. If they match the same traffic there is no point in policing them differently.

3) No, if class 2 is hitting its limit 1200 then it will not use the leftovers of class1, it will just be policed.

4) No, I am not sure why that shows. Please try to reapply the policing and see if it fixes.

PK

0 Helpful

Go to solution
andre.ortega
Spotlight
Spotlight
In response to Panos Kampanakis

‎12-16-2009 11:13 AM

One more time, thanks pkampana.

Now I understood.

I try many times remove and apply the configuration (about number 4)... I will open a TAC.

Regards.

0 Helpful

Go to solution
Parminder Sian
Level 1
Level 1
In response to andre.ortega

‎12-17-2009 11:13 PM

Hey,

Have a look at this link before opening a TAC case.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#intro

You might just hit it right and solving it on your own would be priceless.

Regards,

Sian

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card