Introduction

The purpose of this article is to educate ASA administrators on the QoS functionality that the ASAs can provide. We will explain briefly the QoS mechanisms that are supported and provide a couple of examples that will show how to use them.

    • Traffic Policing

When the total amount of traffic exceeds a certain limit, many times it is essential to be policed. In that way the bandwidth is not consumed by one user or one application and traffic restrictions are applied to preserve it. The firewall can police inbound and outbound traffic to an interface. There are options to either drop or permit the limit exceeding traffic on the firewall.

    • Traffic Shaping

Traffic shaping was introduced in ASA 7.2.4 and is also supported in the 8.0 and 8.1 trains. With traffic shaping traffic that exceeds certain limits is actually queued up/buffered and sent when the traffic goes below the threshold. That option will actually not drop packets that exceed the threshold and will work better for applications that are badly affected by packet loss.

    • Priority Queueueing

Priority queueing is the ability to prioritize the packets that need prioritization. These could be delay sensitive applications like voice. The firewall can only do Low Latency Queueing (LLQ), unlike the routers that can provide more sophisticated prioritization mechanisms (WFQ,CBWFQ etc).

 

NOTE 1: The user has to bear in mind that traffic policed inbound on an interface cannot provide much as the packets have already hit the interface, which means they have already used the available bandwidth. There is an advantage of policing to a value a little less than the available download bandwidth and that is if we start dropping before oversubscribing the link TCP will converge to the optimal throughput value. Though, that  would be practically hard to achieve given that there are multiple flows going through the pipe.

NOTE 2: Priority queueing needs to be used with policing or traffic shaping. The reason is that unless the link that LLQ is saturated the packets will not be prioritized. Usually the interfaces of the ASA can be 100Mbps or 1Gbps or more, so saturating these links isn't something that will happen often . But implementing policing or traffic shaping along with LLQ actually makes LLQ kick in at the point the policing or shaping limits are met.

NOTE 3: If priority queueing is applied for applications running between two sites, it is advised to apply prioritization for the application traffic on both sites. The reason is that even prioritizing one side, the return traffic could be delayed and this could have the same effect as not prioritizing at all.

 

Traffic Policing with Prioritization

Lets assume that we have an ASA that is running voice over a VPN tunnel. And that we want to prioritize the voice traffic through the VPN. Also we want to police the VPN traffic that is not voice and the rest of the TCP traffic.

Lets say that the available upload bandwidth for the outside interface is 1Mbps. We want to dedicate 300kbps for the VPN, 100kbps of which will be guaranteed for voice (thus 200kbps for non-voice VPN traffic), 500kbps for the tcp traffic and 200kbps for everything else. Also, assume that the voice traffic is flagged with dscp field ef (as it is the default for most cases). The tunnel group name is tunnel-grp1.

 

 

 

 

ASA(config)# priority-queue outside

ASA(config)# access-list tcp-traffic-acl permit tcp any any
ASA(config)# class-map tcp-traffic-class
ASA(config-cmap)# match access-list tcp-traffic-acl

ASA(config)# class-map TG1-voice-class
ASA(config-cmap)# match tunnel-group tunnel-grp1
ASA(config-cmap)# match dscp ef

ASA(config-cmap)# class-map TG1-rest-class
ASA(config-cmap)# match tunnel-group tunnel-grp1
ASA(config-cmap)# match flow ip destination-address

ASA(config)# policy-map police-priority-policy
ASA(config-pmap)# class tcp-traffic-class
ASA(config-pmap-c)# police output 500000
ASA(config-pmap-c)# class TG1-voice-class
ASA(config-pmap-c)# priority
ASA(config-pmap-c)# class TG1-rest-class
ASA(config-pmap-c)# police output 200000
ASA(config-pmap-c)# class class-default
ASA(config-pmap-c)# police output 200000

ASA(config-pmap-c)# service-policy police-priority-policy interface outside

 

 

Traffic Shaping with Prioritization

Now, lets assume that we have the same ASA as in the previous case. And we now want to traffic shape all traffic and prioritize the voice through the VPN. In other words we will traffic shape all traffic for 900kbps, prioritize the voice and guarantee 100kbps for it. Again, we assume that the voice traffic is flagged with dhcp field ef and the tunnel group name is tunnel-grp1.

 

 

 

 

ASA(config)# priority-queue outside

ASA(config)# class-map TG1-voice-class
ASA(config-cmap)# match tunnel-group tunnel-grp1
ASA(config-cmap)# match dscp ef

ASA(config-cmap)# policy-map priority-policy
ASA(config-pmap)# class TG1-voice-class
ASA(config-pmap-c)# priority

ASA(config-pmap-c)# policy-map shape-priority-policy
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# shape average 900000
ASA(config-pmap-c)# service-policy priority-policy

ASA(config-pmap-c)# service-policy shape-priority-policy interface outside

 

 

Viewing QoS statistics

To view the statistics the user can run "show" commands (the examples below do not relate to the ones above).

For the policing statistics:

 

 

 

 

ASA# show service-policy police

Global policy:
     Service-policy: global_fw_policy

Interface outside:
     Service-policy: qos
          Class-map: browse
               police Interface outside:
                    cir 56000 bps, bc 10500 bytes
                    conformed 10065 packets, 12621510 bytes; actions: transmit
                    exceeded 499 packets, 625146 bytes; actions: drop
                    conformed 5600 bps, exceed 5016 bps
          Class-map: cmap2
               police Interface outside:
                    cir 200000 bps, bc 37500 bytes
                    conformed 17179 packets, 20614800 bytes; actions: transmit
                    exceeded 617 packets, 770718 bytes; actions: drop
                    conformed 198785 bps, exceed 2303 bps

 

 

For the prioritization statistics:

 

 

 

ASA# show service-policy priority
Global policy:
     Service-policy: global_fw_policy

Interface outside:
     Service-policy: qos
          Class-map: TG1-voice-class
               Priority:
                    Interface outside: aggregate drop 0, aggregate transmit 9383

 

 

For the shaping statistics:

 

 

 

ASA# show service-policy shape

Interface outside:
  Service-policy: shape
    Class-map: class-default

      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0

      shape (average) cir 2000000, bc 16000, be 16000
      Service-policy: voip
        Class-map: voip

          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
        Class-map: class-default

          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0