ASA QOS

Let's say I have a 5MB WAN link; the goal is to give voice traffic priority treatment and a 1MB bandwidth guarantee, and police all other traffic to 4MB.  Will the config below serve the purpose?  Assuming that we have built the class-maps for VOICE and DATA already.

policy-map OUTSIDE
  class VOICE
   priority
  class DATA
   police output 4000000

Since the ASA priority queue does not have a policer like IOS does, I know we can configure the ASA to use "queue-limit" to restrict the priority traffic.  By policing output DATA traffic to 4MB, it will effectively give 1MB bandwidth to voice traffic.  Am I correct?  Does the same logic go for HQF shaping?

Thanks in advance for your inputs and comments.

Comments

  • Hi jchan,

    Yes, I agree with you: the ASA will not let you configure police with the priority command set under the same class; it will spit out an error message saying that they cannot coexist (something along those lines).

    I think your logic is correct because you are not even allowed to shape it either, so you could give 4Mbps to your DATA traffic and this will be hard-policed by the ASA, meaning that the ASA will not let DATA traffic go above this limit, and the rest would be available to the VOICE class, which is configured with priority and will be dequeued first by the firewall.

    Just one thing I would add (since I did not see how your classes are configured) is to create another catch-all class or a class to encompass control traffic so it does not interfere with the VOICE class.

    HTH

    Good luck!

  • Many thanks for your inputs and comments qqabdal!!!

    I was thinking the DATA class = class-default, as shown below:

    !
    class-map VOICE_EF
     description VOICE PAYLOAD
     match dscp ef
    !
    policy-map QOS
     class VOICE_EF
      priority
     !
     class class-default
      police output 4000000
    !
    service-policy QOS interface outside

    Or, like you pointed out, create another class for VOICE CONTROL:

    class-map VOICE_EF
     description VOICE PAYLOAD
     match dscp ef
    !
    class-map VOICE_AF31
     description VOICE CONTROL
     match dscp af31
    !
    policy-map QOS
     class VOICE_EF
      priority
     !
     class VOICE_AF31
      police output 8000
     !
     class class-default
      police output 3992000
    !
    service-policy QOS interface outside

    Thanks again.

  • Hi jchan,

    Exactly that... Here is just yet another suggestion (not sure how your topology is laid out):

    access-list IGP permit x x (whatever IGP you are running, if you have static routes, just skip this)
    !
    class-map VOICE
     match dscp ef
    class-map VOICE_SIG
     match dscp af31
    class-map IGP
     match access-list IGP

    policy-map OUTSIDE
     class VOICE
      priority
     class VOICE_SIG
      police 64000
     class IGP
      police 136000
     class DATA
      police 3800000

    In this case you no longer have the 4Mbps "dedicated" to DATA, but it is just trying to account for other traffic types.

    HTH

    Good luck!

  • Thanks again qqabdal, no IGP, static only.  Does the same logic apply to HQF shaping?


  • You mean shaping with priority on the same class?


  • Sorry, I didn't make myself clear; I meant the Hierarchical Queuing Framework (HQF) as follows:

    WAN BW = 5MB

    policy-map UC_QOS
     class EVOIP_EF
      priority
    !
    policy-map HQF_QOS
     class class-default
      shape average 4000000
      service-policy UC_QOS

    Will the above config shape class-default traffic to 4MB and give voice 1MB with priority treatment, or will everything be shaped to 4MB including voice traffic?  I would think it follows the same logic as the policing we discussed above, but I am not sure.  I searched the web and the Cisco docs; some articles said yes, but some said no, so it is still not clear to me. Hope you can help.

  • I see; this is the same as regular IOS when we do nested policy-maps. In this case all the traffic going out of the OUTSIDE interface will be shaped to 4Mbps, including voice. This is useful if your CIR is lower than the AR of the circuit.

    Suppose you bought a 100Mbps connection, and your ISP is handing that off to your ASA, which has a GigabitEthernet interface; you will probably want to shape the traffic down to 100M, in order to smooth the traffic into an average of 100Mbps, otherwise the excess traffic will be policed in the inbound direction at the SP's side.
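    As an added illustration (not code from the thread or from Cisco), here is a toy Python model of the two designs discussed above: jchan's policy-map with priority for VOICE and police on DATA, and the HQF policy that nests a priority child under shape average on class-default. It assumes the nested-policy behaviour qqabdal describes, namely that the parent shaper caps the aggregate including voice, and the offered loads are constructed sample values.

```python
# Toy per-millisecond model of the two ASA QoS designs in this thread.
# Offered loads are constructed sample values; the per-slot budget logic
# is a simplification of the ASA's queueing, not ASA code.
SLOTS = 1000  # 1 ms slots, so one run covers one second


def per_slot(rate_bps):
    """Bits a given rate allows in one 1 ms slot."""
    return rate_bps // 1000


def policed_llq(link_bps, voice_bps, data_bps, data_police_bps):
    """Design 1 (policy-map OUTSIDE): priority for VOICE, police on DATA.

    The policer caps DATA on its own; the priority queue is bounded only by
    the physical link, so VOICE can use whatever DATA is not allowed to.
    """
    voice_out = data_out = 0
    for _ in range(SLOTS):
        budget = per_slot(link_bps)            # link capacity this slot
        v = min(per_slot(voice_bps), budget)    # priority queue drained first
        budget -= v
        # the policer discards DATA above its rate before it reaches the link
        d = min(per_slot(data_bps), per_slot(data_police_bps), budget)
        voice_out += v
        data_out += d
    return {"voice": voice_out, "data": data_out, "total": voice_out + data_out}


def hierarchical_shaper(shape_bps, voice_bps, data_bps):
    """Design 2 (HQF): shape average on class-default, nested priority child.

    Only the parent shaper releases bits; the child policy just picks which
    queue is served first. VOICE wins contention, but the aggregate, voice
    included, never exceeds shape_bps.
    """
    voice_out = data_out = 0
    for _ in range(SLOTS):
        tokens = per_slot(shape_bps)
        v = min(per_slot(voice_bps), tokens)
        tokens -= v
        d = min(per_slot(data_bps), tokens)
        voice_out += v
        data_out += d
    return {"voice": voice_out, "data": data_out, "total": voice_out + data_out}


if __name__ == "__main__":
    # constructed load: 1 Mbps voice plus a 5 Mbps data flood on a 5 Mbps link
    print(policed_llq(5_000_000, 1_000_000, 5_000_000, 4_000_000))
    print(hierarchical_shaper(4_000_000, 1_000_000, 5_000_000))
```

    With the thread's numbers the policed design yields voice 1 Mbps plus data 4 Mbps (5 Mbps on the wire), while shaping class-default to 4 Mbps yields voice 1 Mbps plus data 3 Mbps (4 Mbps total), which is why voice has to be counted inside the shape rate.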

  • Hi Jchan,

    Your questions are taken care of by these two links:

    hxxps://supportforums.cisco.com/docs/DOC-1230
    hxxp://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html

    I highly recommend going through the documents. It will give you concepts/ideas on ASA's QoS config guidelines, interactions and limitations.

    HTH


  • Thanks for the links rejohn, I have seen and read the articles before I posted the questions.  If you look at the 1st link under "traffic shaping with prioritization", it indicates that you will need to exclude voice bandwidth from shape average when using HQF; it is the same logic as for "traffic policing with prioritization".  So, per this article and if I read this correctly, we will need to exclude voice traffic from shaping or policing on the ASA box no matter which approach we choose to use.

    Thanks qqabdal, if this were regular IOS I would agree with you 100% since we are nesting the policy-map under the shape average command, but this is ASA, so I am not so sure.  I guess there is only one way to find out.  I will try to test it on real gear; previously I tested on GNS3 but the results were not accurate.

    Thanks everyone for your help.  Have a good one.

  • Sorry to hijack the thread, but this is exactly the same situation at one of our clients at present.  Just an ASA 5505 and a 3560 marking voice. Captured at the inside of the firewall, all DSCP markings OK.

    For example, if you have a symmetric 10Mb up and down on a 100Mb Ethernet link to the SP's router that is policed upstream by the service provider, you decide to shape.

    I first set the shape amount to 10,000,000, and in times of heavy utilisation the call quality was demonised.

    If you had voice over a VPN, using Hierarchical Priority queuing, you would match on the DSCP for data and control traffic, but you would shape the class-default traffic to LESS than 10Mb, allowing the remainder to be used by the priority queue?

    e.g.

    class-map VOICE
     match dscp ef
    policy-map VOICE-POLICY
     class VOICE
      priority
    policy-map SHAPER-10Mb
     class class-default
      shape average 9000000
      service-policy VOICE-POLICY
    service-policy SHAPER-10Mb interface outside

    Two more questions -

    (1) How many people are actively prioritising the control traffic (24) as well as the data traffic (46)?

    (2) People talk about the differences between the "normal priority queue" on the ASA and the one used by the Hierarchical Priority queue.  It is said that you do not need to have "priority-queue outside" applied if you are using the shaping style of LLQ.  Does it do any harm if entered?  Also, apparently you cannot match on tunnel groups when using Hierarchical Priority queuing. Both of these concepts are directly contradicted by the Cisco document here!!

    https://supportforums.cisco.com/docs/DOC-1230
