Could someone briefly explain how to use QoS on Cisco ASA 5505? I have the basics of policing down, but what about shaping and priorities? Basically what I'm trying to do is carve out some bandwidth for my VPN subnets (in an object-group called priority-traffic).

I've seen this Cisco QoS document, however configuring shaping and priority-queue doesn't seem to have any effect in my test. A full download of the Linux kernel from kernel.org will boost a ping to a server via VPN sky high. Policing has been successful in passing this test, although it doesn't seem as efficient (I cap non-VPN traffic at 3 of my 4.5 megabits of bandwidth). Am I misunderstanding the results of the test? I think there is some simple concept I'm not grasping here.

EDIT:

Here is my config thus far (I have 4.5 megabits of bandwidth):

access-list priority-traffic extended permit ip object-group priority-traffic any 
access-list priority-traffic extended permit ip any object-group priority-traffic 
access-list priority-traffic extended permit icmp object-group priority-traffic any 
access-list priority-traffic extended permit icmp any object-group priority-traffic 
access-list non-priority-traffic extended deny ip object-group priority-traffic any 
access-list non-priority-traffic extended deny ip any object-group priority-traffic 
access-list non-priority-traffic extended permit ip any any 

priority-queue outside
  queue-limit   440

class-map non-priority-traffic
 match access-list non-priority-traffic
class-map priority-traffic
 match access-list priority-traffic
class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
policy-map outbound-qos-policy
 class non-priority-traffic
  police input 2500000
  police output 2500000
 class priority-traffic
  priority

service-policy global_policy global
service-policy outbound-qos-policy interface outside
danieljimenez

3 Answers

The policy-map as written is not assigning a bandwidth to your priority traffic and you are (most probably) using the wrong QoS mechanism for it. The priority designation is for traffic that should be expedited, typically RTP carrying audio (most commonly used for VoIP, but I've seen it used to shuffle broadcast audio from a mixing table across a WAN for further broadcasting as radio).

Any traffic that matches the priority class will be sent before any other traffic in the time slot, up to the limit set (I don't know what it defaults to; there are two subtly different ways of doing it, depending on the IOS version: one takes a bandwidth and the other relies on a policer in the same class). It's rather heavily suggested by Cisco that you NEVER use priority on traffic that could be TCP, so "UDP only". Any traffic exceeding the (hard) limit for the priority traffic WILL be discarded.

Further, while not necessary, I've found that starting my QoS policies with the "most important" classes first makes them easier to read.

I'd probably re-write that policy as per Bruce Grobler's suggestion.

Vatine

Traffic shaping is basically used to match devices with link speeds. It only affects interfaces and does not depend on type of traffic.

You cannot configure priority and policing for the same types of traffic. In other words, if you want to prioritize your group "priority-traffic", you would have to police all other traffic.

With priority traffic, think of QOS as a cup. You're identifying what traffic to prioritize by putting it in that cup...but what happens after that, you have no control over. You can only determine what traffic to put in your cup.

GregD

Not too sure if this is available on the ASAs, but try and use CBWFQ; you can configure it by declaring your class-default with an embedded service-policy (works with subinterfaces as well), e.g.

policy-map pmap_parent
 class class-default
  shape average 4500000
  service-policy pmap_child
policy-map pmap_child
 class cmap_priority
  bandwidth percent {X percent of total}
 class cmap_non-priority
  bandwidth percent {X percent of total}

etc., etc.

then your scavenger traffic can probably be put in the default class under pmap_child,

Cisco recommends that the percent you guarantee doesn't exceed 70%, torrents still need bandwidth :D

Bruce Grobler
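The shape-then-prioritise arrangement Bruce Grobler sketches, written in the ASA's own hierarchical form for the setup in the question. This is an added example, not configuration from any of the posts; it assumes the priority-traffic class-map already defined in the question and the 4.5 Mbit/s uplink, and the policy names qos-parent and qos-child are made up here. On the ASA, shape average is only accepted under class-default, the priority queue for the shaped traffic has to live in a child policy attached to that shaped class, and bandwidth percent is not available, so the child can only mark the VPN class as priority; everything else shares whatever the shaper leaves.

```cisco
! Added example: ASA hierarchical shaping with a priority child policy.
! Assumes class-map priority-traffic (from the question) already exists.
! Child policy: only "priority" is allowed here; "bandwidth percent" is
! not supported on the ASA, so non-VPN traffic simply falls into the
! remainder of the shaped rate.
policy-map qos-child
 class priority-traffic
  priority
!
! Parent policy: shaping is only accepted under class-default. The rate is
! the 4.5 Mbit/s from the question, in bits per second.
policy-map qos-parent
 class class-default
  shape average 4500000
  service-policy qos-child
!
! An interface takes exactly one service-policy, so this replaces the
! outbound-qos-policy from the question rather than sitting beside it.
service-policy qos-parent interface outside
!
! Verification: per-class counters for the shaper and the priority queue.
! show service-policy interface outside
```

Two things worth checking against the test in the question. First, shaping and priority queueing on the ASA act only on traffic leaving an interface, so on "outside" they govern uploads; a download from kernel.org arrives from the ISP side, where the only QoS action the ASA can take is police input, which is why that line was the one that visibly changed the ping times. Second, the hierarchical form does not rely on the priority-queue outside command that standard priority queueing needs, so the existing queue-limit setting is not what decides how much of the shaped rate the VPN class can take.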