[old] ASA QoS explanation and configuration

This is a blog post migrated from my testing blog.

ASA supported QoS features:

These are my notes from this document: http://tinyurl.com/3dmo5ao

  • Policing – Policing ensures that no traffic exceeds the maximum rate (in bits/second) that you configure, so that no single flow or class can take over the entire resource. Traffic above the rate is dropped.
  • Priority queuing – LLQ priority queuing lets you send certain traffic flows (latency-sensitive traffic such as voice and video) ahead of all other traffic.
  • Traffic shaping – Shaping matches device and link speeds, thereby controlling packet loss, variable delay and link saturation, all of which cause jitter and delay. Excess traffic is buffered rather than dropped. (Not supported on the ASA 5580.)

What is a Token Bucket?

A token bucket is a formal definition of a rate of transfer. It has three components: a burst size, an average rate, and a time interval, related as follows:

average rate = burst size / time interval
  • Average rate — Also called the committed information rate (CIR), it specifies how much data can be sent or forwarded per unit of time on average.
  • Burst size — Also called the committed burst (Bc) size, it specifies how much traffic can be sent in a single burst (per time interval) without creating scheduling concerns. For traffic shaping it is given in bits per burst; for policing it is given in bytes per burst.
  • Time interval — Also called the measurement interval, it specifies the time quantum in seconds per burst.

In the token bucket metaphor, tokens are added to the bucket at a fixed rate (the average rate). The bucket itself has a fixed capacity (the burst size); once it is full, newly arriving tokens are discarded. Each token is permission for the source to send a certain number of bits into the network. To send a packet, the regulator must remove from the bucket a number of tokens equivalent to the packet size. If there are not enough tokens in the bucket, the packet either waits until the bucket has enough tokens (traffic shaping) or is dropped or marked down (policing). The practical difference is therefore where excess traffic ends up: in a queue (adding delay, and eventually tail drops when the queue is full) for shaping, or on the floor immediately for policing.

ASA Priority Queuing

  • Standard priority queuing – Standard priority queuing uses an LLQ priority queue on an interface, while all other traffic goes into the "best effort" queue. Packets in the LLQ queue are always transmitted before packets in the best effort queue. Note that there is no built-in rate limit on the priority queue (you cannot combine priority and police on the same class), so a large volume of traffic matching the priority class can starve the best effort queue.
  • Hierarchical priority queuing – Hierarchical priority queuing is used on interfaces on which you enable a traffic shaping queue. A subset of the shaped traffic can be prioritized. Priority packets are always queued at the head of the shape queue, so they are transmitted ahead of other, non-priority queued packets. Priority packets are never dropped from the shape queue unless the sustained rate of priority traffic exceeds the shape rate. For IPsec-encrypted packets you can only match traffic based on the DSCP or precedence setting; IPsec-over-TCP is not supported for priority traffic classification.

ASA Traffic shaping

  • The shaped traffic includes both through-the-box and from-the-box traffic.
  • When bursty traffic exceeds the specified shape rate, packets are queued and transmitted later.
  • The queue size is calculated based on the shape rate.
  • When the queue limit is reached, packets are tail-dropped.
  • Certain critical keep-alive packets such as OSPF Hello packets are never dropped.
  • The time interval is derived as time_interval = burst_size / average_rate. The larger the time interval, the burstier the shaped traffic can be, and the longer the link might sit idle between bursts; a smaller burst size gives smoother output at the cost of more queuing.

A traffic shaping formula:

maximum flow speed in bps = (token bucket capacity in bits / time interval in seconds) + established rate in bps

ASA supported QoS feature interaction

  • Standard priority queuing (for specific traffic) + Policing (for the rest of the traffic). You cannot configure priority queuing and policing for the same set of traffic.
  • Traffic shaping (for all traffic on an interface) + Hierarchical priority queuing (for a subset of traffic). You cannot configure traffic shaping and standard priority queuing for the same interface.

DSCP and ASA

DSCP markings are preserved on all traffic passing through the ASA. The ASA does not locally mark or remark any classified traffic, but it honors the Expedited Forwarding (EF) DSCP bits of every packet to decide whether it requires "priority" handling and directs those packets to the LLQ when a priority class matches on DSCP. The practical consequence is that the ASA trusts whatever DSCP value arrives: a host on an untrusted interface that sets DSCP EF on its own packets gets the same priority treatment as real voice traffic, and since the priority class cannot be policed, such traffic can crowd out the best effort queue. If you classify priority traffic by DSCP, make sure the upstream devices or the classification itself (for example, an access list limiting the priority class to known voice subnets) constrain who can reach the LLQ.

Limitations

  • Supported in single context mode only.
  • Supported in routed firewall mode only.
  • Does not support IPv6
  • Traffic shaping is not supported on the ASA 5580.
  • For traffic shaping, you can only use the class-default class map, which is automatically created by the ASA, and which matches all traffic.
  • For priority traffic, you cannot use the class-default class map.
  • For hierarchical priority queuing, for encrypted VPN traffic, you can only match traffic based on the DSCP or precedence setting.
  • For hierarchical priority queuing, IPsec-over-TCP traffic is not supported.
  • You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed.
  • For standard priority queuing, the queue must be configured for a physical interface or for a VLAN on the ASA 5505.
  • You cannot create a standard priority queue for a Ten Gigabit Ethernet interface.

Configuring Standard Priority Queue for an Interface

Creating a priority queue on a physical interface (on the ASA 5505, use the VLAN interface name). This command is required before the priority action in a policy map has any effect on that interface.

(config)#priority-queue <interface_name>

Changing the size of the priority queues (default 1024 packets). The queue-limit that you specify affects both the higher priority low-latency queue and the best effort queue.

(config-priority-queue)#queue-limit <number_of_packets>

Specifying the depth of the priority queues. This command sets the maximum number of low-latency or normal priority packets allowed into the Ethernet transmit driver before the driver pushes back to the queues on the interface, letting them buffer packets until the congestion clears. The tx-ring-limit that you specify affects both the higher priority low-latency queue and the best effort queue. The valid range depends on the platform, so check it with the "?" help before choosing a value.

(config-priority-queue)#tx-ring-limit <number_of_packets>

Configuring a Service Rule for Standard Priority Queuing and Policing

Restrictions:

  • You cannot use the class-default class map for priority traffic.
  • You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed.

Creating a class map to identify the traffic you want to prioritize

(config)#class-map <priority_map_name>

Specifying the traffic in the class map (a Layer 3/4 class map takes a single match statement, such as match dscp ef or match access-list <acl_name>)

(config-cmap)#match <parameter>

For policing, creating a second class map to identify the traffic for which you want to perform policing. It must not match the same traffic as the priority class map, since priority and policing cannot be combined for the same traffic.

(config)#class-map <policing_map_name>

Specifying the traffic in the class map

(config-cmap)#match <parameter>

Adding or editing a policy map

(config)#policy-map <name>

Identifying the class map you created for prioritized traffic

(config-pmap)#class <priority_map_name>

Configuring priority queuing for the class

(config-pmap-c)# priority

Identifying the class map you created for policed traffic

(config-pmap)#class <policing_map_name>

Configuring policing for the class. Policing can be applied in either direction on an interface; priority queuing applies to output only.

(config-pmap-c)#police {output | input} <conform-rate> [<conform-burst>] [conform-action {drop | transmit}] [exceed-action {drop | transmit}]

Activating the policy map on one or more interfaces (a policy applied with global is active on all interfaces, but priority queuing still only works on interfaces that have a priority-queue configured)

(config)#service-policy <policymap_name> {global | interface <interface_name>}

Explanation of some terms:

conform-burst — Specifies the maximum number of instantaneous bytes allowed in a sustained burst before throttling to the conforming rate, between 1000 and 512000000 bytes.
conform-rate — Sets the rate limit for this traffic flow, between 8000 and 2000000000 bits per second.
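Putting the steps above together, here is an added example configuration (my own illustration, not from the original post or from the Cisco document the notes are based on) for standard priority queuing plus policing on a single interface. The interface name "outside", the class and policy names, the 10.1.1.0/24 subnet in the constructed access list, and the rate, burst and queue values are all assumed for the example; replace them with your own.

```cisco
! Added example: standard priority queuing + policing on one interface.
! Assumed interface name "outside"; names, subnet and rates are illustrative.

! 1. Priority queue on the physical interface (required for "priority" to work).
!    queue-limit raises both queues from the 1024-packet default;
!    the tx-ring-limit range is platform dependent, check with "?".
priority-queue outside
  queue-limit 2048
  tx-ring-limit 64

! 2. Class for latency-sensitive traffic, matched on DSCP EF.
!    The ASA trusts the DSCP value as received and never remarks it.
class-map voice-traffic
  match dscp ef

! 3. Class for traffic to be policed: a constructed ACL for one subnet.
!    Must not overlap with the priority class (priority + police on the
!    same traffic is not allowed).
access-list bulk-hosts extended permit ip 10.1.1.0 255.255.255.0 any
class-map bulk-transfer
  match access-list bulk-hosts

! 4. Policy map: voice goes to the LLQ, bulk traffic is policed to
!    1 Mbps with a 125000-byte (1 Mbit) burst, excess dropped.
policy-map outside-qos
  class voice-traffic
    priority
  class bulk-transfer
    police output 1000000 125000 conform-action transmit exceed-action drop

! 5. Activate on the interface only (not globally), so the policing
!    rate applies to this link alone.
service-policy outside-qos interface outside
```

After applying it, "show service-policy interface outside" shows per-class packet and drop counters for the police action, and "show priority-queue statistics outside" shows how many packets landed in the low-latency versus best effort queue; a growing BE drop count with a near-empty LLQ is the normal picture, while a large LLQ count from an interface that should carry little voice suggests someone is marking their own traffic EF.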

Configure a Service Rule for Traffic Shaping and Hierarchical Priority Queuing

Configuring the Hierarchical Priority Queuing Policy:

Restrictions:

  • For hierarchical priority queuing, for encrypted VPN traffic, you can only match traffic based on the DSCP or precedence setting; you cannot match a tunnel group.
  • For hierarchical priority queuing, IPsec-over-TCP traffic is not supported.

For hierarchical priority queuing, creating a class map to identify the traffic for which you want to perform priority queuing

(config)#class-map <priority_map_name>

Specifying the traffic in the class map

(config-cmap)#match <parameter>

Creating a policy map for the prioritized traffic. This is the "child" policy that will later be nested under the shaping policy, so give it a name distinct from the shaping policy map.

(config)#policy-map <priority_policy_map_name>

Specifying the class map you created

(config-pmap)#class <priority_map_name>

Applying the priority queuing action to the class

(config-pmap-c)# priority

Configuring the Service Rule:

Restrictions:

  • Traffic shaping is not supported on the ASA 5580.
  • For traffic shaping, you can only use the class-default class map, which is automatically created by the ASA, and which matches all traffic.
  • You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed.
  • You cannot configure traffic shaping in the global policy.

Adding or editing a policy map. This policy map must be different from the hierarchical priority-queuing map created above.

(config)#policy-map <name>

Identifying all traffic for traffic shaping (class-default is the only class allowed here)

(config-pmap)#class class-default

Enabling traffic shaping. The rate argument sets the average rate of traffic in bits per second over a fixed time period; the optional burst_size (in bits) sets how much can be sent in one interval, and thereby the interval length (time_interval = burst_size / rate).

(config-pmap-c)#shape average <rate> [<burst_size>]

Configuring hierarchical priority queuing by nesting the priority policy, where <priority_policy_map_name> is the policy map you created for prioritized traffic

(config-pmap-c)#service-policy <priority_policy_map_name>

Activating the shaping policy map on an interface (shaping cannot be applied in the global policy)

(config)#service-policy <policymap_name> interface <interface_name>
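The complete procedure as an added example configuration (again my own illustration, not code from the original post or from Cisco's documentation): shaping all traffic leaving "outside" to 2 Mbps while letting DSCP EF traffic jump the shape queue. The interface name, the policy and class names, and the 2000000 bps / 16000 bit values are assumptions chosen for the example.

```cisco
! Added example: traffic shaping + hierarchical priority queuing.
! Assumed interface "outside"; names and rates are illustrative.
! Note: no "priority-queue outside" here, since standard priority
! queuing and shaping cannot coexist on the same interface.

! 1. Child policy: the subset of shaped traffic that gets priority.
!    For encrypted VPN traffic, only a DSCP/precedence match works here.
class-map voice-traffic
  match dscp ef

policy-map voice-priority
  class voice-traffic
    priority

! 2. Parent policy: shape everything (class-default is the only class
!    allowed) to 2 Mbps with a 16000-bit burst, which gives a time
!    interval of 16000 / 2000000 = 0.008 s, i.e. 8 ms per burst.
!    The nested service-policy attaches the priority child policy.
policy-map outside-shape
  class class-default
    shape average 2000000 16000
    service-policy voice-priority

! 3. Apply per interface only; shaping is not allowed in the global policy.
service-policy outside-shape interface outside
```

To see the effect, run "show service-policy shape" (or "show service-policy interface outside"): the class-default counters show queued versus transmitted packets for the shaper, and the nested class shows how many priority packets were placed at the head of the shape queue. Priority packets are only dropped from that queue if their sustained rate exceeds the 2 Mbps shape rate, so if you see drops in the priority class the priority traffic itself is over-subscribing the link.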

Monitoring QoS

Viewing the QoS statistics

#show service-policy

Displaying the priority-queue statistics for an interface

#show priority-queue statistics <interface_name>

-M-