QoS on the PIX-ASA - Part 3


QoS on the PIX/ASA Part 3: Priority Queuing

Posted September 16, 2008 by INE Instructor in Advanced Security, CCIE Security, PIX/ASA Firewall (10 comments).
(PDF capture of the page dated 8/6/2019, pdfcrowd.com.)



The security appliance supports two kinds of priority queuing: standard priority queuing and hierarchical priority queuing. Let's configure each in this third part of our blog.

Standard Priority Queuing

This queuing approach allows you to place your priority traffic in a priority queue, while all other traffic is placed in a best-effort queue. You can police all other traffic if needed.

Step 1: Create the priority queue on the interface where you want to configure standard priority queuing. This is done in global configuration mode with the priority-queue interface_name command. Notice this will place you in priority-queue configuration mode, where you can optionally set the size of the software queue with the queue-limit number_of_packets command. You can also optionally set the depth of the hardware queue with the tx-ring-limit number_of_packets command. Remember that the hardware queue forwards packets until it is full, and then queuing is handled by the software queue (composed of the priority and best-effort queues).

pixfirewall(config)# priority-queue outside
pixfirewall(config-priority-queue)#

Step 2: Use the Modular Policy Framework (covered in Part 2 of these blogs) to configure the prioritized traffic.

pixfirewall(config-priority-queue)# exit
pixfirewall(config)# class-map CM-VOICE
pixfirewall(config-cmap)# match dscp ef
pixfirewall(config-cmap)# exit
pixfirewall(config)# class-map CM-VOICE-SIGNAL
pixfirewall(config-cmap)# match dscp af31
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map PM-VOICE-TRAFFIC
pixfirewall(config-pmap)# class CM-VOICE
pixfirewall(config-pmap-c)# priority
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# class CM-VOICE-SIGNAL
pixfirewall(config-pmap-c)# priority
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy PM-VOICE-TRAFFIC interface outside
pixfirewall(config)# end

Hierarchical Priority Queuing

This queuing approach allows you to shape traffic and allow a subset of the shaped traffic to be prioritized. I have cleared the configuration from the security appliance in preparation for this new configuration. Notice that with this approach you do not configure a priority queue on the interface. Also notice the nesting of the policy maps: the priority policy is applied inside the shaping policy rather than directly to the interface.

pixfirewall(config)# class-map CM-VOICE
pixfirewall(config-cmap)# match dscp ef
pixfirewall(config-cmap)# exit
pixfirewall(config)# class-map CM-VOICE-SIGNAL
pixfirewall(config-cmap)# match dscp af31
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map PM-VOICE-TRAFFIC
pixfirewall(config-pmap)# class CM-VOICE
pixfirewall(config-pmap-c)# priority
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# class CM-VOICE-SIGNAL
pixfirewall(config-pmap-c)# priority
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# policy-map PM-ALL-TRAFFIC-SHAPE
pixfirewall(config-pmap)# class class-default
pixfirewall(config-pmap-c)# shape average 2000000 16000
pixfirewall(config-pmap-c)# service-policy PM-VOICE-TRAFFIC
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy PM-ALL-TRAFFIC-SHAPE interface outside
pixfirewall(config)# end
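To see what shape average 2000000 16000 with a nested priority policy actually does to packets, here is a small token-bucket simulation. It is an added example written for this page, not code from INE or Cisco. It models the shaper as handing out Bc = 16,000 bits of credit every Tc = Bc / CIR = 8 ms, drains the priority (LLQ) queue before the best-effort (BE) queue in every interval, and assumes a BE queue depth of 16 packets (the post leaves queue-limit at its default; the figure is constructed). The traffic mix, a 200-byte EF packet every 20 ms plus 1500-byte bulk packets at a chosen interval, is also constructed. Run with bulk below the shaped rate and nothing is delayed or dropped; push bulk above it and the EF packets still leave within one Tc while the BE queue fills and tail-drops. That is also why priority alone changes nothing until the shaped rate or the interface is actually saturated.

```python
"""Token-bucket shaper with a strict-priority (LLQ) queue ahead of a
best-effort (BE) queue, modelling the hierarchical policy above:
"shape average 2000000 16000" on class-default with the EF/AF31 classes
nested under it as priority. Added example for this page, not INE or
Cisco code; the BE queue depth and the traffic mix are constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List

CIR_BPS = 2_000_000    # committed rate from "shape average 2000000 16000", bits/s
BC_BITS = 16_000       # committed burst from the same command, bits
BE_QUEUE_LIMIT = 16    # assumed best-effort queue depth (queue-limit left at default in the post)


def shape_interval_ms(cir_bps: int, bc_bits: int) -> float:
    """Tc = Bc / CIR: the shaper hands out Bc bits of credit once per Tc."""
    return bc_bits * 1000.0 / cir_bps       # 16000 / 2000000 -> 8 ms


@dataclass
class Packet:
    arrival_ms: float
    size_bytes: int
    dscp: str          # "ef" / "af31" ride the LLQ, anything else is best effort


def build_traffic(bulk_interval_ms: float, duration_ms: float = 200.0) -> List[Packet]:
    """Constructed mix: a 200-byte EF packet every 20 ms (G.711-style flow)
    plus a 1500-byte best-effort packet every bulk_interval_ms."""
    pkts: List[Packet] = []
    t = 0.0
    while t < duration_ms:
        pkts.append(Packet(t, 200, "ef"))
        t += 20.0
    t = 0.0
    while t < duration_ms:
        pkts.append(Packet(t, 1500, "default"))
        t += bulk_interval_ms
    return pkts


def simulate(packets: List[Packet], cir_bps: int = CIR_BPS, bc_bits: int = BC_BITS,
             be_limit: int = BE_QUEUE_LIMIT, duration_ms: float = 200.0) -> Dict[str, Dict[str, float]]:
    """Per Tc: enqueue arrivals, refill Bc bits of credit, drain the LLQ fully
    before touching BE. Packets that do not fit wait for the next Tc; BE
    packets arriving to a full BE queue are tail-dropped."""
    tc = shape_interval_ms(cir_bps, bc_bits)
    llq: deque = deque()
    be: deque = deque()
    stats = {name: {"tx": 0, "drop": 0, "max_delay_ms": 0.0} for name in ("LLQ", "BE")}
    pending = sorted(packets, key=lambda p: p.arrival_ms)
    i, t = 0, 0.0
    while t < duration_ms:
        # everything arriving during this interval is queued before the interval is served
        while i < len(pending) and pending[i].arrival_ms < t + tc:
            p = pending[i]
            i += 1
            if p.dscp in ("ef", "af31"):
                llq.append(p)               # priority queue depth not modelled
            elif len(be) < be_limit:
                be.append(p)
            else:
                stats["BE"]["drop"] += 1    # tail drop, as counted by show priority-queue statistics
        credit = bc_bits                    # a fresh Bc every Tc, no carry-over
        for name, q in (("LLQ", llq), ("BE", be)):
            while q and q[0].size_bytes * 8 <= credit:
                p = q.popleft()
                credit -= p.size_bytes * 8
                stats[name]["tx"] += 1
                delay = (t + tc) - p.arrival_ms   # sent at the end of the interval
                stats[name]["max_delay_ms"] = max(stats[name]["max_delay_ms"], delay)
        t += tc
    return stats


if __name__ == "__main__":
    for label, interval in (("bulk below CIR (1 Mbit/s)", 12.0), ("bulk above CIR (4 Mbit/s)", 3.0)):
        print(label, simulate(build_traffic(interval)))
```

With bulk at 12 ms spacing (1 Mbit/s) both queues transmit everything within a single Tc; at 3 ms spacing (4 Mbit/s) only one bulk packet fits per Tc after the voice packet, the BE queue reaches its limit within about 70 ms and every further burst is partly tail-dropped, while the LLQ still reports zero drops and at most 8 ms of delay.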

Verifications for Priority Queuing

These verification commands can be used for both forms of priority queuing. Obviously, you can examine portions of the running configuration to confirm your Modular Policy Framework components. For example:

pixfirewall# show run policy-map
!
policy-map PM-VOICE-TRAFFIC
 class CM-VOICE
  priority
 class CM-VOICE-SIGNAL
  priority
 class class-default
policy-map PM-ALL-TRAFFIC-SHAPE
 class class-default
  shape average 2000000 16000
  service-policy PM-VOICE-TRAFFIC
!

Another example:

pixfirewall# show run class-map
!
class-map CM-VOICE-SIGNAL
 match dscp af31
class-map CM-VOICE
 match dscp ef
!

To verify the statistics of the standard priority queuing configuration, use the following:

pixfirewall# show service-policy priority

Interface outside:
  Service-policy: PM-VOICE-TRAFFIC
    Class-map: CM-VOICE
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 0
    Class-map: CM-VOICE-SIGNAL
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 0

You can also view the priority queue statistics for an interface using the following:

pixfirewall# show priority-queue statistics outside

Priority-Queue Statistics interface outside

  Queue Type         = BE
  Tail Drops         = 0
  Reset Drops        = 0
  Packets Transmit   = 0
  Packets Enqueued   = 0
  Current Q Length   = 0
  Max Q Length       = 0

  Queue Type         = LLQ
  Tail Drops         = 0
  Reset Drops        = 0
  Packets Transmit   = 0
  Packets Enqueued   = 0
  Current Q Length   = 0
  Max Q Length       = 0

To verify the statistics on the shaping you have done with the hierarchical priority queuing, use the following:

pixfirewall# show service-policy shape

Interface outside:
  Service-policy: PM-ALL-TRAFFIC-SHAPE
    Class-map: class-default
      shape (average) cir 2000000, bc 16000, be 16000
      (pkts output/bytes output) 0/0
      (total drops/no-buffer drops) 0/0
      Service-policy: PM-VOICE-TRAFFIC
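Reading these counters by hand is fine on one firewall; a monitoring job wants them parsed and thresholded. The following is an added example written for this page, not INE's or Cisco's code. It parses the show priority-queue statistics and show service-policy priority formats shown above (the sample output embedded in it is constructed, with non-zero counters so the checks have something to find) and raises a finding for any drop in the LLQ and for an elevated best-effort drop ratio. Any LLQ drop is worth a look: the class-maps trust whatever DSCP the packet already carries, so an overflowing priority queue means more EF/AF31-marked traffic arrived than the link was planned for. The drop ratio treats Packets Enqueued plus Tail Drops as the total offered to a queue, which is an assumption about how the appliance counts.

```python
"""Parse "show priority-queue statistics <if>" and "show service-policy
priority" output from a PIX/ASA and flag queues that are dropping.
Added example for this page; the sample output below is constructed to
follow the field layout shown in the post, with made-up counters."""
import re
from typing import Dict, List

# Constructed sample of show priority-queue statistics outside.
PQ_STATS_SAMPLE = """\
Priority-Queue Statistics interface outside

  Queue Type         = BE
  Tail Drops         = 1287
  Reset Drops        = 0
  Packets Transmit   = 948213
  Packets Enqueued   = 949500
  Current Q Length   = 12
  Max Q Length       = 2048

  Queue Type         = LLQ
  Tail Drops         = 3
  Reset Drops        = 0
  Packets Transmit   = 410017
  Packets Enqueued   = 410020
  Current Q Length   = 0
  Max Q Length       = 64
"""

# Constructed sample of show service-policy priority.
SP_PRIORITY_SAMPLE = """\
Interface outside:
  Service-policy: PM-VOICE-TRAFFIC
    Class-map: CM-VOICE
      Priority:
        Interface outside: aggregate drop 3, aggregate transmit 409000
    Class-map: CM-VOICE-SIGNAL
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 1017
"""

_KV = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(\S+)\s*$")
_CLASS = re.compile(r"^\s*Class-map:\s*(\S+)")
_AGG = re.compile(r"aggregate drop (\d+), aggregate transmit (\d+)")


def parse_priority_queue_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Return {queue_type: {field: value}}; field names become snake_case
    (e.g. "Tail Drops" -> "tail_drops"). Lines without "=" are ignored."""
    queues: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1).strip().lower().replace(" ", "_"), m.group(2)
        if key == "queue_type":
            current = queues.setdefault(value, {})   # "BE" or "LLQ"
        elif current is not None:
            current[key] = int(value)
    return queues


def parse_service_policy_priority(text: str) -> Dict[str, Dict[str, int]]:
    """Return {class_map: {"drop": n, "transmit": n}} from show service-policy priority."""
    classes: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        c = _CLASS.match(line)
        if c:
            current = classes.setdefault(c.group(1), {})
            continue
        a = _AGG.search(line)
        if a and current is not None:
            current["drop"], current["transmit"] = int(a.group(1)), int(a.group(2))
    return classes


def drop_ratio(q: Dict[str, int]) -> float:
    """Tail drops over everything offered to the queue (enqueued + tail-dropped;
    this split is an assumption about the counters). 0.0 for an idle queue."""
    drops = q.get("tail_drops", 0)
    offered = q.get("packets_enqueued", 0) + drops
    return drops / offered if offered else 0.0


def check_queue_health(queues: Dict[str, Dict[str, int]], be_drop_threshold: float = 0.001) -> List[str]:
    """Findings a monitoring job would raise: any LLQ drop at all, and a BE
    tail-drop ratio above the threshold (0.1% by default, an assumed value)."""
    findings: List[str] = []
    llq = queues.get("LLQ", {})
    tail, reset = llq.get("tail_drops", 0), llq.get("reset_drops", 0)
    if tail or reset:
        findings.append(f"LLQ dropped {tail} (tail) / {reset} (reset) packets: priority queue overflowed")
    be = queues.get("BE", {})
    ratio = drop_ratio(be)
    if ratio > be_drop_threshold:
        findings.append(f"BE drop ratio {ratio:.4%} exceeds {be_drop_threshold:.2%}")
    return findings


if __name__ == "__main__":
    for finding in check_queue_health(parse_priority_queue_stats(PQ_STATS_SAMPLE)):
        print(finding)
    print(parse_service_policy_priority(SP_PRIORITY_SAMPLE))
```

On the constructed sample this reports the three LLQ tail drops and a BE drop ratio of about 0.14%; a zero-counter output like the one in the post produces no findings.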

The next blog entry on this subject will focus on the shaping tool available on the PIX/ASA.

Thanks so much for reading!

Tags: asa, llq, mpf, pix, priority-queuing


10 Responses to QoS on the PIX/ASA Part 3: Priority Queuing

James (September 18, 2008):

Hi, I found your blog on this new directory of WordPress Blogs at blackhatbootcamp.com/listofwordpressblogs. I don't know how your blog came up, must have been a typo, I dunno. Anyways, I just clicked it and here I am. Your blog looks good. Have a nice day. James.

Helena (November 5, 2008):

I would like to see the inscription to be continued :-D

Jason Roysdon (November 10, 2008):

Note that this requires ASA code 8.0(4) or higher. A few weeks ago I went to add this to an 8.0(3) ASA and it rejected most of the commands until I upgraded it.

Alexei Monastyrnyi (February 12, 2009):

Signaling should be extended with DSCP CS3. A comment to show service-policy priority would be that the output counters don't really differentiate among classes; here is how it looks in a production environment. It is 7.2.4 BTW and all works fine:

asa-chicago(config)# sh ver | in Ver
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)

asa-chicago(config)# sh run class-map
!
class-map Voice-Signal-cs3
 description CUCM voice and control traffic
 match dscp cs3
class-map Voice
 description CUCM voice and control traffic
 match dscp ef
class-map Voice-Signal-af31
 description CUCM voice and control traffic
 match dscp af31

asa-chicago(config)# sh run policy-map VoicePolicy
!
policy-map VoicePolicy
 class Voice
  priority
 class Voice-Signal-cs3
  priority
 class Voice-Signal-af31
  priority
 class class-default
!

asa-chicago(config)# show service-policy priority

Interface outside :
  Service-policy: VoicePolicy
    Class-map: Voice
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 3472296
    Class-map: Voice-Signal-cs3
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 3472296
    Class-map: Voice-Signal-af31
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 3472296

romonoeroetoko (July 8, 2009):

Hm, that sounds good, but I would like to know more details.

romonoeroetoko (July 15, 2009):

Your news is cool stuff man, keep it going.

amenodimeno (July 31, 2009):

That's good man, keep it going.

Dave Long (November 13, 2009):

Can I set up priority queueing on a physical interface that has sub-interfaces and, if so, will it prioritize traffic on all sub-interfaces or just that on the physical interface?

Thanks.

adamusxyz (January 6, 2010):

This is very good stuff man. But you can be more specific next time. See ya!

Jayson (September 4, 2010):

It is my understanding that your Standard Priority Queuing section won't actually do anything. LLQ only kicks in when the interface is 100% saturated, which isn't likely to happen often on a 100Mb interface. You need to use policing or shaping in tandem with priority queuing for this to actually do anything.

Please correct me if I'm wrong.

