QoS on the PIX/ASA Part 3: Priority Queuing
Sep 16 | 10 Comments
Posted by INE Instructor in Advanced Security, CCIE Security, PIX/ASA Firewall
James, September 18, 2008 at 5:11 pm
Helena, November 5, 2008 at 7:50 pm
Jason Roysdon, November 10, 2008 at 9:06 am
Alexei Monastyrnyi, February 12, 2009 at 3:16 am
romonoeroetoko, July 8, 2009 at 8:16 am
romonoeroetoko, July 15, 2009 at 9:47 am
amenodimeno, July 31, 2009 at 9:51 am
Dave Long, November 13, 2009 at 8:16 am
adamusxyz, January 6, 2010 at 11:32 am
Jayson, September 4, 2010 at 5:54 pm
The security appliance supports two kinds of priority queuing: standard priority queuing and
hierarchical priority queuing. Let's configure each in this third part of our blog.
Standard Priority Queuing
This queuing approach allows you to place your priority traffic in a priority queue, while all other traffic is placed in
a best effort queue. You can police all other traffic if needed.
Step 1: Create the priority queue on the interface where you want to configure standard priority queuing. This
is done in global configuration mode with the priority-queue interface_name command. Notice this will place
you in priority queue configuration mode, where you can optionally change the size of the queue with the
queue-limit number_of_packets command. You can also optionally set the depth of the hardware queue with
the tx-ring-limit number_of_packets command. Remember that the hardware queue forwards packets until full,
and then queuing is handled by the software queue (composed of the priority and best effort queues).
pixfirewall(config)# priority-queue outside
pixfirewall(config-priority-queue)#
Step 2: Use the Modular Policy Framework (covered in Part 2 of these blogs) to configure the prioritized traffic.
pixfirewall(config-priority-queue)# exit
pixfirewall(config)# class-map CM-VOICE
pixfirewall(config-cmap)# match dscp ef
pixfirewall(config-cmap)# exit
pixfirewall(config)# class-map CM-VOICE-SIGNAL
pixfirewall(config-cmap)# match dscp af31
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map PM-VOICE-TRAFFIC
pixfirewall(config-pmap)# class CM-VOICE
pixfirewall(config-pmap-c)# priority
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# class CM-VOICE-SIGNAL
pixfirewall(config-pmap-c)# priority
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy PM-VOICE-TRAFFIC interface outside
pixfirewall(config)# end
Hierarchical Priority Queuing
This queuing approach allows you to shape traffic and allow a subset of the shaped traffic to be prioritized. I have
cleared the configuration from the security appliance in preparation for this new configuration. Notice with this
approach, you do not configure a priority queue on the interface. Also notice with this approach the nesting of the
Policy Maps.
pixfirewall(config)# class-map CM-VOICE
pixfirewall(config-cmap)# match dscp ef
pixfirewall(config-cmap)# exit
pixfirewall(config)# class-map CM-VOICE-SIGNAL
pixfirewall(config-cmap)# match dscp af31
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map PM-VOICE-TRAFFIC
pixfirewall(config-pmap)# class CM-VOICE
pixfirewall(config-pmap-c)# priority
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# class CM-VOICE-SIGNAL
pixfirewall(config-pmap-c)# priority
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# policy-map PM-ALL-TRAFFIC-SHAPE
pixfirewall(config-pmap)# class class-default
pixfirewall(config-pmap-c)# shape average 2000000 16000
pixfirewall(config-pmap-c)# service-policy PM-VOICE-TRAFFIC
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# service-policy PM-ALL-TRAFFIC-SHAPE interface outside
pixfirewall(config)# end
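A consistency check for the two layouts above, as an added example that is not part of the original post: it reads a running-config fragment and reports a standard priority policy bound to an interface that has no priority-queue (Step 1 skipped), while accepting the hierarchical layout, which needs none. The function names and the sample fragments (trimmed to one voice class) are constructed for illustration.

```python
import re

def parse_config(text):
    """Collect priority-queue interfaces, policy-maps and interface bindings."""
    pq, pmaps, binds, cur = set(), {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):
            cur = None  # a top-level command closes the open policy-map
        if m := re.fullmatch(r"priority-queue (\S+)", line):
            pq.add(m.group(1))
        elif m := re.fullmatch(r"policy-map (\S+)", line):
            cur = pmaps.setdefault(m.group(1), {"priority": False, "shape": False, "child": None})
        elif m := re.fullmatch(r"service-policy (\S+) interface (\S+)", line):
            binds.append(m.groups())
        elif cur is not None:
            cur["priority"] |= line == "priority"
            cur["shape"] |= line.startswith("shape average ")
            if m := re.fullmatch(r"service-policy (\S+)", line):
                cur["child"] = m.group(1)  # nested policy under a shaped class
    return pq, pmaps, binds

def audit(text):
    """Return findings for interface bindings that depart from the page's two layouts."""
    pq, pmaps, binds = parse_config(text)
    findings = []
    for name, iface in binds:
        pm = pmaps.get(name, {})
        if pm.get("shape") and pm.get("child"):  # hierarchical: no priority-queue expected
            if not pmaps.get(pm["child"], {}).get("priority"):
                findings.append(f"{iface}: nested policy {pm['child']} has no priority class")
        elif pm.get("priority") and iface not in pq:  # standard layout, Step 1 skipped
            findings.append(f"{iface}: {name} uses priority but 'priority-queue {iface}' is missing")
    return findings

# Constructed running-config fragments built from the commands on this page.
VOICE = """policy-map PM-VOICE-TRAFFIC
 class CM-VOICE
  priority
"""
SHAPE = """policy-map PM-ALL-TRAFFIC-SHAPE
 class class-default
  shape average 2000000 16000
  service-policy PM-VOICE-TRAFFIC
"""
STANDARD = VOICE + "service-policy PM-VOICE-TRAFFIC interface outside\n"
HIERARCHICAL = VOICE + SHAPE + "service-policy PM-ALL-TRAFFIC-SHAPE interface outside\n"

if __name__ == "__main__":
    for cfg in (STANDARD, "priority-queue outside\n" + STANDARD, HIERARCHICAL):
        print(audit(cfg) or "ok")
```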
Verifications for Priority Queuing
These verification commands can be used for both forms of priority queuing. Obviously, you can examine portions
of the running configuration to confirm your Modular Policy Framework components. For example:
pixfirewall# show run policy-map
!
policy-map PM-VOICE-TRAFFIC
class CM-VOICE
priority
class CM-VOICE-SIGNAL
priority
class class-default
policy-map PM-ALL-TRAFFIC-SHAPE
class class-default
shape average 2000000 16000
service-policy PM-VOICE-TRAFFIC
!
Another example:
pixfirewall# show run class-map
!
class-map CM-VOICE-SIGNAL
match dscp af31
class-map CM-VOICE
match dscp ef
!
To verify the statistics of the standard priority queuing configuration, use the following:
pixfirewall# show service-policy priority
Interface outside:
Service-policy: PM-VOICE-TRAFFIC
Class-map: CM-VOICE
Priority:
Interface outside: aggregate drop 0, aggregate transmit 0
Class-map: CM-VOICE-SIGNAL
Priority:
Interface outside: aggregate drop 0, aggregate transmit 0
You can also view the priority queue statistics for an interface using the following:
pixfirewall# show priority-queue statistics outside
Priority-Queue Statistics interface outside
Queue Type = BE
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 0
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
Queue Type = LLQ
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 0
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0
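One way to turn this output into a monitoring check, as an added example that is not part of the original post: the counters are cumulative, so the script parses two polls and reports only tail drops added between them, per queue type. The function names are hypothetical and the counter values in the template are invented.

```python
import re

def parse_pq_stats(output):
    """Parse 'show priority-queue statistics' text into {queue_type: {counter: int}}."""
    queues, current = {}, None
    for line in output.splitlines():
        m = re.fullmatch(r"\s*([A-Za-z ]+?)\s*=\s*(\S+)\s*", line)
        if not m:
            continue  # prompt, banner or blank line
        key, value = m.groups()
        if key == "Queue Type":
            current = queues.setdefault(value, {})
        elif current is not None and value.isdigit():
            current[key] = int(value)
    return queues

def new_tail_drops(before, after):
    """Compare two polls; return {queue_type: tail drops added since the earlier poll}."""
    grown = {}
    for qtype, counters in after.items():
        delta = counters.get("Tail Drops", 0) - before.get(qtype, {}).get("Tail Drops", 0)
        if delta > 0:
            grown[qtype] = delta  # growth in LLQ means priority traffic was dropped
    return grown

# Constructed output in the format shown above; every counter value is invented.
TEMPLATE = """Priority-Queue Statistics interface outside
Queue Type = BE
Tail Drops = {be}
Reset Drops = 0
Packets Transmit = 90311
Packets Enqueued = 90318
Current Q Length = 7
Max Q Length = 120
Queue Type = LLQ
Tail Drops = {llq}
Reset Drops = 0
Packets Transmit = 15820
Packets Enqueued = 15820
Current Q Length = 0
Max Q Length = 3
"""

if __name__ == "__main__":
    first = parse_pq_stats(TEMPLATE.format(be=412, llq=0))
    second = parse_pq_stats(TEMPLATE.format(be=500, llq=9))
    print(new_tail_drops(first, second))
```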
To verify the statistics on the shaping you have done with the hierarchical priority queuing, use the following:
pixfirewall# show service-policy shape
Interface outside:
Service-policy: PM-ALL-TRAFFIC-SHAPE
Class-map: class-default
shape (average) cir 2000000, bc 16000, be 16000
(pkts output/bytes output) 0/0
(total drops/no-buffer drops) 0/0
Service-policy: PM-VOICE-TRAFFIC
The next blog entry on this subject will focus on the shape tool available on the PIX/ASA.
Thanks so much for reading!
Tags: asa, llq, mpf, pix, priority-queuing
10 Responses to QoS on the PIX/ASA Part 3: Priority Queuing
Hi, I found your blog on this new directory of WordPress Blogs at blackhatbootcamp.com/listofwordpressblogs. I don't know how your
blog came up, must have been a typo, I dunno. Anyways, I just clicked it and here I am. Your blog looks good. Have a nice day. James.
Reply
I would like to see the inscription to be continued :-D
Reply
Note that this requires ASA code 8.0(4) or higher. A few weeks ago I went to add this to an 8.0(3) ASA and it rejected most of the
commands until I upgraded it.
Reply
Signaling should be extended with DSCP CS3. A comment to show service-policy priority would be that the output counters don't
really differentiate among classes, here is how it looks in production environment, it is 7.2.4 BTW and all works fine:
asa-chicago(config)# sh ver | in Ver
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)
asa-chicago(config)# sh run class-map
!
class-map Voice-Signal-cs3
description CUCM voice and control traffic
match dscp cs3
class-map Voice
description CUCM voice and control traffic
match dscp ef
class-map Voice-Signal-af31
description CUCM voice and control traffic
match dscp af31
asa-chicago(config)# sh run policy-map VoicePolicy
!
policy-map VoicePolicy
class Voice
priority
class Voice-Signal-cs3
priority
class Voice-Signal-af31
priority
class class-default
!
asa-chicago(config)# show service-policy priority
Interface outside :
Service-policy: VoicePolicy
Class-map: Voice
Priority:
Interface outside: aggregate drop 0, aggregate transmit 3472296
Class-map: Voice-Signal-cs3
Priority:
Interface outside: aggregate drop 0, aggregate transmit 3472296
Class-map: Voice-Signal-af31
Priority:
Interface outside: aggregate drop 0, aggregate transmit 3472296
Reply
Hm that sounds good but I would like to know more details.
Reply
Your news is a cool stuff man, keep it going.
Reply
That's good man, keep it going.
Reply
Can I set up priority queueing on a physical interface that has sub-interfaces and, if so, will it prioritize traffic on all sub-interfaces or
just that on the physical interface?
Thanks.
Reply
This is a very good stuff man. But you can be more specific next time. See ya !
Reply
It is my understanding that your Standard Priority Queuing section won't actually do anything. LLQ only kicks in when the interface is 100% saturated, which isn't likely to happen often on a 100Mb interface. You need to use policing or shaping in tandem with priority
queuing for this to actually do anything.
Please correct me if I'm wrong.
Reply