It may be desirable to rate-limit traffic to various hosts or subnets on your network. The Cisco ASA has some very limited QoS capabilities built in (better QoS features are available on Cisco IOS routers). To apply a basic rate limit, use the “policing” feature. It is configured by matching a class of traffic with a “class-map”, setting rules with a “policy-map” to “police” your traffic class at a given rate, and then applying the policy to an interface with the “service-policy” command. *NOTE* only one service-policy may be active on an interface at a time. More details and examples are in the Cisco documentation linked below. The priority queue part is optional if you just want rate-limiting (policing). While implementing a priority queue and/or policing policy, you will likely need to determine an appropriate transmit ring limit (tx-ring-limit) as well as a policing token bucket size (bc, or burst committed). The default bucket size is based on 250 ms of the policing rate (cir, or committed information rate), which is a reasonable default. There is a useful calculation worksheet for the tx-ring-limit in the documents linked below. For the token bucket (bc) size, calculate the number of bytes that will be sent at your full committed rate (the cir policing rate) in 250 ms (1/4 second), or in your preferred policing interval.

These QoS features all work on outgoing traffic on an interface, but only policing works on incoming traffic. To apply priority or shaping QoS features to incoming traffic, use an outgoing policy on the interface on the opposite side of the device. The directionality of these QoS capabilities is listed in the following Cisco document: Configuring a Service Policy – Feature Directionality. View the QoS configuration with:

  • show priority-queue config INTERFACE-NAME
  • show run priority-queue INTERFACE-NAME
  • show run class-map
  • show run policy-map
  • show run service-policy

Monitor QoS status with:

  • show service-policy interface INTERFACE-NAME
  • show priority-queue statistics

NOTE: New QoS rules or changes DO NOT AFFECT EXISTING CONNECTIONS! The ASA assigns connections to QoS policing groups, policy groups, etc. at the time a connection is established. Ongoing connections are not re-evaluated when rules change. To force all connections to be re-established, use the DANGEROUS COMMAND “clear conn” (THIS WILL DROP ALL EXISTING CONNECTIONS).

Here’s a sample priority queue config for VoIP traffic, assuming two named interfaces (inside and outside) with an estimated bandwidth of 25 Mbps download and a matching 25 Mbps upload.

! Calculate Transmit Ring Size (in number of packets)
! Note that delay can be changed to match your requirements
! 125 is a conversion factor: 1 Mbps = 125 bytes per millisecond
!   25 (Mbps) * 125 / 1538 (bytes) * 20 (ms) = 40 (rounded down)
priority-queue outside
  tx-ring-limit 40
priority-queue inside
  tx-ring-limit 40
! Define class for VoIP traffic
!   Match Differentiated Services Code Point (DSCP) "Expedited Forwarding" (EF)
class-map voip
 match dscp ef
! Give priority to VoIP packets: the "priority" action under the class
! places matching packets in the low-latency queue enabled above
policy-map outside-policy
 description Apply QoS
 class voip
  priority
policy-map inside-policy
 description Apply QoS
 class voip
  priority
! Apply the QoS policies to interfaces to prioritize voice
! (only one service-policy may be active per interface)
service-policy outside-policy interface outside
service-policy inside-policy interface inside
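As an added worked example (my own code, not from the post or from Cisco), a small Python helper that applies the tx-ring-limit and token bucket (bc) calculations described at the top of the post and renders an ASA policing class from them. The `police output <rate-bps> <burst-bytes>` keyword order and the accepted value ranges are assumptions taken from the ASA command reference, and the class-map named in the output is assumed to be defined separately.

```python
# Added example (not from the original post): carries out the two sizing
# calculations the post describes, tx-ring-limit and the policing token
# bucket (bc), and renders them as an ASA policing class for review.
# Assumptions (not from the post): the 'police output <bps> <bytes>'
# keyword order, and the ASA-documented ranges used in the sanity check.
import math

BYTES_PER_MS_PER_MBPS = 125                     # 1 Mbps = 125 bytes/ms (from the post)
ASA_POLICE_RATE_RANGE = (8000, 2_000_000_000)   # bits/s, assumed ASA limits
ASA_POLICE_BURST_RANGE = (1000, 512_000_000)    # bytes, assumed ASA limits


def tx_ring_limit(mbps: float, delay_ms: float = 20, frame_bytes: int = 1538) -> int:
    """Transmit ring size in packets: bytes the link moves in delay_ms,
    divided by the frame size, rounded down (the post's worksheet formula)."""
    packets = mbps * BYTES_PER_MS_PER_MBPS / frame_bytes * delay_ms
    return max(1, math.floor(packets))


def committed_burst_bytes(cir_bps: int, interval_s: float = 0.25) -> int:
    """Token bucket size (bc): bytes sent at the full committed rate in one
    policing interval; 250 ms is the ASA default the post mentions."""
    return int(cir_bps / 8 * interval_s)


def check_police_params(cir_bps: int, bc_bytes: int) -> bool:
    """Reject values outside the (assumed) ranges the ASA accepts, so a
    typo does not silently produce a far looser or tighter limit."""
    lo_r, hi_r = ASA_POLICE_RATE_RANGE
    lo_b, hi_b = ASA_POLICE_BURST_RANGE
    return lo_r <= cir_bps <= hi_r and lo_b <= bc_bytes <= hi_b


def render_policing_class(iface: str, class_name: str, mbps: float,
                          delay_ms: float = 20) -> str:
    """Render the policing side of the post's config for one interface."""
    cir_bps = int(mbps * 1_000_000)
    bc = committed_burst_bytes(cir_bps)
    if not check_police_params(cir_bps, bc):
        raise ValueError(f"police values out of range: {cir_bps} bps / {bc} bytes")
    return "\n".join([
        f"priority-queue {iface}",
        f"  tx-ring-limit {tx_ring_limit(mbps, delay_ms)}",
        f"policy-map {iface}-policy",
        f" class {class_name}",
        f"  police output {cir_bps} {bc}",
        f"service-policy {iface}-policy interface {iface}",
    ])


if __name__ == "__main__":
    print(render_policing_class("outside", "bulk", 25))
```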

About notesbytom

Keeping technology notes on to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).