- Traffic shaping - configure the ASA to transmit packets at a fixed slower rate
- Policing - limit the maximum bandwidth used per flow
- Priority queuing - for critical traffic that cannot tolerate latency, such as Voice over IP (VoIP), you can identify traffic for Low Latency Queuing (LLQ) so that it is always transmitted ahead of other traffic
A token bucket is a formal definition of a rate of transfer. It has three components: a burst size (Bc), an average rate (CIR), and a time interval (Tc). The average rate is usually expressed in bits per second; given any two of the three values, the third follows from the relation:
average rate = burst size / time interval
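To make the relation concrete, here is a token-bucket model of an ASA policer, written as an added example for this post (it is not Cisco's implementation). It applies average rate = burst size / time interval with the ASA's units (CIR in bits per second, Bc in bytes) and runs two constructed packet streams through the bucket; the CIR 8000 bps / Bc 1500 bytes pair is the one that appears in the policing_ICMP counters later in the post.

```python
"""Token-bucket model of an ASA policer (added example, not Cisco's implementation).

It applies the relation above, average rate = burst size / time interval, with the
ASA's units (CIR in bits per second, Bc in bytes), and feeds the bucket a constructed
packet stream to show which packets conform (transmit) and which exceed (drop).
"""
from dataclasses import dataclass, field


def burst_bytes(cir_bps: float, tc_s: float) -> float:
    """Bc = CIR * Tc, converted from bits to bytes."""
    return cir_bps * tc_s / 8


def time_interval_s(cir_bps: float, bc_bytes: float) -> float:
    """Tc = Bc / CIR, with Bc converted from bytes to bits."""
    return bc_bytes * 8 / cir_bps


def average_rate_bps(bc_bytes: float, tc_s: float) -> float:
    """CIR = Bc / Tc, with Bc converted from bytes to bits."""
    return bc_bytes * 8 / tc_s


@dataclass
class TokenBucketPolicer:
    cir_bps: int                       # committed information rate, bits/s
    bc_bytes: int                      # bucket depth (burst size), bytes
    tokens: float = field(init=False)
    last_t: float = 0.0
    conformed_pkts: int = 0
    conformed_bytes: int = 0
    exceeded_pkts: int = 0
    exceeded_bytes: int = 0

    def __post_init__(self) -> None:
        self.tokens = float(self.bc_bytes)   # a full bucket lets an initial burst of Bc bytes through

    def offer(self, t: float, size_bytes: int) -> bool:
        """Police one packet arriving at time t; True = conform (transmit), False = exceed (drop)."""
        # Tokens accrue at CIR since the previous packet and never pile up beyond Bc.
        refill = (t - self.last_t) * self.cir_bps / 8
        self.tokens = min(float(self.bc_bytes), self.tokens + refill)
        self.last_t = t
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            self.conformed_pkts += 1
            self.conformed_bytes += size_bytes
            return True
        # An exceeding packet is dropped and consumes no tokens.
        self.exceeded_pkts += 1
        self.exceeded_bytes += size_bytes
        return False


def police(cir_bps: int, bc_bytes: int, packets) -> dict:
    """Police a list of (arrival_time_s, size_bytes) and return show-service-policy style counters."""
    p = TokenBucketPolicer(cir_bps, bc_bytes)
    decisions = [p.offer(t, size) for t, size in packets]
    return {"conformed": p.conformed_pkts, "conformed_bytes": p.conformed_bytes,
            "exceeded": p.exceeded_pkts, "exceeded_bytes": p.exceeded_bytes,
            "decisions": decisions}


# Constructed streams. FLOOD sends 1000-byte pings every 0.5 s (16 kbps, twice an 8 kbps CIR);
# STEADY sends 100-byte pings every 0.1 s (exactly 8 kbps).
FLOOD = [(i * 0.5, 1000) for i in range(10)]
STEADY = [(i * 0.1, 100) for i in range(50)]

if __name__ == "__main__":
    # CIR 8000 bps / Bc 1500 bytes matches the policing_ICMP counters shown later in the post.
    print("Tc for cir 8000 bps, bc 1500 bytes:", time_interval_s(8000, 1500), "s")
    print("flood :", police(8000, 1500, FLOOD))
    print("steady:", police(8000, 1500, STEADY))
```

The flood stream settles into an alternating conform/exceed pattern once the initial Bc burst is spent, which is the policer holding the long-run rate at exactly the CIR; the steady stream never exceeds because each 0.1 s refill covers the next 100-byte packet.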
1. Traffic shaping
Traffic shaping must be applied to all outgoing traffic on a physical interface.
Traffic shaping is implemented when packets are ready to be transmitted on an interface, so the rate calculation is performed based on the actual size of a packet to be transmitted, including all the possible overhead such as the IPsec header and L2 header.
The shaped traffic includes both through-the-box and from-the-box traffic.
-create the policy-map
policy-map TRAFFIC_SHAPE
class class-default
shape average 512000
-apply the service-policy to one interface
service-policy TRAFFIC_SHAPE interface inside
-verify
ciscoasa(config)# show service-policy shape
Interface inside:
Service-policy: TRAFFIC_SHAPE
Class-map: class-default
shape (average) cir 512000, bc 2048
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
2. Policing
-Define the traffic flows that you want to manipulate
access-list policing_http extended permit tcp any any eq www
class-map policing_traffic
match access-list policing_http
access-list ICMP extended permit icmp any any
class-map policing_ICMP
match access-list ICMP
-create the policy-map
policy-map policing_traffic
class policing_traffic
police output 56000
police input 56000
class policing_ICMP
police input 8000
police output 8000
-apply the service-policy to one interface or globally
service-policy policing_traffic interface outside
-verify
ciscoasa(config-pmap-c)# show service-policy interface outside
Interface outside:
Service-policy: policing_traffic
Class-map: policing_traffic
Output police Interface outside:
cir 56000 bps, bc 1750 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Input police Interface outside:
cir 56000 bps, bc 1750 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Class-map: policing_ICMP
Input police Interface outside:
cir 8000 bps, bc 1500 bytes
conformed 20 packets, 21118 bytes; actions: transmit
exceeded 5 packets, 7570 bytes; actions: drop
conformed 0 bps, exceed 352 bps
Output police Interface outside:
cir 8000 bps, bc 1500 bytes
conformed 58 packets, 30324 bytes; actions: transmit
exceeded 25 packets, 36398 bytes; actions: drop
conformed 0 bps, exceed 1696 bps
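Reading these counters by eye is fine for one interface; for a check you can run against a saved `show service-policy` capture, here is a parser added for this post (it is not a Cisco tool and not part of the original post). The SAMPLE_OUTPUT text is the output quoted above; the regular expressions follow the line formats visible in it and assume the same layout elsewhere.

```python
"""Parse ASA `show service-policy` policer counters and flag classes that are dropping.

Added example, not part of the original post or of any Cisco tool. SAMPLE_OUTPUT is the
`show service-policy interface outside` text quoted above; the regexes follow the line
formats visible in it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
Interface outside:
Service-policy: policing_traffic
Class-map: policing_traffic
Output police Interface outside:
cir 56000 bps, bc 1750 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Input police Interface outside:
cir 56000 bps, bc 1750 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Class-map: policing_ICMP
Input police Interface outside:
cir 8000 bps, bc 1500 bytes
conformed 20 packets, 21118 bytes; actions: transmit
exceeded 5 packets, 7570 bytes; actions: drop
conformed 0 bps, exceed 352 bps
Output police Interface outside:
cir 8000 bps, bc 1500 bytes
conformed 58 packets, 30324 bytes; actions: transmit
exceeded 25 packets, 36398 bytes; actions: drop
conformed 0 bps, exceed 1696 bps
"""


@dataclass
class PoliceCounters:
    interface: str
    class_map: str
    direction: str              # "Input" or "Output"
    cir_bps: int = 0
    bc_bytes: int = 0
    conformed_pkts: int = 0
    conformed_bytes: int = 0
    exceeded_pkts: int = 0
    exceeded_bytes: int = 0
    exceed_action: str = ""

    @property
    def drop_ratio(self) -> float:
        """Share of policed packets that exceeded the CIR (0.0 when nothing was seen)."""
        total = self.conformed_pkts + self.exceeded_pkts
        return self.exceeded_pkts / total if total else 0.0

    @property
    def tc_seconds(self) -> float:
        """Token-bucket interval Tc = Bc / CIR (Bc in bytes, CIR in bits per second)."""
        return self.bc_bytes * 8 / self.cir_bps if self.cir_bps else 0.0


_CLASS = re.compile(r"^Class-map:\s+(\S+)$")
_POLICE = re.compile(r"^(Input|Output) police Interface (\S+):$")
_RATE = re.compile(r"^cir (\d+) bps, bc (\d+) bytes$")
_CONF = re.compile(r"^conformed (\d+) packets, (\d+) bytes; actions: (\w+)$")
_EXC = re.compile(r"^exceeded (\d+) packets, (\d+) bytes; actions: (\w+)$")


def parse_police(text: str) -> list[PoliceCounters]:
    """Return one PoliceCounters per (class-map, direction) police block found in text."""
    entries: list[PoliceCounters] = []
    class_map = ""
    cur: PoliceCounters | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _CLASS.match(line):
            class_map, cur = m.group(1), None
        elif (m := _POLICE.match(line)) and class_map:
            cur = PoliceCounters(interface=m.group(2), class_map=class_map, direction=m.group(1))
            entries.append(cur)
        elif cur is None:
            continue                      # shaping/priority lines are not police counters
        elif m := _RATE.match(line):
            cur.cir_bps, cur.bc_bytes = int(m.group(1)), int(m.group(2))
        elif m := _CONF.match(line):
            cur.conformed_pkts, cur.conformed_bytes = int(m.group(1)), int(m.group(2))
        elif m := _EXC.match(line):
            cur.exceeded_pkts, cur.exceeded_bytes = int(m.group(1)), int(m.group(2))
            cur.exceed_action = m.group(3)
    return entries


def flag_drops(entries: list[PoliceCounters], min_ratio: float = 0.1) -> list[tuple[str, str, float]]:
    """(class_map, direction, drop_ratio) for policers that drop more than min_ratio of packets."""
    return [(e.class_map, e.direction, round(e.drop_ratio, 3))
            for e in entries if e.exceed_action == "drop" and e.drop_ratio > min_ratio]


if __name__ == "__main__":
    for e in parse_police(SAMPLE_OUTPUT):
        print(f"{e.class_map:18} {e.direction:6} cir={e.cir_bps} bc={e.bc_bytes} "
              f"Tc={e.tc_seconds:.2f}s drop_ratio={e.drop_ratio:.3f}")
    print("over threshold:", flag_drops(SAMPLE_OUTPUT and parse_police(SAMPLE_OUTPUT)))
```

On the output above the ICMP policer is the only one dropping: 20% of inbound and about 30% of outbound ICMP packets exceeded the 8000 bps CIR. The byte counters add the detail: the exceeding outbound packets average about 1456 bytes each against roughly 523 bytes for the conforming ones, so it is the large pings that blow through the 1500-byte Bc.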
3. Priority queuing
The security appliance supports two kinds of priority queuing: standard priority queuing and hierarchical priority queuing.
3.A Standard priority queuing
-Create the priority queue on the interface where you want to configure the standard priority queuing.
This is done in global configuration mode with the priority-queue interface_name command. This places you in priority-queue configuration mode, where you can optionally set the size of the software queue with the queue-limit number_of_packets command and the depth of the hardware queue with the tx-ring-limit number_of_packets command. Remember that the hardware queue forwards packets until it is full; after that, queuing is handled by the software queue (composed of the priority and best-effort queues).
priority-queue outside
-Define the traffic flows that you want to manipulate
class-map priority_voice
match dscp ef
-create the policy-map
policy-map priority_voice
class priority_voice
priority
-apply the service-policy to one interface or globally
service-policy priority_voice interface outside
Traffic matching the priority_voice class-map is serviced from the priority queue; all other traffic uses the best-effort queue.
Priority queuing applies only to outgoing packets.
-verify
ciscoasa(config)# show service-policy priority
Interface outside:
Service-policy: priority_voice
Class-map: priority_voice
Priority:
Interface outside: aggregate drop 0, aggregate transmit 0
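The interaction between the hardware ring, the two software queues and queue-limit is easier to see in a model than in the counters. The simulation below is an added example for this post, not Cisco's code: it follows the description given above for standard priority queuing (a tx ring that forwards until full, then a priority queue that is always served before best effort, each software queue capped by queue-limit). Packet names and the small limits are constructed; the default values of 64 and 4 are the model's own placeholders, not a claim about ASA defaults.

```python
"""Model of the ASA's standard priority queue on one interface.

Added example, not Cisco's code: it follows the description above (a hardware tx ring
that forwards until it is full, then two software queues, priority and best effort,
each capped by queue-limit, with the priority queue always served first). Packet
names and the small limits are constructed for illustration.
"""
from collections import deque


class PriorityQueueInterface:
    def __init__(self, queue_limit: int = 64, tx_ring_limit: int = 4) -> None:
        self.queue_limit = queue_limit        # queue-limit: per software queue, packets
        self.tx_ring_limit = tx_ring_limit    # tx-ring-limit: hardware queue depth, packets
        self.tx_ring: deque = deque()         # hardware queue: strict FIFO, cannot be reordered
        self.priority: deque = deque()        # software queue for the class with `priority`
        self.best_effort: deque = deque()     # software queue for everything else
        self.sent: list = []
        self.dropped: list = []

    def enqueue(self, name: str, is_priority: bool) -> bool:
        """Offer a packet to the interface; False means it was tail-dropped."""
        software_idle = not self.priority and not self.best_effort
        if software_idle and len(self.tx_ring) < self.tx_ring_limit:
            self.tx_ring.append(name)         # ring has room: the packet skips the software queues
            return True
        queue = self.priority if is_priority else self.best_effort
        if len(queue) >= self.queue_limit:
            self.dropped.append(name)         # queue-limit reached: tail drop
            return False
        queue.append(name)
        return True

    def _refill_ring(self) -> None:
        # Move queued packets into the ring, priority queue first, until the ring is full.
        while len(self.tx_ring) < self.tx_ring_limit and (self.priority or self.best_effort):
            source = self.priority if self.priority else self.best_effort
            self.tx_ring.append(source.popleft())

    def transmit_one(self):
        """The wire takes the head of the hardware ring; the ring is then refilled."""
        if not self.tx_ring:
            self._refill_ring()
        if not self.tx_ring:
            return None
        pkt = self.tx_ring.popleft()
        self.sent.append(pkt)
        self._refill_ring()
        return pkt

    def drain(self) -> list:
        """Transmit everything and return the order in which packets left the interface."""
        while self.transmit_one() is not None:
            pass
        return self.sent


def demo(queue_limit: int = 3, tx_ring_limit: int = 2) -> tuple:
    """Six best-effort packets arrive, then two EF voice packets, before the wire moves."""
    iface = PriorityQueueInterface(queue_limit, tx_ring_limit)
    for name in ("BE1", "BE2", "BE3", "BE4", "BE5", "BE6"):
        iface.enqueue(name, is_priority=False)
    for name in ("V1", "V2"):
        iface.enqueue(name, is_priority=True)
    return iface.drain(), iface.dropped


if __name__ == "__main__":
    for ring in (2, 4):
        sent, dropped = demo(queue_limit=3, tx_ring_limit=ring)
        print(f"tx-ring-limit {ring}: order {sent}, dropped {dropped}")
```

With a ring of 2, the voice packets overtake everything still sitting in the software queue but not the two best-effort packets already handed to the hardware; with a ring of 4 they wait behind four. That is the reason tx-ring-limit is exposed at all: the priority queue cannot reorder what the hardware queue already holds, so a deep ring adds latency to LLQ traffic. The drop of BE6 in the first case shows queue-limit acting as a tail drop on the best-effort queue.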
3.B Priority queuing and policing
You can also configure standard priority queuing and policing for different class maps within the same policy map.
-create the policy-map
priority-queue inside
policy-map QoS_TRAFFIC
class priority_voice
priority
class policing_ICMP
police input 16000
police output 16000
-apply the policy-map to one interface or globally
service-policy QoS_TRAFFIC interface inside
-verify
ciscoasa(config)# show service-policy interface inside
Interface inside:
Service-policy: QoS_TRAFFIC
Class-map: priority_voice
Priority:
Interface inside: aggregate drop 0, aggregate transmit 0
Class-map: policing_ICMP
Input police Interface inside:
cir 16000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Output police Interface inside:
cir 16000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Class-map: class-default
3.C Hierarchical priority queuing
This approach lets you shape all traffic on an interface and prioritize a subset of the shaped traffic.
With this approach, you do not configure a priority queue on the interface.
-Define the traffic flows that you want to manipulate
access-list ike extended permit udp any any eq isakmp
class-map voice_traffic
match dscp ef
class-map ike
match access-list ike
-create the priority policy-map
policy-map priority_traffic
class ike
priority
class voice_traffic
priority
-create the hierarchical policy-map
policy-map hierarchical_priority
class class-default
shape average 512000
service-policy priority_traffic
-apply the service-policy to one interface
service-policy hierarchical_priority interface outside
-verify
ciscoasa(config)# show service-policy interface outside
Interface outside:
Service-policy: hierarchical_priority
Class-map: class-default
shape (average) cir 512000, bc 2048
(pkts output/bytes output) 0/0
(total drops/no-buffer drops) 0/0
Service-policy: priority_traffic
Class-map: ike
priority
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: voice_traffic
priority
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: class-default
Default Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
4. Supported feature combinations per interface
•Standard priority queuing (for specific traffic) + Policing (for the rest of the traffic).
You cannot configure priority queuing and policing for the same set of traffic.
•Traffic shaping (for all traffic on an interface) + Hierarchical priority queuing (for a subset of traffic).
You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed. For example, if you configure standard priority queuing for the global policy, and then configure traffic shaping for a specific interface, the feature you configured last is rejected because the global policy overlaps the interface policy.
Typically, if you enable traffic shaping, you do not also enable policing for the same traffic, although the ASA does not restrict you from configuring this.