
QoS On The PIX-ASA - Part 3

PIX / ASA security appliance supports two kinds of priority queuing. You can police all other traffic if needed. Hierarchical priority queueing allows you to shape traffic and allow a subset of the shaped traffic to be prioritized.

QoS on the PIX/ASA Part 3: Priority Queuing
Posted 16 Sep by INE Instructor in Advanced Security, CCIE Security, PIX/ASA Firewall
10 Comments

The security appliance supports two kinds of priority queuing: standard priority queuing and hierarchical priority queuing. Let's configure each in this third part of our blog.

Standard Priority Queuing

This queuing approach allows you to place your priority traffic in a priority queue, while all other traffic is placed in a best effort queue. You can police all other traffic if needed.

Step 1: Create the priority queue on the interface where you want to configure the standard priority queuing. This is done in global configuration mode with the priority-queue interface_name command. Notice this will place you in priority-queue configuration mode where you can optionally manipulate the size of the queue with the queue-limit number_of_packets command. You can also optionally set the depth of the hardware queue with the tx-ring-limit number_of_packets command. Remember that the hardware queue forwards packets until full, and then queuing is handled by the software queue (composed of the priority and best effort queues).

pixfirewall(config)# priority-queue outside
pixfirewall(config-priority-queue)#

Step 2: Use the Modular Policy Framework (covered in Part 2 of these blogs) to configure the prioritized traffic.

pixfirewall(config-priority-queue)# exit
pixfirewall(config)# class-map CM-VOICE
pixfirewall(config-cmap)# match dscp ef
pixfirewall(config-cmap)# exit
pixfirewall(config)# class-map CM-VOICE-SIGNAL
pixfirewall(config-cmap)# match dscp af31
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map PM-VOICE-TRAFFIC
pixfirewall(config-pmap)# class CM-VOICE
pixfirewall(config-pmap-c)# priority
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# class CM-VOICE-SIGNAL
pixfirewall(config-pmap-c)# priority
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# service-policy PM-VOICE-TRAFFIC interface outside
pixfirewall(config)# end

Hierarchical Priority Queuing

This queuing approach allows you to shape traffic and allow a subset of the shaped traffic to be prioritized. I have cleared the configuration from the security appliance in preparation for this new configuration. Notice with this approach, you do not configure a priority queue on the interface. Also notice with this approach the nesting of the Policy Maps.


pixfirewall(config)# class-map CM-VOICE
pixfirewall(config-cmap)# match dscp ef
pixfirewall(config-cmap)# exit
pixfirewall(config)# class-map CM-VOICE-SIGNAL
pixfirewall(config-cmap)# match dscp af31
pixfirewall(config-cmap)# exit
pixfirewall(config)# policy-map PM-VOICE-TRAFFIC
pixfirewall(config-pmap)# class CM-VOICE
pixfirewall(config-pmap-c)# priority
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# class CM-VOICE-SIGNAL
pixfirewall(config-pmap-c)# priority
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
pixfirewall(config)# policy-map PM-ALL-TRAFFIC-SHAPE
pixfirewall(config-pmap)# class class-default
pixfirewall(config-pmap-c)# shape average 2000000 16000
pixfirewall(config-pmap-c)# service-policy PM-VOICE-TRAFFIC
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# service-policy PM-ALL-TRAFFIC-SHAPE interface outside
pixfirewall(config)# end


Verifications for Priority Queuing

These verification commands can be used for both forms of priority queuing. Obviously, you can examine portions of the running configuration to confirm your Modular Policy Framework components. For example:


pixfirewall# show run policy-map
!
policy-map PM-VOICE-TRAFFIC
 class CM-VOICE
  priority
 class CM-VOICE-SIGNAL
  priority
 class class-default
policy-map PM-ALL-TRAFFIC-SHAPE
 class class-default
  shape average 2000000 16000
  service-policy PM-VOICE-TRAFFIC
!

Another example:

pixfirewall# show run class-map
!
class-map CM-VOICE-SIGNAL
 match dscp af31
class-map CM-VOICE
 match dscp ef
!

To verify the statistics of the standard priority queuing configuration, use the following:

pixfirewall# show service-policy priority

Interface outside:
  Service-policy: PM-VOICE-TRAFFIC
    Class-map: CM-VOICE
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 0
    Class-map: CM-VOICE-SIGNAL
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 0

You can also view the priority queue statistics for an interface using the following:

pixfirewall# show priority-queue statistics outside

Priority-Queue Statistics interface outside

Queue Type         = BE
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 0
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0

Queue Type         = LLQ
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 0
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0
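An added example (not from the original post): a small Python parser for the `show priority-queue statistics` output, so the BE and LLQ counters can be polled and checked for tail drops. The sample text and its counter values are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout printed by "show priority-queue statistics";
# the counter values are invented for illustration.
SAMPLE = """\
Priority-Queue Statistics interface outside

Queue Type         = BE
Tail Drops         = 120
Reset Drops        = 0
Packets Transmit   = 48211
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 37

Queue Type         = LLQ
Tail Drops         = 4
Reset Drops        = 0
Packets Transmit   = 9150
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 12
"""

def parse_priority_queue_stats(text):
    """Return {interface: {queue_type: {counter_name: int}}}."""
    stats, iface, queue = {}, None, None
    for line in text.splitlines():
        header = re.match(r"\s*Priority-Queue Statistics interface (\S+)", line)
        if header:
            iface, queue = header.group(1), None
            stats[iface] = {}
            continue
        field = re.match(r"\s*(.+?)\s*=\s*(\S+)\s*$", line)
        if not field or iface is None:
            continue  # blank lines, prompts, anything before the first header
        name, value = field.groups()
        if name == "Queue Type":
            queue = stats[iface].setdefault(value, {})  # starts a BE or LLQ block
        elif queue is not None and value.isdigit():
            queue[name] = int(value)
    return stats

def queues_with_drops(stats):
    """List (interface, queue, tail_drops) for every queue that dropped packets."""
    return [(i, q, c["Tail Drops"]) for i, qs in stats.items()
            for q, c in qs.items() if c.get("Tail Drops", 0) > 0]

if __name__ == "__main__":
    for iface, queue, drops in queues_with_drops(parse_priority_queue_stats(SAMPLE)):
        print(f"{iface} {queue}: {drops} tail drops")
```

A non-zero Tail Drops count under LLQ means priority traffic arrived at a full priority queue, which is the counter to watch when adjusting queue-limit.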

To verify the statistics on the shaping you have done with the hierarchical priority queuing, use the following:

pixfirewall# show service-policy shape

Interface outside:
  Service-policy: PM-ALL-TRAFFIC-SHAPE
    Class-map: class-default
      shape (average) cir 2000000, bc 16000, be 16000
      (pkts output/bytes output) 0/0
      (total drops/no-buffer drops) 0/0
      Service-policy: PM-VOICE-TRAFFIC

The next blog entry on this subject will focus on the shape tool available on the PIX/ASA. Thanks so much for reading!

Tags: asa, llq, mpf, pix, priority-queuing



10 Responses to QoS on the PIX/ASA Part 3: Priority Queuing

September 18, 2008 at 5:11 pm
James
Hi, I found your blog on this new directory of WordPress Blogs at blackhatbootcamp.com/listofwordpressblogs. I don't know how your blog came up, must have been a typo, I dunno. Anyways, I just clicked it and here I am. Your blog looks good. Have a nice day. James.

November 5, 2008 at 7:50 pm
Helena
I would like to see the inscription to be continued :-D

November 10, 2008 at 9:06 am
Jason Roysdon
Note that this requires ASA code 8.0(4) or higher. A few weeks ago I went to add this to an 8.0(3) ASA and it rejected most of the commands until I upgraded it.

February 12, 2009 at 3:16 am
Alexei Monastyrnyi
Signaling should be extended with DSCP CS3. A comment to show service-policy priority would be that the output counters don't really differentiate among classes, here is how it looks in production environment, it is 7.2.4 BTW and all works fine:

asa-chicago(config)# sh ver | in Ver
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)
asa-chicago(config)# sh run class-map
!
class-map Voice-Signal-cs3
 description CUCM voice and control traffic
 match dscp cs3
class-map Voice
 description CUCM voice and control traffic
 match dscp ef
class-map Voice-Signal-af31
 description CUCM voice and control traffic
 match dscp af31
asa-chicago(config)# sh run policy-map VoicePolicy
!
policy-map VoicePolicy
 class Voice
  priority
 class Voice-Signal-cs3
  priority
 class Voice-Signal-af31
  priority
 class class-default
!
asa-chicago(config)# show service-policy priority

Interface outside:
  Service-policy: VoicePolicy
    Class-map: Voice
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 3472296
    Class-map: Voice-Signal-cs3
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 3472296
    Class-map: Voice-Signal-af31
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 3472296

July 8, 2009 at 8:16 am
romonoeroetoko
Hm that sounds good but I would like to know more details.

July 15, 2009 at 9:47 am
romonoeroetoko
Your news is a cool stuff man, keep it going.

July 31, 2009 at 9:51 am
amenodimeno
That's good man, keep it going.

November 13, 2009 at 8:16 am
Dave Long
Can I set up priority queueing on a physical interface that has sub-interfaces and, if so, will it prioritize traffic on all sub-interfaces or just that on the physical interface? Thanks.

January 6, 2010 at 11:32 am
adamusxyz
This is a very good stuff man. But you can be more specific next time. See ya!

September 4, 2010 at 5:54 pm
Jayson
It is my understanding that your Standard Priority Queuing section won't actually do anything. LLQ only kicks in when the interface is 100% saturated, which isn't likely to happen often on a 100Mb interface. You need to use policing or shaping in tandem with priority queuing for this to actually do anything. Please correct me if I'm wrong.


2010 Internetwork Expert, Inc., All Rights Reserved
