Cisco ASA Services Module CLI Configuration Guide, 8.5
Configuring QoS

Table Of Contents

Configuring QoS

Information About QoS

Supported QoS Features

What is a Token Bucket?

Information About Policing

DSCP and DiffServ Preservation

Licensing Requirements for QoS

Guidelines and Limitations

Configuring QoS

Configuring a Service Rule for Policing

Monitoring QoS

Viewing QoS Police Statistics

Feature History for QoS


Configuring QoS


Have you ever participated in a long-distance phone call that involved a satellite connection? The conversation might be interrupted with brief, but perceptible, gaps at odd intervals. Those gaps are the time, called the latency, between the arrival of packets being transmitted over the network. Some network traffic, such as voice and video, cannot tolerate long latency times. Quality of service (QoS) is a feature that lets you give priority to critical traffic, prevent bandwidth hogging, and manage network bottlenecks to prevent packet drops.


Note: For the ASASM, we suggest performing QoS on the switch instead of the ASASM. Switches have more capability in this area.


This chapter describes how to apply QoS policies and includes the following sections:

Information About QoS

Licensing Requirements for QoS

Guidelines and Limitations

Configuring QoS

Monitoring QoS

Feature History for QoS

Information About QoS

You should consider that in an ever-changing network environment, QoS is not a one-time deployment, but an ongoing, essential part of network design.

This section describes the QoS features supported by the ASASM and includes the following topics:

Supported QoS Features

What is a Token Bucket?

Information About Policing

DSCP and DiffServ Preservation

Supported QoS Features

The ASASM supports the following QoS features:

Policing—To prevent individual flows from hogging the network bandwidth, you can limit the maximum bandwidth used per flow. See the "Information About Policing" section for more information.

What is a Token Bucket?

A token bucket is used to manage a device that regulates the data in a flow. For example, the regulator might be a traffic policer or a traffic shaper. A token bucket itself has no discard or priority policy. Rather, a token bucket discards tokens and leaves to the flow the problem of managing its transmission queue if the flow overdrives the regulator.

A token bucket is a formal definition of a rate of transfer. It has three components: a burst size, an average rate, and a time interval. Although the average rate is generally represented as bits per second, any two values may be derived from the third by the relation shown as follows:

average rate = burst size / time interval

Here are some definitions of these terms:

Average rate—Also called the committed information rate (CIR), it specifies how much data can be sent or forwarded per unit time on average.

Burst size—Also called the Committed Burst (Bc) size, it specifies in bits or bytes per burst how much traffic can be sent within a given unit of time to not create scheduling concerns. (For traffic shaping, it specifies bits per burst; for policing, it specifies bytes per burst.)

Time interval—Also called the measurement interval, it specifies the time quantum in seconds per burst.

In the token bucket metaphor, tokens are put into the bucket at a certain rate. The bucket itself has a specified capacity. If the bucket fills to capacity, newly arriving tokens are discarded. Each token is permission for the source to send a certain number of bits into the network. To send a packet, the regulator must remove from the bucket a number of tokens equal in representation to the packet size.

If not enough tokens are in the bucket to send a packet, the packet either waits until the bucket has enough tokens (in the case of traffic shaping) or the packet is discarded or marked down (in the case of policing). If the bucket is already full of tokens, incoming tokens overflow and are not available to future packets. Thus, at any time, the largest burst a source can send into the network is roughly proportional to the size of the bucket.

Information About Policing

Policing is a way of ensuring that no traffic exceeds the maximum rate (in bits/second) that you configure, thus ensuring that no one traffic flow or class can take over the entire resource. When traffic exceeds the maximum rate, the ASASM drops the excess traffic. Policing also sets the largest single burst of traffic allowed.
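
The token bucket arithmetic and the drop-on-exceed policing behavior described above, as an added example (not Cisco code, and not a statement of how the ASASM implements policing). The class and function names are hypothetical, the bucket is assumed to start full, and the packet arrivals are constructed; the rate and burst are the 56000 bps and 10500 byte values used in this chapter's examples.

```python
class TokenBucketPolicer:
    """Single-rate policer: conforming packets pass, excess packets are dropped."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps          # average rate (CIR), bits per second
        self.burst_bytes = burst_bytes    # burst size (Bc) = bucket capacity, bytes
        self.tokens = float(burst_bytes)  # assumption: the bucket starts full
        self.last = 0.0                   # time of the previous arrival, seconds

    def time_interval(self):
        """Time interval = burst size / average rate, with the burst in bits."""
        return self.burst_bytes * 8 / self.rate_bps

    def offer(self, now, size_bytes):
        """Refill for the elapsed time, then spend tokens or reject the packet."""
        earned = (now - self.last) * self.rate_bps / 8   # tokens counted in bytes
        self.tokens = min(self.burst_bytes, self.tokens + earned)  # overflow is lost
        self.last = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "conform"
        return "exceed"   # a policer drops here; a shaper would queue instead


def run(policer, arrivals):
    """arrivals: (time_s, size_bytes) pairs in time order -> packets per verdict."""
    counts = {"conform": 0, "exceed": 0}
    for now, size in arrivals:
        counts[policer.offer(now, size)] += 1
    return counts


def demo():
    """Constructed bursts of ten 1500-byte packets against a 56000 bps policer."""
    p = TokenBucketPolicer(56000, 10500)
    burst = run(p, [(0.0, 1500)] * 10)                    # back-to-back at t=0
    refilled = run(p, [(p.time_interval(), 1500)] * 10)   # one interval later
    idle = run(p, [(600.0, 1500)] * 10)                   # idle time earns no extra burst
    return p.time_interval(), burst, refilled, idle


if __name__ == "__main__":
    print(demo())
```

Each burst passes seven packets and rejects three: the bucket never holds more than the configured burst size, no matter how long the flow was idle.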

DSCP and DiffServ Preservation

DSCP markings are preserved on all traffic passing through the ASASM.

The ASASM does not locally mark/remark any classified traffic, but it honors the Expedited Forwarding (EF) DSCP bits of every packet to determine if it requires "priority" handling and will direct those packets to the LLQ.

DiffServ marking is preserved on packets when they traverse the service provider backbone so that QoS can be applied in transit (QoS tunnel pre-classification).

Licensing Requirements for QoS

The following table shows the licensing requirements for this feature:

Model          License Requirement
All models     Base License.


Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single context mode only. Does not support multiple context mode.

Firewall Mode Guidelines

Supported in routed firewall mode only. Does not support transparent firewall mode.

IPv6 Guidelines

Does not support IPv6.

Model Guidelines

(ASASM) Only policing is supported.

Additional Guidelines and Limitations

QoS is applied unidirectionally; only traffic that enters (or exits) the interface to which you apply the policy map is affected. See the "Feature Directionality" section for more information.

For policing, to-the-box traffic is not supported.

Configuring QoS

This section includes the following topics:

Configuring a Service Rule for Policing

Configuring a Service Rule for Policing

To create a policy map, perform the following steps.

Restrictions

You cannot use the class-default class map for priority traffic.

For policing, to-the-box traffic is not supported.

Guidelines

For policing traffic, you can choose to police all other traffic, or you can limit the traffic to certain types.

Detailed Steps

 
Command
Purpose

Step 1 

class-map policing_map_name

Example:

hostname(config)# class-map policing_traffic

For policing traffic, creates a class map to identify the traffic for which you want to perform policing.

Step 2 

match parameter

Example:

hostname(config-cmap)# match access-list policing

Specifies the traffic in the class map. See the "Identifying Traffic (Layer 3/4 Class Maps)" section for more information.

Step 3 

policy-map name

Example:
hostname(config)# policy-map QoS_policy

Adds or edits a policy map.

Step 4 

class policing_map_name

Example:
hostname(config-pmap)# class policing_traffic

Identifies the class map you created for policed traffic in Step 1.

Step 5 

police {output | input} conform-rate [conform-burst] [conform-action [drop | transmit]] [exceed-action [drop | transmit]]

Example:
hostname(config-pmap-c)# police output 56000 10500

Configures policing for the class. See the following options:

conform-burst argument—Specifies the maximum number of instantaneous bytes allowed in a sustained burst before throttling to the conforming rate value, between 1000 and 512000000 bytes.

conform-action—Sets the action to take when the rate is less than the conform-burst value.

conform-rate—Sets the rate limit for this traffic flow; between 8000 and 2000000000 bits per second.

drop—Drops the packet.

exceed-action—Sets the action to take when the rate is between the conform-rate value and the conform-burst value.

input—Enables policing of traffic flowing in the input direction.

output—Enables policing of traffic flowing in the output direction.

transmit—Transmits the packet.

Step 6 

service-policy policymap_name {global | interface interface_name}

Example:

hostname(config)# service-policy QoS_policy interface inside

Activates the policy map on one or more interfaces. global applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.

Examples

Example 45-1 Policing Example

In this example, the tcp_traffic class has a maximum rate of 56,000 bits/second and a maximum burst size of 10,500 bytes per second. The TG1-BestEffort class has a maximum rate of 200,000 bits/second and a maximum burst of 37,500 bytes/second.

hostname(config)# access-list tcp_traffic permit tcp any any
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match access-list tcp_traffic

hostname(config-cmap)# class-map TG1-BestEffort
hostname(config-cmap)# match tunnel-group tunnel-grp1
hostname(config-cmap)# match flow ip destination-address

hostname(config)# policy-map qos
hostname(config-pmap)# class tcp_traffic
hostname(config-pmap-c)# police output 56000 10500

hostname(config-pmap-c)# class TG1-BestEffort
hostname(config-pmap-c)# police output 200000 37500

hostname(config-pmap-c)# class class-default
hostname(config-pmap-c)# police output 1000000 37500

hostname(config-pmap-c)# service-policy qos global

Monitoring QoS

This section includes the following topics:

Viewing QoS Police Statistics

Viewing QoS Police Statistics

To view the QoS statistics for traffic policing, use the show service-policy command with the police keyword:

hostname# show service-policy police

The following is sample output for the show service-policy police command:

hostname# show service-policy police

Global policy:
	Service-policy: global_fw_policy

Interface outside:
	Service-policy: qos
		Class-map: browse
			police Interface outside:
				cir 56000 bps, bc 10500 bytes
				conformed 10065 packets, 12621510 bytes; actions: transmit
				exceeded 499 packets, 625146 bytes; actions: drop
				conformed 5600 bps, exceed 5016 bps
		Class-map: cmap2
			police Interface outside:
				cir 200000 bps, bc 37500 bytes
				conformed 17179 packets, 20614800 bytes; actions: transmit
				exceeded 617 packets, 770718 bytes; actions: drop
				conformed 198785 bps, exceed 2303 bps
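
One way to turn the counters in the sample output above into a per-class check, as an added example that is not part of the Cisco guide. The parsing assumes only the line layout shown in that sample, the function names are hypothetical, and the 4 percent threshold is an arbitrary illustration value.

```python
import re

# Interface stanza of the sample output on this page (Global policy lines omitted).
SAMPLE = """\
Interface outside:
    Service-policy: qos
        Class-map: browse
            police Interface outside:
                cir 56000 bps, bc 10500 bytes
                conformed 10065 packets, 12621510 bytes; actions: transmit
                exceeded 499 packets, 625146 bytes; actions: drop
                conformed 5600 bps, exceed 5016 bps
        Class-map: cmap2
            police Interface outside:
                cir 200000 bps, bc 37500 bytes
                conformed 17179 packets, 20614800 bytes; actions: transmit
                exceeded 617 packets, 770718 bytes; actions: drop
                conformed 198785 bps, exceed 2303 bps
"""

COUNTER = re.compile(r"^(conformed|exceeded) (\d+) packets, (\d+) bytes; actions: (\w+)$")
LIMITS = re.compile(r"^cir (\d+) bps, bc (\d+) bytes$")

def parse_police(text):
    """Return {(interface, class_map): stats} from 'show service-policy police' text."""
    stats, iface, cur = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface ") and line.endswith(":"):
            iface, cur = line[len("Interface "):-1], None
        elif line.startswith("Class-map: "):
            cur = stats.setdefault((iface, line.split(": ", 1)[1]), {})
        elif cur is not None and (m := LIMITS.match(line)):
            cur["cir_bps"], cur["bc_bytes"] = int(m[1]), int(m[2])
        elif cur is not None and (m := COUNTER.match(line)):
            cur[m[1]] = {"packets": int(m[2]), "bytes": int(m[3]), "action": m[4]}
    return stats

def flag_classes(text, threshold=0.04):
    """Classes whose exceeded share of offered bytes is above threshold."""
    flagged = []
    for key, entry in parse_police(text).items():
        if "conformed" not in entry or "exceeded" not in entry:
            continue  # counters missing or truncated output: nothing to compare
        over = entry["exceeded"]["bytes"]
        total = over + entry["conformed"]["bytes"]
        if total and over / total > threshold:
            flagged.append((key, round(over / total, 4)))
    return flagged
```

The trailing "conformed ... bps, exceed ... bps" rate lines are deliberately not matched by the counter pattern, so they cannot overwrite the packet and byte totals.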
 
   

Feature History for QoS

Table 45-1 lists each feature change and the platform release in which it was implemented.

Table 45-1 Feature History for QoS 

Feature Name: Priority queuing and policing
Platform Releases: 7.0(1)
Feature Information: We introduced QoS priority queuing and policing.

We introduced the following commands: priority-queue, queue-limit, tx-ring-limit, priority, police, show priority-queue statistics, show service-policy police, show service-policy priority, show running-config priority-queue, clear configure priority-queue.

 

   

We introduced the following commands: shape, show service-policy shape.