Cisco ASA Services Module ASDM Configuration Guide, 6.5
Configuring QoS

Configuring QoS


Have you ever participated in a long-distance phone call that involved a satellite connection? The conversation might be interrupted with brief, but perceptible, gaps at odd intervals. Those gaps are the time, called the latency, between the arrival of packets being transmitted over the network. Some network traffic, such as voice and video, cannot tolerate long latency times. Quality of service (QoS) is a feature that lets you give priority to critical traffic, prevent bandwidth hogging, and manage network bottlenecks to prevent packet drops.


Note: For the ASASM, we suggest performing QoS on the switch instead of the ASASM. Switches have more capability in this area.


This chapter describes how to apply QoS policies and includes the following sections:

Information About QoS

Licensing Requirements for QoS

Guidelines and Limitations

Configuring QoS

Monitoring QoS

Feature History for QoS

Information About QoS

You should consider that in an ever-changing network environment, QoS is not a one-time deployment, but an ongoing, essential part of network design.

This section describes the QoS features supported by the ASASM and includes the following topics:

Supported QoS Features

What is a Token Bucket?

Information About Policing

DSCP and DiffServ Preservation

Supported QoS Features

The ASASM supports the following QoS features:

Policing—To prevent individual flows from hogging the network bandwidth, you can limit the maximum bandwidth used per flow. See the "Information About Policing" section for more information.

What is a Token Bucket?

A token bucket is used to manage a device that regulates the data in a flow. For example, the regulator might be a traffic policer or a traffic shaper. A token bucket itself has no discard or priority policy. Rather, a token bucket discards tokens and leaves to the flow the problem of managing its transmission queue if the flow overdrives the regulator.

A token bucket is a formal definition of a rate of transfer. It has three components: a burst size, an average rate, and a time interval. Although the average rate is generally represented as bits per second, any one of the three values may be derived from the other two by the following relation:

average rate = burst size / time interval

Here are some definitions of these terms:

Average rate—Also called the committed information rate (CIR), it specifies how much data can be sent or forwarded per unit time on average.

Burst size—Also called the Committed Burst (Bc) size, it specifies in bits or bytes per burst how much traffic can be sent within a given unit of time to not create scheduling concerns. (For traffic shaping, it specifies bits per burst; for policing, it specifies bytes per burst.)

Time interval—Also called the measurement interval, it specifies the time quantum in seconds per burst.

In the token bucket metaphor, tokens are put into the bucket at a certain rate. The bucket itself has a specified capacity. If the bucket fills to capacity, newly arriving tokens are discarded. Each token is permission for the source to send a certain number of bits into the network. To send a packet, the regulator must remove from the bucket a number of tokens equal in representation to the packet size.

If not enough tokens are in the bucket to send a packet, the packet either waits until the bucket has enough tokens (in the case of traffic shaping) or the packet is discarded or marked down (in the case of policing). If the bucket is already full of tokens, incoming tokens overflow and are not available to future packets. Thus, at any time, the largest burst a source can send into the network is roughly proportional to the size of the bucket.

Information About Policing

Policing is a way of ensuring that no traffic exceeds the maximum rate (in bits/second) that you configure, thus ensuring that no one traffic flow or class can take over the entire resource. When traffic exceeds the maximum rate, the ASASM drops the excess traffic. Policing also sets the largest single burst of traffic allowed.
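The following added example (not Cisco code) models the token bucket and policing behavior described above, using the cir 56000 bps and bc 10500 bytes values from the sample output later in this chapter. The bucket starting full, the integer millibit accounting, and the traffic pattern are assumptions made for the illustration.

```python
class TokenBucketPolicer:
    """Single-rate policer: conforming packets are transmitted, the rest dropped."""

    def __init__(self, cir_bps, bc_bytes):
        self.cir_bps = cir_bps
        # Tokens are kept in millibits so that refills per millisecond stay integers.
        self.capacity = bc_bytes * 8000
        self.tokens = self.capacity      # assumption: the bucket starts full
        self.last_ms = 0

    def interval_seconds(self):
        # time interval = burst size / average rate
        return (self.capacity / 1000) / self.cir_bps

    def offer(self, now_ms, size_bytes):
        # Refill for the elapsed time; tokens beyond capacity overflow and are lost.
        earned = (now_ms - self.last_ms) * self.cir_bps
        self.tokens = min(self.capacity, self.tokens + earned)
        self.last_ms = now_ms
        cost = size_bytes * 8000
        if cost <= self.tokens:
            self.tokens -= cost
            return "transmit"            # conform action
        return "drop"                    # exceed action; a shaper would queue instead


def constructed_traffic():
    """(arrival time in ms, packet size in bytes); constructed for this example."""
    burst = [(0, 1500)] * 10                              # 15000 bytes at once
    steady = [(t, 700) for t in range(100, 1100, 100)]    # exactly 56000 bps
    after_idle = [(5000, 1500)] * 8                       # burst after 4 s idle
    return burst + steady + after_idle


def police(policer, packets):
    """Return {action: [packets, bytes]} in the style of the police counters."""
    totals = {"transmit": [0, 0], "drop": [0, 0]}
    for now_ms, size in packets:
        entry = totals[policer.offer(now_ms, size)]
        entry[0] += 1
        entry[1] += size
    return totals


if __name__ == "__main__":
    p = TokenBucketPolicer(cir_bps=56000, bc_bytes=10500)
    print(p.interval_seconds(), police(p, constructed_traffic()))
```

The second burst arrives after four seconds of idle time, yet only 10500 bytes of it conform, because tokens earned beyond the bucket capacity are discarded.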

DSCP and DiffServ Preservation

DSCP markings are preserved on all traffic passing through the ASASM.

The ASASM does not locally mark/remark any classified traffic, but it honors the Expedited Forwarding (EF) DSCP bits of every packet to determine if it requires "priority" handling and will direct those packets to the LLQ.

DiffServ marking is preserved on packets when they traverse the service provider backbone so that QoS can be applied in transit (QoS tunnel pre-classification).

Licensing Requirements for QoS

The following table shows the licensing requirements for this feature:

Model          License Requirement
All models     Base License.


Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single context mode only. Does not support multiple context mode.

Firewall Mode Guidelines

Supported in routed firewall mode only. Does not support transparent firewall mode.

IPv6 Guidelines

Does not support IPv6.

Model Guidelines

(ASASM) Only policing is supported.

Additional Guidelines and Limitations

QoS is applied unidirectionally; only traffic that enters (or exits) the interface to which you apply the policy map is affected. See the "Feature Directionality" section for more information.

For policing, to-the-box traffic is not supported.

Configuring QoS

This section includes the following topics:

Configuring a Service Rule for Policing

Configuring a Service Rule for Policing

To create a policy map, perform the following steps.

Restrictions

You cannot use the class-default class map for priority traffic.

For policing, to-the-box traffic is not supported.

Guidelines

For policing traffic, you can choose to police all other traffic, or you can limit the traffic to certain types.

Detailed Steps


Step 1 To configure policing, configure a service policy rule in the Configuration > Firewall > Service Policy Rules pane according to Chapter 29 "Configuring a Service Policy."

You can configure QoS as part of a new service policy rule, or you can edit an existing service policy.

Step 2 In the Rule Actions dialog box, click the QoS tab.

Step 3 Click Enable policing, then check the Input policing or Output policing (or both) check boxes to enable the specified type of traffic policing. For each type of traffic policing, configure the following fields:

Committed Rate—The rate limit for this traffic flow; this is a value in the range 8000-2000000000, specifying the maximum speed (bits per second) allowed.

Conform Action—The action to take when the rate is less than the conform-burst value. Values are transmit or drop.

Exceed Action—Take this action when the rate is between the conform-rate value and the conform-burst value. Values are transmit or drop.

Burst Rate—A value in the range 1000-512000000, specifying the maximum number of instantaneous bytes allowed in a sustained burst before throttling to the conforming rate value.

Step 4 Click Finish. The service policy rule is added to the rule table.

Step 5 Click Apply to send the configuration to the device.


Monitoring QoS

To monitor QoS in ASDM, you can enter commands at the Command Line Interface tool. This section includes the following topics:

Viewing QoS Police Statistics

Viewing QoS Police Statistics

To view the QoS statistics for traffic policing, use the show service-policy command with the police keyword:

hostname# show service-policy police

The following is sample output for the show service-policy police command:

hostname# show service-policy police
Global policy:
	Service-policy: global_fw_policy
Interface outside:
	Service-policy: qos
		Class-map: browse
			police Interface outside:
				cir 56000 bps, bc 10500 bytes
				conformed 10065 packets, 12621510 bytes; actions: transmit
				exceeded 499 packets, 625146 bytes; actions: drop
				conformed 5600 bps, exceed 5016 bps
		Class-map: cmap2
			police Interface outside:
				cir 200000 bps, bc 37500 bytes
				conformed 17179 packets, 20614800 bytes; actions: transmit
				exceeded 617 packets, 770718 bytes; actions: drop
				conformed 198785 bps, exceed 2303 bps
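The following added example (not Cisco code) parses the sample output above and reports, per class map, the share of packets the policer counted as exceeding. The 4 percent flagging threshold and the function names are assumptions, and class-map names are assumed to be unique across interfaces.

```python
import re

# Sample output copied from this page (tabs replaced by spaces).
SAMPLE = """\
hostname# show service-policy police
Global policy:
  Service-policy: global_fw_policy
Interface outside:
  Service-policy: qos
    Class-map: browse
      police Interface outside:
        cir 56000 bps, bc 10500 bytes
        conformed 10065 packets, 12621510 bytes; actions: transmit
        exceeded 499 packets, 625146 bytes; actions: drop
        conformed 5600 bps, exceed 5016 bps
    Class-map: cmap2
      police Interface outside:
        cir 200000 bps, bc 37500 bytes
        conformed 17179 packets, 20614800 bytes; actions: transmit
        exceeded 617 packets, 770718 bytes; actions: drop
        conformed 198785 bps, exceed 2303 bps
"""

CLASS = re.compile(r"Class-map:\s*(\S+)")
LIMITS = re.compile(r"cir (\d+) bps, bc (\d+) bytes")
COUNTS = re.compile(r"(conformed|exceeded) (\d+) packets, (\d+) bytes")

def parse_police(text):
    """Return {class_name: {cir_bps, bc_bytes, conformed, exceeded}}."""
    classes, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := CLASS.match(line):
            cur = classes.setdefault(m.group(1), {})
        elif cur is not None and (m := LIMITS.match(line)):
            cur["cir_bps"], cur["bc_bytes"] = int(m.group(1)), int(m.group(2))
        elif cur is not None and (m := COUNTS.match(line)):
            # Stored as (packets, bytes); the trailing "... bps" rate line is skipped.
            cur[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return classes

def exceed_share(stats):
    """Fraction of offered packets that the policer counted as exceeding."""
    conformed = stats.get("conformed", (0, 0))[0]
    exceeded = stats.get("exceeded", (0, 0))[0]
    total = conformed + exceeded
    return exceeded / total if total else 0.0

def flag_classes(classes, threshold=0.04):   # threshold is an assumed value
    return [n for n, s in classes.items() if exceed_share(s) > threshold]
```

Because the counters are cumulative, comparing two snapshots taken some time apart shows whether a class is exceeding its rate now rather than at some point in the past.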

Feature History for QoS

Table 45-1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 45-1 Feature History for QoS 

Feature Name: Priority queuing and policing
Platform Releases: 7.0(1)
Feature Information: We introduced QoS priority queuing and policing.

We introduced the following screens:

Configuration > Device Management > Advanced > Priority Queue
Configuration > Firewall > Service Policy Rules

We modified the following screen: Configuration > Firewall > Service Policy Rules.