Have you ever participated in a long-distance phone call that involved a satellite connection? The conversation might be interrupted with brief, but perceptible, gaps at odd intervals. Those gaps are the time, called the latency, between the arrival of packets being transmitted over the network. Some network traffic, such as voice and video, cannot tolerate long latency times. Quality of service (QoS) is a feature that lets you give priority to critical traffic, prevent bandwidth hogging, and manage network bottlenecks to prevent packet drops.
Note For the ASASM, we suggest performing QoS on the switch instead of the ASASM. Switches have more capability in this area.
This chapter describes how to apply QoS policies and includes the following sections:
You should consider that in an ever-changing network environment, QoS is not a one-time deployment, but an ongoing, essential part of network design.
This section describes the QoS features supported by the ASA and includes the following topics:
The ASA supports the following QoS features:
A token bucket is used to manage a device that regulates the data in a flow. For example, the regulator might be a traffic policer or a traffic shaper. A token bucket itself has no discard or priority policy. Rather, a token bucket discards tokens and leaves to the flow the problem of managing its transmission queue if the flow overdrives the regulator.
A token bucket is a formal definition of a rate of transfer. It has three components: a burst size, an average rate, and a time interval. Although the average rate is generally represented as bits per second, given any two of these values the third may be derived from the following relation:
average rate = burst size / time interval
Here are some definitions of these terms:
In the token bucket metaphor, tokens are put into the bucket at a certain rate. The bucket itself has a specified capacity. If the bucket fills to capacity, newly arriving tokens are discarded. Each token is permission for the source to send a certain number of bits into the network. To send a packet, the regulator must remove from the bucket a number of tokens equal in representation to the packet size.
If not enough tokens are in the bucket to send a packet, the packet either waits until the bucket has enough tokens (in the case of traffic shaping) or the packet is discarded or marked down (in the case of policing). If the bucket is already full of tokens, incoming tokens overflow and are not available to future packets. Thus, at any time, the largest burst a source can send into the network is roughly proportional to the size of the bucket.
Note that the token bucket mechanism used for traffic shaping has both a token bucket and a data buffer, or queue; if it did not have a data buffer, it would be a policer. For traffic shaping, packets that arrive that cannot be sent immediately are delayed in the data buffer.
For traffic shaping, a token bucket permits burstiness but bounds it. It guarantees that the burstiness is bounded so that the flow will never send faster than the token bucket capacity, divided by the time interval, plus the established rate at which tokens are placed in the token bucket. See the following formula:
(token bucket capacity in bits / time interval in seconds) + established rate in bps = maximum flow speed in bps
This method of bounding burstiness also guarantees that the long-term transmission rate will not exceed the established rate at which tokens are placed in the bucket.
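The following Python program is an added illustration and is not part of the Cisco documentation. It simulates the token bucket described above with constructed traffic: a policer that drops packets it cannot pay for, a shaper that holds them in a data buffer until enough tokens accrue, and the bound on the largest amount a source can send in a given interval (bucket capacity plus rate times interval). Rates, packet sizes and the bucket capacity are constructed sample values.

```python
"""Token-bucket policer and shaper simulation (added example, not from the ASA guide).

Tokens are bits: they accrue at the established rate up to the bucket capacity,
and a packet needs as many tokens as it has bits. A policer drops packets it
cannot pay for; a shaper queues them and releases them as tokens arrive.
All inputs below are constructed for illustration.
"""
from collections import deque


class TokenBucket:
    """Bucket holding up to `capacity_bits` tokens, refilled at `rate_bps` tokens per second."""

    def __init__(self, rate_bps: float, capacity_bits: float):
        self.rate = float(rate_bps)
        self.capacity = float(capacity_bits)
        self.tokens = self.capacity       # a quiet source finds the bucket full
        self.last = 0.0                   # simulation clock of the last refill

    def refill(self, now: float) -> None:
        """Add rate * elapsed tokens; tokens beyond capacity overflow and are lost."""
        self.tokens = min(self.capacity, self.tokens + self.rate * (now - self.last))
        self.last = now

    def take(self, bits: int) -> bool:
        """Remove `bits` tokens if available; False means the packet cannot be sent yet."""
        if self.tokens >= bits:
            self.tokens -= bits
            return True
        return False


def police(packets, rate_bps, burst_bits):
    """Policer: packets are (arrival_time_s, size_bits); returns (sent, dropped) lists."""
    bucket = TokenBucket(rate_bps, burst_bits)
    sent, dropped = [], []
    for t, bits in packets:
        bucket.refill(t)
        (sent if bucket.take(bits) else dropped).append((t, bits))
    return sent, dropped


def shape(packets, rate_bps, burst_bits):
    """Shaper: the same bucket plus a FIFO data buffer; returns [(arrival, departure, bits)].

    A packet that cannot be paid for waits in the buffer and leaves exactly when
    enough tokens have accrued, so nothing is dropped. The buffer is unbounded
    here; the ASA tail-drops once its queue limit is reached.
    """
    bucket = TokenBucket(rate_bps, burst_bits)
    queue = deque(sorted(packets))
    departures = []
    now = 0.0
    while queue:
        t, bits = queue.popleft()
        now = max(now, t)                 # not before arrival, not before the previous departure
        bucket.refill(now)
        if not bucket.take(bits):
            shortfall = bits - bucket.tokens
            now += shortfall / bucket.rate  # wait until the missing tokens have accrued
            bucket.refill(now)
            bucket.take(bits)
        departures.append((t, now, bits))
    return departures


def max_flow_bits(burst_bits, rate_bps, interval_s):
    """Largest amount a source can send in `interval_s`: bucket capacity plus rate * interval."""
    return burst_bits + rate_bps * interval_s


def demo():
    """Constructed case: ten 1500-byte (12000-bit) packets arriving together at t = 0."""
    packets = [(0.0, 12000)] * 10
    rate, burst = 64000, 48000          # 64 kbps established rate, bucket holds four packets
    sent, dropped = police(packets, rate, burst)
    timeline = shape(packets, rate, burst)
    # policer: 4 sent, 6 dropped; shaper: last packet leaves at 1.125 s
    return len(sent), len(dropped), round(timeline[-1][1], 3)


if __name__ == "__main__":
    print(demo())
```

With a bucket of four packets, the policer passes the first four and drops the other six because no tokens arrive at t = 0, while the shaper delays each later packet by 12000 / 64000 = 0.1875 s, the time the bucket needs to earn one packet's worth of tokens.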
Policing is a way of ensuring that no traffic exceeds the maximum rate (in bits/second) that you configure, thus ensuring that no one traffic flow or class can take over the entire resource. When traffic exceeds the maximum rate, the ASA drops the excess traffic. Policing also sets the largest single burst of traffic allowed.
LLQ priority queuing lets you prioritize certain traffic flows (such as latency-sensitive traffic like voice and video) ahead of other traffic.
The ASA supports two types of priority queuing:
– Priority packets are always queued at the head of the shape queue so they are always transmitted ahead of other non-priority queued packets.
– Priority packets are never dropped from the shape queue unless the sustained rate of priority traffic exceeds the shape rate.
– For IPsec-encrypted packets, you can only match traffic based on the DSCP or precedence setting.
– IPsec-over-TCP is not supported for priority traffic classification.
Traffic shaping is used to match device and link speeds, thereby controlling packet loss, variable delay, and link saturation, which can cause jitter and delay.
Note Traffic shaping is only supported on the ASA 5505.
– The queue size is calculated based on the shape rate. The queue can hold the equivalent of 200-milliseconds worth of shape rate traffic, assuming a 1500-byte packet. The minimum queue size is 64.
– When the queue limit is reached, packets are tail-dropped.
– Certain critical keep-alive packets such as OSPF Hello packets are never dropped.
– The time interval is derived by time_interval = burst_size / average_rate. The larger the time interval is, the burstier the shaped traffic might be, and the longer the link might be idle. The effect can be best understood using the following exaggerated example:
In the above example, the time interval is 1 second, which means that 1 Mbps of traffic can be burst out within the first 10 milliseconds of the 1-second interval on a 100 Mbps FE link, leaving the remaining 990 milliseconds idle, with no packets sent until the next time interval. So if there is delay-sensitive traffic such as voice traffic, the burst size should be reduced relative to the average rate so that the time interval is reduced.
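The following Python calculator is an added example, not part of the Cisco documentation. It applies the relation time_interval = burst_size / average_rate from the text, works out how long a link of a given speed is busy and idle within one interval, derives the default burst the shape command uses when none is given (4 milliseconds of traffic at the average rate), and sizes a burst for a chosen delay budget. The 1 Mbit burst, 1 Mbps average rate and 100 Mbps link are the figures from the example above; the 20 ms budget is a constructed value.

```python
"""Traffic-shaping interval calculator (added example, not from the ASA guide).

Units: bits and bits per second in, seconds out.
"""


def time_interval_s(burst_bits: int, average_rate_bps: int) -> float:
    """Length of one shaping interval: the burst is released, then the link waits."""
    return burst_bits / average_rate_bps


def interval_profile(burst_bits: int, average_rate_bps: int, link_rate_bps: int):
    """Return (interval_s, busy_s, idle_s) for one shaping interval on a link.

    busy_s is the time the link needs to serialise the burst at line rate;
    idle_s is the rest of the interval, during which nothing can be sent.
    """
    interval = time_interval_s(burst_bits, average_rate_bps)
    busy = burst_bits / link_rate_bps
    return interval, busy, max(0.0, interval - busy)


def default_burst_bits(average_rate_bps: int, ms: int = 4) -> int:
    """Burst used when none is configured: `ms` milliseconds of traffic at the average rate."""
    return average_rate_bps * ms // 1000


def burst_for_max_interval(average_rate_bps: int, max_interval_s: float) -> int:
    """Largest burst that keeps the interval at or below a delay budget (e.g. for voice)."""
    return int(average_rate_bps * max_interval_s)


if __name__ == "__main__":
    # The exaggerated case from the text: 1 Mbit burst at 1 Mbps on a 100 Mbps FE link.
    print(interval_profile(1_000_000, 1_000_000, 100_000_000))   # (1.0, 0.01, 0.99)
    print(default_burst_bits(1_000_000))                          # 4000
    print(burst_for_max_interval(1_000_000, 0.020))               # 20000, a 20 ms interval
```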
You can configure each of the QoS features alone if desired for the ASA. Often, though, you configure multiple QoS features on the ASA so you can prioritize some traffic, for example, and prevent other traffic from causing bandwidth problems.
See the following supported feature combinations per interface:
You cannot configure priority queuing and policing for the same set of traffic.
You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed. For example, if you configure standard priority queuing for the global policy, and then configure traffic shaping for a specific interface, the feature you configured last is rejected because the global policy overlaps the interface policy.
Typically, if you enable traffic shaping, you do not also enable policing for the same traffic, although the ASA does not restrict you from configuring this.
The following table shows the licensing requirements for this feature:
This section includes the guidelines and limitations for this feature.
Supported in single context mode only. Does not support multiple context mode.
Supported in routed firewall mode only. Does not support transparent firewall mode.
Additional Guidelines and Limitations
This section includes the following topics:
To determine the priority queue and TX ring limits, use the worksheets below.
Table 19-1 shows how to calculate the priority queue size. Because queues are not of infinite size, they can fill and overflow. When a queue is full, any additional packets cannot get into the queue and are dropped (called tail drop). To avoid having the queue fill up, you can adjust the queue buffer size as described in Configuring the Standard Priority Queue for an Interface.
[Table 19-1 Priority queue size worksheet. Inputs: outbound bandwidth (Mbps or Kbps), average packet size (bytes), and delay (ms).]
Table 19-2 shows how to calculate the TX ring limit. This limit determines the maximum number of packets allowed into the Ethernet transmit driver before the driver pushes back to the queues on the interface to let them buffer packets until the congestion clears. This setting guarantees that the hardware-based transmit ring imposes a limited amount of extra latency for a high-priority packet.
[Table 19-2 TX ring limit worksheet. Inputs: outbound bandwidth (Mbps or Kbps), maximum packet size (bytes), and delay (ms).]
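The following Python program is an added example, not part of the Cisco documentation, and the formula it uses is an assumption: the worksheets above name only their inputs (outbound bandwidth, packet size in bytes, delay in milliseconds), so the program assumes a queue must hold as many packets as the interface can transmit during the tolerated delay, that is, bandwidth_bps * delay_s / (packet_bytes * 8), rounded up. The interface name, bandwidth, packet sizes and delays are constructed sample values; queue-limit and tx-ring-limit are the priority-queue settings named in the next section.

```python
"""Priority-queue and TX-ring sizing (added example; the formula is an assumption,
reconstructed from the worksheet inputs: bandwidth, packet size and delay).
"""
import math

BANDWIDTH_UNITS = {"bps": 1, "kbps": 1_000, "mbps": 1_000_000}


def packets_in_delay(bandwidth: float, unit: str, packet_bytes: int, delay_ms: float) -> int:
    """Packets that fit on the wire in `delay_ms`; rounded up so the delay budget is never exceeded."""
    bps = bandwidth * BANDWIDTH_UNITS[unit.lower()]
    return math.ceil(bps * (delay_ms / 1000.0) / (packet_bytes * 8))


def queue_limit(bandwidth: float, unit: str, avg_packet_bytes: int, delay_ms: float) -> int:
    """Worksheet 19-1 (assumed formula): queue-limit from the average packet size."""
    return packets_in_delay(bandwidth, unit, avg_packet_bytes, delay_ms)


def tx_ring_limit(bandwidth: float, unit: str, max_packet_bytes: int, delay_ms: float) -> int:
    """Worksheet 19-2 (assumed formula): tx-ring-limit from the maximum packet size,
    so that a high-priority packet waits at most `delay_ms` behind the transmit ring."""
    return packets_in_delay(bandwidth, unit, max_packet_bytes, delay_ms)


def priority_queue_config(interface, bandwidth, unit, avg_bytes, max_bytes, queue_delay_ms, ring_delay_ms):
    """Render the priority-queue commands for the computed limits (constructed sample values)."""
    ql = queue_limit(bandwidth, unit, avg_bytes, queue_delay_ms)
    tr = tx_ring_limit(bandwidth, unit, max_bytes, ring_delay_ms)
    return [f"priority-queue {interface}", f"  queue-limit {ql}", f"  tx-ring-limit {tr}"]


if __name__ == "__main__":
    # Constructed: 100 Mbps interface, 256-byte average packets, 5 ms queueing budget,
    # 1500-byte maximum packets, 0.5 ms budget in the transmit ring.
    for line in priority_queue_config("outside", 100, "Mbps", 256, 1500, 5, 0.5):
        print(line)
```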
If you enable standard priority queuing for traffic on a physical interface, then you need to also create the priority queue on each interface. Each physical interface uses two queues: one for priority traffic, and the other for all other traffic. For the other traffic, you can optionally configure policing.
Note The standard priority queue is not required for hierarchical priority queuing with traffic shaping; see Information About Priority Queuing for more information.
The following example establishes a priority queue on interface “outside” (the GigabitEthernet0/1 interface), with the default queue-limit and tx-ring-limit:
The following example establishes a priority queue on the interface “outside” (the GigabitEthernet0/1 interface), sets the queue-limit to 260 packets, and sets the tx-ring-limit to 3:
You can configure standard priority queuing and policing for different class maps within the same policy map. See How QoS Features Interact for information about valid QoS configurations.
Step 1. class-map priority_map_name
For priority traffic, creates a class map to identify the traffic for which you want to perform priority queuing.

Step 2. match parameter
Specifies the traffic in the class map. See Identifying Traffic (Layer 3/4 Class Maps) for more information.

Step 3. class-map policing_map_name
For policing traffic, creates a class map to identify the traffic for which you want to perform policing.

Step 4. match parameter
Specifies the traffic in the class map. See Identifying Traffic (Layer 3/4 Class Maps) for more information.

Step 5. policy-map policymap_name
Adds or edits a policy map.

Step 6. class priority_map_name
Identifies the class map you created for prioritized traffic in Step 1.

Step 7. priority
Applies the priority queuing action to the class.

Step 8. class policing_map_name
Identifies the class map you created for policed traffic in Step 3.

Step 9. police { output | input } conform-rate [ conform-burst ] [ conform-action [ drop | transmit ]] [ exceed-action [ drop | transmit ]]
Configures policing for the class. See the following options:

Step 10. service-policy policymap_name { global | interface interface_name }
Example: hostname(config)# service-policy QoS_policy interface inside
Activates the policy map on one or more interfaces. global applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
Example 19-1 Class Map Examples for VPN Traffic
In the following example, the class-map command classifies all non-tunneled TCP traffic, using an ACL named tcp_traffic:
hostname(config)# access-list tcp_traffic permit tcp any any
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match access-list tcp_traffic
In the following example, other, more specific match criteria are used for classifying traffic for specific, security-related tunnel groups. These specific match criteria stipulate that a match on tunnel-group (in this case, the previously-defined Tunnel-Group-1) is required as the first match characteristic to classify traffic for a specific tunnel, and it allows for an additional match line to classify the traffic (IP differential services code point, expedited forwarding).
hostname(config)# class-map TG1-voice
hostname(config-cmap)# match tunnel-group tunnel-grp1
hostname(config-cmap)# match dscp ef
In the following example, the class-map command classifies both tunneled and non-tunneled traffic according to the traffic type:
hostname(config)# access-list tunneled extended permit ip 10.10.34.0 255.255.255.0 192.168.10.0 255.255.255.0
hostname(config)# access-list non-tunneled extended permit tcp any any
hostname(config)# tunnel-group tunnel-grp1 type IPsec_L2L
hostname(config)# class-map browse
hostname(config-cmap)# description "This class-map matches all non-tunneled tcp traffic."
hostname(config-cmap)# match access-list non-tunneled
hostname(config-cmap)# class-map TG1-voice
hostname(config-cmap)# description "This class-map matches all dscp ef traffic for tunnel-grp 1."
hostname(config-cmap)# match dscp ef
hostname(config-cmap)# match tunnel-group tunnel-grp1
hostname(config-cmap)# class-map TG1-BestEffort
hostname(config-cmap)# description "This class-map matches all best-effort traffic for tunnel-grp1."
hostname(config-cmap)# match tunnel-group tunnel-grp1
hostname(config-cmap)# match flow ip destination-address
The following example shows a way of policing a flow within a tunnel, provided the classed traffic is not specified as a tunnel, but does go through the tunnel. In this example, 192.168.10.10 is the address of the host machine on the private side of the remote tunnel, and the ACL is named “host-over-l2l”. By creating a class-map (named “host-specific”), you can then police the “host-specific” class before the LAN-to-LAN connection polices the tunnel. In this example, the “host-specific” traffic is rate-limited before the tunnel, then the tunnel is rate-limited:
The following example builds on the configuration developed in the previous section. As in the previous example, there are two named class-maps: tcp_traffic and TG1-voice.
hostname(config)# class-map TG1-best-effort
hostname(config-cmap)# match tunnel-group Tunnel-Group-1
hostname(config-cmap)# match flow ip destination-address
Adding a third class map provides a basis for defining a tunneled and non-tunneled QoS policy. The following example creates a simple QoS policy for tunneled and non-tunneled traffic, assigning packets of the class TG1-voice to the low latency queue and setting rate limits on the tcp_traffic and TG1-best-effort traffic flows.
Example 19-2 Priority and Policing Example
In this example, the maximum rate for traffic of the tcp_traffic class is 56,000 bits/second and a maximum burst size of 10,500 bytes per second. For the TG1-BestEffort class, the maximum rate is 200,000 bits/second, with a maximum burst of 37,500 bytes/second. Traffic in the TG1-voice class has no policed maximum speed or burst rate because it belongs to a priority class.
hostname(config)# access-list tcp_traffic permit tcp any any
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match access-list tcp_traffic
hostname(config)# class-map TG1-voice
hostname(config-cmap)# match tunnel-group tunnel-grp1
hostname(config-cmap)# match dscp ef
hostname(config-cmap)# class-map TG1-BestEffort
hostname(config-cmap)# match tunnel-group tunnel-grp1
hostname(config-cmap)# match flow ip destination-address
hostname(config)# policy-map qos
hostname(config-pmap)# class tcp_traffic
hostname(config-pmap-c)# police output 56000 10500
hostname(config-pmap-c)# class TG1-voice
hostname(config-pmap-c)# priority
hostname(config-pmap-c)# class TG1-BestEffort
hostname(config-pmap-c)# police output 200000 37500
hostname(config-pmap-c)# class class-default
hostname(config-pmap-c)# police output 1000000 37500
hostname(config-pmap-c)# service-policy qos global
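The following Python program is an added example, not part of the Cisco documentation. It parses policy-map text of the kind shown in the example above (the sample configuration is constructed from that example) and checks two points made in How QoS Features Interact: a class that receives both the priority action and a police action is not allowed, and policing traffic that is also shaped is allowed but normally unintended. It also derives the time interval each policer implies (conform-burst in bytes, converted to bits, divided by conform-rate), the quantity the traffic-shaping section discusses. The shape check is a heuristic over a single policy map and is my simplification.

```python
"""Policy-map consistency check (added example, not from the ASA guide).

Understands policy-map, class, priority, police and shape average lines.
The sample configuration is constructed from the page's priority-and-policing example.
"""
import re

SAMPLE_CONFIG = """\
policy-map qos
 class tcp_traffic
  police output 56000 10500
 class TG1-voice
  priority
 class TG1-BestEffort
  police output 200000 37500
 class class-default
  police output 1000000 37500
"""

POLICE_RE = re.compile(r"police\s+(input|output)\s+(\d+)(?:\s+(\d+))?")


def parse_policy_maps(text):
    """Return {policy: {class: {"priority": bool, "police": [(dir, rate_bps, burst_bytes)], "shape": rate|None}}}."""
    maps, policy, cls = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            policy, cls = line.split(None, 1)[1], None
            maps[policy] = {}
        elif line.startswith("class ") and policy:
            cls = line.split(None, 1)[1]
            maps[policy][cls] = {"priority": False, "police": [], "shape": None}
        elif policy and cls:
            entry = maps[policy][cls]
            if line == "priority":
                entry["priority"] = True
            elif (m := POLICE_RE.match(line)):
                burst = int(m.group(3)) if m.group(3) else None
                entry["police"].append((m.group(1), int(m.group(2)), burst))
            elif line.startswith("shape average "):
                entry["shape"] = int(line.split()[2])
    return maps


def police_interval_s(rate_bps, burst_bytes):
    """Time interval implied by a policer: burst (bytes converted to bits) / rate."""
    return burst_bytes * 8 / rate_bps


def lint(maps):
    """Return findings as (policy, class, message); an empty list means no conflicts."""
    findings = []
    for policy, classes in maps.items():
        shaped = any(c["shape"] for c in classes.values())   # heuristic: shaping anywhere in this map
        for name, c in classes.items():
            if c["priority"] and c["police"]:
                findings.append((policy, name, "priority queuing and policing on the same traffic"))
            if shaped and c["police"]:
                findings.append((policy, name, "policing inside a shaping policy"))
    return findings


if __name__ == "__main__":
    maps = parse_policy_maps(SAMPLE_CONFIG)
    for name, c in maps["qos"].items():
        for direction, rate, burst in c["police"]:
            print(f"{name}: police {direction} {rate} bps, burst {burst} B, "
                  f"interval {police_interval_s(rate, burst):.3f} s")
    print("findings:", lint(maps))   # [] for the page's example
```

For the tcp_traffic class the implied interval is 10500 * 8 / 56000 = 1.5 s, which is the kind of figure to compare against the delay tolerance of the traffic in that class.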
You can configure traffic shaping for all traffic on an interface, and optionally hierarchical priority queuing for a subset of latency-sensitive traffic.
You can optionally configure priority queuing for a subset of latency-sensitive traffic.
Step 1. class-map priority_map_name
For hierarchical priority queuing, creates a class map to identify the traffic for which you want to perform priority queuing.

Step 2. match parameter
Specifies the traffic in the class map. See Identifying Traffic (Layer 3/4 Class Maps) for more information. For encrypted VPN traffic, you can only match traffic based on the DSCP or precedence setting; you cannot match a tunnel group.

Step 3. policy-map priority_policy_map_name
Adds or edits a policy map.

Step 4. class priority_map_name
Specifies the class map you created in Step 1.

Step 5. priority
Applies the priority queuing action to a class map. Note This policy has not yet been activated. You must activate it as part of the shaping policy. See Configuring the Service Rule.
To configure traffic shaping and optional hierarchical priority queuing, perform the following steps.
Step 1. policy-map policymap_name
Adds or edits a policy map. This policy map must be different from the hierarchical priority-queuing map.

Step 2. class class-default
Identifies all traffic for traffic shaping; you can only use the class-default class map, which is defined as match any, because the ASA requires all traffic to be matched for traffic shaping.

Step 3. shape average rate [ burst_size ]
Enables traffic shaping, where the average rate argument sets the average rate of traffic in bits per second over a given fixed time period, between 64000 and 154400000. Specify a value that is a multiple of 8000. See Information About Traffic Shaping for more information about how the time period is calculated. The burst_size argument sets the average burst size in bits that can be transmitted over a given fixed time period, between 2048 and 154400000. Specify a value that is a multiple of 128. If you do not specify the burst_size, the default value is equivalent to 4 milliseconds of traffic at the specified average rate. For example, if the average rate is 1000000 bits per second, 4 ms worth = 1000000 * 4/1000 = 4000.

Step 4. service-policy priority_policy_map_name
Configures hierarchical priority queuing, where the priority_policy_map_name is the policy map you created for prioritized traffic in (Optional) Configuring the Hierarchical Priority Queuing Policy.

Step 5. service-policy policymap_name interface interface_name
Example: hostname(config)# service-policy shape-policy interface inside
The following example enables traffic shaping on the outside interface, and limits traffic to 2 Mbps; priority queuing is enabled for VoIP traffic that is tagged with DSCP EF and AF13 and for IKE traffic:
hostname(config)# access-list ike permit udp any any eq 500
hostname(config)# class-map ike
hostname(config-cmap)# match access-list ike
hostname(config-cmap)# class-map voice_traffic
hostname(config-cmap)# match dscp EF AF13
hostname(config-cmap)# policy-map qos_class_policy
hostname(config-pmap)# class voice_traffic
This section includes the following topics:
To view the QoS statistics for traffic policing, use the show service-policy command with the police keyword:
The following is sample output for the show service-policy police command:
To view statistics for service policies implementing the priority command, use the show service-policy command with the priority keyword:
The following is sample output for the show service-policy priority command:
Note “Aggregate drop” denotes the aggregated drop in this interface; “aggregate transmit” denotes the aggregated number of transmitted packets in this interface.
To view statistics for service policies implementing the shape command, use the show service-policy command with the shape keyword:
The following is sample output for the show service-policy shape command:
The following is sample output of the show service-policy shape command, which includes service policies that include the shape command and the service-policy command that calls the hierarchical priority policy, and the related statistics:
To display the priority-queue statistics for an interface, use the show priority-queue statistics command in privileged EXEC mode. The results show the statistics for both the best-effort (BE) queue and the low-latency queue (LLQ). The following example shows the use of the show priority-queue statistics command for the interface named test, and the command output.
In this statistical report, the meaning of the line items is as follows:
Table 19-3 lists each feature change and the platform release in which it was implemented.