In this final part of our blog series on QoS with the PIX/ASA, we examine the remaining two QoS tools available on some of these devices: traffic shaping and traffic policing.
Traffic Shaping
Traffic shaping on the security appliance lets the device limit the rate of traffic leaving an interface. Rather than dropping packets that exceed the configured "speed limit", the shaper buffers them and sends them later, smoothing bursts at the cost of added delay; packets are discarded only when the shaping queue itself fills. On the 7.x security appliance, traffic shaping applies to all outgoing traffic on a physical interface: you cannot shape only selected types of traffic. The shaped traffic includes traffic passing through the device as well as traffic sourced by the device itself.
To configure traffic shaping, use the class-default class and apply the shape command in Policy Map Class Configuration mode. The class-default class is created automatically by the system; it is a simple match-any class map that lets you quickly match all traffic. Here is a sample configuration (the rate is given in bits per second and the burst size in bits):
pixfirewall(config)# policy-map PM-SHAPER
pixfirewall(config-pmap)# class class-default
pixfirewall(config-pmap-c)# shape average 2000000 16000
pixfirewall(config)# service-policy PM-SHAPER interface outside
Verification is simple. Run the following to confirm that the policy map contains what you intended:
pixfirewall(config)# show run policy-map
!
policy-map PM-SHAPER
 class class-default
  shape average 2000000 16000
!
Another useful command, which shows the shaper's counters and confirms that the policy is actually acting on traffic, is:
pixfirewall(config)# show service-policy shape

Interface outside:
  Service-policy: PM-SHAPER
    Class-map: class-default
      shape (average) cir 2000000, bc 16000, be 16000
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0

The total drops counter is the one to watch. Shaping is supposed to delay rather than discard, so a rising value means bursts are overflowing the 64-packet queue and the shaper has started behaving like a policer.
Traffic Policing
With a policing configuration, traffic that exceeds the "speed limit" on the interface is dropped immediately rather than queued. Unlike shaping on the appliance, policing can be applied to a specific class of traffic, and it can be applied in the input or the output direction. Let's examine a traffic policing configuration. In this configuration, we limit the amount of web traffic permitted into an interface.
pixfirewall(config)# access-list AL-WEB-TRAFFIC permit tcp host 192.168.1.110 eq www any
pixfirewall(config)# class-map CM-POLICE-WEB
pixfirewall(config-cmap)# match access-list AL-WEB-TRAFFIC
pixfirewall(config)# policy-map PM-POLICE-WEB
pixfirewall(config-pmap)# class CM-POLICE-WEB
pixfirewall(config-pmap-c)# police input 1000000 conform-action transmit exceed-action drop
pixfirewall(config)# service-policy PM-POLICE-WEB interface outside
Notice that we can verify with the same commands we used for shaping:
pixfirewall(config)# show run policy-map
!
policy-map PM-POLICE-WEB
 class CM-POLICE-WEB
  police input 1000000
!
pixfirewall(config)# show service-policy police

Interface outside:
  Service-policy: PM-POLICE-WEB
    Class-map: CM-POLICE-WEB
      Input police Interface outside:
        cir 1000000 bps, bc 31250 bytes
        conformed 0 packets, 0 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 0 bps, exceed 0 bps

Because no burst size was given on the police command, the appliance derived the 31250-byte bc value from the rate. The exceeded counter is the policer's drop count; comparing it with the conformed counter tells you what fraction of the matched web traffic is being discarded.
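To make the difference between the two actions concrete, here is an added Python model (not code from the original post or from Cisco) of a single-rate token bucket, driven once as a policer and once as a shaper with the numbers from the two configurations above: a 1,000,000 bps policer with a 31250-byte burst, and a 2,000,000 bps shaper with a 16000-bit burst and the 64-packet queue shown in the show service-policy shape output. The 100-packet burst fed to it is constructed for the example, and the model is a generic textbook token bucket, not a bit-exact reproduction of the appliance's scheduler.

```python
"""Token-bucket model of ASA policing versus shaping.

Added illustration, not the appliance's own code: a generic single-rate
token bucket. Rates are bits per second; bucket depths are bits. The
64-packet queue limit matches the 'show service-policy shape' output.
"""
from collections import deque


class TokenBucket:
    """Bucket refilled at cir_bps, capped at bc_bits; starts full."""

    def __init__(self, cir_bps, bc_bits):
        self.cir_bps = cir_bps
        self.bc_bits = bc_bits
        self.tokens = float(bc_bits)
        self.last = 0.0

    def refill(self, now):
        """Credit tokens for the time elapsed since the last update."""
        self.tokens = min(self.bc_bits, self.tokens + (now - self.last) * self.cir_bps)
        self.last = now

    def take(self, bits, now):
        """Consume `bits` tokens at time `now` if available; True on success."""
        self.refill(now)
        if self.tokens >= bits:
            self.tokens -= bits
            return True
        return False


def police(packets, cir_bps, bc_bytes):
    """police: conform-action transmit, exceed-action drop.

    packets: iterable of (arrival_seconds, size_bytes). Returns the
    (conformed, exceeded) packet counts, as in 'show service-policy police'.
    """
    bucket = TokenBucket(cir_bps, bc_bytes * 8)
    conformed = exceeded = 0
    for t, size in packets:
        if bucket.take(size * 8, t):
            conformed += 1
        else:
            exceeded += 1
    return conformed, exceeded


def shape(packets, cir_bps, bc_bits, queue_limit=64):
    """shape average: exceeding packets wait for tokens instead of being dropped.

    Returns (departure_times, total_drops). A packet is dropped only when it
    arrives while `queue_limit` packets are already waiting to be sent.
    """
    bucket = TokenBucket(cir_bps, bc_bits)
    waiting = deque()          # departure times of packets not yet sent
    departures = []
    drops = 0
    for t, size in packets:
        while waiting and waiting[0] <= t:   # already-sent packets leave the queue
            waiting.popleft()
        if len(waiting) >= queue_limit:
            drops += 1                       # queue full: the shaper drops too
            continue
        # FIFO: this packet is served once the previous one has departed
        start = waiting[-1] if waiting else t
        bucket.refill(start)
        bits = size * 8
        if bucket.tokens >= bits:
            bucket.tokens -= bits
            depart = start
        else:                                # wait until the deficit is refilled
            depart = start + (bits - bucket.tokens) / cir_bps
            bucket.tokens = 0.0
            bucket.last = depart
        waiting.append(depart)
        departures.append(depart)
    return departures, drops


# Constructed input: a 100-packet burst of 1500-byte frames all arriving at t=0.
BURST = [(0.0, 1500)] * 100


def compare(packets=BURST):
    """Run both actions with the page's parameters and summarise the outcome."""
    conformed, exceeded = police(packets, cir_bps=1_000_000, bc_bytes=31250)
    departures, drops = shape(packets, cir_bps=2_000_000, bc_bits=16000)
    return {
        "police_conformed": conformed,
        "police_exceeded": exceeded,
        "shape_sent": len(departures),
        "shape_drops": drops,
        "shape_last_departure_s": departures[-1] if departures else None,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Run the file to print the summary. With the constructed burst the policer transmits the 20 packets that fit in its 31250-byte bucket and drops the other 80 on the spot, while the shaper sends 65 of them spread over roughly 0.38 seconds and drops the remaining 35 only because the burst overran its 64-packet queue. That delay is the price of shaping: a latency-sensitive flow behind a busy shaper sees it as jitter, which is why policing is the better fit when excess traffic should simply be discarded.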
I hope that you enjoyed this four part series on QoS on the PIX/ASA! Please look for other posts about complex configurations on the security appliances very soon. I have already been flooded with recommendations!
Happy Studies!
About Anthony Sequeira, #15626:
Anthony Sequeira brings decades of teaching, technical writing, and consulting experience to INE. Anthony began his career as an author and lecturer within the IT community, featuring best-selling titles for Microsoft and Cisco Press. Best known as one of the training voices for the revolutionary e-learning company called KnowledgeNet, Anthony now teaches online and in-classroom exclusively for INE. When not helping his students master Cisco networking, Anthony can be found at the poker tables, or flying the Florida skies in a Cessna.
2 Responses to “QoS on the PIX/ASA – Part 4:Traffic Shaping and Traffic Policing”
Hi,
Thanks for this great post. But I think in the example above it is just for outbound traffic; can we do it for incoming traffic as well?
I have Exchange server behind ASA 5510, internet bandwidth is 2/2 Mbps.
I noticed that all incoming SMTP traffic is choking all the bandwidth.
Can I limit incoming traffic to 1 Mbps (50%)?
I think rate-limit option is just for outbound traffic!
Thanks,
Zia
Thank you for this blog entry. I’m sure it will help us out. Thanks again!