ASA Service Policies with Priority and Policing

As is sometimes the case, the idea for this article originated with a student question I received during one of the Securing Networks with ASA Fundamentals classes I have taught this summer. The course material mentions a simple scenario whereby IP Telephony traffic is given priority out of an interface to satisfy the Quality of Service (QoS) requirement for acceptable performance. The student asked something along the lines of

“…suppose I wanted to prioritize two different traffic types…could I set limits as to the maximum bandwidth used by at least one of the flows?”

Well, the answer to that question is a resounding “YES”.

As the screenshot below indicates, the QoS tab of the Service Policy Rule Wizard uses check boxes rather than radio buttons. Radio buttons are “either-or” options; check boxes can be selected independently of one another, so priority and policing are separate, combinable choices in the wizard.

When the check box for Enable priority for this flow is marked, the pop-up warning shown above appears. The reason is that the priority action in a policy map does nothing until priority queuing is enabled on the egress interface itself with the interface-level priority-queue <interface> command. Beneath that command two optional sub-commands tune the queue: queue-limit <num-packets>, the maximum number of packets that can be held in the queue before the ASA starts dropping, and tx-ring-limit <num-packets>, the number of packets allowed into the Ethernet transmit driver before it pushes back to the interface queues. In both cases “num-packets” is a packet count, and the permitted ranges vary by platform.

Beneath the priority check box, both input and output policing are offered and their default values are shown. Although priority queuing applies only to egress packets, policing can be applied to ingress traffic, egress traffic, or both. Even with the Committed Rate left blank, we would expect the default actions to be transmit when traffic conforms to the configured rate and drop when it exceeds that rate (conform-action transmit, exceed-action drop in CLI terms), and that is exactly what the wizard shows.

There is some interesting history behind the Burst Size parameter. For a number of years the VPN Concentrator had (past tense here, since the product is End of Sale) been configurable for bandwidth management. The training associated with that product recommended setting the instantaneous burst size to 1.5 times the committed rate expressed in bytes per second. As an example, if the committed rate was 56 Kbps, the recommended burst size was (56000/8)*1.5 = 10,500 bytes.

Newer QoS literature (especially the Cisco Press book on this topic) has changed these recommendations. When the burst size is omitted, Cisco IOS® defaults it to CIR/32 bytes (where CIR is our Committed Rate in bits per second, so CIR/32 bytes is the amount of traffic sent in 250 ms at that rate) or 1500 bytes, whichever is larger. As we can see here, the ASA does not scale the default with the rate: it always chooses 1500 bytes regardless of the value entered above for the Committed Rate, so for any realistic committed rate the burst size must be overridden manually.
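To tie the wizard settings above together, here is the CLI equivalent of what the student asked for: two traffic classes, one given priority and the other capped, with the burst size set explicitly because of the ASA’s fixed 1500-byte default. This is an added example, not configuration from the original article or the ASDM screenshots; the interface name (outside), the class and ACL names, the RTP port range, the DSCP value, the 2 Mbps rate and the queue depths are all assumptions chosen for illustration. Lines beginning with “!” are annotations.

```cisco
! Added example (not from the original article). Interface name, class
! names, ports, rate and queue depths are assumptions for illustration.

! Class 1: voice RTP, matched by a constructed port-range ACL.
access-list VOICE_RTP extended permit udp any any range 16384 32767
class-map VOICE
 match access-list VOICE_RTP

! Class 2: video, matched by its DSCP marking.
class-map VIDEO
 match dscp af41

policy-map QOS_OUT
 ! Voice is sent through the low-latency (priority) queue on egress.
 class VOICE
  priority
 ! Video is policed to a 2 Mbps committed rate on egress.
 ! The burst is given explicitly: the ASA defaults to 1500 bytes no matter
 ! what the rate is. 62500 bytes is the IOS-style CIR/32 value (250 ms of
 ! traffic at 2 Mbps); the older VPN Concentrator rule of thumb,
 ! (2000000/8)*1.5, would give 375000 bytes instead.
 class VIDEO
  police output 2000000 62500 conform-action transmit exceed-action drop

! Attach the policy to the egress interface ...
service-policy QOS_OUT interface outside

! ... and enable the priority queue on that interface. Without this the
! "priority" action has no effect, which is what the ASDM warning is about.
! queue-limit and tx-ring-limit are the optional sub-commands; the values
! are assumed and the allowed ranges differ by platform.
priority-queue outside
 queue-limit 2048
 tx-ring-limit 128
```

Priority and policing are kept on separate classes here, which is what the question called for. Once applied, show service-policy priority and show service-policy police report per-class counters for the two actions, and show priority-queue statistics outside shows whether the low-latency queue is actually receiving and, if the queue-limit is too small, dropping packets.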

References:

Cisco IP Telephony — Weighted Random Early Detection

Configuring Service Policy Rules using ASDM 6.2
