ASA CHAPTER 12 (Shaping/Hierarchical Queuing)
Questions:
22.Traffic Shaping
• The outside interface of the firewall connects to the ISP that provides only
512Kbps of guaranteed traffic rate (CIR).
• Configure the firewall to conform to this requirement, provided that the ISP
sets measurement interval to 100ms.
• Permit ICMP echo-responses from the outside and test your configuration
using the ping flood from the inside.
23.Hierarchical Queuing
• Allow priority queuing for shaped VoIP bearer and VPN signaling traffic.
• VPN signaling is defined as IKE/ISAKMP exchange on the default port.
• VoIP bearer traffic is marked with the DSCP value of EF.
• All other traffic should receive best-effort service.
• Adjust traffic-shaping interval to provide minimum delay for VoIP traffic.
---
22.Traffic Shaping
• The outside interface of the firewall connects to the ISP that provides only
512Kbps of guaranteed traffic rate (CIR).
• Configure the firewall to conform to this requirement, provided that the ISP
sets measurement interval to 100ms.
• Permit ICMP echo-responses from the outside and test your configuration
using the ping flood from the inside.
-->
Traffic shaping is QoS procedure that “formats” traffic flow according to the traffic
contract specified. This commonly happens when the physical line rate (Access
Information Rate, AIR– e.g. 100Mbps) is higher than the contracted average
transmission rate (e.g. 1Mbps). The shaper meters the traffic flow rate and delay
packets that exceed the contracted speed (CIR– Committed Information Rate).
The delayed packets are buffered and processed every timer interval Tc
(committed measurement interval in milliseconds). Every interval Tcthe shaper
will emit no more than CIR*Tcbits at physical line rate AIR.
Since AIRis commonly higher than CIR, the firewall will only emit traffic for the
duration of CIR/AIR*Tcms and than remain idle till the end of the current
interval. The traffic that is still in queue will have to wait for the beginning of the
next interval to be serviced. The CIR/AIR*Tcvalue might be viewed as the
coefficient that defines the shaper effectiveness. Thus, by lowering the Tcyou
may increase the overall interval utilization but at same time increase the load on
the firewalls CPU, as the queue scheduler is required to fire more often.
So what is the optimal value of Tc? Commonly, this value is specified in traffic
contract, as the measurement interval. You should set your shaper Tcvalue no
bigger than the contracted Tcto avoid excessive drops on the provider’s edge.
However, some types of traffic, such as VoIP bearer, might required the Tcvalue
to be set as low as possible to minimize delays introduced by the shaper. This is
acceptable, as long as the firewall CPU is not highly over-utilized.
Now think of the following situation. What if during the current Tcthere is no
traffic to send, but in the next Tcthe queue accumulates more that Bcbits of
traffic? Using just the regular rules, the shaper will underutilize current interval,
and send only Bc bits in the next interval. The average rate per two intervals will
be Bc/(2*Tc) = CIR/2. In order to reduce this “unfairness” the shaper
implements special “credit counter” that is incremented every time the current
interval is underutilized. For example, if the current interval did not send any
traffic, the credit counter is incremented by Bc. However, there is a limit to this
counter called Be– Burst Excessive, the maximum amount of the extra credit
allowed to the flow. Now, every Tcthe shaper is allowed to send up to
Bc+Creditbits, that is up to Bc+Beif the credit allows. This procedure allows
the underutilization during any interval to allow sending extra traffic during the
next interval. The ASA firewall automatically sets Be=Bc to allow for more “fair”
shaping.
When configuring traffic shaping in the ASA firewall keep the following in mind:
1) You may only apply shaping at the interface level (not globally) and only under
class-default. No other classes could be defined in the policy that performs
traffic-shaping.
2) Shaping applies to both transit and firewall-originated traffic at the same time.
3) Interface-level priority queue does not work along with shaping. However, you
may enable hierarchical queue inside the shaper, as demonstrated in a separate
task.
4) Shaping takes in account full packet size, including IPsec encapsulation and
layer 2 overheads.
5) The shaping queue size is 64 packets and the service discipline is FIFO by
default (could be changed with hierarchical queueing).
The syntax for the shape command is:
policy-map SHAPER
class class-default
shape average <Rate> <Burst>
Here Tcis not set explicitly, but rather calculated by the shaper using the formula
Tc=Burst/Rate. Note that Burst is set in bits, not bytes like you do with the
policing.
-->
ASA1:
policy-map SHAPER
class class-default
shape average 512000 51200
!
service-policy SHAPER interface outside
!
clear configure access-list
!
access-list OUTSIDE_IN permit icmp any any
access-group OUTSIDE_IN in interface outside
!
ASA1(config)# show service-policy shape
Global policy:
Service-policy: global_policy
Class-map: class-default
Interface Outside:
Service-policy: SHAPER
Class-map: class-default
shape (average) cir 512000, bc 51200, be 51200
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
23.Hierarchical Queuing
• Allow priority queuing for shaped VoIP bearer and VPN signaling traffic.
• VPN signaling is defined as IKE/ISAKMP exchange on the default port.
• VoIP bearer traffic is marked with the DSCP value of EF.
• All other traffic should receive best-effort service.
• Adjust traffic-shaping interval to provide minimum delay for VoIP traffic.
-->
When you apply shaping per-interface, you create another software queue – the
one that shaper uses for the delayed traffic. Essentially, this queue represents
the new “virtual” link with the speed equal to the contracted rate (the CIR). It
would be beneficial to segregate traffic flows within this virtual link and provide
differential services.
As you remember, enabling shaping on the interface will disallow the use of any
“interface” level priority queue. However, it is allowed to create the priority queue
within the shaper’s delayed traffic buffer. To accomplish this, you need to nest
another service policy (child policy) under the shaped class-defaultof the
parent policy-map.
Under the child policy you may assign L3/L4 classes and enable priorityqueuewhere needed. The result is that shaper’s queue is split in two queues –
LLQ (priority) and BE (best effort). Notice that you cannot apply anything (e.g.
policing) with except to prioritycommand under the child policy. For-example:
class-map VOICE
match dscp ef
policy-map CHILD_POLICY
class VOICE
priority
policy-map PARENT_POLICY
class class-default
shape average 256000 2560
service-policy CHILD_POLICY
When implementing priority queuing for VoIP traffic, you may want to set
Bc=CIR*10ms to minimize traffic delays.
-->
ASA1:
class-map IKE
match port udp eq 500
!
class-map VOICE
match dscp ef
!
policy-map CHILD_POLICY
class IKE
priority
class VOICE
priority
!
policy-map SHAPER
class class-default
shape average 512000 5120
service-policy CHILD_POLICY
!
service-policy SHAPER interface outside
!
-->
output:
!
ASA1(config)# show service-policy interface outside
Interface outside:
Service-policy: SHAPER
Class-map: class-default
shape (average) cir 512000, bc 5120, be 5120
(pkts output/bytes output) 0/0
(total drops/no-buffer drops) 0/0
Service-policy: CHILD_POLICY
Class-map: IKE
priority
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: VOICE
priority
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: class-default
Default Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
!
No comments:
Post a Comment