QoS on the PIX/ASA – Part ...
    21 September 08

    QoS on the PIX/ASA – Part 4:Traffic Shaping and Traffic Policing

    Posted byINE

    In this final part of our blog series on QoS with the PIX/ASA, we examine the remaining two tools that we find on some devices - traffic shaping and traffic policing.

    Traffic Shaping

    Traffic shaping on the security appliance allows the device to limit the flow of traffic. This mechanism will buffer traffic over the "speed limit" and attempt to send the traffic later. On the 7.x security device, traffic shaping must be applied to all outgoing traffic on a physical interface. Shaping cannot be configured for certain types of traffic. The shaped traffic will include traffic passing though the device, as well as traffic that is sourced from the device.

    In order to configure traffic shaping, use the class-default class and apply the shape command in Policy Map Class Configuration mode. This class-default class is created automatically for you by the system. It is a simple match any class map that allows you to quickly match all traffic. Here is a sample configuration:

    pixfirewall(config-pmap)#policy-map PM-SHAPER
    pixfirewall(config-pmap)# class class-default
    pixfirewall(config-pmap-c)# shape average 2000000 16000
    pixfirewall(config-pmap-c)# service-policy PM-SHAPER interface outside

    Verification is simple. You can run the following to confirm your configuration:

    pixfirewall(config)# show run policy-map
    policy-map PM-SHAPER
     class class-default
    shape average 2000000 16000

    Another excellent command that confirms the effectiveness of the policy is:

    pixfirewall(config)# show service-policy shape
    Interface outside:
     Service-policy: PM-SHAPER
    Class-map: class-default
    shape (average) cir 2000000, bc 16000, be 16000
         queue limit 64 packets
     (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

    Traffic Policing

    With a policing configuration, traffic that exceeds the "speed limit" on the interface is dropped. Unlike traffic shaping configurations on the appliance, with policing you can specify a class of traffic that you want the policing to effect. Let's examine a traffic policing configuration. In this configuration, we will limit the amount of Web traffic that is permitted in an interface.

    pixfirewall(config)# access-list AL-WEB-TRAFFIC permit tcp host eq www any
    pixfirewall(config-if)# class-map CM-POLICE-WEB
    pixfirewall(config-cmap)# match access-list AL-WEB-TRAFFIC
    pixfirewall(config-cmap)# policy-map PM-POLICE-WEB
    pixfirewall(config-pmap)# class CM-POLICE-WEB
    pixfirewall(config-pmap-c)# police input 1000000 conform-action transmit exceed-action drop
    pixfirewall(config-pmap-c)# service-policy PM-POLICE-WEB interface outside

    Notice we can verify with similar commands that we used for shaping!

    pixfirewall(config)# show run policy-map
    policy-map PM-POLICE-WEB
     class CM-POLICE-WEB
      police input 1000000
    pixfirewall(config)# show ser
    pixfirewall(config)# show service-policy police
    Interface outside:
      Service-policy: PM-POLICE-WEB
        Class-map: CM-POLICE-WEB
          Input police Interface outside:
            cir 1000000 bps, bc 31250 bytes
            conformed 0 packets, 0 bytes; actions:  transmit
            exceeded 0 packets, 0 bytes; actions:  drop
            conformed 0 bps, exceed 0 bps

    I hope that you enjoyed this four part series on QoS on the PIX/ASA! Please look for other posts about complex configurations on the security appliances very soon. I have already been flooded with recommendations!

    Happy Studies!

    Hey! Don’t miss anything - subscribe to our newsletter!

    © 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.
    instagram Logofacebook Logotwitter Logolinkedin Logoyoutube Logo