نمایش نتایج: از شماره 1 تا 4 از مجموع 4

موضوع: QoS on the PIX/ASA

  
  1. #1
    نام حقيقي: 1234

    مدیر بازنشسته
    تاریخ عضویت
    Jul 2009
    محل سکونت
    5678
    نوشته
    5,634
    سپاسگزاری شده
    2513
    سپاسگزاری کرده
    272

    QoS on the PIX/ASA

    کد:
    http://blog.ine.com/2008/09/12/qos-on-the-pixasa-part-1what-tools-are-available/
    QoS on the PIX/ASA – Part 1:What Tools are Available?

    By Anthony Sequeira,

    This blog is focusing on QoS on the PIX/ASA and is based on 7.2 code to be consistent with the CCIE Security Lab Exam as of the date of this post. I will create a later blog regarding new features to 8.X code for all of you non-exam biased readers
    NOTE: We have already seen thanks to our readers that some of these features are very model/license dependent! For example, we have yet to find an ASA that allows traffic shaping.
    One of the first things that you discover about QoS for PIX/ASA when you check the documentation is that none of the QoS tools that these devices support are available when you are in multiple context mode. This jumped out at me as a bit strange and I just had to see for myself. Here I went to a PIX device, switched to multiple mode, and then searched for the priority-queue global configuration mode command. Notice that, sure enough, the command was not available in the CUSTA context, or the system context.

    کد:
    pixfirewall# configure terminal
    pixfirewall(config)# mode multiple
    WARNING: This command will change the behavior of the device
    WARNING: This command will initiate a Reboot
    Proceed with change mode? [confirm]
    Convert the system configuration? [confirm]
    pixfirewall> enable
    pixfirewall# show mode
    Security context mode: multiple
    pixfirewall# configure terminal        
    pixfirewall(config)# context CUSTA
    Creating context 'CUSTA'... Done. (2)
    pixfirewall(config-ctx)# context CUSTA
    pixfirewall(config-ctx)# config-url flash:/custa.cfg
    pixfirewall(config-ctx)# allocate-interface e2 
    pixfirewall(config-ctx)# changeto context CUSTA
    pixfirewall/CUSTA(config)# pri?     
    configure mode commands/options:
       privilege
    pixfirewall/CUSTA# changeto context system
    pixfirewall# conf t
    pixfirewall(config)# pr?
    configure mode commands/options:
       privilege
    OK, so we have no QoS capabilities when in multiple context mode. What QoS capabilities do we possess on the PIX/ASA when we are behaving in single context mode? Here they are:

    • Policing – you will be able to set a “speed limit” for traffic on the PIX/ASA. The policer will discard any packets trying to exceed this rate. I always like to think of the Soup Guy on Seinfeld with this one – “NO BANDWIDTH FOR YOU!”
    • Shaping – again, this tool allows you to set a speed limit, but it is “kinder and gentler”. This tool will attempt to buffer traffic and send it later should the traffic exceed the shaped rate.
    • Priority Queuing – for traffic (like VoIP that rely hates delays and variable delays (jitter), the PIX/ASA does support priority queuing of that traffic. The documentation refers to this as a Low Latency Queuing (LLQ).

    Now before we get too excited about these options for tools, we must understand that we are going to face some pretty big limitations with their usage compared to shaping, policing, and LLQ on a Cisco router. We will detail these limitations in future blogs on the specific tools, but here is an example. We might get very excited when we see LLQ in relation to the PIX/ASA, but it is certainly not the LLQ that we are accustomed to on a router. On a router, LLQ is really Class-Based Weighted Fair Queuing (CBWFQ) with the addition of strict Priority Queuing (PQ). On the PIX/ASA, we are just not going to have that type of granular control over many traffic forms. In fact, with the standard priority queuing approach on the PIX/ASA, there is a single LLQ for your priority traffic and all other traffic falls into a best effort queue.
    If you have been around QoS for a while, you are going to be very excited about how we set these mechanisms up on the security appliance. We are going to use the Modular Quality of Service Command Line Interface (MQC) approach! The MQC was invented for CBWFQ on the routers, but now we are seeing it everywhere. In fact, on the security appliance it is termed the Modular Policy Framework. This is because it not only handles QoS configurations, but also traffic inspections (including deep packet inspections), and can be used to configure the Intrusion Prevention and Content Management Security Service Modules. Boy, the ole’ MQC sure has come a long way.
    While you might be frustrated with some of the limitations in the individual tools, at least there are a couple of combinations that can feature the tools working together. Specificaly, you can:

    • Use standard priority queueing (for example for voice) and then police for all of the other traffic.
    • You can also use traffic shaping for all traffic in conjunction with hierarchical priority queuing for a subset of traffic. Again, in later blogs we will educate you more fully on each tool.

    Thanks for reading and I hope you are looking forward to future blog entries on QoS with the ASA/PIX




  2. #2
    نام حقيقي: 1234

    مدیر بازنشسته
    تاریخ عضویت
    Jul 2009
    محل سکونت
    5678
    نوشته
    5,634
    سپاسگزاری شده
    2513
    سپاسگزاری کرده
    272
    کد:
    http://blog.ine.com/2008/09/15/qos-on-the-pixasa-%E2%80%93-part-2the-modular-policy-framework/
    QoS on the PIX/ASA – Part 2:The Modular Policy Framework



    How do you apply most of your QoS mechanisms on a Cisco router? You use the Modular Quality of Service Command Line Interface (MQC). The approach is similar on the PIX/ASA, but the tool does feature some important differences. Also, Cisco has renamed the tool to the Modular Policy Framework. One reason for this is the fact that it is used for more than just QoS. For example, the MPF is also used for application inspection and Intrusion Prevention configurations on the ASA.
    The three steps used by MPF are pretty famous at this point. Here they are:
    Step 1: Define the traffic flows that you want to manipulate using what is called a Class Map. Do not confuse this with a Map Class that you might remember from Frame Relay configurations. A nice analogy for the Class Map is a bucket that you are pouring the traffic into that you want to manipulate.
    Step 2: Take those buckets of traffic from Step 1 and define the particular policy that will apply. The structure used for this is called a Policy Map. An example might be to police Web traffic (defined in a Class Map) to a particular rate.
    Step 3: Assign the Policy Map to an interface or all interfaces on the system using what is called a Service Policy.
    Let’s examine the syntax for these various commands.


    کد:
    pixfirewall(config)# class-map ?
    configure mode commands/options:
      WORD < 41 char  class-map name
      type            Specifies the type of class-map
    Notice the Class Map syntax includes a type option on the security appliance, the possible types include inspect, management, and regex and represent the variety of configurations the Modular Policy Framework can carry out.
    Something else interesting about the Class Map on the security appliance is the fact that there is no options for match-any or match-all. This is because on the security appliance you can only have one match statement. There are exceptions to this, and that is after using either the match tunnel-group or match default-inspection-traffic commands.
    Here you can see the match options on the security appliance to fill these buckets of traffic:


    کد:
    pixfirewall(config-cmap)# match ?
    mpf-class-map mode commands/options:
      access-list                 Match an Access List
      any                         Match any packet
      default-inspection-traffic  Match default inspection traffic:
      dscp                        Match IP DSCP (DiffServ CodePoints)
      flow                        Flow based Policy
      port                        Match TCP/UDP port(s)
      precedence                  Match IP precedence
      rtp                         Match RTP port numbers
      tunnel-group                Match a Tunnel Group
    Obviously, a powerful option is the ability to match on an access list, since this allows matching on very specific criteria, such as well Web traffic requests from a source to a specific destination. Here is an example:


    کد:
    pixfirewall(config)# access-list AL-EXAMPLE permit tcp any host 10.10.10.200 eq www
    pixfirewall(config)# class-map CM-EXAMPLE
    pixfirewall(config-cmap)# match access-list AL-EXAMPLE
    For step 2, we use the Policy Map. There are also types of these components that can be created. Notice that you are not in Policy Map configuration mode long, you switch immediately to Policy Map Class configuration mode to get your configuration complete.


    کد:
    pixfirewall(config)# policy-map PM-EXAMPLE
    pixfirewall(config-pmap)# class CM-EXAMPLE
    pixfirewall(config-pmap-c)# police output 56000 10500
    Here you can see the third strep. The Service Policy applies the Policy Map. You can assign the Policy Map to an interface or all interfaces with the following syntax:


    کد:
    pixfirewall(config)# service-policy PM-EXAMPLE global
    Here is a single interface example:


    کد:
    service-policy PM-EXAMPLE interface inside
    Notice that a direction is not specified as you would on a router. Notice the direction of policing was actually specified in the Policy Map.
    What happens if there is a global policy and an interface policy? Well the interface policy wins out and controls the interface.
    The next blog entry on this subject will focus on the priority queuing tool available on the security appliance




  3. #3
    نام حقيقي: 1234

    مدیر بازنشسته
    تاریخ عضویت
    Jul 2009
    محل سکونت
    5678
    نوشته
    5,634
    سپاسگزاری شده
    2513
    سپاسگزاری کرده
    272
    کد:
    http://blog.ine.com/2008/09/16/qos-on-the-pixasa-%E2%80%93-part-3priority-queuing/
    QoS on the PIX/ASA – Part 3:Priority Queuing

    By Anthony Sequeira
    The security appliance supports two kinds of priority queuing – standard priority queuing and hierarchical priority queuing. Let’s configure each in this third part of our blog.
    Standard Priority Queuing

    This queuing approach allows you to place your priority traffic in a priority queue, while all other traffic is placed in a best effort queue. You can police all other traffic if needed.
    Step 1: Create the priority queue on the interface where you want to configure the standard priority queuing. This is done in global configuration mode with the priority-queue interface_name command. Notice this will place you in priority queue configuration mode where you can optionally manipulate the size of the queue with the queue-limit number_of_packets command. You can also optionally set the depth of the hardware queue with the tx-ring-limit number_of_packets command. Remember that the hardware queue forwards packets until full, and then queuing is handled by the software queue (composed of the priority and best effort queues).


    کد:
    pixfirewall(config)# priority-queue outside
    pixfirewall(config-priority-queue)#
    Step 2: Use the Modular Policy Framework (covered in Part 2 of these blogs) to configure the prioritized traffic.


    کد:
    pixfirewall(config-priority-queue)# exit
    pixfirewall(config)# class-map CM-VOICE
    pixfirewall(config-cmap)# match dscp ef
    pixfirewall(config-cmap)# exit
    pixfirewall(config)# class-map CM-VOICE-SIGNAL
    pixfirewall(config-cmap)# match dscp af31
    pixfirewall(config-cmap)# exit
    pixfirewall(config)# policy-map PM-VOICE-TRAFFIC
    pixfirewall(config-pmap)# class CM-VOICE
    pixfirewall(config-pmap-c)# priority
    pixfirewall(config-pmap-c)# exit
    pixfirewall(config-pmap)# class CM-VOICE-SIGNAL
    pixfirewall(config-pmap-c)# priority
    pixfirewall(config-pmap-c)# exit
    pixfirewall(config-pmap)# exit
    pixfirewall(config)# service-policy PM-VOICE-TRAFFIC interface outside
    pixfirewall(config)# end
    Hierarchical Priority Queuing

    This queuing approach allows you to shape traffic and allow a subset of the shaped traffic to be prioritized. I have cleared the configuration from the security appliance in preparation for this new configuration. Notice with this approach, you do not configure a priority queue on the interface. Also notice with this approach the nesting of the Policy Maps.


    کد:
    pixfirewall(config)# class-map CM-VOICE
    pixfirewall(config-cmap)# match dscp ef
    pixfirewall(config-cmap)# exit
    pixfirewall(config)# class-map CM-VOICE-SIGNAL
    pixfirewall(config-cmap)# match dscp af31
    pixfirewall(config-cmap)# exit
    pixfirewall(config)# policy-map PM-VOICE-TRAFFIC
    pixfirewall(config-pmap)# class CM-VOICE
    pixfirewall(config-pmap-c)# priority
    pixfirewall(config-pmap-c)# exit
    pixfirewall(config-pmap)# class CM-VOICE-SIGNAL
    pixfirewall(config-pmap-c)# priority
    pixfirewall(config-pmap-c)# exit
    pixfirewall(config-pmap)# exit
    pixfirewall(config)# policy-map PM-ALL-TRAFFIC-SHAPE
    pixfirewall(config-pmap)# class class-default
    pixfirewall(config-pmap-c)# shape average 2000000 16000
    pixfirewall(config-pmap-c)# service-policy PM-VOICE-TRAFFIC
    pixfirewall(config-pmap-c)# exit
    pixfirewall(config-pmap)# service-policy PM-ALL-TRAFFIC-SHAPE interface outside
    pixfirewall(config)# end
    Verifications for Priority Queuing

    These verification commands can be used for both forms of priority queuing. Obviously, you can examine portions of the running configuration to confirm your Modular Policy Framework components. For example:


    کد:
    pixfirewall# show run policy-map
    !
    policy-map PM-VOICE-TRAFFIC
     class CM-VOICE
      priority
     class CM-VOICE-SIGNAL
      priority
     class class-default
    policy-map PM-ALL-TRAFFIC-SHAPE
     class class-default
      shape average 2000000 16000
      service-policy PM-VOICE-TRAFFIC
    !
    Another example:


    کد:
    pixfirewall# show run class-map
    !
    class-map CM-VOICE-SIGNAL
     match dscp af31
    class-map CM-VOICE
     match dscp ef
    !
    To verify the statistics of the standard priority queuing configuration, use the following:


    کد:
    pixfirewall# show service-policy priority
    Interface outside:
      Service-policy: PM-VOICE-TRAFFIC
       Class-map: CM-VOICE
          Priority:
            Interface outside: aggregate drop 0, aggregate transmit 0
        Class-map: CM-VOICE-SIGNAL
          Priority:
            Interface outside: aggregate drop 0, aggregate transmit 0
    You can also view the priority queue statistics for an interface using the following:


    کد:
    pixfirewall# show priority-queue statistics outside
    Priority-Queue Statistics interface outside
    Queue Type         = BE
    Tail Drops         = 0
    Reset Drops        = 0
    Packets Transmit   = 0
    Packets Enqueued   = 0
    Current Q Length   = 0
    Max Q Length       = 0
    Queue Type         = LLQ
    |Tail Drops         = 0
    Reset Drops        = 0
    Packets Transmit   = 0
    Packets Enqueued   = 0
    Current Q Length   = 0
    Max Q Length       = 0
    To verify the statistics on the shaping you have done with the hierarchical priority queuing, use the following:


    کد:
    pixfirewall# show service-policy shape
    Interface outside:
      Service-policy: PM-ALL-TRAFFIC-SHAPE
        Class-map: class-default
          shape (average) cir 2000000, bc 16000, be 16000
          (pkts output/bytes output) 0/0
          (total drops/no-buffer drops) 0/0
          Service-policy: PM-VOICE-TRAFFIC
    The next blog entry on this subject will focus on the shape tool available on the PIX/ASA.
    Thanks so much for reading




  4. #4
    نام حقيقي: 1234

    مدیر بازنشسته
    تاریخ عضویت
    Jul 2009
    محل سکونت
    5678
    نوشته
    5,634
    سپاسگزاری شده
    2513
    سپاسگزاری کرده
    272
    کد:
    http://blog.ine.com/2008/09/20/qos-on-the-pixasa-%E2%80%93-part-4traffic-shaping-and-traffic-policing/
    QoS on the PIX/ASA – Part 4:Traffic Shaping and Traffic Policing

    By Anthony Sequeira
    In this final part of our blog series on QoS with the PIX/ASA, we examine the remaining two tools that we find on some devices – traffic shaping and traffic policing.
    Traffic Shaping

    Traffic shaping on the security appliance allows the device to limit the flow of traffic. This mechanism will buffer traffic over the “speed limit” and attempt to send the traffic later. On the 7.x security device, traffic shaping must be applied to all outgoing traffic on a physical interface. Shaping cannot be configured for certain types of traffic. The shaped traffic will include traffic passing though the device, as well as traffic that is sourced from the device.
    In order to configure traffic shaping, use the class-default class and apply the shape command in Policy Map Class Configuration mode. This class-default class is created automatically for you by the system. It is a simple match any class map that allows you to quickly match all traffic. Here is a sample configuration:


    کد:
    pixfirewall(config-pmap)#policy-map PM-SHAPER
    pixfirewall(config-pmap)# class class-default
    pixfirewall(config-pmap-c)# shape average 2000000 16000
    pixfirewall(config-pmap-c)# service-policy PM-SHAPER interface outside
    Verification is simple. You can run the following to confirm your configuration:


    کد:
    pixfirewall(config)# show run policy-map
    !
    policy-map PM-SHAPER
     class class-default
    shape average 2000000 16000
    !
    Another excellent command that confirms the effectiveness of the policy is:


    کد:
    pixfirewall(config)# show service-policy shape
    Interface outside:
     Service-policy: PM-SHAPER
    Class-map: class-default
    shape (average) cir 2000000, bc 16000, be 16000
    Queueing
         queue limit 64 packets
     (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
    Traffic Policing

    With a policing configuration, traffic that exceeds the “speed limit” on the interface is dropped. Unlike traffic shaping configurations on the appliance, with policing you can specify a class of traffic that you want the policing to effect. Let’s examine a traffic policing configuration. In this configuration, we will limit the amount of Web traffic that is permitted in an interface.


    کد:
    pixfirewall(config)# access-list AL-WEB-TRAFFIC permit tcp host 192.168.1.110 eq www any
    pixfirewall(config-if)# class-map CM-POLICE-WEB
    pixfirewall(config-cmap)# match access-list AL-WEB-TRAFFIC
    pixfirewall(config-cmap)# policy-map PM-POLICE-WEB
    pixfirewall(config-pmap)# class CM-POLICE-WEB
    pixfirewall(config-pmap-c)# police input 1000000 conform-action transmit exceed-action drop
    pixfirewall(config-pmap-c)# service-policy PM-POLICE-WEB interface outside
    Notice we can verify with similar commands that we used for shaping!


    کد:
    pixfirewall(config)# show run policy-map
    !
    policy-map PM-POLICE-WEB
     class CM-POLICE-WEB
      police input 1000000
    !
    pixfirewall(config)# show ser
    pixfirewall(config)# show service-policy police
    Interface outside:
      Service-policy: PM-POLICE-WEB
        Class-map: CM-POLICE-WEB
          Input police Interface outside:
            cir 1000000 bps, bc 31250 bytes
            conformed 0 packets, 0 bytes; actions:  transmit
            exceeded 0 packets, 0 bytes; actions:  drop
            conformed 0 bps, exceed 0 bps
    I hope that you enjoyed this four part series on QoS on the PIX/ASA! Please look for other posts about complex configurations on the security appliances very soon. I have already been flooded with recommendations




کلمات کلیدی در جستجوها:

&lt;http://blog.ine.com/2008/09/20/qos-on-the-pixasa-–-part-4traffic-shaping-and-traffic-policing/&gt;

برچسب برای این موضوع

مجوز های ارسال و ویرایش

  • شما نمی توانید موضوع جدید ارسال کنید
  • شما نمی توانید به پست ها پاسخ دهید
  • شما نمی توانید فایل پیوست ضمیمه کنید
  • شما نمی توانید پست های خود را ویرایش کنید
  •