Sunday, October 27, 2013

Controlling Bandwidth on an ASA: Traffic Policing and Shaping

You can leverage two ASA features to control or limit the amount of bandwidth used by specific traffic flows:

* Traffic policing

* Traffic shaping

With either method, the ASA measures the bandwidth used by traffic that is classified by a service policy and then attempts to hold the traffic within a configured rate limit. However, each method accomplishes the bandwidth control in a different manner.

With traffic policing, the packets are forwarded normally as long as the bandwidth threshold is not exceeded. However, packets that do exceed the bandwidth threshold are simply dropped.

In contrast, traffic shaping takes a more preemptive approach. Traffic is buffered before it is forwarded so that the traffic rate can be shaped or held within the threshold limit. The idea is to pull packets from the buffer at a rate that is less than the threshold so that no packets are dropped.

To use ASDM to configure traffic policing, begin by navigating to Configuration > Firewall > Service Policy Rules and adding a new service policy rule or editing an existing one. Define a matching condition that classifies the traffic to be policed. Next, click the QoS tab in the Rule Actions dialog box. Check the Enable Policing check box, and then choose either Input Policing or Output Policing.

Use the police command as the action to send the matched traffic into a traffic policer.

ciscoasa(config)# access-list OUTBOUND_HTTP extended permit tcp any eq http any
ciscoasa(config)# class-map CLASS_HTTP
ciscoasa(config-cmap)# match ?

mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
                              ctiqbe----tcp--2748      dns-------udp--53
                              ftp-------tcp--21        gtp-------udp--2123,3386
                              h323-h225-tcp--1720      h323-ras--udp--1718-1719
                              http------tcp--80        icmp------icmp
                              ils-------tcp--389       ip-options-----rsvp
                              mgcp------udp--2427,2727 netbios---udp--137-138
                              radius-acct----udp--1646 rpc-------udp--111
                              rsh-------tcp--514       rtsp------tcp--554
                              sip-------tcp--5060      sip-------udp--5060
                              skinny----tcp--2000      smtp------tcp--25
                              sqlnet----tcp--1521      tftp------udp--69
                              waas------tcp--1-65535   xdmcp-----udp--177
  dscp                        Match IP DSCP (DiffServ CodePoints)
  flow                        Flow based Policy
  port                        Match TCP/UDP port(s)
  precedence                  Match IP precedence
  rtp                         Match RTP port numbers
  tunnel-group                Match a Tunnel Group
ciscoasa(config-cmap)# match access-list ?

mpf-class-map mode commands/options:
  WORD  Access List name
ciscoasa(config-cmap)# match access-list OUTBOUND_HTTP
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map MY_POLICY
ciscoasa(config-pmap)# ?

MPF policy-map configuration commands
  class        Policy criteria
  description  Specify policy-map description
  exit         Exit from MPF policy-map configuration mode
  help         Help for MPF policy-map configuration commands
  no           Negate or set default values of a command
  rename       Rename this policy-map
  <cr>
ciscoasa(config-pmap)# class CLASS_HTTP
ciscoasa(config-pmap-c)# ?

MPF policy-map class configuration commands:
  exit             Exit from MPF class action configuration mode
  help             Help for MPF policy-map class/match submode commands
  no               Negate or set default values of a command
  police           Rate limit traffic for this class
  priority         Strict scheduling priority for this class
  quit             Exit from MPF class action configuration mode
  service-policy   Configure QoS Service Policy
  set              Set connection values
  shape            Traffic Shaping
  user-statistics  configure user statistics for identity firewall
  <cr>
  csc              Content Security and Control service module
  flow-export      Configure filters for NetFlow events
  inspect          Protocol inspection services
  ips              Intrusion prevention services
ciscoasa(config-pmap-c)# police ?

mpf-policy-map-class mode commands/options:
  input   Police traffic in input direction
  output  Police traffic in output direction
ciscoasa(config-pmap-c)# police output ?

mpf-policy-map-class mode commands/options:
  <8000-2000000000>  Bits per second
ciscoasa(config-pmap-c)# police output 1000000 ?

mpf-policy-map-class mode commands/options:
  <1000-512000000>  Burst bytes
  conform-action    action when rate is less than conform burst
  <cr>
ciscoasa(config-pmap-c)# police output 1000000 conform-action ?

mpf-policy-map-class mode commands/options:
  drop           drop packet
  exceed-action  action when rate is within conform and conform + exceed burst
  transmit       transmit packet
  <cr>
ciscoasa(config-pmap-c)# police output 1000000 conform-action transmit ?

mpf-policy-map-class mode commands/options:
  exceed-action  action when rate is within conform and conform + exceed burst
  <cr>
ciscoasa(config-pmap-c)# police output 1000000 conform-action transmit exceed-action ?

mpf-policy-map-class mode commands/options:
  drop      drop packet
  transmit  transmit packet
  <cr>
ciscoasa(config-pmap-c)# police output 1000000 conform-action transmit exceed-action drop
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# service-policy MY_POLICY ?

configure mode commands/options:
  global     Enter this keyword to specify a global policy
  interface  Enter this keyword to specify an interface policy
ciscoasa(config)# service-policy MY_POLICY interface ?

configure mode commands/options:
Current available interface(s):
  dmz      Name of interface GigabitEthernet1
  inside   Name of interface GigabitEthernet0
  outside  Name of interface GigabitEthernet2
ciscoasa(config)# service-policy MY_POLICY interface outside

To configure traffic shaping in ASDM, begin by adding a new service policy rule or editing an existing one. Traffic shaping doesn't shape specific matched traffic; it shapes the default traffic that isn't matched or classified by any other traffic class. Therefore, you have to use the class-default class map to match the traffic. This is done by selecting the Use Class-Default As the Traffic Class option in the Traffic Classification Criteria dialog box.

Next, click the QoS tab in the Rule Actions dialog box and check Enable Traffic Shaping as the policy action. If you choose any matching criteria other than class-default, the Enable Traffic Shaping option will not be shown.

You can use the shape command as the action to send the matched traffic into a traffic shaper. Traffic shaping can be applied only to the aggregate traffic passing through an interface, not to an individual traffic class. Therefore, the matching condition you enter into the policy map configuration is important. The only permissible command is class class-default, followed by the shape command action.

ciscoasa(config)# policy-map outside-policy
ciscoasa(config-pmap)# class ?

mpf-policy-map mode commands/options:
  WORD            class-map name
  class-default   System default class matching otherwise unclassified packets

configure mode commands/options:
  WORD < 41 char  class-map name
  type            Specifies the type of class-map
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# ?

MPF policy-map class configuration commands:
  exit             Exit from MPF class action configuration mode
  help             Help for MPF policy-map class/match submode commands
  no               Negate or set default values of a command
  police           Rate limit traffic for this class
  priority         Strict scheduling priority for this class
  quit             Exit from MPF class action configuration mode
  service-policy   Configure QoS Service Policy
  set              Set connection values
  shape            Traffic Shaping
  user-statistics  configure user statistics for identity firewall
  <cr>
  csc              Content Security and Control service module
  flow-export      Configure filters for NetFlow events
  inspect          Protocol inspection services
  ips              Intrusion prevention services
ciscoasa(config-pmap-c)# shape ?

mpf-policy-map-class mode commands/options:
  average  configure token bucket: CIR (bps) [Bc (bits)], send out Bc only per
           interval
ciscoasa(config-pmap-c)# shape average ?

mpf-policy-map-class mode commands/options:
  <64000-154400000>  Target Bit Rate (bits per second), the value needs to be
                     multiple of 8000
ciscoasa(config-pmap-c)# shape average 100000000
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# service-policy ?

configure mode commands/options:
Available policy-maps:
  outside-policy
ciscoasa(config)# service-policy outside-policy interface ?

configure mode commands/options:
Current available interface(s):
  dmz      Name of interface GigabitEthernet1
  inside   Name of interface GigabitEthernet0
  outside  Name of interface GigabitEthernet2
ciscoasa(config)# service-policy outside-policy interface outside
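The difference between the two actions is easiest to see on a single burst of packets. The following token-bucket simulation is an added example, not code from the original post or from Cisco: it replays one constructed arrival trace through a policer configured like the police command above (conform-action transmit, exceed-action drop) and through a shaper configured like the shape average command above, and reports what each does with the same packets. The rate of 1,000,000 bps is taken from the police example; the 1500-byte burst size, the 1500-byte packets, the 1 ms arrival spacing and the late packet at 50 ms are assumptions chosen for the demonstration. The shaper is modelled per packet (delay until enough credit has accrued) rather than by the Bc-per-interval scheduling the help text mentions, and the two range checks at the bottom only encode the limits printed by the ? help in the sessions above.

```python
"""Token-bucket simulation of ASA traffic policing versus traffic shaping.

Added example, not the original post's or Cisco's code. Rate and burst values
are assumptions; the packet trace is constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    arrival_ms: float     # when the packet reached the interface
    size_bytes: int


@dataclass
class TokenBucket:
    """Credit bucket refilled at rate_bps and capped at burst_bytes (the police 'burst bytes')."""
    rate_bps: int
    burst_bytes: int
    tokens: float = field(init=False)
    last_ms: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # the bucket starts full

    def refill(self, now_ms: float) -> None:
        """Add the credit earned since the last update, never exceeding the burst size."""
        earned = (now_ms - self.last_ms) / 1000.0 * self.rate_bps / 8.0
        self.tokens = min(float(self.burst_bytes), self.tokens + earned)
        self.last_ms = now_ms

    def take(self, size_bytes: int) -> bool:
        """Spend credit for one packet; False means the packet exceeds the rate."""
        if self.tokens + 1e-9 >= size_bytes:
            self.tokens -= size_bytes
            return True
        return False


def police(packets, rate_bps, burst_bytes):
    """Policer: conforming packets are transmitted at once, exceeding packets are dropped."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    transmitted, dropped = [], []
    for p in packets:
        bucket.refill(p.arrival_ms)
        (transmitted if bucket.take(p.size_bytes) else dropped).append(p)
    return transmitted, dropped


def shape(packets, rate_bps, burst_bytes):
    """Shaper: nothing is dropped; each packet is held until credit for it has accrued.

    Returns (packet, departure_ms) pairs in FIFO order.
    """
    bucket = TokenBucket(rate_bps, burst_bytes)
    last_departure_ms = 0.0
    schedule = []
    for p in packets:
        t = max(p.arrival_ms, last_departure_ms)   # FIFO: cannot leave before its predecessor
        bucket.refill(t)
        if bucket.tokens < p.size_bytes:
            shortfall = p.size_bytes - bucket.tokens          # bytes still owed
            t += shortfall * 8.0 / rate_bps * 1000.0          # ms until they are earned
            bucket.refill(t)
        bucket.take(p.size_bytes)
        schedule.append((p, t))
        last_departure_ms = t
    return schedule


def asa_shape_rate_valid(bps: int) -> bool:
    """Range and granularity reported by 'shape average ?' above."""
    return 64000 <= bps <= 154400000 and bps % 8000 == 0


def asa_police_valid(bps: int, burst_bytes: int) -> bool:
    """Ranges reported by 'police output ?' and 'police output <rate> ?' above."""
    return 8000 <= bps <= 2000000000 and 1000 <= burst_bytes <= 512000000


def make_trace():
    """Constructed trace: ten 1500-byte packets 1 ms apart (12 Mb/s), then one packet at 50 ms."""
    burst = [Packet(arrival_ms=float(i), size_bytes=1500) for i in range(10)]
    return burst + [Packet(arrival_ms=50.0, size_bytes=1500)]


def run_demo(rate_bps=1_000_000, burst_bytes=1500):
    """Run both mechanisms over the same trace and summarise the outcome."""
    trace = make_trace()
    transmitted, dropped = police(trace, rate_bps, burst_bytes)
    schedule = shape(trace, rate_bps, burst_bytes)
    return {
        "policed_transmitted": len(transmitted),
        "policed_dropped": len(dropped),
        "shaped_transmitted": len(schedule),
        "shaped_departures_ms": [dep for _, dep in schedule],
        "shaped_max_delay_ms": max(dep - p.arrival_ms for p, dep in schedule),
    }


if __name__ == "__main__":
    result = run_demo()
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the assumed values, the policer forwards only the first packet of the burst and the late packet and drops the other nine, while the shaper forwards all eleven but spaces them 12 ms apart, so the last packet of the burst leaves 99 ms after it arrived. That delay is the cost of shaping: the buffer is what allows the ASA to avoid drops, and on latency-sensitive traffic it is the figure to watch.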
