QoS on the Cisco ASA Configuration Examples

This example uses a hierarchical QoS policy to shape all outbound traffic on the outside interfaces to 50 Mbps, as in the plain shaping example in the Cisco document, and additionally gives priority to voice packets (matched by Differentiated Services Code Point (DSCP) value "ef" in Cisco's original example, and by a host-based access-list here) and to Secure Shell (SSH) traffic. Note that traffic shaping is only supported on some ASA models: check the QoS guidelines in the CLI book linked below before relying on `shape` on your platform.

  • Create the priority queue on each interface on which you want to enable the feature (here outside1 and outside2). 2048 and 511 are the maximum values for queue-limit and tx-ring-limit:
ciscoasa(config)#priority-queue outside1
ciscoasa(config-priority-queue)#queue-limit 2048
ciscoasa(config-priority-queue)#tx-ring-limit 511
ciscoasa(config)#priority-queue outside2
ciscoasa(config-priority-queue)#queue-limit 2048
ciscoasa(config-priority-queue)#tx-ring-limit 511

  • An access-list selecting the voice endpoints (hosts 10.123.16.38 and 10.123.16.39, in both directions):
access-list hiprio_acl extended permit ip any host 10.123.16.38
access-list hiprio_acl extended permit ip host 10.123.16.38 any
access-list hiprio_acl extended permit ip any host 10.123.16.39
access-list hiprio_acl extended permit ip host 10.123.16.39 any
  • A class for the voice traffic. Cisco's original example uses `match dscp ef`; this version matches the voice hosts in hiprio_acl instead. Keep this class narrow: whatever it matches is sent ahead of all other traffic on the interface, and `permit ip any host ...` lets any protocol to or from those hosts jump the queue, not just voice:
ciscoasa(config)# class-map hiprio_class
ciscoasa(config-cmap)# match access-list hiprio_acl
ciscoasa(config-cmap)# exit
  • A class to match SSH traffic (TCP port 22):
ciscoasa(config)# class-map SSH
ciscoasa(config-cmap)# match port tcp eq 22
ciscoasa(config-cmap)# exit
  • A policy map that gives the voice class, and optionally SSH, strict priority. The two SSH lines are shown commented out with a leading # (not ASA syntax); remove the # to prioritize SSH as well:
ciscoasa(config)# policy-map outside_qos_policy
ciscoasa(config-pmap)# class hiprio_class
ciscoasa(config-pmap-c)# priority
# ciscoasa(config-pmap-c)# class SSH
# ciscoasa(config-pmap-c)# priority
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
  • A policy map that shapes all traffic and nests the priority policy under it. Shaping must be applied to class-default, and `shape average` takes bits per second, so 50000000 is 50 Mbps:
ciscoasa(config)# policy-map outside_policy
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# shape average 50000000
ciscoasa(config-pmap-c)# service-policy outside_qos_policy
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
  • Finally attach the shaping policy to each interface whose outbound traffic should be shaped and prioritized. Only outbound traffic is shaped, and the priority queue created in the first step must exist on that interface for `priority` to have any effect. Verify afterwards with `show service-policy interface outside1 shape`, `show service-policy interface outside1 priority` and `show priority-queue statistics outside1`:
ciscoasa(config)# service-policy outside_policy interface outside1
ciscoasa(config)# service-policy outside_policy interface outside2

QoS on the Cisco ASA Configuration Examples:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html
CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.13 :
https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/configuration/firewall/asa-913-firewall-config/conns-qos.html
ASA 5500 practical techniques, part 1 (Chinese):
https://blog.csdn.net/weixin_33863087/article/details/93093925
Implementing QoS on an ASA firewall (Chinese):
https://blog.51cto.com/u_511430/353065

A second example, in running-config form: rate-limit three hosts to 15 Mbps in each direction on the vpnoutside interface using policing, which by default drops traffic above the configured rate rather than queueing it as shaping does. The burst size is left at its default here; `police` accepts an optional conform-burst value after the rate if a different burst is needed:

object-group network RATELIMIT_15M
 network-object host 172.18.255.83
 network-object host 172.19.4.95
 network-object host 172.20.34.221
!
access-list ratelimit_15m extended permit ip any object-group RATELIMIT_15M
access-list ratelimit_15m extended permit ip object-group RATELIMIT_15M any
!
class-map ratelimit_15m_class
 match access-list ratelimit_15m
!
policy-map ratelimit_policy
 class ratelimit_15m_class
  police output 15000000
  police input 15000000
!
service-policy ratelimit_policy interface vpnoutside
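As an added check for both configurations above (the hierarchical shaping/priority policy and this policing policy), the following Python script is example code written for this page, not Cisco's or the original author's. It parses the QoS-related lines of a `show running-config` dump and reports the mistakes that are easy to make when assembling these pieces by hand: a class-map pointing at a misspelled access-list, a policy-map referencing a class or nested policy that does not exist, and a priority policy attached to an interface that never received `priority-queue` (the first step above), which leaves `priority` without effect. The sample config embedded in the script is constructed from the page's own lines; the outside3 interface and typo_class are invented for the failing case.

```python
"""Added example (not from the page or from Cisco): lint the QoS objects of an ASA
`show running-config` for dangling references and for a priority policy attached
to an interface that never got `priority-queue`. All names are the page's own
except outside3 and typo_class, which are constructed for the broken case."""

# Constructed sample: the page's two examples as they appear in a running-config
# (queue-limit, tx-ring-limit, object-group and the SSH class left out for brevity).
SAMPLE_CONFIG = """\
priority-queue outside1
priority-queue outside2
access-list hiprio_acl extended permit ip any host 10.123.16.38
access-list hiprio_acl extended permit ip host 10.123.16.38 any
access-list ratelimit_15m extended permit ip any host 172.18.255.83
class-map hiprio_class
 match access-list hiprio_acl
class-map ratelimit_15m_class
 match access-list ratelimit_15m
policy-map outside_qos_policy
 class hiprio_class
  priority
policy-map outside_policy
 class class-default
  shape average 50000000
  service-policy outside_qos_policy
policy-map ratelimit_policy
 class ratelimit_15m_class
  police output 15000000
  police input 15000000
service-policy outside_policy interface outside1
service-policy outside_policy interface outside2
service-policy ratelimit_policy interface vpnoutside
"""
# Constructed mistakes: a misspelled ACL name, and the priority policy attached
# to outside3, an interface that has no priority-queue.
BROKEN_CONFIG = SAMPLE_CONFIG + """\
class-map typo_class
 match access-list hiprio-acl
service-policy outside_policy interface outside3
"""


def parse_asa_qos(config_text):
    """Collect QoS objects. ASA nests sub-commands under a top-level command by a
    leading space; only the plain `class-map NAME` form is handled."""
    cfg = {"priority_queues": set(), "access_lists": set(), "class_maps": {},
           "policy_maps": {}, "service_policies": []}
    section = current_class = None       # (kind, name) of the open top-level block
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        words = raw.split()
        if not raw.startswith(" "):      # column 0: a new top-level command
            section = current_class = None
            if words[0] == "priority-queue":
                cfg["priority_queues"].add(words[1])
            elif words[0] == "access-list":
                cfg["access_lists"].add(words[1])
            elif words[0] == "class-map":   # name -> list of `match` lines
                section = ("class-map", words[1])
                cfg["class_maps"].setdefault(words[1], [])
            elif words[0] == "policy-map":  # name -> {class: [action lines]}
                section = ("policy-map", words[1])
                cfg["policy_maps"].setdefault(words[1], {})
            elif words[0] == "service-policy":  # NAME interface IFACE | NAME global
                target = words[3] if len(words) > 3 and words[2] == "interface" else "global"
                cfg["service_policies"].append((words[1], target))
        elif section is None:
            continue                     # sub-command of a block we do not track
        elif section[0] == "class-map":
            cfg["class_maps"][section[1]].append(" ".join(words))
        elif words[0] == "class":        # `class NAME` opens a class in a policy-map
            current_class = words[1]
            cfg["policy_maps"][section[1]].setdefault(current_class, [])
        elif current_class is not None:  # an action under that class
            cfg["policy_maps"][section[1]][current_class].append(" ".join(words))
    return cfg


def policy_has_priority(cfg, policy_name, seen=None):
    """True if the policy-map, or one nested under it with `service-policy`
    (the hierarchical form used on this page), contains a `priority` action."""
    seen = set() if seen is None else seen
    if policy_name in seen:              # cycle in a broken config: stop
        return False
    seen.add(policy_name)
    for actions in cfg["policy_maps"].get(policy_name, {}).values():
        for action in actions:
            if action == "priority":
                return True
            if action.startswith("service-policy ") and policy_has_priority(
                    cfg, action.split()[1], seen):
                return True
    return False


def lint_asa_qos(config_text):
    """Return human-readable findings; an empty list means the wiring is consistent."""
    cfg = parse_asa_qos(config_text)
    findings = []
    for cname, matches in cfg["class_maps"].items():
        for m in matches:
            w = m.split()
            if w[:2] == ["match", "access-list"] and w[2] not in cfg["access_lists"]:
                findings.append(f"class-map {cname}: access-list {w[2]} does not exist")
    for pname, classes in cfg["policy_maps"].items():
        for cname, actions in classes.items():
            if cname != "class-default" and cname not in cfg["class_maps"]:
                findings.append(f"policy-map {pname}: class {cname} has no class-map")
            for a in actions:
                w = a.split()
                if w[0] == "service-policy" and w[1] not in cfg["policy_maps"]:
                    findings.append(f"policy-map {pname} class {cname}: "
                                    f"nested policy-map {w[1]} does not exist")
    for pname, target in cfg["service_policies"]:
        if pname not in cfg["policy_maps"]:
            findings.append(f"service-policy {pname} on {target}: policy-map does not exist")
        elif (target != "global" and policy_has_priority(cfg, pname)
              and target not in cfg["priority_queues"]):
            # the page's first step: priority only takes effect on an interface
            # that has a priority-queue configured
            findings.append(f"interface {target}: policy-map {pname} uses priority "
                            f"but the interface has no priority-queue")
    return findings
```

Feed `lint_asa_qos` the saved output of `show running-config`; an empty result means the access-lists, class-maps, policy-maps and interface attachments all point at things that exist. It checks only the wiring between the objects, not rates, burst sizes or whether the platform supports shaping.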
