Cisco – QoS basics on a Cisco ASA

Tags: cisco, cisco-asa, qos

Could someone briefly explain how to use QoS on Cisco ASA 5505? I have the basics of policing down, but what about shaping and priorities? Basically what I'm trying to do is carve out some bandwidth for my VPN subnets (in an object-group called priority-traffic).

I've seen this Cisco QoS document; however, configuring shaping and priority-queue doesn't seem to have any effect in my test. A full download of the Linux kernel from kernel.org will boost a ping to a server via VPN sky high. Policing has been successful in passing this test, although it doesn't seem as efficient (I cap non-VPN traffic at 3 of my 4.5 megabits of bandwidth). Am I misunderstanding the results of the test? I think there is some simple concept I'm not grasping here.

EDIT:

Here is my config thus far (I have 4.5 megabits of bandwidth):

access-list priority-traffic extended permit ip object-group priority-traffic any 
access-list priority-traffic extended permit ip any object-group priority-traffic 
access-list priority-traffic extended permit icmp object-group priority-traffic any 
access-list priority-traffic extended permit icmp any object-group priority-traffic 
access-list non-priority-traffic extended deny ip object-group priority-traffic any 
access-list non-priority-traffic extended deny ip any object-group priority-traffic 
access-list non-priority-traffic extended permit ip any any 

priority-queue outside
  queue-limit   440

class-map non-priority-traffic
 match access-list non-priority-traffic
class-map priority-traffic
 match access-list priority-traffic
class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
policy-map outbound-qos-policy
 class non-priority-traffic
  police input 2500000
  police output 2500000
 class priority-traffic
  priority

service-policy global_policy global
service-policy outbound-qos-policy interface outside

Best Answer

Traffic shaping is basically used to match devices with link speeds. It only affects interfaces and does not depend on the type of traffic.

You cannot configure priority and policing for the same types of traffic. In other words, if you want to prioritize your group "priority-traffic", you would have to police all other traffic.

With priority traffic, think of QoS as a cup. You're identifying what traffic to prioritize by putting it in that cup, but what happens after that you have no control over. You can only determine what traffic to put in your cup.
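The following is an added example, not part of the question or the answer above. It ties the two together: the `priority` command on an ASA only does anything once the egress queue of the interface is actually congested, and on a 5505 whose outside port is 100 Mbit/s Fast Ethernet fed by a 4.5 Mbit/s uplink that never happens on its own. The standard way to make the ASA the bottleneck is hierarchical QoS: shape `class-default` on the outside interface to the link rate (shaping is only allowed in `class-default`, which is why it "does not depend on the type of traffic"), and nest a second policy that gives the VPN class strict priority. The ACLs, class-maps, `priority-queue outside` and the 4.5 Mbit/s rate come from the question; the policy-map names `qos-priority` and `outside-shape` are my own.

```cisco
! Match the VPN subnets in either direction (from the question's config).
access-list priority-traffic extended permit ip object-group priority-traffic any
access-list priority-traffic extended permit ip any object-group priority-traffic
access-list priority-traffic extended permit icmp object-group priority-traffic any
access-list priority-traffic extended permit icmp any object-group priority-traffic

class-map priority-traffic
 match access-list priority-traffic

! The priority queue must exist on the interface before "priority" has an effect.
priority-queue outside
  queue-limit   440

! Child policy: strict priority for the VPN class. No "police" here, because a
! class cannot carry both "priority" and "police" (as the answer states).
! Everything else falls into the child's class-default and is best-effort.
policy-map qos-priority
 class priority-traffic
  priority

! Parent policy: shape all egress on outside to the 4.5 Mbit/s uplink rate
! (bits per second), then hand the shaped queue to the child policy.
! "shape" is only accepted under class-default, so it is traffic-agnostic.
policy-map outside-shape
 class class-default
  shape average 4500000
  service-policy qos-priority

! Replace the question's outbound-qos-policy on the interface with the
! hierarchical one (only one interface service-policy is allowed).
service-policy outside-shape interface outside
```

One caveat that explains the test result in the question: shaping and priority queuing on the ASA act only on traffic leaving the interface they are applied to. A kernel download from kernel.org arrives inbound on outside, so the congestion that hurts the VPN ping is on the ISP side of the link, where this policy cannot reach; it protects VPN traffic heading out, not the download direction. Policing with `police input` is the only knob on the ASA that throttles that inbound flow, which is why it was the one configuration that changed the ping in the described test, at the cost of a hard cap rather than true prioritisation.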