How to Enable QoS Priority Queue on the Cisco ASA Firewall

Hello Networkers,

 

Today I am going to show you what’s needed in order to successfully configure and enable a Priority Queue on the Cisco ASA platforms.

 

Note: I will be using the Hierarchical model  as this is the only option regarding QoS in the ASA Firewall that I have actually seen it work(This means this configuration is not available on the Multi-Processor Firewalls).

 

When talking about QoS priority queues we refer to the option of enabling a Software queue where packets that we classify will be placed so they get a preference at the time the interface scheduler decides which packet to send next.

 

So basically a packet in the priority queue = the packet will be delivered first that any other packet.

 

Basics about Queuing Behavior with this tool

By default each of the interfaces of the firewall have a Transmit Ring (TX) queue or the physical queue, inside this queue packets will be scheduled or delivered on a  FIFO (First In First Out) way which means the first packet in the line will be delivered first.

By creating a priority queue we immediately enable a Software Queue where the packets that need to be delivered first that any other packet will be placed.

 

***Must Know***

 

What must people forget to analyze or tell you maybe because of the lack of real life scenarios is that the priority queue will be trigger only when the Transmit-ring or hardware queue gets fulfilled.

 

Basically after the firewall experiences an overload.

 

Now think about this.

 

You have a FastEthernet port going to your ISP or even a Gigabit Interface but you are only paying for 2 MBs from the ISP.

 

Do you think the interface will ever feel like being overloaded? Unless you experience burst traffic in your network you will not do it.

 

We basically need to force the congestion feeling on the ASA so the software queue takes place and that will be done by limiting the output bandwidth by either using Policing or Shaping.

 

Shaping being the best option available.

 

So back to our scenario, let’s say we have a FastEthernet outside interface going to the ISP with an actual  2 MBs of bandwidth available.

 

Here is the configuration:

 

1) Configure the Policy for the Priority Queue

  • First classify the packets that will go into the priority queue (In this case VoIP traffic)
  • Then place them into the priority queue with the priority command inside a policy-map

 

Class-Map VoIP

match dscp ef (Phones mark VoIP Packets with this value in the DSCP section)

 

Policy-Map Priority

Class VoIP

Priority

 

2) Create the policy that will be applied directly to the Outside interface (Where the shaping will take place) and take a look at the last step where we inherit the previous policy-map.

 

Policy-Map Shape

Class class-default

shape average 2000000

service-policy Priority

 

With this configuration we will basically shape all traffic going to the Internet to 2 MBs and whenever the queue fills (Which definitely happen and at a lower time we will be able to start prioritizing the traffic inside the service-policy Priority)

 

Last but not least let’s just apply the policy to the outside interface

service-policy Shape interface outside

 

And that’s it, with this configuration I ensure you QoS Priority will take place in your network.

 

Regards,

 

iNetworks