Traffic shaping on Cisco ASA X-series firewalls

cfan73
Hello - what (if any) are the options for shaping traffic on an X-series firewall? I have a customer with a Gig handoff Internet circuit, currently provisioning 150-Mbps. This is terminated on an old ISR, which is shaping the traffic via the "bandwidth 150000" command to prevent carrier policing. We need to move this connection off of the ISR onto an ASA 5525-X.

From what I've found so far, it appears there's no way to handle traffic shaping on the X-series firewalls. (I haven't looked into the new FTD appliances yet, so would be interested in feedback on those as well.) The 5525 is currently running 9.2 code, and the 9.2 configuration guide (https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/conns-qos.html) indicates that traffic shaping is only supported on the 5505 (not the "multi-core models such as 5500-X"). I haven't checked newer release notes.

Is there a way to perform the same shaping function on an ASA 5525, with either the existing or newer code? If not, how are other customers handling sub-rated circuits to prevent policing and the potential resulting connection drops? Again, if the newer FTD appliances (2100's) can provide for this, that'd be helpful to know.

Thank you
mikecr (IT Architect/Technology Delivery Manager)

Commented:
Yes, you can create service policy rules that can be configured to do traffic policing based on the criteria of the policy.
Soulja (Sr.Net.Eng)
Top Expert 2011

Commented:
Every company that I have supported always had a router on the edge for this purpose as well as other features that ASAs don't support such as DMVPN and Router VPNs. I think you may be out of luck in this scenario unfortunately in regards to the ASA. The FTD, I do believe, offers some form of rate limiting, but it may be more of a policing feature than shaping. As well as not having that many options.

Author

Commented:
Thanks for the responses. It's sounding like policing is the only option on these, unfortunately. Without the ability to buffer/shape traffic (vs. dropping it based on a policing policy), how much risk do we run of dropped TCP connections or other possible issues? Would it be a strategy to pump up the carrier service to a level beyond what the ASA could forward, and thus the carrier would never need to police the data being sent by the firewall?

Again, they're looking to remove an existing router (impending End of Support) and were hoping to leverage the existing firewall. The old backup Internet circuit was a bonded T1 pipe, so it required the router to terminate this connection. This has since been removed, and both handoffs are Ethernet (the primary this shaped circuit, the 2nd a 10-Mbps handoff).

Thanks again - just considering the options.

Soulja (Sr.Net.Eng)
Top Expert 2011

Commented:
Yes, in this case the easiest route would probably be to pump up the carrier service so the firewall doesn't even hit their policy. Otherwise, I would just replace the end-of-service router with another. If that is not an option, policing on your firewall really wouldn't benefit since the ISP is already policing, unless there is some penalty from the carrier when they must police your traffic.
As per Soulja, is there a financial requirement to shape to 150 Mbps, or just a desire to not hit the ISP shaping?

Shaping on a T1 I can certainly understand, but are you seeing traffic that would require shaping on 150 Mbps?

You might find the below useful as a starting point to setting a bandwidth limit

https://community.cisco.com/t5/firewalls/bandwidth-limit-on-asa/td-p/2892360

Whether you have dropped TCP connections would depend on your ISP traffic shaping policy. I would be very tempted to just try it during a suitable maintenance window, presuming that you can simulate "normal" traffic.

Author

Commented:
@ArneLovius

That link is again how to configure policing, which would drop packets to prevent exceeding the configured limit. My concern with policing is that the dropped packets may have a worse effect of possibly dropping connections, causing TCP resets, etc. I realize I may be overthinking this.

Secondly, the sub-rated circuit lands on a 1-Gbps port. Without shaping or policing, wouldn't the interface attempt to serialize all data at 1,000-Mbps and thus always result in drops, or is the carrier policing based on windows of time (such as exceeding the 150-Mbps rate over 5 seconds, etc.)?

Thanks again
Soulja (Sr.Net.Eng)
Top Expert 2011

Commented:
No, it wouldn't send it out as gigabit. Bandwidth is just the capability, not the actual speed. As long as you don't hit your ISP's limit they won't police. Most ISPs allow some burst past their set policed rate. You may want to find out what that is.

Author

Commented:
@Soulja

Maybe I wasn't clear with the above question. Let's assume we took the "bandwidth 40000" statement out completely (since it doesn't directly impact speed/shaping/policing, anyway). A gigabit port can only serialize a data bit at 1-Gbps, so how would the device buffer traffic to prevent overrun if you DID decide to add shaping commands at sub-rate?

Thanks again
Soulja (Sr.Net.Eng)
Top Expert 2011

Commented:
@cfan73,

I think you are confusing bandwidth vs. speed. Yes, the interface will have the speed of 1Gbps, but the bandwidth is the available capacity for the data transfer. The ISP is policing your capacity, not your speed. A perfect example of this difference is port-channels. You can have a port-channel consisting of 4 1-Gbps ports. You would have 4Gbps bandwidth, but still only transmit at 1Gbps speed.

Author

Commented:
@Soulja

I understand the port channel example, but let's focus on the single interface case, where there's a single 1-Gbps port which will transmit data at the same rate. If we implemented shaping at a sub-1G rate (to prevent carrier policing and dropped packets), how does the router buffer and transmit data to match this? Does it buffer 9/10 of the bits (if we were shaping at 100-Mbps) to prevent the overrun?

Thanks for your continued patience, and I think we're close. :)
Sr.Net.Eng
Top Expert 2011
Commented:
You are still confusing speed with bandwidth. Look up TX Ring and TX Queuing. The speed is the tx ring. The shaping happens in the TX Queue. The TX Queue is where QoS shaping works.
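The buffering question asked above (does the device hold back the excess bits?) and the TX Queue answer here can be seen side by side in a constructed simulation. This is an added example, not code from the thread or from Cisco: every packet still leaves the wire at gigabit serialisation speed, but a shaper holds the excess in a queue and releases it at the 150-Mbps CIR, whereas a policer (the only option the thread found on the 5525-X) simply drops what exceeds its token bucket. All rates, burst sizes and queue depths are assumed values chosen for illustration.

```python
"""Shaping vs policing a gigabit handoff down to a 150-Mbps CIR (constructed
simulation, not code from the thread): a policer drops excess, a shaper queues it."""
from collections import deque

def line_rate_burst(n_packets, size=1500, link_bps=1_000_000_000):
    """Packets arriving back to back at the physical speed of the port."""
    gap = size * 8 / link_bps                  # serialisation time of one packet
    return [(i * gap, size) for i in range(n_packets)]

def police(packets, cir_bps, burst_bytes):
    """Single-rate policer: token bucket, no queue. Out-of-profile packets drop."""
    rate, tokens, last = cir_bps / 8, burst_bytes, 0.0   # refill rate in bytes/s
    sent, dropped = [], []
    for t, size in packets:
        tokens, last = min(burst_bytes, tokens + (t - last) * rate), t
        if size <= tokens:
            tokens -= size
            sent.append((t, t, size))          # (arrival, departure, size): no delay
        else:
            dropped.append((t, size))
    return sent, dropped

def shape(packets, cir_bps, queue_bytes):
    """Shaper: FIFO queue drained at the CIR. Only a full queue tail-drops."""
    sent, dropped, in_flight = [], [], deque()
    backlog, next_free = 0, 0.0
    for t, size in packets:
        while in_flight and in_flight[0][0] <= t:   # packets already released
            backlog -= in_flight.popleft()[1]
        if backlog + size > queue_bytes:
            dropped.append((t, size))               # queue full: tail drop
            continue
        depart = max(t, next_free) + size * 8 / cir_bps  # paced at the CIR
        next_free, backlog = depart, backlog + size
        in_flight.append((depart, size))
        sent.append((t, depart, size))
    return sent, dropped

def egress_rate_bps(sent, t0=0.0):
    """Average rate the carrier sees from t0 until the last packet leaves."""
    return sum(s for _, _, s in sent) * 8 / (sent[-1][1] - t0)

def max_delay(sent):
    return max(d - a for a, d, _ in sent)

if __name__ == "__main__":
    burst = line_rate_burst(200)                    # 300 kB arriving in 2.4 ms
    for name, (ok, lost) in [("policer", police(burst, 150e6, 30_000)),
                             ("shaper", shape(burst, 150e6, 300_000))]:
        print(name, len(ok), "sent", len(lost), "dropped", f"{max_delay(ok)*1e3:.2f} ms")
```

With a queue deep enough to absorb the burst the shaper delivers all 200 packets at exactly the CIR at the cost of queueing delay; shrink `queue_bytes` and it starts tail-dropping, which is the caveat that shaping only defers drops rather than eliminating them.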

Author

Commented:
@Soulja

I will do the additional research, and thanks again for your patience.
