11.4. Security Queue QoS Policy Command Reference

11.4.1. Command Hierarchies

11.4.1.1. Configuration Commands

config
    — qos
        — security-queue policy-id [create]
        — no security-queue policy-id
            — description description-string
            — [no] queue queue-id
                — cbs {size-in-kbytes | default}
                — no cbs
                — high-prio-only {percent | default}
                — mbs {size {bytes | kbytes} | default}
                — no mbs
                — rate pir [cir cir]
                — no rate

11.4.1.2. Operational Commands

config
    — qos
        — copy security-queue src-pol dst-pol [overwrite]

11.4.1.3. Show Commands

show
    — qos
        — security-queue [policy-id] [association | detail]

11.4.2. Command Descriptions

11.4.2.1. Configuration Commands

11.4.2.1.1. Security Queue QoS Policy Commands

security-queue

Syntax 
security-queue policy-id [create]
no security-queue policy-id
Context 
config>qos
Description 

This command configures a security queue policy for traffic being extracted from the datapath to the CSM for firewall processing. When a security queue policy is created, two queues are created automatically for the extracted traffic: queue 1 for best-effort traffic and queue 2 for expedited traffic. The queue number and type for these two queues are not configurable.

The no form of this command removes the security queue policy.

Default 

n/a

Parameters 
policy-id—
the number of the policy being referenced. Policy 1 is reserved for the default security queue policy; it cannot be modified.
Values—
1 to 65535

 

create—
keyword used to create a security queue policy

description

Syntax 
description description-string
no description
Context 
config>qos>security-queue
Description 

This command configures a description for the security queue policy being referenced.

The no form of this command removes the description.

Default 

n/a

Parameters 
description-string—
a text string describing the entity. Allowed values are any string up to 80 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes.

queue

Syntax 
[no] queue queue-id
Context 
config>qos>security-queue
Description 

This command enables the context to configure parameters related to the queue type for the traffic extracted from the datapath to the CSM. When the security queue policy is created, a set of queues is automatically created: queue 1 for best-effort traffic and queue 2 for expedited traffic. When the best-effort and expedited queues are created, default values are assigned to their information rate parameters.

The no form of this command removes the queue-id from the security queue policy.

Default 

n/a

Parameters 
queue-id—
specifies the ID for the queue type being referenced
Values—
1 for best effort queue
2 for expedited queue

cbs

Syntax 
cbs {size-in-kbytes | default}
no cbs
Context 
config>qos>security-queue>queue
Description 

This command overrides the default Committed Buffer Space (CBS) reserved for the specified queue. The value is configured in kilobytes.

The no form of this command returns the CBS to the default value for the queue type.

Parameters 
size-in-kbytes—
specifies the committed buffer space for the queue
Values—
1 to 131072 | default

 

Default—
10 kbytes for best effort
40 kbytes for expedite

high-prio-only

Syntax 
high-prio-only {percent | default}
no high-prio-only
Context 
config>qos>security-queue>queue
Description 

This command configures the percentage of the queue used exclusively by high-priority packets. The specified value overrides the default value for the queue type.

The no form of this command restores the default high-priority reserved size for the queue type.

Parameters 
percent—
the percentage reserved for high priority traffic on the queue
Values—
1 to 100 | default

 

Default—
10 for best effort
10 for expedite

mbs

Syntax 
mbs {size {bytes | kilobytes} | default}
no mbs
Context 
config>qos>security-queue>queue
Description 

This command sets the Maximum Burst Size (MBS) value for buffers of a specified queue. The value is configured either in bytes or in kilobytes and overrides the default MBS value.

The no form of this command returns the MBS to the default value for the queue type.

Parameters 
size—
specifies the maximum burst size for the queue, either in bytes or kilobytes
Values—
1 to 134217728 | default

 

Default—
5000 kbytes for best effort
5000 kbytes for expedite
bytes—
configures the maximum burst size for the queue in bytes
kilobytes—
configures the maximum burst size for the queue in kilobytes

rate

Syntax 
rate pir [cir cir]
no rate
Context 
config>qos>security-queue>queue
Description 

This command sets the Peak Information Rate (PIR) value and optional Committed Information Rate (CIR) for a specified queue. The values are configured in kilobytes per second and override the default PIR and CIR values.

The no form of this command returns the PIR and CIR to their default values for the queue type, assigned when the security queue policy for firewall traffic was created.

Parameters 
pir—
specifies the peak information rate for the queue, in kilobytes per second
Values—
1 to 100000000 | max

 

Default—
400000 for best effort
400000 for expedite
cir—
specifies the committed information rate for the queue, in kilobytes per second
Values—
0 to 100000000 | max

 

Default—
15000 for best effort
35000 for expedite

11.4.2.2. Operational Commands

copy

Syntax 
copy security-queue src-pol dst-pol [overwrite]
Context 
config>qos
Description 

This command copies existing policy entries for a security queue QoS policy to another security queue policy. This command is a configuration-level maintenance tool used to create new policies using existing policies. It also allows bulk modifications to an existing policy with the use of the overwrite keyword.

Default 

n/a

Parameters 
src-pol—
the source policy ID that the copy command will attempt to copy from
dst-pol—
the destination policy ID to which the command will copy the policy
overwrite—
specifies that the existing destination policy is to be replaced. Everything in the existing destination policy will be overwritten with the contents of the source policy. If overwrite is not specified for an existing policy ID, an error will occur.

11.4.2.3. Show Commands

Note:

The following command outputs are examples only; actual displays may differ depending on supported functionality and user configuration.

security-queue

Syntax 
security-queue [policy-id] [association | detail]
Context 
show>qos
Description 

This command displays security queue information.

Parameters 
policy-id—
specifies the ID of the security queue policy
Values—
1 to 65535

 

association—
displays information about the security queue policy associations
detail—
displays detailed information about the security queue policy
Output 

The following output is an example of security policy information, and Table 69 describes the fields.

Output Example
*A:7705custDoc:Sar18>show>qos# security-queue detail
===============================================================================
QoS Security Queue Policy
===============================================================================
Security Queue Policy Id (1)                        
-------------------------------------------------------------------------------
Policy-id     :1 
Description   :Default Security Queue policy
 
 
-------------------------------------------------------------------------------
Q     CIR      PIR      CBS      MBS      HiPrio
-------------------------------------------------------------------------------
1     1500     400000   10       5000000   10
2     3500     400000   40       5000000   10
-------------------------------------------------------------------------------
Associations
-------------------------------------------------------------------------------
MDA              :1/1 (Network Ingress)
MDA              :1/1 (Access Ingress)
MDA              :1/3 (Network Ingress)
MDA              :1/3 (Access Ingress)
MDA              :1/4 (Network Ingress)
MDA              :1/4 (Access Ingress)
MDA              :1/5 (Network Ingress)
MDA              :1/5 (Access Ingress)
MDA              :1/6 (Network Ingress)
MDA              :1/6 (Access Ingress)
-------------------------------------------------------------------------------
Security Queue Policy Id(2)
-------------------------------------------------------------------------------
Policy-id     :2 
Description   :Description for Security Queue Policy id #2
 
-------------------------------------------------------------------------------
Q     CIR      PIR      CBS      MBS      HiPrio
-------------------------------------------------------------------------------
1     1500     400000   10       5000000   10
2     3500     400000   40       5000000   10
-------------------------------------------------------------------------------
Associations
-------------------------------------------------------------------------------
MDA              :1/2 (Access Ingress)
 
-------------------------------------------------------------------------------
Security Queue Policy Id(3)
-------------------------------------------------------------------------------
Policy-id     :3 
Description   :Description for Security Queue Policy id #3
 
-------------------------------------------------------------------------------
Q     CIR      PIR      CBS      MBS      HiPrio
-------------------------------------------------------------------------------
1     1500     400000   10       5000000   10
2     3500     400000   40       5000000   10
-------------------------------------------------------------------------------
Associations
-------------------------------------------------------------------------------
MDA              :1/2 (Network Ingress)
===============================================================================
*A:7705custDoc:Sar18>show>qos#

Table 69:  Security Policy Command Output Fields

Label          Description
-------------  ----------------------------------------------------------------
QoS Security Queue Policy
Policy-id      The ID that uniquely identifies the security queue policy
Description    A text string that helps identify the security queue policy’s context in the configuration file
Q              The security queue identifier, either 1 or 2
CIR            The committed information rate for the security queue
PIR            The peak information rate for the security queue
CBS            The committed buffer space for the security queue
MBS            The maximum burst size for the security queue
HiPrio         The percentage of the queue used exclusively by high-priority packets
Associations
MDA            The adapter card slot number indicating the direction of traffic to which the security queue applies
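
The following Python script is an added example and is not part of the vendor documentation. It parses text in the layout of the security-queue detail output example above, checks each queue value against the Values ranges listed on this page, and reports values that differ from default policy 1. The function names, the sample text (including policy 7) and the assumption that the MBS column is shown in bytes are assumptions of this example.

```python
import re

# Constructed sample in the layout of the page's output example (not real device output).
SAMPLE = """\
Policy-id     :1
Description   :Default Security Queue policy
Q     CIR      PIR      CBS      MBS      HiPrio
1     1500     400000   10       5000000   10
2     3500     400000   40       5000000   10
MDA              :1/1 (Network Ingress)
Policy-id     :7
Description   :Constructed example policy
1     1500     200000   10       5000000   10
2     3500     400000   40       5000000   0
MDA              :1/2 (Access Ingress)
"""
COLS = ("CIR", "PIR", "CBS", "MBS", "HiPrio")
# Ranges from this page's parameter descriptions; assumes the MBS column is in bytes.
RANGES = {"CIR": (0, 100000000), "PIR": (1, 100000000),
          "CBS": (1, 131072), "MBS": (1, 134217728), "HiPrio": (1, 100)}
ROW = re.compile(r"^\s*([12])" + r"\s+(\d+)" * 5 + r"\s*$")
MDA = re.compile(r"^MDA\s*:(\S+)\s+\((.+)\)\s*$")

def parse(text):
    """Return {policy_id: {"queues": {q: {col: value}}, "mdas": [(mda, direction)]}}."""
    policies, cur = {}, None
    for line in text.splitlines():
        if line.startswith("Policy-id"):
            cur = {"queues": {}, "mdas": []}
            policies[int(line.split(":", 1)[1])] = cur
        elif cur is None:
            continue  # banner and prompt lines before the first policy
        elif m := ROW.match(line):
            cur["queues"][int(m[1])] = dict(zip(COLS, map(int, m.groups()[1:])))
        elif m := MDA.match(line):
            cur["mdas"].append((m[1], m[2]))
    return policies

def audit(policies, baseline=1):
    """Flag out-of-range values and values that differ from the default policy."""
    findings, base = [], policies.get(baseline, {"queues": {}})["queues"]
    for pid, pol in sorted(policies.items()):
        for q, vals in sorted(pol["queues"].items()):
            for col, val in vals.items():
                if not RANGES[col][0] <= val <= RANGES[col][1]:
                    findings.append((pid, q, col, val, "out of range"))
                elif val != base.get(q, {}).get(col, val):
                    findings.append((pid, q, col, val, "differs from policy 1"))
    return findings
```

The mdas list for each parsed policy shows which adapter cards and traffic directions a flagged policy applies to.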