54-3
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter54 Configuring QoS
Information About QoS
For traffic shaping, a token bucket permits burstiness but bounds it. It guarantees that the burstiness is
bounded so that the flow will never send faster than the token bucket capacity, divided by the time
interval, plus the established rate at which tokens are placed in the token bucket. See the following
formula:
(token bucket capacity in bits / time interval in seconds) + established rate in bps = maximum flow speed
in bps
This method of bounding burstiness also guarantees that the long-term transmission rate will not exceed
the established rate at which tokens are placed in the bucket.
Information About Policing
Policing is a way of ensuring that no traffic exceeds the maximum rate (in bits/second) that you
configure, thus ensuring that no one traffic flow or class can take over the entire resource. When traffic
exceeds the maximum rate, the ASA drops the excess traffic. Policing also sets the largest single burst
of traffic allowed.
Information About Priority Queuing
LLQ priority queuing lets you prioritize certain traffic flows (such as latency-sensitive traffic like voice
and video) ahead of other traffic.
The ASA supports two types of priority queuing:
Standard priority queuing—Standard priority queuing uses an LLQ priority queue on an interface
(see the “Configuring the Standard Priority Queue for an Interface” section on page54-7), while all
other traffic goes into the “best effort” queue. Because queues are not of infinite size, they can fill
and overflow. When a queue is full, any additional packets cannot get into the queue and are
dropped. This is called tail drop. To avoid having the queue fill up, you can increase the queue buffer
size. You can also fine-tune the maximum number of packets allowed into the transmit queue. These
options let you control the latency and robustness of the priority queuing. Packets in the LLQ queue
are always transmitted before packets in the best effort queue.
Hierarchical priority queuing—Hierarchical priority queuing is used on interfaces on which you
enable a traffic shaping queue. A subset of the shaped traffic can be prioritized. The standard priority
queue is not used. See the following guidelines about hierarchical priority queuing:
Priority packets are always queued at the head of the shape queue so they are always transmitted
ahead of other non-priority queued packets.
Priority packets are never dropped from the shape queue unless the sustained rate of priority
traffic exceeds the shape rate.
For IPsec-encrypted packets, you can only match traffic based on the DSCP or precedence
setting.
IPsec-over-TCP is not supported for priority traffic classification.