Cisco Systems ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA Services Module, ASA 5505 Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing

23-10

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter23 Configuring QoS

Configuring QoS

Step4 Click Finish. The service policy rule is added to the rule table.

Step5 To configure policing, configure a service policy rule for the same interface in the Configuration >

Firewall > Service Policy Rules pane according to Chapter1, “Configuring a Service Policy.”

For policing traffic, you can choose to police all traffic that you are not prioritizing, or you can limit the

traffic to certain types.

Step6 In the Rule Actions dialog box, click the QoS tab.

Step7 Click Enable policing, then check the Input policing or Output policing (or both) check boxes to

enable the specified type of traffic policing. For each type of traffic policing, configure the following

fields:

•Committed Rate—The rate limit for this traffic flow; this is a value in the range 8000-2000000000,

specifying the maximum speed (bits per second) allowed.

•Conform Action—The action to take when the rate is less than the conform-burst value. Values are

transmit or drop.

•Exceed Action—Take this action when the rate is between the conform-rate value and the

conform-burst value. Values are transmit or drop.

•Burst Rate—A value in the range 1000-512000000, specifying the maximum number of

instantaneous bytes allowed in a sustained burst before throttling to the conforming rate value.

Step8 Click Finish. The service policy rule is added to the rule table.

Step9 Click Apply to send the configuration to the device.

Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing

You can configure traffic shaping for all traffic on an interface, and optionally hierarchical priority

queuing for a subset of latency-sensitive traffic.

Guidelines

•One side-effect of priority queuing is packet re-ordering. For IPsec packets, out-of-order packets

that are not within the anti-replay window generate warning syslog messages. These warnings are

false alarms in the case of priority queuing. You can configure the IPsec anti-replay window size to

avoid possible false alarms. See the Configuration > VPN > IPsec > IPsec Rules > Enable

Anti-replay window size option in the “Adding Crypto Maps” section on page3-10 in the VPN

configuration guide.

•For hierarchical priority queuing, you do not need to create a priority queue on an interface.

Restrictions

•For hierarchical priority queuing, for encrypted VPN traffic, you can only match traffic based on the

DSCP or precedence setting; you cannot match a tunnel group.

•For hierarchical priority queuing, IPsec-over-TCP traffic is not supported.

•Traffic shaping is only supported on the ASA 5505, 5510, 5520, 5540, and 5550. Multi-core models

(such as the ASA 5500-X) do not support shaping.

Cisco Systems Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing