
Can we use traffic shaping for specific traffic using an access list?

John Peterson
Level 1

I am not sure if this is only a feature in the ASA, but you are only able to shape traffic that is in the default class called 'class-default', and I am not able to find what the default class includes.

Is it possible to apply a policy where I can shape traffic based on an access list?

Also, when applying a policy for prioritization, should this not be applied on the inside and outside interfaces, therefore when packets enter the buffer of the inside interface they are processed first based on the prioritization class-map?

Thanks

13 Replies

Sundeep Dsouza
Level 1

There is a way in Cisco ASA to accomplish traffic shaping by using "Policing" which can be done using MQC.

John Peterson
Level 1

Thanks, but when using policing it will drop packets, whereas traffic shaping buffers them.

The ASA only allows shaping on class default, but I am not able to find what traffic class default includes.


Check this link, it may help.

https://supportforums.cisco.com/docs/DOC-1230

Regards

Hi Sundeep,

Thanks, I've already looked at this article, but I am still only able to shape 'A' certain type of traffic once and not via access-list. Also, there is no statement which explains what the default class includes.

Hello John,

What they were trying to tell you is that it is not possible; as Cisco says in their release notes, traffic shaping on the ASA is only supported via the default class.

Hope this helps!

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

In which case, how does the ASA determine the default class? And am I able to amend what the default class includes?

Hello John,

The ASA will match any packet from a protocol included on that default-class.

Now regarding your second query:

Am I able to amend what the default class includes?

No, in fact if you try to get into the class to configure it you will get the following error:

ERROR: % class-default is a well-known class and is not configurable under class-map

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

The ASA will match any packet from a protocol included on that default-class.

Which protocols are included in the default-class?

Hello John,

All of them lol.

If you do a:

sh run all | begi class-default

class-map class-default
 match any

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

WOW,

That's a lot of default classes. Julio, the issue I have is that apparently traffic shaping can only be configured with the default class. Therefore, if I have a 1000Kbps link and want to allocate http traffic 200Kbps, would I have to allocate 800Kbps to the default class and then in my class-map match the http traffic, which would then guarantee the remaining 200Kbps?

ASA(config)# priority-queue outside

ASA(config)# class-map TG1-voice-class
ASA(config-cmap)# match tunnel-group tunnel-grp1
ASA(config-cmap)# match dscp ef

ASA(config-cmap)# policy-map priority-policy
ASA(config-pmap)# class TG1-voice-class
ASA(config-pmap-c)# priority

ASA(config-pmap-c)# policy-map shape-priority-policy
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# shape average 900000
ASA(config-pmap-c)# service-policy priority-policy

ASA(config-pmap-c)# service-policy shape-priority-policy interface outside

The above example 'seems' to be that the default class is given 900000 and the remaining is allocated to the class TG1-voice-class?

Hello John,

That is correct. That should do it!

Regards.

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

John Peterson
Level 1

Hi, is this something which you have used before?


Hello John,

No..... but this is something that Cisco uses in its documents, so you can give it a try.

I mean the example they use in their documentation is almost the same as yours.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC