Tue, 04/15/2014 - 11:21
Jun 10th, 2009
User Badges:
  • Cisco Employee,


The purpose of this article is to educate ASA administrators on the QoS functionality that the ASAs can provide. We will explain briefly the QoS mechanisms that are supported and provide a couple of examples that will show how to use them.

  • Traffic Policing
  • When the total amount of traffic exceeds a certain limit, many times it is essential to be policed. In that way the bandwidth is not consumed by one user or one application and traffic restrictions are applied to preserve it. The firewall can police inbound and outbound traffic to an interface. There are options to either drop or permit the limit exceeding traffic on the firewall.

  • Traffic Shaping
  • Traffic shaping was introduced in ASA 7.2.4 and is also supported in the 8.0 and 8.1 trains. With traffic shaping traffic that exceeds certain limits is actually queued up/buffered and sent when the traffic goes below the threshold. That option will actually not drop packets that exceed the threshold and will work better for applications that are badly affected by packet loss.

  • Priority Queueueing
  • Priority queueing is the ability to prioritize the packets that need prioritization. These could be delay sensitive applications like voice. The firewall can only do Low Latency Queueing (LLQ), unlike the routers that can provide more sophisticated prioritization mechanisms (WFQ,CBWFQ etc).

    NOTE 1: The user has to bear in mind that traffic policed inbound on an interface cannot provide much as the packets have already hit the interface, which means they have already used the available bandwidth. There is an advantage of policing to a value a little less than the available download bandwidth and that is if we start dropping before oversubscribing the link TCP will converge to the optimal throughput value. Though, that  would be practically hard to achieve given that there are multiple flows going through the pipe.

    NOTE 2: Priority queueing needs to be used with policing or traffic shaping. The reason is that unless the link that LLQ is saturated the packets will not be prioritized. Usually the interfaces of the ASA can be 100Mbps or 1Gbps or more, so saturating these links isn't something that will happen often . But implementing policing or traffic shaping along with LLQ actually makes LLQ kick in at the point the policing or shaping limits are met.

    NOTE 3: If priority queueing is applied for applications running between two sites, it is advised to apply prioritization for the application traffic on both sites. The reason is that even prioritizing one side, the return traffic could be delayed and this could have the same effect as not prioritizing at all.

Traffic Policing with Prioritization

Lets assume that we have an ASA that is running voice over a VPN tunnel. And that we want to prioritize the voice traffic through the VPN. Also we want to police the VPN traffic that is not voice and the rest of the TCP traffic.

Lets say that the available upload bandwidth for the outside interface is 1Mbps. We want to dedicate 300kbps for the VPN, 100kbps of which will be guaranteed for voice (thus 200kbps for non-voice VPN traffic), 500kbps for the tcp traffic and 200kbps for everything else. Also, assume that the voice traffic is flagged with dscp field ef (as it is the default for most cases). The tunnel group name is tunnel-grp1.

</code></p><p><code></code></p><pre>ASA(config)# priority-queue outside<br/><br/>ASA(config)# access-list tcp-traffic-acl permit tcp any any<br/>ASA(config)# class-map tcp-traffic-class<br/>ASA(config-cmap)# match access-list tcp-traffic-acl<br/><br/>ASA(config)# class-map TG1-voice-class<br/>ASA(config-cmap)# match tunnel-group tunnel-grp1<br/>ASA(config-cmap)# match dscp ef<br/><br/>ASA(config-cmap)# class-map TG1-rest-class<br/>ASA(config-cmap)# match tunnel-group tunnel-grp1<br/>ASA(config-cmap)# match flow ip destination-address<br/><br/>ASA(config)# policy-map police-priority-policy<br/>ASA(config-pmap)# class tcp-traffic-class<br/>ASA(config-pmap-c)# police output 500000<br/>ASA(config-pmap-c)# class TG1-voice-class<br/>ASA(config-pmap-c)# priority<br/>ASA(config-pmap-c)# class TG1-rest-class<br/>ASA(config-pmap-c)# police output 200000<br/>ASA(config-pmap-c)# class class-default<br/>ASA(config-pmap-c)# police output 200000<br/><br/>ASA(config-pmap-c)# service-policy police-priority-policy interface outside</pre><p></p><p></p><h1><span class="mw-headline">Traffic Shaping with Prioritization</span></h1><p>Now, lets assume that we have the same ASA as in the previous case. And we now want to traffic shape all traffic and prioritize the voice through the VPN. In other words we will traffic shape all traffic for 900kbps, prioritize the voice and guarantee 100kbps for it. Again, we assume that the voice traffic is flagged with dhcp field ef and the tunnel group name is tunnel-grp1.</p><p></p><p><code></code></p><p><code>
ASA(config)# priority-queue outside

ASA(config)# class-map TG1-voice-class
ASA(config-cmap)# match tunnel-group tunnel-grp1
ASA(config-cmap)# match dscp ef

ASA(config-cmap)# policy-map priority-policy
ASA(config-pmap)# class TG1-voice-class
ASA(config-pmap-c)# priority

ASA(config-pmap-c)# policy-map shape-priority-policy
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# shape average 900000
ASA(config-pmap-c)# service-policy priority-policy

ASA(config-pmap-c)# service-policy shape-priority-policy interface outside

Viewing QoS statistics

To view the statistics the user can run "show" commands (the examples below do not relate to the ones above).

For the policing statistics:

</code></p><p><code></code></p><pre>ASA# show service-policy police<br/><br/>Global policy:<br/>     Service-policy: global_fw_policy<br/><br/>Interface outside:<br/>     Service-policy: qos<br/>          Class-map: browse<br/>               police Interface outside:<br/>                    cir 56000 bps, bc 10500 bytes<br/>                    conformed 10065 packets, 12621510 bytes; actions: transmit<br/>                    exceeded 499 packets, 625146 bytes; actions: drop<br/>                    conformed 5600 bps, exceed 5016 bps<br/>          Class-map: cmap2<br/>               police Interface outside:<br/>                    cir 200000 bps, bc 37500 bytes<br/>                    conformed 17179 packets, 20614800 bytes; actions: transmit<br/>                    exceeded 617 packets, 770718 bytes; actions: drop<br/>                    conformed 198785 bps, exceed 2303 bps</pre><p></p><p></p><p>For the prioritization statistics:</p><p><code></code></p><p><code>
ASA# show service-policy priority
Global policy:
     Service-policy: global_fw_policy

Interface outside:
     Service-policy: qos
          Class-map: TG1-voice-class
                    Interface outside: aggregate drop 0, aggregate transmit 9383

For the shaping statistics:


ASA# show service-policy shape

Interface outside:
  Service-policy: shape
    Class-map: class-default

      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0

      shape (average) cir 2000000, bc 16000, be 16000
      Service-policy: voip
        Class-map: voip

          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
        Class-map: class-default

          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
ccordes Wed, 02/03/2010 - 12:28
User Badges:

The second last line in the first paragraph of the 'Traffic Policing with Prioritization' section should read DSCP not DHCP.

flyinhorse Tue, 02/23/2010 - 12:23
User Badges:

can you apply the command priority-queue to sub-interfaces. Please check below for the sub interface config

interface GigabitEthernet0/1

no nameif

no security-level

no ip address


interface GigabitEthernet0/1.20

vlan 20

nameif Voice

security-level 50

ip address 10.xx.xx.xx


interface GigabitEthernet0/1.130

vlan 130

nameif User

security-level 50

ip address 192.168.xx.xx

when i do

config t

priority-queue ?

i dont see these sub interfaces listed. is there a way around this issue?

ccordes Tue, 02/23/2010 - 12:50
User Badges:

I am not certian.  Did you try 'priority-queue Voice' where Voice is the nameif value of the sub-interface?

ccordes Tue, 02/23/2010 - 12:56
User Badges:

This link has your answer:

According to that link:

Note: QoS is not supported on a subinterface,  only on the           main interface itself. If you configure QoS on an interface itself,  all the           sub-interfaces are also affected by the QoS.

It looks like you would have to apply a name the gig0/1 interface and apply QoS policies there.

flyinhorse Tue, 02/23/2010 - 13:18
User Badges:

so i did try it and it worked. the only question i have now is that since i tried it on a test asa i really dont know the impact bcoz a soon as i gave the physical int a name it put it in security level 0. So the question is can the physical and sub interfaces be on different security-levels or they have to be the same? i can test it out on a maintenance window but just thought might ask any how?

ccordes Tue, 02/23/2010 - 13:24
User Badges:

The physical and subinterfaces should be able to be in different security levels.  I haven't messed with this particular config much so you will have to try it.  Here is a link about configuring subinterfaces.  They have examples with the physical and sub-interfaces in different security levels:

Note that if you need traffic to pass between the subinterfaces, you may need 'same-security-traffic permit inter-interface' as described in that link at the end.

c.pangkerego Thu, 06/07/2012 - 19:05
User Badges:

Hi guys,

I'm curious.

I'm seeing the following line for voice:

match tunnel-group tunnel-grp1

But what's the example of "tunnel-grp1"?

On my ASA I have multiple tunnel-group.

I have tunnel-group site 1, tunnel-group site 2, tunnel-group site 3, tunnel-group site 4, tunnel-group site 5, tunnel-group for VPN client, tunnel-group defaultL2Lgroup, tunnel-group DefaultRAgroup.

Which one of those is the "tunnel-grp1" that I need to use?

Any direction will be appreciated.


ccordes Fri, 06/08/2012 - 10:05
User Badges:

The class-map matches specific traffic to be priortized.  This class-map is then used in the policy-map which specifies the action to take (here it is priortization of the traffic that matches the traffic defined in the class-map). 

In the original example which I copied below, the class-map called "TG1-voice-class" matches vpn traffic associated with the tunnel-group called "tunnel-grp1" which would normally define a peer for a specific site to site vpn tunnel.  There is an additional conditon to match EF tagged packets in this example.  So the tunnel group you use depends on what vpn traffic you are trying to priortize.   

There are other ways to match the "interesting" traffic for priortization in the class-map.  You can do it with ACLs, etc.  You use a class-map to define the traffic to be acted on.  The policy-map defines the action to take and the service-policy applies the policy-map to a specific interface or globally.


ASA(config)# class-map TG1-voice-class
ASA(config-cmap)# match tunnel-group tunnel-grp1
ASA(config-cmap)# match dscp ef
Roberto Kippins Tue, 07/23/2013 - 17:59
User Badges:

Man does this shyt always have to be so technical. There are alot cheap plastic routers out there you can get and just plug all the configs in through the web browser and its done, i love cisco equipment its great but i just thi k we spend alot of money on the equipment already it should be easier to configure. Not all that class map shyt you have to put in

ccordes Tue, 04/15/2014 - 11:21
User Badges:

Looks like you need to use the ASDM (ASA Device Manager) not the command line.

Martin Konov Wed, 07/24/2013 - 02:55
User Badges:

Hi guys,

I meet the following problem on Cisco ASA 5525X : the "shape average" command is not supported. All looks well policing, QoS is working but when you try to use shaping the command is not accepted it is not there. Any ideas ? Version : 9.1(2)

ccordes Tue, 04/15/2014 - 11:17
User Badges:

I haven't tried shaping on the 5525X but my ASA 5505 running 9.1(3) took the shaping config. You have to use nested policies to do shaping like this:


create the ACL "qos_priority_acl" to match prioritized traffic.

Then this is from my ASA, I added TEST so I would not mess with my existing policy-maps.


class-map qos_Priority_class
 match access-list qos_Priority_acl

policy-map qos_TEST-Priority_policy
 class qos_Priority_class


policy-map qos_TEST-Shape-Priority-outside_policy
 class class-default
  shape average 1600000
  service-policy qos_TEST-Priority_policy


You would then apply the "qos_TEST-Shape-Priority-outside_policy" policy to an interface using the service-policy command.

Martin Konov Thu, 07/25/2013 - 00:46
User Badges:


I found the answer to my question. The ASA 5500 X serias do not support Shaping. That is it.

doug.sullivan Tue, 04/15/2014 - 10:57
User Badges:

I'm assuming it's one or the other? Traffic Shaping w/ Prioritization OR Traffic Policing w/Prioritization?

You would not implement both at the same time?



This Document

Related Content