Jun 10, 2009 1:23 AM
Jun 10th, 2009


The purpose of this article is to educate ASA administrators on the QoS functionality that the ASAs can provide. We will explain briefly the QoS mechanisms that are supported and provide a couple of examples that will show how to use them.

  • Traffic Policing
  • When the total amount of traffic exceeds a certain limit, many times it is essential to be policed. In that way the bandwidth is not consumed by one user or one application and traffic restrictions are applied to preserve it. The firewall can police inbound and outbound traffic to an interface. There are options to either drop or permit the limit exceeding traffic on the firewall.

  • Traffic Shaping
  • Traffic shaping was introduced in ASA 7.2.4 and is also supported in the 8.0 and 8.1 trains. With traffic shaping traffic that exceeds certain limits is actually queued up/buffered and sent when the traffic goes below the threshold. That option will actually not drop packets that exceed the threshold and will work better for applications that are badly affected by packet loss.

  • Priority Queueueing
  • Priority queueing is the ability to prioritize the packets that need prioritization. These could be delay sensitive applications like voice. The firewall can only do Low Latency Queueing (LLQ), unlike the routers that can provide more sophisticated prioritization mechanisms (WFQ,CBWFQ etc).

    NOTE 1: The user has to bear in mind that traffic policed inbound on an interface cannot provide much as the packets have already hit the interface, which means they have already used the available bandwidth. There is an advantage of policing to a value a little less than the available download bandwidth and that is if we start dropping before oversubscribing the link TCP will converge to the optimal throughput value. Though, that  would be practically hard to achieve given that there are multiple flows going through the pipe.

    NOTE 2: Priority queueing needs to be used with policing or traffic shaping. The reason is that unless the link that LLQ is saturated the packets will not be prioritized. Usually the interfaces of the ASA can be 100Mbps or 1Gbps or more, so saturating these links isn't something that will happen often . But implementing policing or traffic shaping along with LLQ actually makes LLQ kick in at the point the policing or shaping limits are met.

    NOTE 3: If priority queueing is applied for applications running between two sites, it is advised to apply prioritization for the application traffic on both sites. The reason is that even prioritizing one side, the return traffic could be delayed and this could have the same effect as not prioritizing at all.

Traffic Policing with Prioritization

Lets assume that we have an ASA that is running voice over a VPN tunnel. And that we want to prioritize the voice traffic through the VPN. Also we want to police the VPN traffic that is not voice and the rest of the TCP traffic.

Lets say that the available upload bandwidth for the outside interface is 1Mbps. We want to dedicate 300kbps for the VPN, 100kbps of which will be guaranteed for voice (thus 200kbps for non-voice VPN traffic), 500kbps for the tcp traffic and 200kbps for everything else. Also, assume that the voice traffic is flagged with dscp field ef (as it is the default for most cases). The tunnel group name is tunnel-grp1.

ASA(config)# priority-queue outside

ASA(config)# access-list tcp-traffic-acl permit tcp any any
ASA(config)# class-map tcp-traffic-class
ASA(config-cmap)# match access-list tcp-traffic-acl

ASA(config)# class-map TG1-voice-class
ASA(config-cmap)# match tunnel-group tunnel-grp1
ASA(config-cmap)# match dscp ef

ASA(config-cmap)# class-map TG1-rest-class
ASA(config-cmap)# match tunnel-group tunnel-grp1
ASA(config-cmap)# match flow ip destination-address

ASA(config)# policy-map police-priority-policy
ASA(config-pmap)# class tcp-traffic-class
ASA(config-pmap-c)# police output 500000
ASA(config-pmap-c)# class TG1-voice-class
ASA(config-pmap-c)# priority
ASA(config-pmap-c)# class TG1-rest-class
ASA(config-pmap-c)# police output 200000
ASA(config-pmap-c)# class class-default
ASA(config-pmap-c)# police output 200000

ASA(config-pmap-c)# service-policy police-priority-policy interface outside

Traffic Shaping with Prioritization

Now, lets assume that we have the same ASA as in the previous case. And we now want to traffic shape all traffic and prioritize the voice through the VPN. In other words we will traffic shape all traffic for 900kbps, prioritize the voice and guarantee 100kbps for it. Again, we assume that the voice traffic is flagged with dhcp field ef and the tunnel group name is tunnel-grp1.

ASA(config)# priority-queue outside

ASA(config)# class-map TG1-voice-class
ASA(config-cmap)# match tunnel-group tunnel-grp1
ASA(config-cmap)# match dscp ef

ASA(config-cmap)# policy-map priority-policy
ASA(config-pmap)# class TG1-voice-class
ASA(config-pmap-c)# priority

ASA(config-pmap-c)# policy-map shape-priority-policy
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# shape average 900000
ASA(config-pmap-c)# service-policy priority-policy

ASA(config-pmap-c)# service-policy shape-priority-policy interface outside

Viewing QoS statistics

To view the statistics the user can run "show" commands (the examples below do not relate to the ones above).

For the policing statistics:

ASA# show service-policy police

Global policy:
     Service-policy: global_fw_policy

Interface outside:
     Service-policy: qos
          Class-map: browse
               police Interface outside:
                    cir 56000 bps, bc 10500 bytes
                    conformed 10065 packets, 12621510 bytes; actions: transmit
                    exceeded 499 packets, 625146 bytes; actions: drop
                    conformed 5600 bps, exceed 5016 bps
          Class-map: cmap2
               police Interface outside:
                    cir 200000 bps, bc 37500 bytes
                    conformed 17179 packets, 20614800 bytes; actions: transmit
                    exceeded 617 packets, 770718 bytes; actions: drop
                    conformed 198785 bps, exceed 2303 bps

For the prioritization statistics:

ASA# show service-policy priority
Global policy:
     Service-policy: global_fw_policy

Interface outside:
     Service-policy: qos
          Class-map: TG1-voice-class
                    Interface outside: aggregate drop 0, aggregate transmit 9383

For the shaping statistics:

ASA# show service-policy shape

Interface outside:
  Service-policy: shape
    Class-map: class-default

      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0

      shape (average) cir 2000000, bc 16000, be 16000
      Service-policy: voip
        Class-map: voip

          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
        Class-map: class-default

          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
Average Rating: 5 (1 ratings)


ccordes Wed, 02/03/2010 - 12:28

The second last line in the first paragraph of the 'Traffic Policing with Prioritization' section should read DSCP not DHCP.

flyinhorse Tue, 02/23/2010 - 12:23

can you apply the command priority-queue to sub-interfaces. Please check below for the sub interface config

interface GigabitEthernet0/1

no nameif

no security-level

no ip address


interface GigabitEthernet0/1.20

vlan 20

nameif Voice

security-level 50

ip address 10.xx.xx.xx


interface GigabitEthernet0/1.130

vlan 130

nameif User

security-level 50

ip address 192.168.xx.xx

when i do

config t

priority-queue ?

i dont see these sub interfaces listed. is there a way around this issue?

ccordes Tue, 02/23/2010 - 12:50 (reply to flyinhorse)

I am not certian.  Did you try 'priority-queue Voice' where Voice is the nameif value of the sub-interface?

ccordes Tue, 02/23/2010 - 12:56 (reply to flyinhorse)

This link has your answer:

According to that link:

Note: QoS is not supported on a subinterface,  only on the           main interface itself. If you configure QoS on an interface itself,  all the           sub-interfaces are also affected by the QoS.

It looks like you would have to apply a name the gig0/1 interface and apply QoS policies there.

flyinhorse Tue, 02/23/2010 - 13:18 (reply to flyinhorse)

so i did try it and it worked. the only question i have now is that since i tried it on a test asa i really dont know the impact bcoz a soon as i gave the physical int a name it put it in security level 0. So the question is can the physical and sub interfaces be on different security-levels or they have to be the same? i can test it out on a maintenance window but just thought might ask any how?

ccordes Tue, 02/23/2010 - 13:24 (reply to flyinhorse)

The physical and subinterfaces should be able to be in different security levels.  I haven't messed with this particular config much so you will have to try it.  Here is a link about configuring subinterfaces.  They have examples with the physical and sub-interfaces in different security levels:

Note that if you need traffic to pass between the subinterfaces, you may need 'same-security-traffic permit inter-interface' as described in that link at the end.

c.pangkerego Thu, 06/07/2012 - 19:05

Hi guys,

I'm curious.

I'm seeing the following line for voice:

match tunnel-group tunnel-grp1

But what's the example of "tunnel-grp1"?

On my ASA I have multiple tunnel-group.

I have tunnel-group site 1, tunnel-group site 2, tunnel-group site 3, tunnel-group site 4, tunnel-group site 5, tunnel-group for VPN client, tunnel-group defaultL2Lgroup, tunnel-group DefaultRAgroup.

Which one of those is the "tunnel-grp1" that I need to use?

Any direction will be appreciated.


ccordes Fri, 06/08/2012 - 10:05

The class-map matches specific traffic to be priortized.  This class-map is then used in the policy-map which specifies the action to take (here it is priortization of the traffic that matches the traffic defined in the class-map). 

In the original example which I copied below, the class-map called "TG1-voice-class" matches vpn traffic associated with the tunnel-group called "tunnel-grp1" which would normally define a peer for a specific site to site vpn tunnel.  There is an additional conditon to match EF tagged packets in this example.  So the tunnel group you use depends on what vpn traffic you are trying to priortize.   

There are other ways to match the "interesting" traffic for priortization in the class-map.  You can do it with ACLs, etc.  You use a class-map to define the traffic to be acted on.  The policy-map defines the action to take and the service-policy applies the policy-map to a specific interface or globally.


ASA(config)# class-map TG1-voice-class
ASA(config-cmap)# match tunnel-group tunnel-grp1
ASA(config-cmap)# match dscp ef
robertokippins Tue, 07/23/2013 - 17:59

Man does this shyt always have to be so technical. There are alot cheap plastic routers out there you can get and just plug all the configs in through the web browser and its done, i love cisco equipment its great but i just thi k we spend alot of money on the equipment already it should be easier to configure. Not all that class map shyt you have to put in

Martin_Konov Wed, 07/24/2013 - 02:55

Hi guys,

I meet the following problem on Cisco ASA 5525X : the "shape average" command is not supported. All looks well policing, QoS is working but when you try to use shaping the command is not accepted it is not there. Any ideas ? Version : 9.1(2)

ccordes Tue, 04/15/2014 - 11:17 (reply to Martin_Konov)

I haven't tried shaping on the 5525X but my ASA 5505 running 9.1(3) took the shaping config. You have to use nested policies to do shaping like this:


create the ACL "qos_priority_acl" to match prioritized traffic.

Then this is from my ASA, I added TEST so I would not mess with my existing policy-maps.


class-map qos_Priority_class
 match access-list qos_Priority_acl

policy-map qos_TEST-Priority_policy
 class qos_Priority_class


policy-map qos_TEST-Shape-Priority-outside_policy
 class class-default
  shape average 1600000
  service-policy qos_TEST-Priority_policy


You would then apply the "qos_TEST-Shape-Priority-outside_policy" policy to an interface using the service-policy command.

Martin_Konov Thu, 07/25/2013 - 00:46


I found the answer to my question. The ASA 5500 X serias do not support Shaping. That is it.

doug.sullivan Tue, 04/15/2014 - 10:57

I'm assuming it's one or the other? Traffic Shaping w/ Prioritization OR Traffic Policing w/Prioritization?

You would not implement both at the same time?



Login or Register to take actions

This Document

Posted June 10, 2009 at 1:23 AM
Comments:18 Avg. Rating:5
Views:88503 Contributors:7
Tags: asa_5500, qos, tac

Related Content

Documents Leaderboard