Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco QOS on ASA confusion

Hi All,

I am applying qos on my traffic on few different virtual interfaces that I have .

I have applies the shape and police on the internal interfaces as opposed to external on internet .

For example

I have


Internal 1

Internal 2

I know shape is for output or upload only  and police is for download/upload or input, am I correct ?

Now lets imagine we have my asa called asa1 and another website called yahoo

When someone behind network internal 1 tries to download from yahoo below is the process as I understand it

internal 1 send the traffic out to input of internet on asa then asa internet will forward this from output asa to yahoo . Yahoo then sends the data back which goes to internet in and then out to internal in and then out to internal out which is the host , is that right ?

so here is where I get confused,

I apply police output 3mbps to internal 1 which means all upload should be limited to 3 mb but that restricts the download as opposed to upload which is confusing me

unless my explanation above is incorrect then there is something wrong with my asa

manu thanks

New Member

Cisco QOS on ASA confusion

Hi there,

What you look to have done is applied a restriction in the wrong direction. Output from the internal interface is the download of the HTTP connection. The traffic out of the internal interface is heading towards your requesting host so that is why you have limited the download speed rather than upload.

If you were to place the output restriction to the interface to your ISP, the upload of the http connection would be restricted and the download left alone.

Hope that helps.