It may be desirable to rate-limit traffic to various hosts or subnets on your network. The Cisco ASA has some very limited QoS capabilities built in (better QoS features are available on Cisco IOS routers). To apply a basic rate limit, use the “policing” feature. It is configured by matching a class of traffic with a “class-map”, defining what to do with that class in a “policy-map” (here, “police” it at a given rate), and then applying the policy to an interface with the “service-policy” command. *NOTE* only one service-policy may be active on an interface at a time, so every QoS action you want on that interface has to be a class inside that one policy-map. More details and examples are in the Cisco documentation linked below.

The priority queue part is optional if you just want rate-limiting (policing). While implementing a priority queue and/or policing policy, you will likely need to determine an appropriate transmit ring limit (tx-ring-limit) as well as a policing token bucket size (bc, burst committed). The default bucket size is based on 250 ms of traffic at the policing rate (cir, committed information rate), which is a reasonable default. There is a useful calculation worksheet for the tx-ring limit in the following documents. For the token bucket (bc) size, calculate the number of bytes that will be sent at your full committed rate (cir) in 250 ms (1/4 second), or in your preferred policing interval: bc (bytes) = cir (bits per second) / 8 × 0.25. For example, a 5 Mbps cir gives 5,000,000 / 8 × 0.25 = 156,250 bytes.
These QoS features all work on outgoing traffic on an interface, but only policing works on incoming traffic. To apply priority or shaping to traffic that enters the device on one interface, configure an outgoing policy on the interface it leaves through, i.e. the interface on the opposite side of the device. The directionality of each QoS feature is listed in the following Cisco document: Configuring a Service Policy – Feature Directionality. View the QoS configuration with:
- show priority-queue config INTERFACE-NAME
- show run priority-queue INTERFACE-NAME
- show run class-map
- show run policy-map
- show run service-policy
Monitor QOS status with:
- show service-policy interface INTERFACE-NAME
- show priority-queue statistics
NOTE: New QoS rules or changes DO NOT AFFECT EXISTING CONNECTIONS! The ASA assigns a connection to its QoS class (policing, priority, etc.) at the time the connection is established; ongoing connections are not re-evaluated when rules change. To force all connections to be re-established, use the DANGEROUS command “clear conn” (THIS WILL DROP ALL EXISTING CONNECTIONS). If you only need the new policy applied to a particular host, “clear conn address HOST-IP” drops just that host’s connections instead of everything on the box.
Here’s a sample priority queue config for VoIP traffic assuming two named interfaces (inside & outside) with an estimated bandwidth of 25 Mbps download and a matching 25 Mbps upload. Note that the tx-ring-limit is set in priority-queue configuration mode, so it is a subcommand of “priority-queue INTERFACE-NAME” rather than a single-line command.

! Calculate Transmit Ring Size (in number of packets)
! Note that delay (20 ms here) can be changed to match your requirements
! 125 is a conversion factor, 1 Mbps = 125 bytes per millisecond
! 1538 bytes is a maximum-size Ethernet frame on the wire (1518 bytes plus preamble and inter-frame gap)
! 25 (Mbps) * 125 / 1538 (bytes) * 20 (ms) = 40 (rounded down)
priority-queue outside
 tx-ring-limit 40
priority-queue inside
 tx-ring-limit 40
! Define class for VoIP traffic
! Match the Differentiated Services Code Point (DSCP) "Expedited Forwarding" (EF)
class-map voip
 match dscp ef
! Give priority to VoIP packets
policy-map outside-policy
 description Apply QoS
 class voip
  priority
policy-map inside-policy
 description Apply QoS
 class voip
  priority
! Apply the QoS policies to the interfaces to prioritize voice
service-policy outside-policy interface outside
service-policy inside-policy interface inside
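The config above only covers the priority queue; the policing side described at the top of the post is shown here as an added example (my own configuration, not from the original post or Cisco's documentation). It rate-limits a guest subnet to 5 Mbps in each direction on the inside interface. The subnet 192.168.50.0/24, the interface name "inside", and the names guest-net, guest-class and guest-policy are assumptions for the example; the bc value is the 250 ms calculation from the text.

```cisco
! Added example, not part of the original post.
! Police the guest subnet 192.168.50.0/24 (assumed) to 5 Mbps each way.
!
! Token bucket: bc = cir / 8 * 0.25 s = 5,000,000 / 8 * 0.25 = 156,250 bytes
!
! Match the subnet in both directions. The ASA classifies a connection when it
! is established, so listing both directions makes the intent explicit and also
! catches connections that are initiated toward the guest subnet.
access-list guest-net extended permit ip 192.168.50.0 255.255.255.0 any
access-list guest-net extended permit ip any 192.168.50.0 255.255.255.0
!
class-map guest-class
 match access-list guest-net
!
! Policing is the one QoS action that works on incoming traffic, so both
! directions can be handled on the inside interface alone:
!   police input  = packets entering the ASA from the guest subnet (upload)
!   police output = packets leaving the ASA toward the guest subnet (download)
! conform-rate is in bits per second, conform-burst (bc) in bytes.
! conform-action transmit / exceed-action drop are the defaults, spelled out here.
policy-map guest-policy
 description Rate-limit guest subnet to 5 Mbps
 class guest-class
  police input 5000000 156250 conform-action transmit exceed-action drop
  police output 5000000 156250 conform-action transmit exceed-action drop
!
! Only one service-policy is allowed per interface. If "inside" already carries
! a policy (e.g. inside-policy from the VoIP example above), add "class guest-class"
! with the two police lines to that policy-map instead of applying a second one.
service-policy guest-policy interface inside
```

After applying it, “show service-policy interface inside” lists the conformed and exceeded packet/byte counters per class, which is the quickest way to confirm the class is actually matching. Remember the caveat above: connections that were already open when the policy was applied keep their old classification, so a long-running download from the guest subnet will not be limited until it is re-established (or cleared with “clear conn address HOST-IP”).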