Quality of Service with Cisco ASA

Bin some years since I was working with Cisco ASA and QoS. I am into Cisco ASA performance optimising and tuning, it`s lots of fun to play around with different settings and get as much performance out of the ASA.

The ASA supports the following QoS features:

  • Priority queuing – To prioritize the packets that need prioritization like Voice over IP which is sensitive to latency. The ASA can only support Low Latency Queueing (LLQ).
  • Policing – To prevent traffic to consum all the network bandwidth by one user or one application. The policies restrict the bandwidth and can be applied to inbound and outbound traffic to an interface. The options are either drop or permit when the traffic exeed the limits.
  • Traffic shaping – Traffic that exceed the configured limits will be queued and sent when the traffic goes below the threshold. Traffic shaping will not drop packets that go over the threshold what is better for application which are sensitive to packet loss. Can be only applied to outgoing traffic on a physical interface and traffic shaping on ASA 5500-X models it is not supported.

Some information you need to keep in mind if you configure QoS on a Cisco ASA:

  • Supported in single context mode only. Does not support multiple context mode. Very sad because I prefer using virtual security contexts on ASAs.
  • QoS features can be only applied to physical interfaces (port-channel are not supported)
  • The ASA does not locally mark/remark any classified traffic.

See the following supported feature combinations per interface:

  • Standard priority queuing (for specific traffic) + Policing (for the rest of the traffic).
  • Traffic shaping (for all traffic on an interface) + Hierarchical priority queuing (for a subset of traffic).

In my case I have a Cisco ASA 5515-X and will do standard priority queuing and policing for the rest of the traffic.

Please always read the Cisco ASA Configuration Guide to ensure that your configuration is correct and supported!

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Quality of Service Configuration                         ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Class of Service	DSCP Marking (codepoint name)	    ::
:: Premium	        46 (EF)		                    ::
:: Business-1		26 (AF31)			    ::
:: Business-2		18 (AF21)		            ::
:: Standard		0				    ::
:: Management		34 (AF41)			    ::
:: Routing Protocol	48 (IP-Precedence 6)		    ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::   

class-map premium-qos-traffic
	match dscp 46
	exit

class-map business-1-qos-traffic
	match dscp 26
	exit

class-map business-2-qos-traffic
	match dscp 18
	exit		

policy-map transfer-uk-mpls_policy

	class premium-qos-traffic
		priority 
		exit

	class business-1-qos-traffic
		police output 8388500 conform-action transmit exceed-action transmit
		exit

	class business-2-qos-traffic
	 	police output 10485760 655360 conform-action transmit exceed-action drop
	 	exit

	class class-default
		police output 2097000 655360 conform-action transmit exceed-action drop
		exit

priority-queue transfer-uk-mpls
	exit

service-policy transfer-uk-mpls_policy interface transfer-uk-mpls