1-13
Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Configuring QoS
  Configuring QoS
Example 1-2 Priority and Policing Example
In this example, the maximum rate for traffic of the tcp_traffic class is 56,000 bits/second, with a 
maximum burst size of 10,500 bytes per second. For the TG1-BestEffort class, the maximum rate is 
200,000 bits/second, with a maximum burst of 37,500 bytes/second. Traffic in the TG1-voice class has 
no policed maximum speed or burst rate because it belongs to a priority class.
hostname(config)# access-list tcp_traffic permit tcp any any
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match access-list tcp_traffic
hostname(config)# class-map TG1-voice
hostname(config-cmap)# match tunnel-group tunnel-grp1
hostname(config-cmap)# match dscp ef
hostname(config-cmap)# class-map TG1-BestEffort
hostname(config-cmap)# match tunnel-group tunnel-grp1
hostname(config-cmap)# match flow ip destination-address
hostname(config)# policy-map qos
hostname(config-pmap)# class tcp_traffic
hostname(config-pmap-c)# police output 56000 10500
hostname(config-pmap-c)# class TG1-voice
hostname(config-pmap-c)# priority
hostname(config-pmap-c)# class TG1-BestEffort
hostname(config-pmap-c)# police output 200000 37500
hostname(config-pmap-c)# class class-default
hostname(config-pmap-c)# police output 1000000 37500
hostname(config-pmap-c)# service-policy qos global
Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing
You can configure traffic shaping for all traffic on an interface, and optionally hierarchical priority 
queuing for a subset of latency-sensitive traffic.
This section includes the following topics:
• (Optional) Configuring the Hierarchical Priority Queuing Policy, page 1-13
• Configuring the Service Rule, page 1-14
(Optional) Configuring the Hierarchical Priority Queuing Policy
You can optionally configure priority queuing for a subset of latency-sensitive traffic.
Guidelines
• One side-effect of priority queuing is packet re-ordering. For IPsec packets, out-of-order packets 
that are not within the anti-replay window generate warning syslog messages. These warnings are 
false alarms in the case of priority queuing. You can configure the IPsec anti-replay window size to 
avoid possible false alarms. See the crypto ipsec security-association replay command in the 
command reference.
• For hierarchical priority queuing, you do not need to create a priority queue on an interface.
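
The IPsec anti-replay guideline above can be reproduced with a short Python model. This is an added illustration, not part of the Cisco guide: it sends sequence-numbered packets through a strict-priority queue and then applies a simplified RFC 4303 anti-replay check, so you can see the out-of-window rejections appear with a small window and vanish with a larger one. The function names, the traffic mix (every 10th packet is voice, two arrivals per link tick) and the window sizes 64 and 1024 are assumptions chosen for the example.

```python
from collections import deque


def anti_replay_check(arrivals, window):
    """Simplified RFC 4303 receiver check over ESP sequence numbers.

    Returns (stale, replayed): packets that fell left of the window, and
    true duplicates inside it. A real receiver uses a bitmap, not a set.
    """
    highest, seen = 0, set()
    stale, replayed = [], []
    for seq in arrivals:
        if seq <= highest:
            if seq <= highest - window:
                stale.append(seq)      # out of window: the warning case
                continue
            if seq in seen:
                replayed.append(seq)   # genuine replay
                continue
        else:
            highest = seq              # window slides right
        seen.add(seq)
    return stale, replayed


def strict_priority_order(n, voice_every=10, arrivals_per_tick=2):
    """Constructed model of a congested egress link with a priority queue.

    Packets get sequence numbers 1..n as they are encrypted; every
    `voice_every`-th one is voice. The link sends one packet per tick and
    always serves the voice queue first, so voice overtakes queued data.
    """
    voice, best_effort = deque(), deque()
    sent, seq = [], 0
    while seq < n or voice or best_effort:
        for _ in range(arrivals_per_tick):
            if seq < n:
                seq += 1
                (voice if seq % voice_every == 0 else best_effort).append(seq)
        queue = voice or best_effort   # strict priority: voice first
        sent.append(queue.popleft())
    return sent


if __name__ == "__main__":
    wire = strict_priority_order(1000)       # constructed sample traffic
    for window in (64, 1024):                # example window sizes
        stale, replayed = anti_replay_check(wire, window)
        print(f"window={window}: {len(stale)} out-of-window, "
              f"{len(replayed)} replayed")
```

In this model every rejected packet is best-effort data that a later-numbered voice packet overtook, and none is a real replay, which is why the guide calls the resulting warnings false alarms.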