Cisco ASA 5520 QoS Priority with Outbound Policing Policy

Posted on 2011-05-02
Last Modified: 2012-06-22
Recently I configured my ASA so that it matches my 100Mbit upload at a Gigabit uplink, and it's working perfectly (no longer dropping packets).

Now I need the above solution to work with priority queues, and not reserving bandwidth.

What I want is to be able to use my full 100Mbit as I do now, but if certain traffic types are used, they get a priority, not always 100% but a certain percentage or a certain limit.

Example: if I'm downloading via newsgroup, Microsoft Download Manager, or plain browser and that's all, I want my full 100Mbit available, but if I'm downloading and playing WoW, or Netflix, or on the phone, I want to give a priority to the traffic, but not kill it off. Also SIP phones via SIP/H323 etc.

Mind sending me an example of the service policy I'd use, a couple of examples?
Question by: TestMonkey

    Expert Comment

    AFAIK, you can't do the classification and prioritization in the ASA.  The ASA can honor DSCP information sent from other devices and pass that through properly, but unless your ISP is marking traffic, or unless you put a router in front of the firewall to classify and mark traffic, I'm not sure you can accomplish what it sounds to me like you're looking for.

    Accepted Solution

    I stand (somewhat) corrected.  You can use ACLs to identify traffic and apply to a class-map, but whether there are enough differences in the traffic you want to identify to allow you to separate out different classes, I don't know.  Also, the ASA only supports priority queueing, policing and shaping.  Based on what you describe, you could identify SIP traffic and place that in the priority queue.  For other traffic, though, you may have a harder time identifying the traffic, especially if it's really just HTTP.  For example, I haven't investigated Netflix traffic to see if it runs over an identifiable port or if it's just HTTP.

    You can look at the config guide at

    Also there are some tech notes that may help such as
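
A sketch of the approach the accepted solution describes (an ACL feeding a class-map, SIP placed in the priority queue, everything else policed), added here as an example and not configuration posted by anyone in the thread. Assumptions: the egress interface is named `outside`, SIP signalling uses the standard port 5060, voice media arrives already marked DSCP EF, and the ACL, class-map and policy-map names are made up for illustration.

```cisco
! Added example; interface name and all object names are assumptions.

! Create the low-latency (priority) queue on the egress interface.
priority-queue outside

! Identify SIP signalling by its standard port.
access-list VOICE-SIP extended permit udp any any eq 5060
access-list VOICE-SIP extended permit tcp any any eq 5060

class-map VOICE-SIG
 match access-list VOICE-SIP

! Voice media that phones or an upstream device have already marked EF.
class-map VOICE-MEDIA
 match dscp ef

policy-map OUTSIDE-QOS
 class VOICE-SIG
  priority
 class VOICE-MEDIA
  priority
 class class-default
  police output 100000000

! The police rate above is in bits per second (100 Mbit/s).
! priority and police cannot be applied to the same class.
service-policy OUTSIDE-QOS interface outside
```

`show service-policy priority`, `show service-policy police` and `show priority-queue statistics outside` show whether packets are matching each class and whether either queue is dropping.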

