This example uses a hierarchical QoS policy to shape all outbound traffic on the outside interface to 50 Mbps, like the shaping example, but it also specifies that voice packets with the Differentiated Services Code Point (DSCP) value “ef”, as well as Secure Shell (SSH) traffic, receive priority.
- Create the priority queue on the interface on which you want to enable the feature:
ciscoasa(config)#priority-queue outside1
ciscoasa(config-priority-queue)#queue-limit 2048 // max
ciscoasa(config-priority-queue)#tx-ring-limit 511 // max
ciscoasa(config)#priority-queue outside2
ciscoasa(config-priority-queue)#queue-limit 2048 // max
ciscoasa(config-priority-queue)#tx-ring-limit 511 // max
- An access list to identify the high-priority hosts:
access-list hiprio_acl extended permit ip any host 10.123.16.38
access-list hiprio_acl extended permit ip host 10.123.16.38 any
access-list hiprio_acl extended permit ip any host 10.123.16.39
access-list hiprio_acl extended permit ip host 10.123.16.39 any
- A class to match the high-priority traffic selected by hiprio_acl (used here in place of a DSCP ef match):
ciscoasa(config)# class-map hiprio_class
ciscoasa(config-cmap)# match access-list hiprio_acl
ciscoasa(config-cmap)# exit
- A class to match port TCP/22 SSH traffic:
ciscoasa(config)# class-map SSH
ciscoasa(config-cmap)# match port tcp eq 22
ciscoasa(config-cmap)# exit
- A policy map to apply prioritization of Voice and SSH traffic:
ciscoasa(config)# policy-map outside_qos_policy
ciscoasa(config-pmap)# class hiprio_class
ciscoasa(config-pmap-c)# priority
# ciscoasa(config-pmap-c)# class SSH
# ciscoasa(config-pmap-c)# priority
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
- A policy map to apply shaping to all traffic and attach prioritized Voice and SSH traffic:
ciscoasa(config)# policy-map outside_policy
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# shape average 50000000 //50Mbps
ciscoasa(config-pmap-c)# service-policy outside_qos_policy
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
- Finally attach the shaping policy to the interface on which to shape and prioritize outbound traffic:
ciscoasa(config)# service-policy outside_policy interface outside1
ciscoasa(config)# service-policy outside_policy interface outside2
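A consistency check for the configuration above, as an added example that is not part of the original page or of any Cisco tooling: it cross-references access lists, class maps and policy maps, and flags any that are defined but never applied, such as the SSH class whose `class SSH` lines are commented out. The sample text is constructed from the commands on this page, and the names `commands` and `audit` are hypothetical.

```python
import re

# Constructed sample: commands from the steps above, prompts and notes included.
SAMPLE = """\
access-list hiprio_acl extended permit ip any host 10.123.16.38
ciscoasa(config)# class-map hiprio_class
ciscoasa(config-cmap)# match access-list hiprio_acl
ciscoasa(config)# class-map SSH
ciscoasa(config-cmap)# match port tcp eq 22
ciscoasa(config)# policy-map outside_qos_policy
ciscoasa(config-pmap)# class hiprio_class
ciscoasa(config-pmap-c)# priority
# ciscoasa(config-pmap-c)# class SSH
# ciscoasa(config-pmap-c)# priority
ciscoasa(config)# policy-map outside_policy
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# shape average 50000000 //50Mbps
ciscoasa(config-pmap-c)# service-policy outside_qos_policy
ciscoasa(config)# service-policy outside_policy interface outside1
"""
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")

def commands(text):
    """Yield active commands as word lists: no prompts, '//' notes or '#' lines."""
    for line in map(str.strip, text.splitlines()):
        words = PROMPT.sub("", line).split("//")[0].split()
        if words and not line.startswith("#"):
            yield words

def audit(text):
    """Return findings for objects referenced but undefined, or defined but unused."""
    defined = {"access-list": set(), "class-map": set(), "policy-map": set()}
    used = {kind: set() for kind in defined}
    for w in commands(text):
        if w[0] in defined and len(w) > 1:
            defined[w[0]].add(w[1])
        elif w[:2] == ["match", "access-list"] and len(w) > 2:
            used["access-list"].add(w[2])
        elif w[0] == "class" and len(w) > 1 and w[1] != "class-default":
            used["class-map"].add(w[1])
        elif w[0] == "service-policy" and len(w) > 1:
            used["policy-map"].add(w[1])  # nested child policy or interface attachment
    findings = []
    for kind in defined:
        findings += [f"{kind} {n} referenced but not defined" for n in sorted(used[kind] - defined[kind])]
        findings += [f"{kind} {n} defined but never applied" for n in sorted(defined[kind] - used[kind])]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```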
QoS on the Cisco ASA Configuration Examples:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html
CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.13:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/configuration/firewall/asa-913-firewall-config/conns-qos.html
ASA 5500 Practical Techniques, Part 1:
https://blog.csdn.net/weixin_33863087/article/details/93093925
Implementing QoS on the ASA Firewall:
https://blog.51cto.com/u_511430/353065