Cisco ASA Traffic Policing and Shaping

This example applies to a Cisco ASA 5506-X running version 9.6.

The ASA offers two QoS mechanisms for rate control: policing and shaping. It's important to know the difference between the two so you can decide which one fits your network.

When using policing, packets that violate the policy are dropped or re-marked. If you want to cap both inbound and outbound traffic, for example to limit the bandwidth of a guest network so that one segment cannot saturate the WAN link, use traffic policing to limit the inbound and outbound rates. In this example I will limit the speed to 5 Mbps in each direction.

When using shaping, packets that exceed the policy are held in a queue and released at the configured rate rather than dropped, so the transmitted traffic conforms to the policy and packets are lost only if the queue itself fills up. Because it smooths bursts instead of discarding them, the author recommends shaping for sensitive traffic such as VoIP and streaming; on the ASA, shaping is normally combined with priority queuing so that latency-sensitive traffic such as VoIP is sent first from the shaped queue.

NOTE: Traffic shaping applies only to outbound traffic on an interface; inbound traffic cannot be shaped.

NOTE: Traffic shaping is only supported on the ASA 5505, 5510, 5520, 5540 and 5550 models. Multicore models (such as the 5500-X series, including the 5506-X used in this guide) do not support shaping. This guide therefore shows how to configure it, but it cannot actually be applied on this model of ASA.

Need a Cisco ASA for studying? Buy one here - https://amzn.to/2JnBp6G

Configuring Traffic Policing

1. In order to control inbound and outbound traffic, we need ACL entries for both directions based on the subnet we want to control. ACL entries can match a specific protocol, an entire subnet, or individual hosts.

NOTE: If you have multiple networks that you want to control at the same speed, create an object-group containing all of the subnets and reference that group as the source/destination in the access-list.

asa> enable
asa# configure terminal
(In->Out)
asa(config)# access-list LIMIT_ACL permit ip 10.0.0.0 255.255.255.0 any
(Out->In)
asa(config)# access-list LIMIT_ACL permit ip any 10.0.0.0 255.255.255.0

2. Next we create a class-map that matches the ACL. The class-map defines which traffic the upcoming policy-map will act on.

asa(config)# class-map ACL_MAP
asa(config-cmap)# match access-list LIMIT_ACL
asa(config-cmap)# exit

3. Next we create the policy-map, reference the class-map as its condition, and define what to do with traffic that conforms to and exceeds the rate. The rate is given in bits per second, so 5000000 is 5 Mbps.

asa(config)# policy-map POLICY_LIMIT
asa(config-pmap)# class ACL_MAP
asa(config-pmap-c)# police output 5000000 conform-action transmit exceed-action drop
asa(config-pmap-c)# police input 5000000 conform-action transmit exceed-action drop
asa(config-pmap-c)# exit
asa(config-pmap)# exit

4. Lastly we apply the policy-map to an interface. In our case we want to limit the bandwidth going out to the WAN, so we can apply the policy-map either to the outside interface or to the internal interface where the subnet lives. If instead you want to limit traffic to another subnet within your network, apply the policy-map to the interface that subnet sits behind.

IMPORTANT: In this example, since my policy-map limits input and output at the same rate, it does not matter which interface gets the policy-map; the effect is the same. If your input rate differs from your output rate, the interface does matter, because "input" and "output" are relative to the ASA interface, not to the user. For example, to limit a subnet to 100 Mbps download and 10 Mbps upload on its internal interface, police input is 10000000, because uploads enter the ASA on the internal interface, and police output is 100000000, because downloads leave the ASA through the internal interface. Picture the direction of the traffic flow through the interface and configure accordingly.

NOTE: Each interface can have only one service-policy applied at a time. Because of this I like to create a dedicated policy-map for each interface; if I later need to add more policies or classes to that interface, I add them to its policy-map instead of replacing it.

asa(config)# service-policy POLICY_LIMIT interface outside
or
asa(config)# service-policy POLICY_LIMIT interface inside

Below are the results of the policy on my Pixelbook.
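A complete configuration for the asymmetric case described in the IMPORTANT note (100 Mbps download and 10 Mbps upload for a guest network, policed on the inside interface), as an added example that is not part of the original post. The object-group, ACL, class-map and policy-map names, the second guest subnet, and the burst values are assumptions; rates are in bits per second and bursts in bytes.

```cisco
! Added example, not from the original post. Names, subnets, rates and
! bursts are assumptions. Goal: guest hosts get 10 Mbps up / 100 Mbps down.
object-group network GUEST_NETS
 network-object 10.0.0.0 255.255.255.0
 network-object 10.0.1.0 255.255.255.0
!
! One ACE per direction: traffic FROM the guests (upload) arrives as
! "input" on inside; traffic TO the guests (download) leaves as "output".
access-list GUEST_LIMIT_ACL extended permit ip object-group GUEST_NETS any
access-list GUEST_LIMIT_ACL extended permit ip any object-group GUEST_NETS
!
class-map GUEST_LIMIT_CLASS
 match access-list GUEST_LIMIT_ACL
!
! A policy-map dedicated to the inside interface, so more classes can be
! added later without replacing the interface's only service-policy.
policy-map INSIDE_POLICY
 class GUEST_LIMIT_CLASS
  ! rate in bits/s, conform-burst in bytes (chosen here as ~1 s of the rate)
  police input 10000000 1250000 conform-action transmit exceed-action drop
  police output 100000000 12500000 conform-action transmit exceed-action drop
!
service-policy INSIDE_POLICY interface inside
!
! Verification from privileged EXEC: the conformed/exceeded packet counters
! should climb under load, and a rising exceed-action drop count confirms
! the policer is actually enforcing the rate in that direction.
! show service-policy interface inside
! show service-policy police
! show running-config policy-map INSIDE_POLICY
```

When testing, generate traffic in one direction at a time and watch which counter moves: an upload test from a guest host should increment the input policer's exceeded count, a download test the output policer's. If the wrong counter moves, the input/output values are swapped for the interface you chose.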

Configuring Traffic Shaping

1. Shaping is applied to all traffic leaving an interface, so unlike policing it cannot be matched against our ACL: the shape command is only accepted under the built-in class-default class. Create the policy-map and specify the rate, in bits per second, that we want to shape traffic to.

asa(config)# policy-map POLICY_SHAPE
asa(config-pmap)# class class-default
asa(config-pmap-c)# shape average 5000000
asa(config-pmap-c)# exit
asa(config-pmap)# exit

2. And once again we apply our policy-map to an interface.

asa(config)# service-policy POLICY_SHAPE interface outside
or
asa(config)# service-policy POLICY_SHAPE interface inside

There are more precise and specific QoS configurations you can build on top of this, for example for FTP or VoIP, such as combining shaping with priority queuing so that delay-sensitive traffic is sent first from the shaped queue.
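An added example (not from the original post) of the more specific shaping configuration mentioned above: shape all outbound traffic on the outside interface to 5 Mbps and, within that shaped queue, send VoIP first using the ASA's hierarchical priority queuing. The class-map and policy-map names, the 5 Mbps rate, the burst value and matching VoIP on DSCP EF are assumptions; as noted earlier, shaping is only accepted on the shaping-capable models, not on the 5506-X.

```cisco
! Added example, not from the original post. Names, rate, burst and the
! DSCP EF match are assumptions. Only accepted on shaping-capable models.
!
! Traffic to be sent first: VoIP marked DSCP EF (46).
class-map VOIP_CLASS
 match dscp ef
!
! The nested policy gives the matched class the priority queue.
policy-map VOIP_PRIORITY
 class VOIP_CLASS
  priority
!
! Shaping is only allowed under class-default, i.e. all outbound traffic.
! rate in bits/s, burst in bytes (~100 ms of the rate chosen here);
! the nested service-policy attaches the priority queue to the shaped queue.
policy-map OUTSIDE_SHAPE
 class class-default
  shape average 5000000 62500
  service-policy VOIP_PRIORITY
!
! Shaping can only be applied to an interface, never globally.
service-policy OUTSIDE_SHAPE interface outside
!
! Verification:
! show service-policy interface outside shape
! show service-policy interface outside priority
```

With hierarchical priority queuing the priority queue lives inside the shaper, so the standard per-interface priority-queue command is not needed; check the shape and priority counters separately to confirm that the shaper is delaying bulk traffic while the VoIP class is being transmitted ahead of it.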

Visit Cisco's full documentation here -> QoS on the Cisco ASA Configuration Examples 
