Priority Queueing
With priority queuing, you are able to place a specific class of traffic in the Low Latency Queue (LLQ), which is processed before the standard queue.
Note: If you prioritize traffic under a shaping policy, you cannot use inner packet details. The firewall can only perform LLQ, unlike the routers that can provide more sophisticated queuing and QoS mechanisms (Weighted Fair Queueing (WFQ), Class-Based Weighted Fair Queueing (CBWFQ), and so on).
The hierarchical QoS policy provides a mechanism for users to specify the QoS policy in a hierarchical fashion. For example, if users want to shape traffic on an interface and furthermore within the shaped interface traffic, provide priority queueing for VoIP traffic, then users can specify a traffic shaping policy at the top and a priority queuing policy under the shape policy. The hierarchical QoS policy support is limited in scope. The only option allowed is:
Traffic shaping at the top level
Priority queueing at the next level
Note: If you prioritize traffic under a shaping policy, you cannot use inner packet details. The firewall can only perform LLQ, unlike the routers that can provide more sophisticated queuing and QoS mechanisms (WFQ,CBWFQ, and so on).
This example uses the hierarchical QoS Policy in order to shape all outbound traffic on the outside interface to 2 Mbps like the shaping example but it also specifies that Voice packets with the Differentiated Services Code Point (DSCP) value "ef", as well as Secure Shell (SSH) traffic, shall receive priority.
Create the priority queue on the interface on which you want to enable the feature:
ciscoasa(config)#priority-queue outsideciscoasa(config-priority-queue)#queue-limit
2048ciscoasa(config-priority-queue)#tx-ring-limit 256
A class to match DSCP ef:
ciscoasa(config)# class-map Voice
ciscoasa(config-cmap)# match dscp ef
ciscoasa(config-cmap)# exit
A class to match port TCP/22 SSH traffic:
ciscoasa(config)# class-map SSH
ciscoasa(config-cmap)# match port tcp eq 22
ciscoasa(config-cmap)# exit
A policy map to apply prioritization of Voice and SSH traffic:
ciscoasa(config)# policy-map p1_priority
ciscoasa(config-pmap)# class Voice
ciscoasa(config-pmap-c)# priority
ciscoasa(config-pmap-c)# class SSH
ciscoasa(config-pmap-c)# priority
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
A policy map to apply shaping to all traffic and attach prioritized Voice and SSH traffic:
ciscoasa(config)# policy-map p1_shape
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# shape average 2000000
ciscoasa(config-pmap-c)# service-policy p1_priority
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
Finally attach the shaping policy to the interface on which to shape and prioritize outbound traffic:
ciscoasa(config)# service-policy p1_shape interface outside