Applying Rate Limiting - Cisco FirePOWER ASA 5500 series Configuration Manual


For example, TCP traffic with a port value of 23 can be classified as a Telnet traffic class. Within a
policy-map, each class command refers to a previously defined class-map by name, and the actions for
that class follow immediately after it.
The security appliance evaluates class-maps in the order in which they were entered in the policy-map
configuration and assigns a packet to the first class-map that matches it.
Note
The order in which different types of actions in a policy-map are performed is independent of the order
in which the actions appear in the command descriptions in this document.
The priority command provides low-latency queuing for delay-sensitive traffic, such as voice. This
command selects all packets that match the associated class (TG1-voice in the previous example) and
sends them to the low latency queue for priority processing.
Applying Rate Limiting
Every user's Bandwidth Limiting Traffic stream (BLT) can be subject to maximum bandwidth limiting,
that is, strict policing, which rate-limits that user's default traffic to a configured maximum rate. This
prevents any one user's BLTs from overwhelming any other. LLQ traffic, however, is marked and
processed downstream in a priority queue; LLQ traffic is not rate-limited.
Policing ensures that no traffic exceeds the maximum rate (bits per second) that you configure, so that
no single traffic flow can take over the entire resource. You use the police command to specify the
maximum rate (that is, the rate limit for this traffic flow); this is a value in the range 8000-2000000000,
specifying the maximum speed (bits per second) allowed.
You also specify what action, drop or transmit, to take for traffic that conforms to the limit and for traffic
that exceeds the limit.
Note
You can specify the drop action, but it is not functional. The action is always to transmit, except when
the rate is exceeded, and even then, the action is to throttle the traffic to the maximum allowable speed.
The police command also configures the largest single burst of traffic allowed. A burst value in the range
1000-512000000 specifies the maximum number of instantaneous bytes allowed in a sustained burst
before throttling to the conforming rate value.
Policing can apply in both the input and output directions.
Note
You cannot enable both priority and policing together.
If a service policy is applied or removed from an interface that has existing VPN client/LAN-to-LAN or
non-tunneled traffic already established, the QoS policy is not applied or removed from the traffic
stream. To apply or remove the QoS policy for such connections, you must clear (that is, drop) the
connections and re-establish them.
Note
When policing is specified in the default class map, class-default, the police values of class-default are
applied to the aggregated LAN-to-LAN VPN flow if no police command is defined for the tunnel-group of
the LAN-to-LAN VPN. In other words, the policing values of class-default apply to the encrypted tunnel
as a whole and are never applied to the individual pre-encryption flows inside a LAN-to-LAN VPN.
Cisco Security Appliance Command Line Configuration Guide
24-6
Chapter 24
Applying QoS Policies
OL-10088-01
