https://community.cisco.com/t5/network-security/asa-shaping-vs-policing/m-p/1175214#M860513 <HTML><HEAD></HEAD><BODY><P>I think you can configure "service-policy (class)" coomand on ASA for traffic shaping. Hierarchical priority queueing is used on interfaces on which you enable a traffic shaping queue. A subset of the shaped traffic can be prioritized. The standard priority queue is not used (the priority-queue command). </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1301526" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1301526</A></P></BODY></HTML> Thu, 30 Apr 2009 18:58:39 GMT 2009-04-30T18:58:39Z https://community.cisco.com/t5/network-security/asa-shaping-vs-policing/m-p/1175213#M860509 <P>Hi,</P><P></P><P>I'd like to apply individual shaping for different classes of traffic which are traversing an ASA.</P><P></P><P>The documentation of ASA (8.0) tells me that "Traffic shaping must be applied to all outgoing traffic on a physical interface or in the case of the ASA 5505, on a VLAN. You cannot configure traffic shaping for specific types of traffic."</P><P></P><P>So that means I can't divide the traffic into smaller subsets (for instance, IP-subnets) and shape them individually. I could do policing instead.</P><P></P><P>The problem I see here is that I have had bad experiences with policing in regards with performance of TCP-sessions. It's no surprise: If there is a threshhold over which every packet is just dropped, it triggers TCP to drop down and after a while to "build up" the used bandwidth, resulting in a sawtooth-pattern in used bandwidth. Shaping is much better in this regards, as it smoothens the used bandwidth perfectly to the set threshhold.</P><P></P><P>I could imagine that this problem is neglectible if there is a number of clients large enough falling into one class, as the problem distributes over more clients, but this is not always the case.</P><P></P><P>Can anybody please give some input here on how to tackle this problem, e.g. how to make policing work better or alternative solutions?</P><P></P><P>Thanks a lot,</P><P>Florian</P> Mon, 11 Mar 2019 15:23:14 GMT https://community.cisco.com/t5/network-security/asa-shaping-vs-policing/m-p/1175213#M860509 Florian Pressler 2019-03-11T15:23:14Z https://community.cisco.com/t5/network-security/asa-shaping-vs-policing/m-p/1175214#M860513 <HTML><HEAD></HEAD><BODY><P>I think you can configure "service-policy (class)" coomand on ASA for traffic shaping. Hierarchical priority queueing is used on interfaces on which you enable a traffic shaping queue. A subset of the shaped traffic can be prioritized. The standard priority queue is not used (the priority-queue command). </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1301526" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1301526</A></P></BODY></HTML> Thu, 30 Apr 2009 18:58:39 GMT https://community.cisco.com/t5/network-security/asa-shaping-vs-policing/m-p/1175214#M860513 2009-04-30T18:58:39Z