I am trying to traffic shape on my 5505. I can do the usual policing but as always with policing, it goes up and down and doesn't result in the best results.

I get the message about ERROR: 'shape' can only be configured for class "class-default", when trying to create my own class-map, though I can't figure out a way to tie the class-default map down by port.

Here's what I get when trying my own class and policy:

ASA(config)# class-map test
ASA(config-cmap)# match port tcp eq 80
ASA(config-cmap)# exit
ASA(config)# policy-map test
ASA(config-pmap)# ?

MPF policy-map configuration commands
  class        Policy criteria
  description  Specify policy-map description
  exit         Exit from MPF policy-map configuration mode
  help         Help for MPF policy-map configuration commands
  no           Negate or set default values of a command
  rename       Rename this policy-map
  <cr>
ASA(config-pmap)# class test
ASA(config-pmap-c)# ?

MPF policy-map class configuration commands:
  exit             Exit from MPF class action configuration mode
  help             Help for MPF policy-map class/match submode commands
  no               Negate or set default values of a command
  police           Rate limit traffic for this class
  priority         Strict scheduling priority for this class
  quit             Exit from MPF class action configuration mode
  service-policy   Configure QoS Service Policy
  set              Set connection values
  shape            Traffic Shaping
  user-statistics  configure user statistics for identity firewall
  <cr>
  csc              Content Security and Control service module
  flow-export      Configure filters for NetFlow events
  inspect          Protocol inspection services
  ips              Intrusion prevention services
ASA(config-pmap-c)# shape ?

mpf-policy-map-class mode commands/options:
  average  configure token bucket: CIR (bps) [Bc (bits)], send out Bc only per
           interval
ASA(config-pmap-c)# shape av
ASA(config-pmap-c)# shape average ?

mpf-policy-map-class mode commands/options:
  <64000-154400000>  Target Bit Rate (bits per second), the value needs to be
                     multiple of 8000
ASA(config-pmap-c)# shape average 64000
ERROR: 'shape' can only be configured for class "class-default"
ASA(config-pmap-c)#

Now, going off the class-default class, here's what I can do:

ASA(config)# policy-map tester
ASA(config-pmap)# ?

MPF policy-map configuration commands
  class        Policy criteria
  description  Specify policy-map description
  exit         Exit from MPF policy-map configuration mode
  help         Help for MPF policy-map configuration commands
  no           Negate or set default values of a command
  rename       Rename this policy-map
  <cr>
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# ?

MPF policy-map class configuration commands:
  exit             Exit from MPF class action configuration mode
  help             Help for MPF policy-map class/match submode commands
  no               Negate or set default values of a command
  police           Rate limit traffic for this class
  priority         Strict scheduling priority for this class
  quit             Exit from MPF class action configuration mode
  service-policy   Configure QoS Service Policy
  set              Set connection values
  shape            Traffic Shaping
  user-statistics  configure user statistics for identity firewall
  <cr>
  csc              Content Security and Control service module
  flow-export      Configure filters for NetFlow events
  inspect          Protocol inspection services
  ips              Intrusion prevention services

As you can see, I have no options to limit by port, etc.

Any ideas how I can achieve this?

For completeness, here's sh ver:

ASA(config-pmap-c)# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)206

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"

ASA up 2 hours 7 mins

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1

 0: Int: Internal-Data0/0    : address is e05f.b9ab.be21, irq 11
 1: Ext: Ethernet0/0         : address is e05f.b9ab.be19, irq 255
 2: Ext: Ethernet0/1         : address is e05f.b9ab.be1a, irq 255
 3: Ext: Ethernet0/2         : address is e05f.b9ab.be1b, irq 255
 4: Ext: Ethernet0/3         : address is e05f.b9ab.be1c, irq 255
<--- More --->

Thanks

fdf33

1 Answer

The short answer is that as of the current release (ASA 8.4.2) it is not possible to perform traditional QoS shape on specific traffic. The ASA can only shape all traffic on a given interface to a specified rate.

Use the following relevant section in the ASA QoS Configuration Guide as a complete reference. You may find this interesting as well.

Weaver
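
The behaviour the answer describes, as an added configuration sketch (not part of the original question or answer): `shape` goes under `class-default` and covers all traffic leaving one interface, and a nested priority policy can schedule a subset such as TCP/80 first inside that shaped rate without giving it its own rate. The interface name `outside`, the policy names `priority-sub-policy` and `shape-policy`, and the 2 Mbps rate are assumptions.

```cisco
! Added example; names, interface and rate are assumptions, not from the post.
!
! Traffic to schedule first inside the shaped rate
! (same match as the class-map in the question)
class-map test
 match port tcp eq 80
!
! Child policy: carries only the priority action
policy-map priority-sub-policy
 class test
  priority
!
! Parent policy: 'shape' is accepted only under class-default, so it
! applies to all traffic on the interface. The rate must be a multiple
! of 8000 within 64000-154400000 bps, as the CLI help above states.
policy-map shape-policy
 class class-default
  shape average 2000000
  service-policy priority-sub-policy
!
! Shaping acts on outbound traffic and is attached per interface
service-policy shape-policy interface outside
!
! Exec mode: check the shaped rate, queue depth and drops
show service-policy shape
```

The nested `priority` action changes the order in which queued packets leave, not how much bandwidth TCP/80 may use; a per-port rate cap on this release still means `police` under the custom class.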