Chapter 24
Applying QoS Policies
The following example builds on the configuration developed in the previous section. As in the previous
example, there are two named class-maps: tcp_traffic and TG1-voice. Adding a third class-map:
hostname(config)# class-map TG1-best-effort
hostname(config-cmap)# match tunnel-group Tunnel-Group-1
hostname(config-cmap)# match flow ip destination-address
provides a basis for defining a tunneled and non-tunneled QoS policy, as follows, which creates a simple
QoS policy for tunneled and non-tunneled traffic, assigning packets of the class TG1-voice to the low
latency queue and setting rate limits on the tcp_traffic and TG1-best-effort traffic flows.
"Best effort" does not guarantee reliable packet delivery, in that it does not use a sophisticated
Note
acknowledgement system. It does, however, make a "best effort" to deliver packets to the destination.
In this example, the maximum rate for traffic of the tcp_traffic class is 56,000 bits/second and a
maximum burst size of 10,500 bytes per second. For the TC1-BestEffort class, the maximum rate is
200,000 bits/second, with a maximum burst of 37,500 bytes/second. Traffic in the TC1-voice class has
no policed maximum speed or burst rate because it belongs to a priority class:
hostname(config)# policy-map qos
hostname(config-pmap)# class tcp_traffic
hostname(config-pmap-c)# police output 56000 10500
hostname(config-pmap-c)# class TG1-voice
hostname(config-pmap-c)# priority
hostname(config-pmap-c)# class TG1-best-effort
hostname(config-pmap-c)# police output 200000 37500
hostname(config-pmap-c)# class class-default
hostname(config-pmap-c)# police output 1000000 37500
You can have up to 256 policy-maps, and up to 256 classes in a policy map. The maximum number of
Note
classes in all policy maps together is 256. For any class-map, you can have only one match statement
associated with it, with the exception of a tunnel class. For a tunnel class, an additional match
tunnel-group statement is allowed.
The class class-default always exists. It does not need to be declared.
Note
Activating the Service Policy
The service-policy command activates a policy-map command globally on all interfaces or on a targeted
interface. An interface can be a virtual (vlan) interface or a physical interface. Only one global
policy-map is allowed. If you specify the keyword interface and an interface name, the policy-map
applies only to that interface. An interface policy-map overrides a global policy-map, and only one
policy-map is allowed per interface. In general, a service-policy command can be applied to any
interface that can be defined by the nameif command.
Using the policy-map example in the previous section, the following service-policy command activates
the policy-map "qos," defined in the previous section, for traffic on the outside interface:
hostname(config)# service-policy qos interface outside
OL-10088-01
Cisco Security Appliance Command Line Configuration Guide
Activating the Service Policy
24-7