topic QOS Problem: ASA won't let me match dscp in policy in Network Security

QOS Problem: ASA won't let me match dscp in policy

Dean Romanelli — Tue, 12 Mar 2019 06:48:49 GMT

Hi All,

I have an ASA 5505 and I am trying to configure QOS so that SIP & Polycom traffic will have priority. I am trusting DSCP in my LAN, and I know DSCP trust needs to be configured everywhere or the markings get dropped. My config is fine up to the point where I try to match dscp ef in the class-map on the ASA. I get the following:

FW180-SH5505-A# config t
FW180-SH5505-A(config)# class-map voip_qos_out
FW180-SH5505-A(config-cmap)# match access-list voip_priority_out
FW180-SH5505-A(config-cmap)# match dscp ef
ERROR: Multiple match commands are not supported except for the 'match tunnel-group or default-inspect-traffic' command.

After some digging, this appears to be bug CSCeh87405.

I need to know if my QOS will still work if I am only specifying the ACL as the match condition under the class-map or if I absolutely NEED to have the match dscp ef command for my dscp markings from the LAN to be trusted. Thanks in advance.

Full Config Below:

object-group network 8x8
network-object 192.xx.xx.0 255.255.255.0
network-object 192.xx.xx.0 255.255.255.0
network-object 63.xxx.xx.0 255.255.255.0
network-object 8.x.xxx.0 255.255.255.0
network-object 8.xx.x.0 255.255.252.0

object-group service 8x8_VOIP_Ports tcp-udp
port-object range 5196 5199
port-object range 5060 5061
port-object range 2222 2269
port-object eq 5299
port-object eq 5443

access-list voip_priority_out extended permit udp 192.168.180.0 255.255.255.0 object-group 8x8 object-group 8x8_VOIP_Ports
access-list voip_priority_out extended permit tcp 192.168.180.0 255.255.255.0 object-group 8x8 object-group 8x8_VOIP_Ports

access-list voip_priority_in extended permit udp object-group 8x8 192.168.180.0 255.255.255.0 object-group 8x8_VOIP_Ports
access-list voip_priority_in extended permit tcp 192.168.180.0 255.255.255.0 object-group 8x8 object-group 8x8_VOIP_Ports

priority-queue outside

class-map voip_qos_out
match access-list voip_priority_out

class-map voip_qos_in
match access-list voip_priority_in

policy-map Voicepolicy
class voip_qos_in
class voip_qos_out
priority

service-policy Voicepolicy interface outside

Hi Dean,

Akshay Rastogi — Fri, 30 Oct 2015 15:31:35 GMT

Hi Dean,

You could perform QoS by specifying only ACL in the class-map. dscp with ef bit is mainly used when you are performing priority on VPN traffic as "Type of Service (ToS) bits in the original IP header are copied to the IP header of the encrypted packet so that QoS policies can be enforced after encryption. This allows the DSCP/DiffServ bits to be used for priority anywhere in the QoS policy."

Please refer the link below to have clear understanding of only ACL based QoS :

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html#anc18

Regards,

Akshay Rastogi

Thank you Akshay.

Dean Romanelli — Fri, 30 Oct 2015 16:11:41 GMT

Thank you Akshay.

So in this case since the traffic is not riding over a VPN tunnel, I don't need to match dscp ef on the ASA even if I am trusting dscp everywhere in the LAN right? Will the ASA still honor the DSCP markings it gets from my LAN switch?

Hi Dean,

Akshay Rastogi — Fri, 30 Oct 2015 16:38:27 GMT

Hi Dean,

Yes, i belive so. As ASA would not be looking at the ToS bit here so, it will still honor DSCP marking and would classify/ match the traffic on the basis of IP address and ports mentioned in the access-list.

Regards,

Akshay Rastogi

Thanks Akshay.

Dean Romanelli — Fri, 30 Oct 2015 18:50:40 GMT

Thanks Akshay.

Now what if I wanted QOS on traffic that will be going into a VPN tunnel? Would I just replace the "match access-list voip_priority_out" under the class-map with "match dscp ef?" If so, would that be enough for the ASA to know what to give priority to without an ACL to match the traffic against?

Hi Dean,

Akshay Rastogi — Fri, 30 Oct 2015 19:02:53 GMT

Hi Dean,

Correct. It identifies the tunnel with the help of tunnel destination configuration present in class-map with match dscp ef.

The link I provided earlier has all the possible scenarios with configuration examples(check the index). It is a very good document to understand the configuration part and what could be done in what situation.

You could even configure QoS with ACL for VPN as well without using DSCP. refer the link below :

Hope that helps!

Regards,

Akshay Rastogi

Thanks Again.

Dean Romanelli — Fri, 30 Oct 2015 19:13:44 GMT

Thanks Again.

So anytime I am assigning QOS to any traffic flows that go over a VPN tunnel, whether I am matching dscp ef or not I would need the match tunnel-group command under the class map?