topic Hi Dean, in Network Security

How to NOT bottleneck the inside interface of ASA when using Hierarchical Queuing for QOS

Dean Romanelli — Tue, 12 Mar 2019 06:58:23 GMT

Hi All,

I have the following on my ASA for VOIP QOS priority over a T-1 speed WAN:

class-map QOS-IN
match access-list qos_priority_in

class-map QOS_OUT
match access-list qos_priority_out

policy-map QOS-POLICY
class QOS-IN
priority
class QOS-OUT
priority

policy-map RATE-LIMIT:QOS-TRIGGER
class class-default
shape average 1536000
service-policy QOS-POLICY

service-policy RATE-LIMIT:QOS-TRIGGER interface outside

Question 1: In basic priority queuing, you specify "priority-queue outside." In the above type (Hierarchical), you do not. How can I ensure this policy will NOT also shape my inside interface to 1.5Mbps and will ONLY limit my outside port if I don't tell the ASA where the priority queue is in this method? I am assuming it is controlled by which interface you apply it to as in the last command above?

Question 2: The examples I've read only configure priority under the policy map for the outbound class map. However, I want the return traffic from my VOIP provider to also be prioritized to enter my LAN first. Due to that, I also set priority on the "QOS-IN" class under the policy map. Is that OK? Just want to ensure that including QOS-IN with priority under the policy-map that is being called by my shaping policy-map will not again cause my inside interface to bottleneck down to 1.5Mbps. Pretty sure it won't, since that flow is for outside-traffic-in and the policy is applied to the outside, but just want to be sure.

Hi Dean,

Akshay Rastogi — Wed, 02 Dec 2015 07:09:07 GMT

Hi Dean,

The last command mentioned 'service-policy' would take care of your policy and would apply only to Outside interface. It would not bottleneck you inside interface to 1.5mbps. This Answer your 1st Question.

When you apply a policy on an interface, it takes care of the traffic in 'in' and 'out' direction of that Interface. So this Answers you 2nd Question.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Thank you Akshay.

Dean Romanelli — Wed, 02 Dec 2015 16:47:50 GMT

Thank you Akshay.

So if the policy takes care of in and out, then I don't need to configure the QOS-IN class-map or call it in the policy-map or configure the ACL for the outside-in flow if the QOS-OUT class map, inside-out ACL & policy map applied to the outside will also prioritize the return traffic automatically right?

Hi Dean,

Akshay Rastogi — Thu, 03 Dec 2015 04:31:00 GMT

Hi Dean,

Yes, you are right. This outside policy will be applied to outbound and inbound traffic. You do not need to specifically configure QOS-IN. If the traffic matches in that oe access-list then that is enough to process.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Excellent. Thank you very

Dean Romanelli — Thu, 03 Dec 2015 15:21:19 GMT

Excellent. Thank you very much.