ASA 5505 with BTnet SIP - Policing and Priority Queing settings

Ian Walker — Tue, 12 Mar 2019 04:52:32 GMT

From my own research I've put together this config for an ASA 5505 (9.0) to prioritse SIP and police IP traffic for the BT SIP service over BTnet

All comments welcome. As I understand it, you prioritise outgoing SIP/RTP traffic on the "outside" interface and police ip traffic on the "inside" interface?

BTnet SIP service with the following topology

Part 1 of 2 :

Set up Priority Queing for outgoing SIP and RTP traffic

! Enable a priority queue on the outside interface
priority-queue outside

! Create rtp object-group

object-group service rtp udp

port-object range 49152 65535

! ACL for SIP and RTP From dmz

access-list VoIP-Traffic-OUT extended permit tcp 192.168.0.0 255.255.255.0 host 85.119.63.4 eq sip

access-list VoIP-Traffic-OUT extended permit udp 192.168.0.0 255.255.255.0 host 85.119.63.4 object-group rtp

! Class Map - Match the ACL
class-map Voice-OUT match access-list VoIP-Traffic-OUT exit

!create a class map to identify the traffic for which you want to perform priority queuing.
policy-map PRIORITY-POLICY class Voice-OUT priority

! Identify all traffic for traffic shaping; you can only use the class-default class map, which is defined as match any, because the security appliance requires all traffic to be matched for traffic shaping.

policy-map QOS-TRAFFIC-OUT

class class-default

shape average 10000000

!(10Mbps Upload)

service-policy PRIORITY-POLICY

!
! Apply the shaping policy to the outside interface
service-policy QOS-TRAFFIC-OUT interface outside

! Show Commands :

ASA#show service-policy priority

ASA#show service-policy shape

ASA#show service-policy policy

Part 2 of 2 :

Configure traffic policing for incoming and outgoing ip traffic to the Data LAN (Inside interface)

! Traffic Policing – incoming and outgoing – per interface

access-list DataLAN extended permit ip 172.23.127.0 255.255.255.0 any

access-list DataLAN extended permit ip any 172.23.127.0 255.255.255.0

class-map DataLAN

Description Data LAN Traffic

match access-list DataLAN

policy-map Police-LAN

class LAN

police output 20000000

police input 10000000

Service-policy Police-LAN interface inside

*in this case,

Output = “Download”

Input = “Upload”

Hi,I think the configuration

Vibhor Amrodia — Wed, 08 Oct 2014 08:36:42 GMT

Hi,

I think the configuration seems to be good.

The only thing which is incorrect is this:-

Output = "Upload"

Input = “Download”

Thanks and Regards,

Vibhor Amrodia

Hi VibhorAre you sure that's

Ian Walker — Wed, 08 Oct 2014 09:01:06 GMT

Hi Vibhor

Are you sure that's right?

On the "Inside" interface, surely 'Download' will be the output,?

http://youtu.be/Xb2A3Xekp7Q?t=2m48s

Kind regards

Ian.

Hi Ian,On the Inside

Vibhor Amrodia — Wed, 08 Oct 2014 09:14:42 GMT

Hi Ian,

On the Inside interface it would be the same that you pointed out. 🙂

My concern is that why are we trying to limit the Intra interface traffic as well for the policing ? As you have the destination as "any" in the Class map ACL.

I think you might think of denying the traffic from this ACL to the internal Interfaces (for Ex:- DMZ) and police the rest of the traffic.