topic Re: QoS on ASA 5505 in Network Security

QoS on ASA 5505

networker99 — Mon, 11 Mar 2019 21:00:38 GMT

I would like someone to answer a couple of QoS questions and verify what I am going to configure.

I need to prioritize voice traffic through the ASA

priority-queue outside

tx-ring-limit 200

queue-limit 2000

Do the above values look correct? and why is the priority queue applied to the outside interface and not the inside? (or both). Also is this the part that ensures that the regular traffic does not choke the voice traffic?

class-map voip-class

match dscp ef

policy-map outsidemap

class voip-class

priority

service-policy outsidemap interface outside

Will the global policy remain which this interface policy taking priority?

Thanks in advance!

QoS on ASA 5505

varrao — Tue, 19 Jul 2011 16:00:39 GMT

Hi,

I am not really sure of your voice traffic requirement, you want to configure voice traffic on the ASA???

The priority queue would be applied on both the ingress and egress interfaces.

in:

class-map voip-class

match dscp ef

you would need to match an access-list for interesting traffic to be identified to be prioritized, something like:

access-list voice_traffic permit ip host 1.1.1.1 host 2.2.2.2

class-map voip-class

match access-list voice-traffic

policy-map gobal_policy

class voip-class

priority

service-policy global_policy global

you can either apply it globally or on isnide and outside.

Here is s very goosd doc for QoS:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#rate

Hope this helps,

Thanks,

Varun

Re: QoS on ASA 5505

networker99 — Tue, 19 Jul 2011 16:05:11 GMT

why would I need to match an ACL? In my example I am matching on DSCP value?

Do I need this bit?

priority-queue outside

tx-ring-limit 200

queue-limit 2000

QoS on ASA 5505

varrao — Tue, 19 Jul 2011 16:19:49 GMT

Hi,

Yes you would need it, if your matcjing the traffic based on the dscp value, then the config that you have looks good.

Have a look at the config example in the link I provided you, it is the same as your requirement.

You can verify your QoS by:

show service-policy

this would tell whether the packets are falling into the QoS configured.

Thanks,

Varun

QoS on ASA 5505

networker99 — Tue, 19 Jul 2011 16:21:43 GMT

okay great so in summary my config is fine? but why do I only create a transmit ring for the outside interface? Do I not need to create one of teh inside as well?

QoS on ASA 5505

varrao — Tue, 19 Jul 2011 16:28:59 GMT

No not needed for the inside, for tx-ring:

The tx-ring-limit command allows you to configure the maximum number of packets (depth) allowed to be queued in the Ethernet transmit driver ring at any given time. This allows for fine-tuning the transmit queue to reduce latency and offer better performance through the transmit driver. This limit must be in the range 3 through 128 packets on the PIX platform, with a limit of 256 packets on the ASA platform.

The default queue-limit is the number of average, 256-byte packets that the specified interface can transmit in a 500 ms interval, with an upper limit of 2048 packets. A packet that stays more than 500 ms in a network node might trigger a timeout in the end-to-end application. Such a packet can be discarded in each network node.

The default tx-ring-limit is the number of maximum 1550-byte packets that the specified interface can transmit in a 10 ms interval. This guarantees that the hardware-based transmit ring imposes no more than 10 ms of extra latency for a high-priority packet.

Is that your requirement as well????

Thanks,

Varun

QoS on ASA 5505

networker99 — Tue, 19 Jul 2011 16:31:51 GMT

My requirement is just to give prioritization to voice packets traversing the ASA (based on DSCP value)

QoS on ASA 5505

varrao — Tue, 19 Jul 2011 16:43:46 GMT

What is going to be the ingress interface for it and what is going to be the egress interface for this voice-traffic (basically from where this traffic would be initiated)??

-Varun

QoS on ASA 5505

networker99 — Tue, 19 Jul 2011 16:46:26 GMT

Well since the traffic goes to an external SIP provider when outbound calls are made the inside interface will be ingress, and outside will be egress, but incoming calls will be the reverse.

QoS on ASA 5505

networker99 — Tue, 19 Jul 2011 17:03:11 GMT

Also do I need to police the regular traffic to stop it choking the voice traffic, or will the transmit ring configuration take care of this?

QoS on ASA 5505

varrao — Tue, 19 Jul 2011 17:07:26 GMT

Yes, the config looks good to me as per requirement, you can try it and verify whether it is working or not.

-Varun