topic Re: New Client, New Setup Help in Network Security

New Client, New Setup Help

Chris Mickle — Fri, 21 Feb 2020 16:40:08 GMT

Hello All,

I have a new client that has grown beyond what their current network can provide and wanted to run what I was thinking of implementing by everyone here for some feed back and questions.

What they have now is about 20 users in two offices down the hall from each other and separate cable internet service using the ISP's cable modem as their router and an off the shelf unmanaged switch in each office. They have ringcentral cloud hosted VoIP desk phones and soft clients. The computers are connected through the phones. They would like to have a guest wifi network.

Here's what I'm thinking for your consideration...

First and foremost, connect the two separate offices via an ethernet drop and get rid of one of the cable internet connections. Second, install an ASA and two L2 or L3 switches (3750G maybe) one in each office to connect the endpoints. Third, install access points in each office and have an internal and guest wifi network on different VLANs.

That's all pretty straightforward as I have several clients with this exact configuration, but what I'm not sure about is dealing with the VoIP phones. They currently have no issues with the phones and I don't want to introduce any with my proposed solution. I'm not sure weather I should set up a voice VLAN and bother with QoS for this environment or not.

Any insight would be much appreciated.

Re: New Client, New Setup Help

Seb Rupik — Wed, 16 Jan 2019 15:06:28 GMT

Hi there

Voice traffic should always be placed in a separate VLAN for the very purpose of being able to apply a high priority QoS mapping to it.

Cheers,

Seb.

Re: New Client, New Setup Help

Chris Mickle — Wed, 16 Jan 2019 15:26:53 GMT

Thanks for the reply.

That's my understanding as well, but I'm a little unclear about how to implement the high priority QoS mapping. Since the PBX is cloud based, there isn't any way to do end to end QoS for the voice traffic. I've been reading about auto QoS on the switches and the pollycom phones they use are supposed to be compatible with both CDP and LLDP so the phones should be able to be auto provisioned on the correct VLAN. If I understand it correctly, that will take care of QoS up to the switches, but how then is that policy applied at the ASA's interface which is where the bottleneck would be. I have been reading the documentation and have been unable to come to a conclusion on how best to implement that.

Also, Ringcentral's documentation has nothing specifically about the ASA, but says that SIP ALG should be disabled. That would translate into turning off inspect SIP correct?

Re: New Client, New Setup Help

Seb Rupik — Wed, 16 Jan 2019 15:53:25 GMT

The default mappings should be fine and therefore all you need to do is trust the CoS markings which are coming from the phone. This will allow you to prioritse the traffic within your network, but you are correct, once it leaves the ASA it is at the mercy of your carrier network., any markings will be ignored.

Regarding the the SIP ALG setting, yes, remove the inspect sip command from the installed inspection policy on the ASA.

cheers,

Seb.

Re: New Client, New Setup Help

Chris Mickle — Wed, 16 Jan 2019 16:04:23 GMT

What you're telling me is helping to make sense of what I have been reading so thanks for that.

Forgive my ignorance, but what are the "default mappings?"

Re: New Client, New Setup Help

Seb Rupik — Wed, 16 Jan 2019 20:17:43 GMT

The default CoS marking for VOIP is a value of 5. Depending on the platform being configured these frames will be placed in a dedicated ingress/ egress queue with a higher priority than all other (lower value traffic) traffic.

You could configure auto qos voip cisco-phone on the access ports connected to the phones, this would automatically populate the config with suitable values.

cheers,

Seb.

Re: New Client, New Setup Help

Chris Mickle — Wed, 16 Jan 2019 20:30:43 GMT

Thanks again for the help. I actually have a phone coming tomorrow and have a similar setup here in my office. I will play with it and maybe post some configs or questions when I get it figured out.

Re: New Client, New Setup Help

Chris Mickle — Fri, 18 Jan 2019 10:27:39 GMT

I got the phone yesterday and set everything up according to my understanding and the help from this forum. Everything appears to work correctly. I was able to get the phone to auto provision on the correct voice vlan 40 and have tested some phone calls while at the same time trying to saturate my internet connection and the results were good. I noticed no call quality problems.

I'm still not sure I have implemented QoS correctly. Is there any way for me to test it or see if the ASA prioritizing the voice traffic? I posted my ASA and switch configs below. I removed most of my NAT statements, ACLs and other things from the ASA config for security , but hopefully left enough for you to get the idea of what I'm doing. The switch added a whole bunch of lines to the config after enabling QoS which I left in. I have a /29 block and am NATing the voice vlan to the same public IP as "vlan10" which is my data network. My computer is on vlan 10 which is the native vlan and is physically connected through the phone.

I disable inspect SIP on the ASA and disabled CDP on the switch in favor of LLDP. According to Polycom, the phone uses LLDP first and it appears to work. I'm letting the ASA do DHCP for the voice vlan but I read about other dhcp options that may need to be configured like option 160, but didn't do any of that. I got the impression that those options were to be used if CDP or LLDP were not available. Is that correct?

One more note... The phone and my computer are connected to G1/0/5 on the switch and the ASA is on G1/0/1. G1/0/23 is the trunk port for the wireless access point.

Any comments or suggestions would be much appreciated. Thanks.

ASA Version 9.1(7)4
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq vlan10
xlate per-session deny udp any4 any6 eq vlan10
xlate per-session deny udp any6 any4 eq vlan10
xlate per-session deny udp any6 any6 eq vlan10
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.10
vlan 10
nameif vlan10
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/1.20
vlan 20
nameif vlan20
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/1.30
vlan 30
nameif vlan30
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1.40
vlan 40
nameif voice
security-level 40
ip address 192.168.3.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS

same-security-traffic permit intra-interface

object network voice_internet
subnet 192.168.3.0 255.255.255.0

pager lines 24
logging enable
logging asdm informational

mtu voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected

object network voice_internet
nat (voice,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 1.1.1.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL

no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy

dhcpd dns 8.8.8.8
!
dhcpd address 192.168.3.10-192.168.3.100 voice
dhcpd enable voice
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context

_________________________________________________________________________________

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!

no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring

switch 1 provision ws-c3750g-24t
system mtu routing 1500
vtp mode transparent
!
!
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
name vlan10
!
vlan 20
name vlan20
!
vlan 30
name vlan30
!
vlan 40
name voice
!
lldp run
!
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,30,40
switchport mode trunk
!
interface GigabitEthernet1/0/2
switchport access vlan 10
!
interface GigabitEthernet1/0/3
switchport access vlan 10
!
interface GigabitEthernet1/0/4
switchport access vlan 10
!
interface GigabitEthernet1/0/5
switchport access vlan 10
switchport mode access
switchport voice vlan 40
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
auto qos voip trust
spanning-tree portfast
!
interface GigabitEthernet1/0/22
switchport access vlan 30
!
interface GigabitEthernet1/0/23
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.0.8 255.255.255.0
!
ip default-gateway 192.168.0.1
ip classless
ip http server
ip http secure-server
!
!
no cdp run
no cdp tlv location
no cdp tlv app
!
!
!
line con 0
line vty 0 4
login local
length 0
transport input telnet ssh
line vty 5 15
login

Re: New Client, New Setup Help

Seb Rupik — Wed, 23 Jan 2019 10:49:21 GMT

The areas where you will see most benefit from QoS will be on your trunk links. Currently you will be marking traffic on ingress to your network, but you need to ensure it is controlled correctly as it moves to its destination. In the case of the VOIP traffic you want to ensure that it flows to the internet with high priority.

We will use the sae queue settings that are set on the access ports, so on every trunk link between switches configure:

!
int gi1/0/x
  srr-queue bandwidth share 10 10 60 20
  mls qos trust dscp
!

You will also need the ASA to correctly priorities VOIP traffic a treat is accordingly, take a look here:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html#anc18

Unfortunately the ASA cannot mark traffic, so the inbound VOIP packets cannot have their DSCP values changed. If you have a switch or a router between your ASA and ISP, then you could mark the incoming VOIP traffic accordingly based on an ACL (ie source IP matches your VOIP provider) and these tags will then persist and be treated correctly has they flow towards your handsets.

Cheers,

Seb.

Re: New Client, New Setup Help

Chris Mickle — Wed, 23 Jan 2019 11:25:35 GMT

Thanks for having a look at that.

All that info you gave me makes me think that I need a router between the ASA and the internet, hence it may be better to bypass the ASA for voice traffic all together...

What if the voice VLAN on the switch was configured the same way it was now, but instead of trunking it to the ASA, it was connected to an access port on a second inside interface on the router. If that were possible, then could the router prioritize the interface with the VOIP traffic over the interface with the data traffic?

Re: New Client, New Setup Help

Seb Rupik — Wed, 23 Jan 2019 11:45:31 GMT

I wouldn't start entertaining the idea of creating network paths around your firewall!

Can you share a network topology diagram of what you have including hardware platform details?

You could configure the ASA so that it is on-a-stick, ie, it's inside and outside interfaces are connected to the same switch. If that switch is multilayer, you could configure the required inbound VOIP QoS ACL mentioned above before passing it onto the ASA. This way you don't need to worry about finding the money for another piece of kit which would have a very limited function!

cheers,

Seb.

Re: New Client, New Setup Help

Chris Mickle — Wed, 23 Jan 2019 13:15:06 GMT

@Seb Rupik wrote:
I wouldn't start entertaining the idea of creating network paths around your firewall!

Thanks for pointing that out. I guess I didn't really think about it.

As for hardware details, the configs above were copied from my production environment which consists of an ASA 5520; VID V06 running IOS 9.1(7) and a Catalyst C3750G-24T-S; VID V08 running IOS 12.2(55). The IP phone is a Polycom VVX-311.

I'm thinking about similar hardware for the client on the used/refurb market to save some money over new hardware, but new hardware is defiantly something to consider if it would be better.

I've attached a network diagram of the current setup. The clients setup would be similar except there would be a second switch and wireless AP for their second office connected via ethernet.

EDIT: It says I'm not authorized to make the request when I try to insert the diagram photo.

Re: New Client, New Setup Help

Seb Rupik — Wed, 23 Jan 2019 13:42:14 GMT

The 3750G would be sufficient for the ASA on a stick.

Create an 'outside' VLAN on the 3750G which is used to transport traffic from the ISP to the ASA outside interface. On the 3750 interface connected to the ISP router configure service-policy input with a corresponding policy-map and class-map referencing an ACL matching traffic to and from your VOIP server and setting the DSCP value to 46.

The ASA inside interface will also be connected back to the 3750. IF you do any routing on the 3750 it may be prudent to configure VRF-lite and place 'inside' SVIs into a new VRF.

cheers,

Seb.

Re: New Client, New Setup Help

Chris Mickle — Thu, 24 Jan 2019 09:42:25 GMT

Ok. I created a new outside vlan 5 on the 3750 and connected the ASA and ISP router to it per your advice.

Int g1/0/1 was already connected to the inside interface on the ASA so I added vlan 5 to the allowed VLAN command and set the native vlan to 5.

I set int g1/0/24 and g1/0/21 to access ports on vlan 5 and connected the ASA's outside interface and the ISP router to them.

All that is pretty straight forward, but after that I'm not sure what service-policy input with a corresponding policy-map and class-map referencing an ACL means or how to configure it. I'm still learning cisco and advanced networking. I use and have clients that use cisco hardware and am able to get things configured the way I need them, but this is something new.

I don't do any inter-vlan routing on the switch, but the ASA does allow higher security level interfaces to access the lower ones. Does that count as inter-vlan routing for this purpose?

Re: New Client, New Setup Help

Seb Rupik — Thu, 24 Jan 2019 09:44:55 GMT

That 3750 config doesn't sound right. Can you share the complete running config?

Re: New Client, New Setup Help

Chris Mickle — Thu, 24 Jan 2019 10:01:49 GMT

It probably doesn't sound right because I stupidly thought that I needed to configure the switch port connected to the ASA's inside interface with the outside vlan at first. I realized the mistake after the fact and now have just g1/0/23 and 1/0/24 as access ports on the outside vlan 5.

Here is the running config though...

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SW1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
switch 1 provision ws-c3750g-24t
system mtu routing 1500
vtp mode transparent
!
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 5
name outside
!
vlan 10
name domain
!
vlan 20
name guest
!
vlan 30
name ftp
!
vlan 40
name voice
!
vlan 99
name blackhole
lldp run
!
!
!
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,30,40
switchport mode trunk
!
interface GigabitEthernet1/0/2
switchport access vlan 10
!
interface GigabitEthernet1/0/3
switchport access vlan 10
!
interface GigabitEthernet1/0/4
switchport access vlan 10
!
interface GigabitEthernet1/0/5
switchport access vlan 10
switchport mode access
switchport voice vlan 40
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
auto qos voip trust
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 10
!
interface GigabitEthernet1/0/7
switchport access vlan 99
!
interface GigabitEthernet1/0/8
switchport access vlan 99
!
interface GigabitEthernet1/0/9
switchport access vlan 99
!
interface GigabitEthernet1/0/10
switchport access vlan 10
!
interface GigabitEthernet1/0/11
switchport access vlan 99
!
interface GigabitEthernet1/0/12
switchport access vlan 99
!
interface GigabitEthernet1/0/13
switchport access vlan 99
!
interface GigabitEthernet1/0/14
switchport access vlan 99
!
interface GigabitEthernet1/0/15
switchport access vlan 99
!
interface GigabitEthernet1/0/16
switchport access vlan 99
!
interface GigabitEthernet1/0/17
switchport access vlan 99
!
interface GigabitEthernet1/0/18
switchport access vlan 99
!
interface GigabitEthernet1/0/19
switchport access vlan 99
!
interface GigabitEthernet1/0/20
switchport access vlan 99
!
interface GigabitEthernet1/0/21
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20
switchport mode trunk
!
interface GigabitEthernet1/0/22
switchport access vlan 30
!
interface GigabitEthernet1/0/23
switchport access vlan 5
!
interface GigabitEthernet1/0/24
switchport access vlan 5
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.0.8 255.255.255.0
!
ip default-gateway 192.168.0.1
ip classless
ip http server
ip http secure-server
!
!
no cdp run
no cdp tlv location
no cdp tlv app
!
!
!
line con 0
line vty 0 4
login local
length 0
transport input telnet ssh
line vty 5 15
login
!
ntp clock-period 36028833
ntp server 97.107.129.217
end

Re: New Client, New Setup Help

Seb Rupik — Thu, 24 Jan 2019 20:40:22 GMT

Evening Chris,
See below for the QoS config on the switch connected to the ISP router (check I've got the right ISP switchport).
You will also need to determine the public IP of your VOIP provider and update the VOICE_TRAFFIC ACL as required.
We are only interested in picking up the incoming VOIP traffic, everything else will be caught in the 'class-default' class map.

!
int gi1/0/23
desc ISP_LINK
service-policy input VOIP_MARK
!
ip access-list extended VOICE_TRAFFIC
permit ip host <your_VOIP_provider_public_ip> any
!
class-map CM_VOIP
match access-group name VOICE_TRAFFIC
exit
!
policy-map VOIP_MARK
class CM_VOIP
set dscp ef
exit
!

Also make sure you have the following configured on every trunk port (at both ends of the link) between your switches:

!
int gi1/0/x
  srr-queue bandwidth share 10 10 60 20
  mls qos trust dscp
!

...and lastly, please mark helpful posts 😉

cheers,
Seb.

Re: New Client, New Setup Help

Chris Mickle — Thu, 24 Jan 2019 21:31:22 GMT

Thanks for all your help on this so far.

So it seems that were using the L3 switch as a router to handle QoS and leaving the ASA blissfully ignorant of the whole thing. Is that about the size of it?

I do have one follow-up question on the access list. I'm not sure of VoIP provider's IP address that I need to include in the ACL. The closest thing I can find on that is a networking document they put together, but it doesn't have any specifi IPs. Under section 7 ringcentral supernets, it lists the supernets they use for communications, but that's it. Do I need to add them all to the ACL and if so, what is the syntax to add an entire subnet?

https://success.ringcentral.com/articles/en_US/RC_Knowledge_Article/9233#4.6

Re: New Client, New Setup Help

Seb Rupik — Thu, 24 Jan 2019 22:09:25 GMT

The ASA is aware of the markings and can prioritise the traffic as you desire (check the link in a previous post), it just can't adjust the markings.

Just keep in mind that unless you are experiencing congestion on your links the QoS controls have no effect.

OK we have two options either mark all traffic from your providers public subnet as EF :

!
ip access-list extended VOICE_TRAFFIC
  permit ip <public_VOIP_subnet_id> <netmask> any
!

...or we specifically mark traffic on known VOIP ports specified as used by the deskphone in your link:

!
ip access-list extended VOICE_TRAFFIC
  permit udp any any range 20000 39999
  permit udp any any range 40000 49999
  permit udp any any eq 5090
  permit tcp any any eq 5090
  permit tcp any any eq 5096
!

...but depending on the features you are using, the tables in the linked webpage go on and on!

I would suggest you monitor the connection table (sh conn) on the ASA and determine what IPs and ports the phones are using, and tweak the VOICE_TRAFFIC ACL to suit.

cheers,
Seb.

Re: New Client, New Setup Help

Seb Rupik — Thu, 24 Jan 2019 22:14:38 GMT

Sorry, missed the supernet bit. Here's the ACL:

!
ip access-list extended VOICE_TRAFFIC
  permit ip 80.81.128.0 255.255.240.0 any
  permit ip 103.44.68.0 255.255.252.0 any
  permit ip 104.245.56.0 255.255.248.0 any
  permit ip 185.23.248.0 255.255.252.0 any
  permit ip 192.209.24.0 255.255.248.0 any
  permit ip 199.68.212.0 255.255.252.0 any
  permit ip 199.255.120.0 255.255.252.0 any
 permit ip 208.87.40.0 255.255.252.0 any
!

...I'd use that.

cheers,

Seb.