
ASA5505 - QoS Web/Video Conference/Meeting

Hello!

I have never done any QoS config on a Cisco ASA, but I was asked to do a QoS config on an ASA5505. The customer's complaint is that when he accesses a video/web meeting site he has a lot of problems, like delay and bad quality in general.

Infos:

Ports and specifications:

The MegaMeeting.com services utilize the Real Time Message Protocol (RTMP) over port 1935, as well as the Real Time Message Protocol (RTMPT) over port 80 (tunneling via http) and the Real Time Message Protocol Secured (RTMPTS) over port 443 (tunneling via https) to allow audio, video and text chat to securely be transmitted from computer to computer.

Site: http://cfi-network.megameeting.com/guest/#id=XXXXXX

Internet Type: Radio, Download: 9Mbps. Upload: 1.2Mbps to 9Mbps (Yes, very variable!)

License: This platform has an ASA 5505 Security Plus license.

The question is: How can I improve his web meeting usage?

I found a lot of QoS configurations, but they always focus on VoIP. I need it for web meetings/conferences.


Based on some materials, I created the following script:

access-list web_conf extended permit tcp 10.6.0.0 255.255.0.0 any eq 1935
access-list web_conf extended permit udp 10.6.0.0 255.255.0.0 any eq 1935
access-list web_conf extended permit tcp 10.6.0.0 255.255.0.0 any eq 80
access-list web_conf extended permit udp 10.6.0.0 255.255.0.0 any eq 80
access-list web_conf extended permit tcp 10.6.0.0 255.255.0.0 any eq 443
access-list web_conf extended permit udp 10.6.0.0 255.255.0.0 any eq 443
access-list web_conf extended permit tcp any 10.6.0.0 255.255.0.0 eq 1935
access-list web_conf extended permit udp any 10.6.0.0 255.255.0.0 eq 1935
access-list web_conf extended permit tcp any 10.6.0.0 255.255.0.0 eq 80
access-list web_conf extended permit udp any 10.6.0.0 255.255.0.0 eq 80
access-list web_conf extended permit tcp any 10.6.0.0 255.255.0.0 eq 443
access-list web_conf extended permit udp any 10.6.0.0 255.255.0.0 eq 443

priority-queue inside
priority-queue outside

class-map webconf-inside-class
 match access-list web_conf
class-map webconf-outside-class
 match access-list web_conf

policy-map outside-policy
 class webconf-outside-class
  priority
policy-map inside-policy
 class webconf-inside-class
  priority

policy-map ins-policy
 class class-default
  shape average 2000000 8000
  service-policy inside-policy
policy-map out-policy
 class class-default
  shape average 2000000 8000
  service-policy outside-policy

service-policy ins-policy interface inside
service-policy out-policy interface outside

What do you think about it?

Julio Carvajal
VIP Alumni

Hello Caio,

How u doing buddy.

My recommendations

1. It all starts with the right classification of traffic

Make sure you match only the traffic you need.

On the configuration you show us you match for example all traffic leaving the internal network to internet via port TCP 80.

This will match all HTTP traffic, even the one to youtube and other non-work related sites

So match the traffic with Source IP, destination IP and Destination Port!

2. Enable QoS traffic Priority.

This will enable a preference queue on the ASA interfaces where the traffic you want (classified before) will be placed, so when congestion happens the packets on this queue will take precedence.

3. Enable traffic shaping:

Traffic priority will start to happen as long as the ASA feels that it's being overwhelmed on its interfaces. We must accelerate this process to really take advantage.

If we configure this then as soon as the limit rate is reached priority will succeed!

Now back to your configuration:

-Do the traffic priority and traffic shaping only on the outside interface ;D

- Are u paying for 2 MBs from the ISP? If yes then u are good

-Change the class-maps as requested

Hey buddy, remember to Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio, thank you. Now I need some adjustments:

According to your points:

1. Right, I changed the configuration including only the two hosts that need to access it.

access-list web_conf extended permit tcp host 10.6.25.23 any eq 1935
access-list web_conf extended permit tcp host 10.6.25.20 any eq 1935
access-list web_conf extended permit tcp any host 10.6.25.23 eq 1935
access-list web_conf extended permit tcp any host 10.6.25.20 eq 1935
access-list web_conf extended permit tcp host 10.6.25.23 any eq 80
access-list web_conf extended permit tcp host 10.6.25.20 any eq 80
access-list web_conf extended permit tcp any host 10.6.25.23 eq 80
access-list web_conf extended permit tcp any host 10.6.25.20 eq 80
access-list web_conf extended permit tcp host 10.6.25.23 any eq 443
access-list web_conf extended permit tcp host 10.6.25.20 any eq 443
access-list web_conf extended permit tcp any host 10.6.25.23 eq 443
access-list web_conf extended permit tcp any host 10.6.25.20 eq 443

2. So, will it be like this?

class-map webconf-outside-class
 match access-list web_conf

policy-map outside-policy
 class webconf-outside-class
  priority

3. Could I keep this config?

policy-map out-policy
 class class-default
  shape average 2000000 8000
  service-policy outside-policy

priority-queue outside

Hello Caio,

Exactly man

U got it

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
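
As an added example (not code from any poster in this thread), the classification rule from the recommendations above, match on source IP, destination IP and destination port, can be checked mechanically against ACL entries before they are bound to a priority class. The function names are hypothetical; the first three sample entries are copied from the thread, and the fourth is constructed, with 203.0.113.10 as a placeholder server address.

```python
# Added example: audit ASA ACL entries meant for a QoS priority class.
WEB_PORTS = {"80", "443"}
PORT_NAMES = {"www": "80", "https": "443"}  # ASA keywords for these ports

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    head = tokens.pop(0)
    if head == "any":
        return "any"
    if head == "host":
        return tokens.pop(0) + "/32"
    return head + " " + tokens.pop(0)

def parse_ace(line):
    """Parse 'access-list NAME extended permit PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2:4] != ["extended", "permit"]:
        raise ValueError("unsupported entry: " + line)
    rest = t[5:]
    src, dst = _take_addr(rest), _take_addr(rest)
    port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return {"proto": t[4], "src": src, "dst": dst,
            "port": PORT_NAMES.get(port, port)}

def audit(lines):
    """Map line number -> problems for entries broader than the rule."""
    report = {}
    for n, line in enumerate(lines, 1):
        ace, problems = parse_ace(line), []
        if ace["src"] == "any":
            problems.append("source is any")
        if ace["dst"] == "any":
            problems.append("destination is any")
            if ace["port"] in WEB_PORTS:
                problems.append("prioritizes all web traffic on port " + ace["port"])
        if ace["port"] is None:
            problems.append("no destination port")
        if problems:
            report[n] = problems
    return report

SAMPLE = [
    "access-list web_conf extended permit tcp 10.6.0.0 255.255.0.0 any eq 80",
    "access-list web_conf extended permit tcp host 10.6.25.23 any eq 443",
    "access-list web_conf extended permit tcp any host 10.6.25.23 eq 1935",
    # Constructed entry; 203.0.113.10 is a placeholder, not a real server.
    "access-list web_conf extended permit tcp host 10.6.25.23 host 203.0.113.10 eq 1935",
]

if __name__ == "__main__":
    for n, problems in audit(SAMPLE).items():
        print(n, "; ".join(problems))
```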