03-28-2014 07:29 AM - edited 03-11-2019 09:00 PM
Hi all,
I am trying to apply some QoS to prioritise VoIP traffic over a VPN to a headend PBX. I have found numerous examples of this; however, they utilise the "shape average" command, which after some research is not available on the next-gen firewall ranges.
Sources here:
https://supportforums.cisco.com/discussion/11548991/cisco-asa-861-shape-command-invalid
The suggested workaround is:
"You can use priority queuing on outside interface to set the traffic into different queues and prioritizing delay sensitive traffic like RTP."
My question is: does anyone have an example of this configuration in practice to help me grasp the concept?
Thanks in advance.
03-30-2014 06:40 PM
Hello,
You are right, multi-processor ASAs do not support traffic shaping to date. You are left with traffic policing, where the configuration is a bit different.
Please use this as a guide and let me know what you need:
https://supportforums.cisco.com/document/7011/asa-qos
Regards,
Jcarvaja
03-31-2014 05:16 AM
Hi Jcarvaja,
Thanks for taking the time to respond to my query. Unfortunately I cannot use the "priority-queue outside" command; the only option I have here is to use the management interface.
I believe this might be because I have an EtherChannel (port channel) configured from x4 interfaces of the ASA5515 to x4 interfaces on the switch stack to trunk multiple VLANs, and it expects to see the nameif command configured on the physical interface, which is not relevant in this case.
When using EtherChannel, is it possible to use priority queuing?
Thanks in advance.
-------
My config, which faces the stack, looks like this:
!
interface GigabitEthernet0/0
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
!
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.3
 vlan 3
 nameif inside
 security-level 100
 ip address 10.0.0.0 255.255.255.0
!
interface Port-channel1.111
 vlan 111
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.X
!
04-01-2014 06:01 AM
Good afternoon,
Can anyone help point me in the right direction here?
Thanks in advance.
04-01-2014 06:34 AM
Hello Matthew,
There are 2 ways to configure Priority queuing at the ASA level.
From what I can tell, you are trying to use Strict mode. Can you use the Hierarchical method:
http://blog.ine.com/2008/09/16/qos-on-the-pixasa-%E2%80%93-part-3priority-queuing/
Let us know how it goes,
Jcarvaja
04-01-2014 06:54 AM
Hi Julio,
Thanks again for responding.
The "Hierarchical method" again uses the "shape average" command, which is not available in the next-gen firewalls which I am using, specifically the ASA5515.
I could perhaps use the "Standard Priority Queuing" method; however, as per my previous note, there is no option to use "priority-queue outside", as the only interface I see as an option is the management interface. I think this is because I am doing Ethernet channel from the ASA to the switch stack, and it expects the nameif commands to be applied to the physical interfaces.
I can find no reference to using QoS on the ASA when using EtherChannel, which is where the sticking point now is.
If I can figure out how to use QoS whilst using EtherChannel, I will be able to use the standard queuing method.
If anyone has an example of this, it would be greatly appreciated.
04-01-2014 06:58 AM
That's why I asked you at the beginning to use policing instead of shaping.
Regards,
Jcarvaja
04-01-2014 07:12 AM
04-10-2014 04:53 AM
Good afternoon,
Having read the official ASA manual, all examples given use the "priority-queue" command, which when using EtherChannel is not possible.
I see on Amazon that the new revision of the ASA book is coming out shortly, which should hopefully address QoS when using EtherChannel, as I cannot find a valid example anywhere.
Has anyone actively configured this in production using the next-generation firewalls?