Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
3000
Views
0
Helpful
6
Replies

Cisco ASA VPN QoS

Go to solution
vttendere
Level 1
Level 1

ā€Ž11-29-2009 10:40 AM - edited ā€Ž03-11-2019 09:43 AM

Hi

Does the ASA copy the ToS byte from the original packet into the newly created IP header of an encrypted packet (VPN)? I'd appreciate a pointer to a Cisco doc that has the details.

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to vttendere

ā€Ž12-01-2009 06:46 AM

On the ASA the TOS bits in the original IP header are copied to the IP header of the encrypted packet so that QoS policies can be enforced after encryption.

It is done by default with no extra commands needed as on the routers.

Please check if your incoming packet have the DSCP bits set if you see that there are no DSCP on the outside.

PK

View solution in original post

0 Helpful
6 Replies 6

Go to solution
andrew.prince
Level 10
Level 10

ā€Ž11-30-2009 05:33 AM

Have  a look at the below config example:-

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml

HTH>

0 Helpful

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to andrew.prince

ā€Ž11-30-2009 03:11 PM

Along with the link that Andrew sent I would like to add that the ASA maintains and copies the ToS field

.

And provide one more link to help you do QoS on the ASA https://supportforums.cisco.com/docs/DOC-1230

I hope it helps.

PK

0 Helpful

Go to solution
vttendere
Level 1
Level 1
In response to andrew.prince

ā€Ž12-01-2009 12:10 AM

Hi

Thanks for your response. I had actually configured QoS on the ASA, however when I was sniffing traffic after the ASA I noticed that the traffic traversing the VPN (ESP packets) had DSCP DEFAULT markings, so I was a bit concerned about the preservation of the TOS information. I thought that maybe there is an extra command I need to put, I cant see this in the doc you sent me though.

Thanks guys

0 Helpful

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to vttendere

ā€Ž12-01-2009 06:46 AM

On the ASA the TOS bits in the original IP header are copied to the IP header of the encrypted packet so that QoS policies can be enforced after encryption.

It is done by default with no extra commands needed as on the routers.

Please check if your incoming packet have the DSCP bits set if you see that there are no DSCP on the outside.

PK

0 Helpful

Go to solution
vttendere
Level 1
Level 1
In response to Panos Kampanakis

ā€Ž12-02-2009 02:56 AM

Hi

Indeed traffic coming into the ASA was not marked correctly.

Thanks a lot for your assistance.

0 Helpful

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to vttendere

ā€Ž12-02-2009 07:00 AM

I am glwe could  out.

Take care,

PK

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card