01-16-2019 07:01 AM - edited 02-21-2020 08:40 AM
Hello All,
I have a new client that has grown beyond what their current network can provide and wanted to run what I was thinking of implementing by everyone here for some feedback and questions.
What they have now is about 20 users in two offices down the hall from each other and separate cable internet service using the ISP's cable modem as their router and an off the shelf unmanaged switch in each office. They have ringcentral cloud hosted VoIP desk phones and soft clients. The computers are connected through the phones. They would like to have a guest wifi network.
Here's what I'm thinking for your consideration...
First and foremost, connect the two separate offices via an ethernet drop and get rid of one of the cable internet connections. Second, install an ASA and two L2 or L3 switches (3750G maybe), one in each office, to connect the endpoints. Third, install access points in each office and have an internal and guest wifi network on different VLANs.
That's all pretty straightforward as I have several clients with this exact configuration, but what I'm not sure about is dealing with the VoIP phones. They currently have no issues with the phones and I don't want to introduce any with my proposed solution. I'm not sure whether I should set up a voice VLAN and bother with QoS for this environment or not.
Any insight would be much appreciated.
01-24-2019 12:40 PM
Evening Chris,
See below for the QoS config on the switch connected to the ISP router (check I've got the right ISP switchport).
You will also need to determine the public IP of your VOIP provider and update the VOICE_TRAFFIC ACL as required.
We are only interested in picking up the incoming VOIP traffic, everything else will be caught in the 'class-default' class map.
!
! ACL matching traffic arriving from the VOIP provider (replace the placeholder with the provider's public IP)
ip access-list extended VOICE_TRAFFIC
 permit ip host <your_VOIP_provider_public_ip> any
!
! Class map that references the ACL
class-map CM_VOIP
 match access-group name VOICE_TRAFFIC
 exit
!
! Policy map that re-marks matched packets as Expedited Forwarding (DSCP 46)
policy-map VOIP_MARK
 class CM_VOIP
  set dscp ef
 exit
!
! Apply the policy inbound on the switchport facing the ISP router (adjust the port to match your switch)
int gi1/0/23
 desc ISP_LINK
 service-policy input VOIP_MARK
!
Also make sure you have the following configured on every trunk port (at both ends of the link) between your switches:
!
! On every trunk port between the switches: egress queue weights and trust the DSCP already set on ingress
int gi1/0/x
 srr-queue bandwidth share 10 10 60 20
 mls qos trust dscp
!
...and lastly, please mark helpful posts ;)
cheers,
Seb.
01-16-2019 07:05 AM - edited 01-16-2019 07:06 AM
Hi there
Voice traffic should always be placed in a separate VLAN for the very purpose of being able to apply a high priority QoS mapping to it.
Cheers,
Seb.
01-16-2019 07:14 AM - edited 01-16-2019 07:26 AM
Thanks for the reply.
That's my understanding as well, but I'm a little unclear about how to implement the high priority QoS mapping. Since the PBX is cloud based, there isn't any way to do end to end QoS for the voice traffic. I've been reading about auto QoS on the switches, and the Polycom phones they use are supposed to be compatible with both CDP and LLDP, so the phones should be able to be auto provisioned on the correct VLAN. If I understand it correctly, that will take care of QoS up to the switches, but how then is that policy applied at the ASA's interface, which is where the bottleneck would be? I have been reading the documentation and have been unable to come to a conclusion on how best to implement that.
Also, Ringcentral's documentation has nothing specifically about the ASA, but says that SIP ALG should be disabled. That would translate into turning off inspect SIP correct?
01-16-2019 07:53 AM
The default mappings should be fine and therefore all you need to do is trust the CoS markings which are coming from the phone. This will allow you to prioritise the traffic within your network, but you are correct, once it leaves the ASA it is at the mercy of your carrier network; any markings will be ignored.
Regarding the SIP ALG setting, yes, remove the inspect sip command from the installed inspection policy on the ASA.
cheers,
Seb.
01-16-2019 08:04 AM
What you're telling me is helping to make sense of what I have been reading so thanks for that.
Forgive my ignorance, but what are the "default mappings?"
01-16-2019 12:17 PM
The default CoS marking for VOIP is a value of 5. Depending on the platform being configured, these frames will be placed in a dedicated ingress/egress queue with a higher priority than all other (lower value) traffic.
You could configure auto qos voip cisco-phone on the access ports connected to the phones, this would automatically populate the config with suitable values.
cheers,
Seb.
01-16-2019 12:30 PM
Thanks again for the help. I actually have a phone coming tomorrow and have a similar setup here in my office. I will play with it and maybe post some configs or questions when I get it figured out.
01-18-2019 02:19 AM - edited 01-18-2019 02:27 AM
I got the phone yesterday and set everything up according to my understanding and the help from this forum. Everything appears to work correctly. I was able to get the phone to auto provision on the correct voice vlan 40 and have tested some phone calls while at the same time trying to saturate my internet connection and the results were good. I noticed no call quality problems.
I'm still not sure I have implemented QoS correctly. Is there any way for me to test it or see if the ASA is prioritizing the voice traffic? I posted my ASA and switch configs below. I removed most of my NAT statements, ACLs and other things from the ASA config for security, but hopefully left enough for you to get the idea of what I'm doing. The switch added a whole bunch of lines to the config after enabling QoS which I left in. I have a /29 block and am NATing the voice vlan to the same public IP as "vlan10" which is my data network. My computer is on vlan 10 which is the native vlan and is physically connected through the phone.
I disabled inspect SIP on the ASA and disabled CDP on the switch in favor of LLDP. According to Polycom, the phone uses LLDP first and it appears to work. I'm letting the ASA do DHCP for the voice vlan, but I read about other DHCP options that may need to be configured like option 160 and didn't do any of that. I got the impression that those options were to be used if CDP or LLDP were not available. Is that correct?
One more note... The phone and my computer are connected to G1/0/5 on the switch and the ASA is on G1/0/1. G1/0/23 is the trunk port for the wireless access point.
Any comments or suggestions would be much appreciated. Thanks.
01-23-2019 02:49 AM
The areas where you will see most benefit from QoS will be on your trunk links. Currently you will be marking traffic on ingress to your network, but you need to ensure it is controlled correctly as it moves to its destination. In the case of the VOIP traffic you want to ensure that it flows to the internet with high priority.
We will use the same queue settings that are set on the access ports, so on every trunk link between switches configure:
!
! On every trunk port between the switches: egress queue weights and trust the DSCP already set on ingress
int gi1/0/x
 srr-queue bandwidth share 10 10 60 20
 mls qos trust dscp
!
You will also need the ASA to correctly prioritise VOIP traffic and treat it accordingly; take a look here:
Unfortunately the ASA cannot mark traffic, so the inbound VOIP packets cannot have their DSCP values changed. If you have a switch or a router between your ASA and ISP, then you could mark the incoming VOIP traffic accordingly based on an ACL (i.e. source IP matches your VOIP provider) and these tags will then persist and be treated correctly as they flow towards your handsets.
Cheers,
Seb.
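One way to confirm that the ingress marking described in this post and in the 01-24-2019 solution post actually lands on the wire: an added Python example, not code from the thread, that decodes the DSCP field from captured IPv4 headers and lists packets from the VoIP provider that are not marked EF. The provider address 198.51.100.10 and the sample packets are constructed placeholders.

```python
"""Check DSCP marks on raw IPv4 packets, e.g. a capture taken on the ASA's inside side."""
import ipaddress
import struct

DSCP_EF = 46  # Expedited Forwarding: what 'set dscp ef' writes into the IP header
# Assumption: placeholder for the VoIP provider's public IP named in the VOICE_TRAFFIC ACL.
VOIP_PROVIDER_IP = ipaddress.ip_address("198.51.100.10")

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, network byte order


def parse_ipv4(raw: bytes) -> dict:
    """Decode the fixed IPv4 header; DSCP is the top 6 bits of the TOS byte, ECN the low 2."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, _tlen, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        IPV4_HDR, raw[:20]
    )
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "dscp": tos >> 2,
        "ecn": tos & 0x3,
    }


def build_ipv4(src: str, dst: str, dscp: int, proto: int = 17) -> bytes:
    """Constructed test packet: minimal header with the given DSCP (checksum left at 0, no payload)."""
    tos = (dscp << 2) & 0xFF
    return struct.pack(
        IPV4_HDR, 0x45, tos, 20, 0, 0x4000, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )


def unmarked_voip(packets: list) -> list:
    """Packets from the VoIP provider whose DSCP is not EF, i.e. ones the policy-map did not mark."""
    misses = []
    for raw in packets:
        p = parse_ipv4(raw)
        if p["src"] == VOIP_PROVIDER_IP and p["dscp"] != DSCP_EF:
            misses.append(p)
    return misses
```

In a live check, EF-marked packets show up as "tos 0xb8" in tcpdump -v output, which is the same TOS byte this parser decodes.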
01-23-2019 03:25 AM
Thanks for having a look at that.
All that info you gave me makes me think that I need a router between the ASA and the internet, hence it may be better to bypass the ASA for voice traffic altogether...
What if the voice VLAN on the switch was configured the same way it was now, but instead of trunking it to the ASA, it was connected to an access port on a second inside interface on the router. If that were possible, then could the router prioritize the interface with the VOIP traffic over the interface with the data traffic?
01-23-2019 03:45 AM
I wouldn't start entertaining the idea of creating network paths around your firewall!
Can you share a network topology diagram of what you have including hardware platform details?
You could configure the ASA so that it is on-a-stick, i.e. its inside and outside interfaces are connected to the same switch. If that switch is multilayer, you could configure the required inbound VOIP QoS ACL mentioned above before passing it onto the ASA. This way you don't need to worry about finding the money for another piece of kit which would have a very limited function!
cheers,
Seb.
01-23-2019 05:13 AM - edited 01-23-2019 05:15 AM
@Seb Rupik wrote: "I wouldn't start entertaining the idea of creating network paths around your firewall!"
Thanks for pointing that out. I guess I didn't really think about it.
As for hardware details, the configs above were copied from my production environment which consists of an ASA 5520; VID V06 running IOS 9.1(7) and a Catalyst C3750G-24T-S; VID V08 running IOS 12.2(55). The IP phone is a Polycom VVX-311.
I'm thinking about similar hardware for the client on the used/refurb market to save some money over new hardware, but new hardware is definitely something to consider if it would be better.
I've attached a network diagram of the current setup. The client's setup would be similar except there would be a second switch and wireless AP for their second office connected via ethernet.
EDIT: It says I'm not authorized to make the request when I try to insert the diagram photo.
01-23-2019 05:42 AM
The 3750G would be sufficient for the ASA on a stick.
Create an 'outside' VLAN on the 3750G which is used to transport traffic from the ISP to the ASA outside interface. On the 3750 interface connected to the ISP router configure service-policy input with a corresponding policy-map and class-map referencing an ACL matching traffic to and from your VOIP server and setting the DSCP value to 46.
The ASA inside interface will also be connected back to the 3750. If you do any routing on the 3750 it may be prudent to configure VRF-lite and place 'inside' SVIs into a new VRF.
cheers,
Seb.
01-24-2019 01:13 AM - edited 01-24-2019 01:42 AM
Ok. I created a new outside vlan 5 on the 3750 and connected the ASA and ISP router to it per your advice.
Int g1/0/1 was already connected to the inside interface on the ASA so I added vlan 5 to the allowed VLAN command and set the native vlan to 5.
I set int g1/0/24 and g1/0/21 to access ports on vlan 5 and connected the ASA's outside interface and the ISP router to them.
All that is pretty straightforward, but after that I'm not sure what service-policy input with a corresponding policy-map and class-map referencing an ACL means or how to configure it. I'm still learning Cisco and advanced networking. I use and have clients that use Cisco hardware and am able to get things configured the way I need them, but this is something new.
I don't do any inter-vlan routing on the switch, but the ASA does allow higher security level interfaces to access the lower ones. Does that count as inter-vlan routing for this purpose?
01-24-2019 01:44 AM
That 3750 config doesn't sound right. Can you share the complete running config?