09-20-2017 09:11 AM - edited 02-21-2020 06:20 AM
I am testing and evaluating QoS from our remote locations to a server in our DC that is behind an ASA. Using LiveAction I can easily see that traffic from the source is marked af21 to the destination, but traffic from the destination back to the source is BE. As a test I set up a test server that is not behind the ASA and did the same test, but to this test server. I configured markings for both DSCP af21 and af31, and each time LiveAction showed both ingress and egress traffic successfully marked. My question is: by default, when traffic that is marked with a particular DSCP value enters the ASA for a host that is behind the ASA, does the ASA automatically strip off the value? In order to preserve the DSCP markings, does the ASA have to be configured to honor the markings to the destination to which the traffic is destined?
09-20-2017 02:18 PM
"While the ASA cannot mark packets for special treatment in the network, it does preserve existing markings, and it can classify traffic based on these QoS markings. Traffic classification on the Cisco ASA is accomplished with class-maps. This is consistent with how traffic classification is accomplished on Cisco’s routers and switches in the network."
Take a look at this article published here in the forum:
https://supportforums.cisco.com/t5/security-documents/asa-qos/ta-p/3115852
09-21-2017 05:01 AM
So I understand correctly: the ASA does not have the ability to strip off any DSCP markings that pass through it to a destination that is behind the ASA? We can see and verify that our af21 class is consistent when we access a test server that is in front of the ASA, but when we try to test to a device that is behind the ASA the marking is stripped.
09-21-2017 05:32 AM
I think you got it wrong.
"it does preserve existing markings" if prepared for that. Otherwise, it will strip them off.
Actually, any device that does not have QoS configured will strip off any marking.
There's no way to keep marking in a default config as far as I know.
I recommend you read the article, if you haven't already.
09-21-2017 05:51 AM
You actually confirmed what I suspected all along. The ASA is going to have to be configured to match or preserve the markings that are destined for the host as the packet traverses the ASA.
09-21-2017 05:58 AM
Yeah, that's what I understood as well.