Preserve QOS markings through ASA

DAVID
Level 3

I am testing and evaluating QOS from our remote locations to a server in our DC that is behind an ASA.  Using LiveAction I can easily see that traffic from the source is marked af21 to destination but traffic from the destination back to the source is BE.  As a test I set up a test server that is not behind the ASA and did the same test but to this test server.  I configured markings for both dscp af21 and af31 and each time LiveAction showed both ingress and egress traffic successfully marked.  My question is: by default, when traffic enters the ASA for a host that is behind the ASA and that traffic is marked with a particular dscp value, does the ASA automatically strip off the value?  In order to preserve the dscp markings, does the ASA have to be configured to honor the markings to the destination to which the traffic is destined?


"Classification on the Cisco ASA

While the ASA cannot mark packets for special treatment in the network, it does preserve existing markings, and it can classify traffic based on these QoS markings. Traffic classification on the Cisco ASA is accomplished with class-maps. This is consistent with how traffic classification is accomplished on Cisco’s routers and switches in the network"

 

Take a look at this article published here in the forum:

https://supportforums.cisco.com/t5/security-documents/asa-qos/ta-p/3115852

So I understand correctly, the ASA does not have the ability to strip off any dscp markings that pass through it to a destination that is behind the ASA?  We can see and verify that our af21 class is consistent when we access a test server that is in front of the ASA but when we try to test to a device that is behind the ASA the marking is stripped.

I think you got it wrong.

"it does preserve existing markings" if prepared for that. Otherwise, it will strip them off.

Actually, any device that does not have qos configured will strip off any marking.

There's no way to keep marking in a default config as far as I know.

I recommend you read the article, if you haven't already.

You actually confirmed what I suspected all along.  The ASA is going to have to be configured to match or preserve the markings that are destined for the host as the packet traverses the ASA.

Yeah, that's what I understood as well.
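The af21-one-way, BE-on-return observation from the original question can be checked directly from captured IPv4 headers. The following is an added example, not part of the thread or of any Cisco tooling; the function names, addresses and sample headers are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

def dscp_name(dscp):
    """Map a 6-bit DSCP value to its conventional name (RFC 2474/2597/3246)."""
    if dscp == 0:
        return "BE"
    if dscp == 46:
        return "EF"
    cls, drop = dscp >> 3, (dscp & 0b111) >> 1
    if dscp & 1 == 0 and 1 <= cls <= 4 and 1 <= drop <= 3:
        return f"AF{cls}{drop}"
    if dscp & 0b111 == 0:
        return f"CS{cls}"
    return f"DSCP{dscp}"

def parse_ipv4(header):
    """Return (src, dst, dscp_name) from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    tos = header[1]  # DSCP is the top 6 bits, ECN the low 2
    src, dst = (socket.inet_ntoa(header[o:o + 4]) for o in (12, 16))
    return src, dst, dscp_name(tos >> 2)

def markings_by_direction(headers):
    """Collect the set of DSCP names seen for each (src, dst) direction."""
    seen = defaultdict(set)
    for h in headers:
        src, dst, name = parse_ipv4(h)
        seen[(src, dst)].add(name)
    return dict(seen)

def asymmetric_pairs(seen):
    """Host pairs whose two directions carry different DSCP sets."""
    return sorted((s, d) for (s, d), names in seen.items()
                  if (d, s) in seen and s < d and names != seen[(d, s)])

def make_header(src, dst, dscp):
    """Constructed sample: minimal 20-byte IPv4 header (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

# Constructed sample traffic: remote site 10.1.1.10, server 10.9.9.20
SAMPLE = [make_header("10.1.1.10", "10.9.9.20", 18),  # AF21 toward the server
          make_header("10.9.9.20", "10.1.1.10", 0)]   # return traffic is BE

if __name__ == "__main__":
    seen = markings_by_direction(SAMPLE)
    print(seen, asymmetric_pairs(seen))
```

Running the same comparison on headers captured on each side of the firewall shows at which hop the field changes.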
