Prioritize traffic based on destination IP?

smitty0375
Level 1

Hi all, we're looking to use an ASA5505 or 5510 as our firewall but want to see if one of them can help us prioritize traffic. I know it does QoS but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible and does it take a license upgrade?

Thanks!

3 Replies

will
Level 3

QoS is configurable with the base license on both the ASA 5505/5510, so nothing is needed there. Caveat: QoS only works when you have a standard interface configured. IOW, no interface in an 802.1Q trunk can be QoS-ed. It needs to be a real physical interface at Layer 3. The ASA 5505 can do QoS on a VLAN, but I think it has to be dedicated uniquely to one of the physical ports on the device. The 5505 might have some more limitations. Another caveat: QoS cannot control traffic inbound to your ASA very well, although policing does work okay on that. Here are a few examples that might work:

Priority Queue, assuming 90% reserved for the guaranteed stuff on a 1 Mbps circuit:

! high priority traffic is whatever ACL_QOS_HIGH matches
class-map CMAP_QOS_HIGH
 match access-list ACL_QOS_HIGH
!
policy-map PMAP_QOS
 ! the class must reference the class-map, not the ACL
 class CMAP_QOS_HIGH
  ! 900 Kbps of the 1 Mbps circuit (conform rate in bps, burst in bytes)
  police output 900000 100000
 ! all the rest of the traffic
 class class-default
  police output 100000 50000
!
service-policy PMAP_QOS interface OUTSIDE

Or you might try this, assuming high priority traffic gets all BW:

! add the ACEs for the high priority traffic (e.g. by destination IP) here
access-list ACL_QOS_HIGH
!
class-map CMAP_QOS_HIGH
 match access-list ACL_QOS_HIGH
!
policy-map PMAP_QOS_HIGH
 class CMAP_QOS_HIGH
  priority
!
! the priority action does nothing unless the priority queue is enabled on the interface
priority-queue OUTSIDE
!
service-policy PMAP_QOS_HIGH interface OUTSIDE

Thanks for a great answer. Let me outline the scenario just so I'm asking the correct question.

We have 20 Mb up/down internet. We use a hosted VoIP via 5/9 and, if I'm not mistaken, it's HTTP traffic. We simply want to dedicate a portion of our bandwidth all the time to that service, so maybe 7 Mb.

Jerry, I would try something like the second config example I mentioned. Keep in mind, if the ISP doesn't support marking packets, it may be hard to QoS inbound. If you assign the VoIP traffic high priority, it should go out the interface first during congestion. You don't need to dedicate a certain amount of bandwidth in any way.

Make sure in the design to keep the VoIP traffic, VPN traffic and user PAT (outbound NAT) traffic on separate IPs. That will help when defining the access-lists.

This QoS stuff is kind of tricky and a bit confusing. I have set up a few configs according to the above examples and they _seem_ to work. I ran a policing queue on the edge router for traffic leaving to the ASA, and ran a priority queue on the ASA. When I test a big download from a major site, which could consume all bandwidth, it doesn't appear to clobber VoIP traffic. The same results apply when I test a big upload to the internet. The QoS stuff is tricky though, and I _didn't_ see what I expected when I used the show QoS commands to see traffic drops, etc., so YMMV!

Take a look at this link for ASA 7.X release, which may give you some ideas:

"QoS based on ACL with VPN Configuration". You can change the ACL to include the outside interface IP as long as you have separated the NATs, VPN, etc. like I mentioned earlier.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml

Will
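For readers who want to see the destination-IP approach from both of Will's replies as one complete, applied configuration, the following is an added example; it is not Will's configuration and is not taken from the linked Cisco document. It assumes an egress interface named OUTSIDE, an inside LAN of 192.168.1.0/24, a hosted-VoIP provider range of 203.0.113.0/24 (a documentation range standing in for the real provider addresses), a 20 Mbps circuit, and the ACL, class-map and policy-map names shown; all of these are illustrative. It adds two things the thread's snippets leave out: the priority-queue command that the ASA requires on the interface before the priority action takes effect, and the show commands used to confirm the class is actually matching packets.

```cisco
! Added example (not from the thread). Names, addresses and rates are assumptions.
!
! 1. Classify by destination IP: anything from the LAN to the hosted-VoIP provider.
!    Matching on the provider's network rather than a single host means a new
!    provider address in that range is covered without editing the class-map.
access-list ACL_QOS_VOIP extended permit ip 192.168.1.0 255.255.255.0 203.0.113.0 255.255.255.0
!
class-map CMAP_QOS_VOIP
 match access-list ACL_QOS_VOIP
!
! 2. Strict priority for the VoIP class. The rest of the traffic is rate-limited
!    so a bulk transfer cannot saturate the link (police output <bps> <burst-bytes>).
!    The ASA's supported combination is priority for one class and policing for
!    the others, so the limit is placed on class-default, not on the VoIP class.
policy-map PMAP_QOS_OUTSIDE
 class CMAP_QOS_VOIP
  priority
 class class-default
  police output 13000000 250000
!
! 3. Enable the priority queue on the egress interface. Without this the
!    "priority" action in the policy-map has no effect. The queue-limit and
!    tx-ring-limit values are optional tuning knobs; the numbers here are assumed.
priority-queue OUTSIDE
 queue-limit 1024
 tx-ring-limit 128
!
! 4. Apply the policy on the interface the traffic leaves through.
service-policy PMAP_QOS_OUTSIDE interface OUTSIDE
!
! 5. Verify. A non-zero packet count for CMAP_QOS_VOIP proves the ACL matches;
!    if it stays at zero, check whether the addresses in the ACL should be the
!    real (inside) or the translated (outside) ones for your ASA version, and
!    whether the VoIP, VPN and PAT flows really use separate IPs as Will suggests.
show service-policy interface OUTSIDE priority
show service-policy interface OUTSIDE police
show priority-queue statistics OUTSIDE
```

The policing rate on class-default is the knob that answers the original question: lowering it reserves more of the 20 Mbps for the priority class during congestion, but the VoIP class itself is never capped, so it gets whatever it needs first and the remainder goes to everything else.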
