Solved: QOS for ASA

John Apricena · ‎04-18-2013

Hello All,

I have a question regarding QOS and possibly dedicated bandwidth. The environment is ISP goes into an ASA that uplinks to a 3560 and fiber uplinks to other 2960s throughout the building for internet. My question is for certain sections of the building if I segment the network can I gaurantee them a certain amount of bandwidth. For example, if 1 gigabit is coming into the building from the ISP and into the ASA, can I guarantee one room in the building no less than say 200 Mb of the full internet pipe at all times?

Please let me know your thoughts and thanks in advance!

Julio Carvajal · ‎04-23-2013

Dude,

I got to be honest with you,

When I did not undertood this, the link that really helped me was this:, Read that and it will answer all of your doubts

http://brian-kayser.blogspot.com/2010/10/doing-asa-quality-of-service-qos.html

Brian did a great job there

Hey man remember to rate all of the helpful posts, if you do not have any other question then mark it as answered

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

John Apricena · ‎04-22-2013

Is, there a way that I can do this, even if it's not through the ASA but through the local network? Any advice is very much so appreciated. Thank You!

Julio Carvajal · ‎04-22-2013

Hello John,

Yes, this can be done via traffic shapping or policing . Both of them can be achieved on the ASA if you want ( it can also be set on the other LAN devices)

Now here is the configuration

https://supportforums.cisco.com/docs/DOC-1230

Regards,

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

abcdrohan · ‎04-23-2013

For argumen
t's sake lets say pipe coming into the building is 100Mbps


You want to make sure that one section of the builiding gets at least 20Mbpb (20%)

Lets say that the one section which is supposed to get 20% BW min is on subnet
192.168.100.0/24 and that that's the only section on that subnet

Create acl:

access-list ABC line 1 ext deny ip 192.168.100.0/24 to any--> you are telling dont consider this traffic for policing
access-list ABC line 2 ext permit ip any any

FW(config)#class-map all-traffic-not belonging-to-that-one-section-CMAP

FW(config-cmap)#match access-list ABC


FW(config)# policy-map global_policy
FW(config-pmap)# class all-traffic-not belonging-to-that-one-section-CMAP
FW(config-pmap-c)#police input 80000000 conform-action transmit exceed-action drop

That should do it

John Apricena · ‎04-23-2013

Thank you so much jcarvaja and abcdrohan! These configs are perfect. I was also wondering if you had any links to reference or know off of the top of your head how I can take that exact traffic, and push it to the front of the line using QOS. Like can I mkae a range of IP's have first crack at the internet's bandwidth to ensure that they get what they need from a bandwidth perspective. Like for instance 3 networks are high priority to stay online, while the others really aren't. What can I do to make sure that those first three networks always get to use the available bandiwdth first?

Thank again for everything!

Julio Carvajal · ‎04-23-2013

Dude,

I got to be honest with you,

When I did not undertood this, the link that really helped me was this:, Read that and it will answer all of your doubts

http://brian-kayser.blogspot.com/2010/10/doing-asa-quality-of-service-qos.html

Brian did a great job there

Hey man remember to rate all of the helpful posts, if you do not have any other question then mark it as answered

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

John Apricena · ‎04-23-2013

Perfect, thanks jcaraja! I rated all the posts and provided the correct answer as I always do. You guys are great thanks again!

Julio Carvajal · ‎04-23-2013

Hello John,

Our pleasure to be able to help you ,

Have a great day

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC