01-28-2019 01:55 AM - edited 02-21-2020 08:42 AM
Hello,
We have a pair of ASA 5516x firewalls with Firepower connected to our 100Mbps internet line.
We have been migrating into O365 recently and I've noticed our Internet pipe is maxing out first thing in the morning when users log in. Looking at NetFlow, it is HTTPS traffic to Microsoft, so it's the users' OneDrive files and Outlook, I think.
Is there a way I can give HTTPS or O365 a certain percentage of the 100Mbps line?
Thanks
01-28-2019 02:15 AM - edited 01-28-2019 02:16 AM
You can configure QoS on the ASA.
Here is the link
For SFR you cannot configure QoS, as it is only supported in FTD with FMC.
01-29-2019 06:26 AM - edited 01-29-2019 06:28 AM
Hi all,
See anything wrong with this? It's to limit the downloads to 20Mbps from SharePoint Online. I'm not sure if FQDNs can be used in QoS?
CLI:
service-policy MSSP1-outside-policy interface outside
class-map outside-class
description O365 SharePoint Downloads
match access-list outside_mpc
access-list outside_mpc line 1 extended permit tcp host 13.107.136.9 172.x.x.0 255.255.254.0 eq https (hitcnt=0) 0xcf278a07
The x.x is just me hiding our LAN not that it matters.
As you can see zero hits so far:
So anything inbound from 13.107.136.9 to our LAN should be limited to 20Mbps?
Thanks
01-29-2019 06:37 AM
Your configuration is not complete.
service-policy MSSP1-outside-policy interface outside
class-map outside-class
description O365 SharePoint Downloads
match access-list outside_mpc
access-list outside_mpc line 1 extended permit tcp host 13.107.136.9 172.x.x.0 255.255.254.0 eq https
You have the access-list defined and mapped into the class-map, but you have not defined the police rate or bandwidth parameters.
01-29-2019 06:47 AM
Sorry I missed that part of the CLI output but you can see it in the screenshot.
What show command can I use to output all this and show you?
01-29-2019 06:54 AM
I'll give you a template so you can change it to what suits you, as I am not aware of your network setup.
ASA
!
access-list ICMP permit ip any any
class-map ICMP
match access-list ICMP
!
policy-map OUT-POLICY
class ICMP
police input 32000
police output 32000
!
service-policy OUT-POLICY interface OUT
!
access-list OUTSIDE_IN permit icmp any any
access-group OUTSIDE_IN in interface OUT
!
show service-policy police
01-29-2019 08:22 AM
Thanks, what does 32000 equate to?
01-29-2019 11:26 AM
Hi sorry for getting back late.
I just chose a random number; 32000 means 32kbps in both directions.
01-29-2019 11:42 AM
Actually, I had a thought about your requirement and came up with this config.
!
policy-map SH-POLICY
class class-default
shape average 2000000 20000
!
service-policy SH-POLICY interface OUT
!
access-list OUTSIDE_IN permit tcp MICROSOFT-IP INSIDE-IP eq https
!
access-group OUTSIDE_IN in interface OUT
!
show service-policy shape
!
Make sure you apply/test this configuration in a change window.