01-06-2009 12:55 AM - last edited on 03-25-2019 03:21 PM by ciscomoderator
Hi Team,
We have two sites called Site A & Site B connected via 2 Mbps Satellite Link. The current configuration of the QoS is as below:
class-map match-all NETWORK-CONTROL
 match ip dscp cs6
class-map match-any VOICE-SIGNALLING
 match ip dscp cs3
class-map match-all VOICE-BEARER
 match ip dscp ef
!
!
policy-map WAN-EDGE
 class VOICE-BEARER
  priority percent 30
 class VOICE-SIGNALLING
  bandwidth percent 7
 class NETWORK-CONTROL
  bandwidth percent 3
 class class-default
  fair-queue
  random-detect dscp-based
We have deployed Cisco ASA between the sites A & B and have an IPSEC Tunnel between the ASAs which mainly carries the Wireless Internet Traffic from Site B to Site A.
We would like to ensure that the Wireless Internet Traffic which goes through the Tunnel has the least priority.
Any recommendations with reference to this would be helpful.
Thanks and Regards
Sriharshaa Prabhakar
Senior Consultant - Cisco Unified Communications
Network & Telecoms Group
Mannai Corporation, QSC
Tel (Office) :+974-4558118
Tel (Mob) : +974-5447791
Fax : +974-4558558
01-06-2009 01:20 AM
Hello Sriharshaa,
With your current configuration, the IPSec packets carrying wireless Internet traffic from Site B to Site A match the default class.
Now, the default class can use up to 60/35 percent of bandwidth with your current configuration.
(up to 75% of the link BW if max-reserved-bandwidth applies to your router platform)
A possible suggestion could be that of creating a dedicated class with some percent for the IPSec traffic, if you desire to distinguish it from the default class.
So, depending on your IPSec config, you need to match AH or ESP protocols:
! in the ACL you can use the actual ipsec
! peer addresses
access-list 111 permit ah any any
access-list 111 permit esp any any
class-map match-any IPSEC
 match access-group 111
policy-map WAN-EDGE
 class IPSEC
  bandwidth percent 10
Hope to help
Giuseppe
01-06-2009 05:28 AM
Two additional notes:
Giuseppe's post uses an example of 10 percent for the IPSec traffic, but since you note you want this traffic to have "least priority", hopefully you understand you could either set the percentage to 1 percent or use the minimum absolute bandwidth values (8 K?).
On many Cisco platforms, I believe usage of FQ in class-default might preclude other defined classes, except for priority bandwidth classes, from obtaining their minimum bandwidth specifications. If this becomes an issue, you might just change class-default to FIFO rather than FQ.
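As an added example (not part of the thread or any poster's code), this Python sketch parses the WAN-EDGE policy discussed above and computes how much bandwidth remains unallocated, both against the whole link and against the 75 percent max-reserved-bandwidth limit mentioned in the first reply, with the IPSEC class at 10 and at 1 percent. The 2000 kbps link rate and all function names are assumptions made for the example.

```python
import re

# Constructed input: the thread's WAN-EDGE policy plus the proposed IPSEC class.
POLICY = """\
policy-map WAN-EDGE
 class VOICE-BEARER
  priority percent 30
 class VOICE-SIGNALLING
  bandwidth percent 7
 class NETWORK-CONTROL
  bandwidth percent 3
 class IPSEC
  bandwidth percent 10
 class class-default
  fair-queue
  random-detect dscp-based
"""

def parse_policy(text):
    """Return {class_name: reserved_percent} for one policy-map (0 if none)."""
    classes, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"class\s+(\S+)$", line)
        if m:
            current = m.group(1)
            classes[current] = 0
            continue
        m = re.match(r"(?:priority|bandwidth)\s+percent\s+(\d+)$", line)
        if m and current:
            classes[current] = int(m.group(1))
    return classes

def headroom(classes, link_kbps=2000, max_reserved=75):
    """Summarise reservations against the full link and a reservable limit."""
    reserved = sum(classes.values())
    return {
        "reserved_pct": reserved,
        "unallocated_pct": 100 - reserved,
        "unallocated_of_limit_pct": max_reserved - reserved,
        "within_limit": reserved <= max_reserved,
        "kbps": {c: link_kbps * p // 100 for c, p in classes.items() if p},
    }

def with_class(classes, name, percent):
    """Copy of the allocation with one class set to a different percentage."""
    updated = dict(classes)
    updated[name] = percent
    return updated

if __name__ == "__main__":
    base = parse_policy(POLICY)
    for pct in (10, 1):
        print(pct, headroom(with_class(base, "IPSEC", pct)))
```

With the IPSEC class removed, the same calculation gives 60 percent of the link and 35 percent of the 75 percent limit left unallocated.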