08-28-2019 07:14 PM
We've recently set up an RDS environment and would like to do a basic QoS rule to prioritize RDP traffic, but I'm not sure of the best way to do this. We have a 100 Mbps fiber connection (soon to be 250) and our setup is like this: ISP->WAN router->WAN Switch->2 different ASAs.
We have an ASA for our main corp environment and then an ASA for our RDS environment. From what I've read it seems like the best way to do this would be to put the QoS on the WAN router. I should note that the RDP traffic goes over a site-to-site VPN from the RDS side ASA firewall to the site where the users are at. If need be, making QoS for everything from that RDS ASA public IP would work as well. Basically I want to prioritize all traffic as such:
Priority 1 Voice traffic from our Corp ASA
Priority 2 RDP Traffic from the RDS ASA
Is this something that would be simple to set up?
Thank you in advance
09-25-2019 09:18 AM - edited 09-25-2019 09:23 AM
"It appears I am only able to basically run this on the upload traffic not the download."
Yes, that's correct. Policies that manage queues can only be used for egress.
You can write a policy to manage ingress, but depending on how you want to manage your traffic, they are often very limited in their effectiveness. Ideally, ingress traffic is managed on the "other's side" egress.
Suggested revisions:
class-map match-all Default
match access-group name Default
policy-map Traffic_QoS
class VoIP
priority percent 1
class Corporate
bandwidth percent 8
fair-queue
class RDS
bandwidth percent 10
fair-queue
class class-Default
bandwidth remaining percent 100
fair-queue
ip access-list extended Default
permit ip any any
What's the actual available bandwidth on your egress interface g0/0?
09-01-2019 06:45 AM
Hello jkay18041,
>> We have an ASA for our main corp environment and then an ASA for our RDS environment. From what I've read it seems like the best way to do this would be to put the QoS on the WAN router.
>>I should note that the RDP traffic goes over a site to site VPN from the RDS side ASA firewall to the site where the users are at
The WAN router cannot look inside the VPN traffic and it cannot discriminate the RDP traffic from other traffic that is carried on the site-to-site VPN (I guess an IPsec LAN-to-LAN VPN).
Can we also assume that RDP = Microsoft Remote Desktop Protocol?
So ideally, the ASA with the VPN connection should mark the IPsec packets that carry an RDP packet inside in a different way (different IP Prec or DSCP code in the external IP header).
However, the ASA may or may not be able to perform these QoS tasks.
You should provide the ASA model and SW version; posting a
show version
could be enough.
You could do the same for the WAN router.
The idea should be to have the ASA mark RDP packets inside IPsec in the external IP header so that the WAN router can discriminate them based on IP Precedence or DSCP and put them in a priority queue.
The same problems should apply to the VoIP traffic coming from the other ASA if it is put in an IPsec VPN. If it is not in a VPN, the WAN router can examine it and can put it in a priority queue without help from the corporate ASA.
Hope to help
Giuseppe
09-01-2019 06:45 PM
09-01-2019 08:18 AM
09-01-2019 06:52 PM
Would I be better off doing the shaping on the WAN (that's the bottleneck) and then just doing QoS on all the VPN traffic, as any VPN traffic would be priority #2 behind the VoIP?
Thanks for the help
09-02-2019 10:25 AM
09-11-2019 06:51 PM
Let's say that I want to provide 10 Mbps guaranteed bandwidth for a certain IP, but still allow it to get more than 10 Mbps if it needed it and it was available.
Would something like this work to put on the transport router to the ISP
ip access-list extended ip-priority
permit ip host 65.45.65.34 (public IP that I want to have priority)
class-map match-all ip-priority-class
match access-group name ip-range
policy-map shape
class ip-priority-class
bandwidth 10204
class class-default
fair-queue (Would I need this command)
then on interface 0/0 (interface that connects to ISP)
interface gi0/0
service policy output ip-priority
Does this look correct? Any suggestions or changes?
Thank you
09-12-2019 11:31 AM - edited 09-13-2019 09:51 AM
"Would something like this work to put on the transport router to the ISP"
I think it would, but I'm unsure as you didn't allocate bandwidth for class-default. To get the bandwidth guaranteed as a minimum, you need to allocate 100% of all the bandwidth in your policy map.
"fair-queue (Would I need this command)"
Depends on how you define "need".
If you don't define it, by default, class-default will have a single FIFO queue. In the versions of QoS since HQF, FQ shouldn't make any difference to the impact on your other class. In QoS prior to HQF, class-default FQ uses a variable amount of bandwidth, so your other class's bandwidth might not always obtain the specified minimum.
09-12-2019 02:52 PM
So I guess I need to make sure I understand this right: when you define the bandwidth, is that the max it can use or is that what it's guaranteed?
If I have a 100 Mbps connection, can I guarantee 10 Mbps but still use more if more is available?
To be honest I'm not sure I follow 100% how all of this works with Cisco commands.
09-12-2019 06:52 PM
How would I do this on my router?
I have a 100 Mbps connection.
I would like the following:
IP 6.4.2.1 to be guaranteed 1 Mbps (VoIP)
IP 6.4.2.2 to be guaranteed 10 Mbps (RDS)
IP 6.4.2.3 to be guaranteed 10 Mbps (Corp Office)
With the following above I still want each of those IPs to be able to get more bandwidth if it's available.
Sorry for the confusion and thank you for the help
09-13-2019 10:07 AM
09-13-2019 09:56 AM
09-13-2019 10:51 AM
Thank you for the help.
Yes, I would like, say, the VoIP connection to be guaranteed 1 Mbps but still be able to get 2 Mbps if needed.
09-13-2019 04:51 PM
09-15-2019 07:08 PM - edited 09-15-2019 07:23 PM
So I created this
class-map match-all VoIP
description Voice Traffic
class-map match-all RDS
description RDS Traffic
class-map match-all Corporate
description Corp Office
class-map match-all Class-Default
class-map match-all Priority
!
policy-map priority
!
policy-map Priority
class VoIP
bandwidth percent 1
class RDS
bandwidth percent 8
class Corporate
bandwidth percent 10
class class-default
How/where do I define my bandwidth of 100Mbps from my ISP? I'm assuming I'll need to define it somewhere so it knows what the 1% bandwidth percent is.
I'm also not sure where I define the IP address for each class-map
Thank you again for all your help on this.
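An added example, not posted by anyone in this thread, showing one common way to handle the two open questions above on IOS: each class-map references an ACL that names the public IP, and a parent shaper supplies the 100 Mbps figure that the child policy's percentages are calculated from. The ACL names and the WAN_SHAPE policy name are assumptions; the IPs, class names, Traffic_QoS and g0/0 come from the posts above.

```cisco
! Added example. ACL names and WAN_SHAPE are hypothetical.
! Egress toward the ISP, so the ASA public IPs are the packet sources.
ip access-list extended VOIP_SRC
 permit ip host 6.4.2.1 any
ip access-list extended RDS_SRC
 permit ip host 6.4.2.2 any
ip access-list extended CORP_SRC
 permit ip host 6.4.2.3 any
!
! The class-map is where the IP is tied to the class, via its ACL.
class-map match-all VoIP
 match access-group name VOIP_SRC
class-map match-all RDS
 match access-group name RDS_SRC
class-map match-all Corporate
 match access-group name CORP_SRC
!
! Child policy: queueing per class.
policy-map Traffic_QoS
 class VoIP
  ! Strict-priority (LLQ) queue; the 1% limit is enforced only under congestion.
  priority percent 1
 class RDS
  ! Minimum guarantee under congestion, not a cap; idle capacity can still be used.
  bandwidth percent 10
  fair-queue
 class Corporate
  bandwidth percent 10
  fair-queue
 class class-default
  ! class-default is built in and needs no class-map or ACL of its own.
  fair-queue
!
! Parent policy: shape to the contracted ISP rate (bits per second).
! The child's percentages are taken from this 100 Mbps rate.
policy-map WAN_SHAPE
 class class-default
  shape average 100000000
  service-policy Traffic_QoS
!
interface GigabitEthernet0/0
 service-policy output WAN_SHAPE
```

After applying it, `show policy-map interface GigabitEthernet0/0` shows per-class match counters and drops, which confirms whether each ACL is actually catching its traffic.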