
QoS for traffic

jkay18041
Level 3

We've recently set up an RDS environment and would like to do a basic QoS rule to prioritize RDP traffic, but I'm not sure of the best way to do this. We have a 100 Mbps fiber connection (soon to be 250) and our setup is like this: ISP -> WAN router -> WAN switch -> 2 different ASAs.

We have an ASA for our main corp environment and then an ASA for our RDS environment. From what I've read it seems like the best way to do this would be to put the QoS on the WAN router. I should note that the RDP traffic goes over a site-to-site VPN from the RDS-side ASA firewall to the site where the users are. If need be, making QoS for everything from that RDS ASA public IP would work as well. Basically I want to prioritize all traffic as follows:

Priority 1: Voice traffic from our Corp ASA

Priority 2: RDP traffic from the RDS ASA

Is this something that would be simple to set up?

Thank you in advance

Accepted Solution

"It appears I am only able to basically run this on the upload traffic not the download."

Yes, that's correct. Policies that manage queues can only be used for egress.

You can write a policy to manage ingress, but depending on how you want to manage your traffic, they are often very limited in their effectiveness. Ideally, ingress traffic is managed on the other side's egress.

Suggested revisions:

class-map match-all Default
 match access-group name Default
!
policy-map Traffic_QoS
 class VoIP
  ! LLQ for voice: the IOS keyword is "priority percent", not "bandwidth priority"
  priority percent 1
 class Corporate
  bandwidth percent 8
  fair-queue
 class RDS
  bandwidth percent 10
  fair-queue
 ! catch-all class, evaluated last because it is listed last
 ! note: IOS does not accept "bandwidth remaining percent" in the same policy-map as
 ! "bandwidth percent"; use one form for every non-priority class
 class Default
  bandwidth remaining percent 100
  fair-queue
!
ip access-list extended Default
 permit ip any any

What's the actual available bandwidth on your egress interface g0/0?

45 Replies

Giuseppe Larosa
Hall of Fame

Hello jkay18041,

>> We have an ASA for our main corp environment and then an ASA for our RDS environment. From what I've read it seems like the best way to do this would be to put the QoS on the WAN router.

>> I should note that the RDP traffic goes over a site to site VPN from the RDS side ASA firewall to the site where the users are at

The WAN router cannot look inside the VPN traffic and it cannot discriminate the RDP traffic from other traffic that is carried on the site to site VPN (I guess an IPSEC LAN to LAN VPN).

Can we also assume that RDP = Microsoft remote desktop protocol?

So ideally, the ASA with the VPN connection should mark the IPSec packets that carry an RDP packet inside in a different way (different IP Prec or DSCP code in the external IP header).

However, the ASA may or may not be able to perform these QoS tasks.

You should provide the ASA model and SW version; posting a

show version

could be enough.

You could do the same for the WAN router.

The idea should be to have the ASA mark RDP packets inside IPSec in the external IP header so that the WAN router can discriminate them based on IP Precedence or DSCP and put them in a priority queue.

The same problems should apply to the VOIP traffic coming from the other ASA if they are put in an IPSec VPN. If they are not in a VPN the WAN router can examine them and can put them in a priority queue without help from the corporate ASA.

Hope to help

Giuseppe

Thank you for the input.

The VoIP traffic is not over the VPN and is only on our local network and our Network switches mark the traffic. However the WAN switch is not setup to prioritize the traffic.

The RDP sessions are Microsoft RDP.

I have ASA 5515-X for the RDS environment and a 5516-X for our corporate network where the VoIP is. I'm running IOS 9.12

thank you again

Joseph W. Doherty
Hall of Fame

As Giuseppe notes, what you want to accomplish is for the encrypted packet's ToS to reflect the kind of traffic it contains. If that can be accomplished, then it would be easy on the WAN router to prioritize the traffic as you desire. (Assuming the WAN router is the bandwidth bottleneck, that's the first place you want to have a QoS prioritization policy.)

In addition to what Giuseppe notes, some remote hosting software has subtypes within their protocol, so you can, for example, treat differently actual remote screen scraping from remote data copying or printing. You need something like NBAR to "see" such a subtype (which would need to be before the packet is encrypted). (NB: Don't recall Microsoft's RDP having this feature; Citrix had it, though.)

Also, if your WAN data rate is less than the interface rate (I assume the forthcoming 250 Mbps will be on a gig interface), you'll want to "shape" for the logical rate, and prioritize, as desired, within the shaper's queues. Same applies to 100 Mbps if the interface is not running at 100 Mbps. (NB: if you do shape, you may need to shape about 15% slower to allow for L2 overhead. [I believe some Cisco router shapers only count L3.])

Lastly, you may consider only using LLQ for VoIP bearer traffic. RDP would probably be fine in an "ordinary" bandwidth class, but one with a very high bandwidth percentage allowance.

Would I be better off doing the shaping on the WAN (that's the bottleneck) and then just doing QoS on all the VPN traffic, as any VPN traffic would be priority #2 behind the VoIP?

Thanks for the help

If you have VoIP and RDP and other traffic, you'll want to treat both VoIP and RDP "special".

Let's say that I want to provide 10 Mbps guaranteed bandwidth for a certain IP, but still allow it to get more than 10 Mbps if it needed it and was available.

Would something like this work to put on the transport router to the ISP?

ip access-list extended ip-priority
 remark public IP that I want to have priority
 permit ip host 65.45.65.34 any
!
class-map match-all ip-priority-class
 match access-group name ip-priority
!
policy-map shape
 class ip-priority-class
  bandwidth 10204
 class class-default
  ! (Would I need this command?)
  fair-queue

then on interface 0/0 (interface that connects to ISP)

interface gi0/0
 service-policy output shape

Does this look correct? Any suggestions or changes?

Thank you

"Would something like this work to put on the transport router to the ISP"

I think it would, but I'm unsure as you didn't allocate bandwidth for class-default. To get the bandwidth guaranteed as a minimum, you need to allocate 100% of all the bandwidth in your policy map.

"fair-queue (Would I need this command)"

Depends on how you define "need".

If you don't define it, by default, class-default will have a single FIFO queue. With FQ, in the versions of QoS since HQF, it shouldn't make any difference to the impact on your other class. In QoS prior to HQF, class-default FQ uses a variable amount of bandwidth, so your other class's bandwidth might not always obtain the specified minimum.

So I guess I need to make sure I understand this right: when you define the bandwidth, is that the max it can use or is that what it's guaranteed?

If I have a 100 Mbps connection can I guarantee 10 Mbps but still use more if more is available?

To be honest I'm not sure I follow 100% how all of this works with Cisco commands.

How would I do this on my router?

I have a 100 Mbps connection.

I would like the following:

IP 6.4.2.1 to be guaranteed 1 Mbps (VoIP)

IP 6.4.2.2 to be guaranteed 10 Mbps (RDS)

IP 6.4.2.3 to be guaranteed 10 Mbps (Corp Office)

With the following above I still want each of those IPs to be able to get more bandwidth if it's available.

Sorry for the confusion and thank you for the help

"With the following above I still want each of those IP's to be able to get more bandwidth if it's available."

For VoIP (bearer, especially), we normally use LLQ (to minimize any queuing latency and/or jitter) via the priority class, this imposes an implicit policer, but usually only if there's interface queuing. If you use an "ordinary" bandwidth statement, you might run into VoIP quality issues.

For what you've asked for, policy would look like:

policy-map Sample
 class VoIP
  ! bandwidth is in kbps, so 1000 = 1 Mbps (or "bandwidth percent 1" - using
  ! percentage based statements makes it easier to use the same policy on
  ! interfaces of other bandwidths)
  bandwidth 1000
 class RDS
  ! 10 Mbps (or "bandwidth percent 10")
  bandwidth 10000
 class CorpOffice
  ! ditto prior class
  bandwidth 10000
 class class-default
  ! to ensure 100% of bandwidth is allocated in the policy map
  ! note: IOS rejects "bandwidth remaining" alongside "bandwidth <kbps>" in one
  ! policy-map, so use the same form in every non-priority class
  bandwidth remaining percent 100

In HQF QoS versions, you can use FQ in non-LLQ classes - I recommend it if you expect congestion in that class and with multiple flows.

I didn't show class-maps, but they would be configured to match your IPs. For VoIP and RDS, the class maps might also additionally match TCP/UDP ports and/or NBAR protocols (to ensure the correct traffic is being matched).

"So I guess I need to make sure I understand this right, when you define the bandwidth is that the max it can use or is that what it's guaranteed?"

Depends on the actual command. The class bandwidth statement defines a minimum.

"If I have a 100mbps connection can I guarantee 10Mbps but still use more if more is available?"

Usually, yes.

Thank you for the help.

Yes, I would like, say, the VoIP connection to be guaranteed 1 Mbps but still be able to get 2 Mbps if needed.

If you use the bandwidth statement, and if excess bandwidth is available, the class will obtain it. I.e. the bandwidth statement sets a minimum not a maximum.

If you use LLQ (recommended for VoIP bearer), again, there's an implicit policer, so it may not obtain more than the class limit. I.e. the priority statement sets a congestion maximum.

So I created this:

class-map match-all VoIP
 description Voice Traffic
class-map match-all RDS
 description RDS Traffic
class-map match-all Corporate
 description Corp Office
class-map match-all Class-Default
class-map match-all Priority
!
policy-map Priority
 class VoIP
  bandwidth percent 1
 class RDS
  bandwidth percent 8
 class Corporate
  bandwidth percent 10
 class class-default

How/where do I define my bandwidth of 100 Mbps from my ISP? I'm assuming I'll need to define it somewhere so it knows what the 1% bandwidth percent is.

I'm also not sure where I define the IP address for each class-map.

Thank you again for all your help on this.
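A complete version of what the last two questions ask for, as an added example and not anyone's posted config: the IPs go into ACLs that the class-maps reference, and the 100 Mbps ISP rate is declared by a parent shaper (Joseph's earlier "shape for the logical rate" point) whose child policy does the queuing. It reuses the thread's sample addresses 6.4.2.1-.3 and the 1/8/10 percent split from the post above; the ACL, policy-map and interface names are assumptions, as is that the router hands off to the ISP on a gigabit port running an HQF-capable IOS.

```cisco
! Added example, not from the thread. Assumes IOS with HQF queuing and a
! gigabit uplink carrying a 100 Mbps service. Names below are made up.
!
! 1. Classification: one ACL per traffic type, referenced by its class-map.
!    The addresses 6.4.2.1-.3 are the sample values used in the thread.
ip access-list extended ACL-VOIP
 permit ip host 6.4.2.1 any
ip access-list extended ACL-RDS
 permit ip host 6.4.2.2 any
ip access-list extended ACL-CORP
 permit ip host 6.4.2.3 any
!
class-map match-all VoIP
 description Voice Traffic
 match access-group name ACL-VOIP
class-map match-all RDS
 description RDS Traffic
 match access-group name ACL-RDS
class-map match-all Corporate
 description Corp Office
 match access-group name ACL-CORP
!
! 2. Child policy: the queuing. "priority percent" is LLQ with an implicit
!    policer, so it is a congestion maximum; "bandwidth remaining percent" is
!    a minimum that may borrow idle capacity. Every non-priority class uses
!    the same "remaining" form because IOS refuses to mix "bandwidth percent"
!    and "bandwidth remaining percent" in one policy-map.
policy-map Priority
 class VoIP
  priority percent 1
 class RDS
  bandwidth remaining percent 8
  fair-queue
 class Corporate
  bandwidth remaining percent 10
  fair-queue
 class class-default
  bandwidth remaining percent 82
  fair-queue
!
! 3. Parent policy: this is where the 100 Mbps ISP rate lives. The shaper
!    makes the router queue at 100 Mbps instead of line rate, and the child
!    percentages are taken from the shaped rate (so 1% = 1 Mbps).
policy-map Shape-100M
 class class-default
  shape average 100000000
  service-policy Priority
!
! 4. Attach in the output direction only: queuing is egress, per the
!    accepted answer.
interface GigabitEthernet0/0
 description Uplink to ISP
 service-policy output Shape-100M
```

Verify with show policy-map interface GigabitEthernet0/0, which lists per-class offered rate, drops and whether the shaper is currently active; if VoIP shows drops in the priority class, the 1% LLQ cap is being hit. If the router port is physically running at 100 Mbps the shaper is unnecessary and the child policy can be applied to the interface directly, with percentages then taken from the interface rate. Joseph's note about shaping somewhat below the contracted rate to cover L2 overhead applies to the shape average value.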
