3193 Views, 5 Helpful, 45 Replies

QoS for traffic

jkay18041
Level 3

We've recently set up an RDS environment and would like to do a basic QoS rule to prioritize RDP traffic, but I'm not sure of the best way to do this. We have a 100 Mbps fiber connection (soon to be 250) and our setup is like this: ISP -> WAN router -> WAN switch -> 2 different ASAs.

 

We have an ASA for our main corp environment and then an ASA for our RDS environment. From what I've read, it seems like the best way to do this would be to put the QoS on the WAN router. I should note that the RDP traffic goes over a site-to-site VPN from the RDS-side ASA firewall to the site where the users are. If need be, applying QoS to everything from that RDS ASA's public IP would work as well. Basically I want to prioritize all traffic as such:

 

Priority 1 Voice traffic from our Corp ASA

Priority 2 RDP Traffic from the RDS ASA

 

Is this something that would be simple to set up?

 

Thank you in advance

45 Replies

"class-map match-all VoIP
description Voice Traffic
match access-group 10"

Should be:

class-map match-all VoIP
description Voice Traffic
match access-group name VoIP

"Also on the ACL do you need any deny statements?"

That depends. Suppose most of the (many) hosts on a subnet were desired except a few. Rather than have a long list of host matching ACEs, with permits, you might exclude the few and then match the subnet, e.g.:

ip access-list extended Sample
deny ip host 10.1.1.5 any
permit ip 10.1.1.0 0.0.0.255 any

I have been trying that command.

"match access-group VoIP" but it keeps telling me it's not a valid command.

 

If I type "match access-group ?" the options are <12-2699> and name. So you would assume it would work.

 

 

You need the "name" keyword.

I.e.
match access-group name VoIP

Ok, that worked. I feel silly now for not trying that.

 

I am assuming that, if this config looks correct, I apply the access list to the g0/0 interface that goes to my ISP.

 

class-map match-all VoIP
description Voice Traffic
match access-group name VoIP
class-map match-all RDS
description RDS Traffic
match access-group name RDS
class-map match-all Corporate
description Corp Office
match access-group name Corporate
class-map match-all Class-Default
description Default
match access-group name Default
!
policy-map Traffic_QoS
class VoIP
bandwidth percent 1
class Corporate
bandwidth percent 10
class RDS
bandwidth percent 10
class class-default
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
ip access-list extended VoIP
permit ip host 45.45.45.1 any
ip access-list extended RDS
permit ip host 45.45.45.2 any
ip access-list extended Corporate
permit ip host 45.45.45.3 any
ip access-list extended Default
permit ip any any

 

Please let me know if you think this will work.

 

Thank you for ALL of your help with this.

Yes, try that on your interface to your ISP, although by default class-default matches everything else not defined, so you shouldn't need an ACL or explicit class-map for it. I would still recommend an explicit class class-default in your policy-map, also defining a bandwidth allocation for it.
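The mistakes that keep coming up in this thread (a class-map pointing at an ACL that was never defined, a policy-map class with no matching class-map, no explicit class-default, a policy attached to a shut-down interface) are all things you can catch before pasting a config into the router. The checker below is an added example written for this thread; it is not Cisco code and not any poster's configuration. It parses a small MQC-style config and reports those problems, plus over-reservation. Assumptions, labelled in the code: the classic IOS default max-reserved-bandwidth of 75% applies, class-default is the only class that needs no class-map, and the SAMPLE_CONFIG is a constructed variant of the thread's config using documentation addresses.

```python
"""Pre-flight checks for an IOS-style MQC QoS config.

Added example for the thread, not Cisco code and not any poster's config.
Assumptions: classic IOS default max-reserved-bandwidth of 75% applies, and
class-default is the only policy-map class that needs no class-map.
"""

MAX_RESERVED_PERCENT = 75  # assumption: classic IOS default max-reserved-bandwidth

# Constructed sample modelled on the thread's config (addresses changed to
# documentation ranges). It deliberately references an ACL that is never
# defined, uses a class with no class-map, omits class-default, and leaves
# the interface shut down, so the checker has something to report.
SAMPLE_CONFIG = """\
class-map match-all VoIP
 description Voice Traffic
 match access-group name VoIP
class-map match-all RDS
 match access-group name RDS
class-map match-all Corporate
 match access-group name Corporate
!
policy-map Traffic_QoS
 class VoIP
  priority percent 1
 class Corporate
  bandwidth percent 8
 class RDS
  bandwidth percent 10
 class Default
  bandwidth remaining percent 100
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.192
 service-policy output Traffic_QoS
 shutdown
!
ip access-list extended VoIP
 permit ip host 192.0.2.71 any
ip access-list extended Corporate
 permit ip host 192.0.2.66 any
"""


def parse_config(text):
    """Minimal line-oriented parser covering only the MQC objects we check."""
    cfg = {"class_maps": {}, "policy_maps": {}, "acls": set(), "interfaces": {}}
    section = None        # (kind, name) of the block we are inside
    current_class = None  # class being edited inside a policy-map
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if w[0] == "class-map":
            section = ("class_maps", w[-1])
            cfg["class_maps"][w[-1]] = []
        elif w[0] == "policy-map":
            section, current_class = ("policy_maps", w[1]), None
            cfg["policy_maps"][w[1]] = {}
        elif w[0] == "interface":
            section = ("interfaces", w[1])
            cfg["interfaces"][w[1]] = {"policies": [], "shutdown": False}
        elif w[:2] == ["ip", "access-list"]:
            section = None
            cfg["acls"].add(w[-1])
        elif section is None:
            continue
        elif section[0] == "class_maps":
            # only named ACL references are tracked; numbered ones are skipped
            if w[:3] == ["match", "access-group", "name"]:
                cfg["class_maps"][section[1]].append(w[3])
        elif section[0] == "policy_maps":
            pm = cfg["policy_maps"][section[1]]
            if w[0] == "class":
                current_class = w[1]
                pm[current_class] = {"priority": 0, "bandwidth": 0}
            elif (current_class and w[0] in ("priority", "bandwidth")
                  and "percent" in w and "remaining" not in w and w[-1].isdigit()):
                pm[current_class][w[0]] = int(w[-1])  # only "... percent N" is tallied
        elif section[0] == "interfaces":
            iface = cfg["interfaces"][section[1]]
            if w[0] == "service-policy" and len(w) == 3:
                iface["policies"].append((w[1], w[2]))
            elif w[0] == "shutdown":
                iface["shutdown"] = True
    return cfg


def check_config(cfg):
    """Return a list of (severity, message) findings."""
    out = []
    for cm, acls in cfg["class_maps"].items():
        for acl in acls:
            if acl not in cfg["acls"]:
                out.append(("error", f"class-map {cm} references undefined ACL {acl}"))
    for pm, classes in cfg["policy_maps"].items():
        for cls in classes:
            if cls != "class-default" and cls not in cfg["class_maps"]:
                out.append(("error", f"policy-map {pm}: class {cls} has no class-map"))
        if "class-default" not in classes:
            out.append(("warning", f"policy-map {pm}: no explicit class class-default"))
        reserved = sum(c["priority"] + c["bandwidth"] for c in classes.values())
        if reserved > MAX_RESERVED_PERCENT:
            out.append(("error", f"policy-map {pm}: reserves {reserved}% of bandwidth, "
                                 f"above the {MAX_RESERVED_PERCENT}% max-reserved-bandwidth"))
        if not any(c["priority"] for c in classes.values()):
            out.append(("warning", f"policy-map {pm}: no priority (LLQ) class"))
    for name, iface in cfg["interfaces"].items():
        for direction, pm in iface["policies"]:
            if pm not in cfg["policy_maps"]:
                out.append(("error", f"{name}: service-policy {pm} is not defined"))
            if direction == "input":
                out.append(("warning", f"{name}: queuing only works on egress; an input policy cannot manage queues"))
        if iface["policies"] and iface["shutdown"]:
            out.append(("warning", f"{name}: service-policy attached but interface is shutdown"))
    return out


def lint(text):
    return check_config(parse_config(text))


if __name__ == "__main__":
    for severity, msg in lint(SAMPLE_CONFIG):
        print(f"{severity.upper():8} {msg}")
```

Run it on the constructed sample and it reports two errors (the undefined RDS ACL and the Default class with no class-map) and two warnings (no class-default, policy on a shut-down interface); fix those four lines and it reports nothing. The 75% ceiling is the old max-reserved-bandwidth behaviour; on platforms that no longer enforce it, adjust MAX_RESERVED_PERCENT.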

So after getting this all set up, it only allows me to put one ACL per interface.

You can have one IP ingress and/or one IP egress ACL per interface. You can also have one ingress service policy and/or one egress service-policy per interface.

If you're using a service-policy (the norm for CBWFQ QoS), each class-map can reference one or more ACLs. I recall (?) later IOS versions also allow an ACL to reference other ACLs.

What are you trying to do that one ACL per interface is an issue?

I guess I'm not sure how to apply all this information to the interface. Sorry, I've looked high and low online to find an example of this specific way of doing the QoS, but I've not been able to find anything, and I'm just lost, to say the least.

 

Thank you

In brief, you often apply an "out" service policy on an interface on which you want to manage congestion.

By default, interfaces usually just support one FIFO queue, so if you have different mixes of traffic, especially something "sensitive" like VoIP, and bulk traffic, the latter may impact the former when sharing a single queue. If we can define multiple queues, with different priorities, we can mitigate one kind of traffic impacting another.

So, for example, to "protect" VoIP, we might have something like:

class-map match-any/all VoIP !for any it's match or match or match or . . ., for all it's match and match and match and . . .
match . . . !we somehow match our VoIP traffic, might be addresses, ports, protocols, and/or a combination

policy-map Sample
class VoIP
priority percent 33 !creates LLQ, always goes first
class class-default
bandwidth remaining percent 100 !whatever the LLQ class isn't using goes here
fair-queue !flows are hashed into different flow queues, ideally each flow has its own flow queue

 

(BTW, FQ, in class-default alone, probably well handles 90%, or more, of QoS needs.)

interface ethernet #
service-policy output Sample

The above demonstrates the basics. Of course, a policy may have more classes and/or more command options. Policy complexity depends on what you're trying to accomplish.
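To make the "single FIFO queue vs. priority queue" point concrete, here is a small scheduler simulation added for this thread (not IOS code and not the poster's). It pushes a constructed burst of 1500-byte bulk packets onto a 100 Mbps link every 20 ms with a 200-byte voice packet arriving 0.5 ms into each burst, then measures the worst voice queuing delay under plain FIFO and under strict priority (the LLQ behaviour). The link rate, packet sizes and arrival pattern are assumptions; real LLQ also polices the priority class to its configured rate, which the simulation leaves out.

```python
"""Toy single-link scheduler simulation: FIFO versus strict priority (LLQ).

Added example for the thread, not IOS code. Shows why a bulk burst sharing one
FIFO queue delays voice and why a priority queue protects it. Link rate, packet
sizes and arrival pattern are constructed; LLQ policing of the priority class is
omitted.
"""
from collections import deque

LINK_MBPS = 100                                   # assumption: 100 Mbps egress
BYTES_PER_MS = LINK_MBPS * 1_000_000 / 8 / 1000   # 12500 bytes per millisecond


def make_traffic(bursts=5, burst_pkts=100):
    """Constructed traffic: every 20 ms a burst of 1500-byte bulk packets
    arrives at once, and a 200-byte voice packet arrives 0.5 ms later."""
    pkts = []
    for b in range(bursts):
        t0 = 20.0 * b
        pkts += [(t0, "bulk", 1500)] * burst_pkts
        pkts.append((t0 + 0.5, "voice", 200))
    pkts.sort(key=lambda p: p[0])
    return pkts


def fifo(queues):
    """One shared queue: serve whichever head-of-line packet arrived first."""
    ready = [(q[0][0], cls) for cls, q in queues.items() if q]
    return min(ready)[1] if ready else None


def strict_priority(queues):
    """LLQ-style: voice always goes first; bulk only when voice is empty."""
    for cls in ("voice", "bulk"):
        if queues[cls]:
            return cls
    return None


def simulate(packets, scheduler):
    """Non-preemptive link: returns per-class lists of queuing delay (ms)."""
    queues = {"voice": deque(), "bulk": deque()}
    delays = {"voice": [], "bulk": []}
    t, i, n = 0.0, 0, len(packets)
    while i < n or any(queues.values()):
        while i < n and packets[i][0] <= t:      # enqueue everything that has arrived
            arrival, cls, size = packets[i]
            queues[cls].append((arrival, size))
            i += 1
        cls = scheduler(queues)
        if cls is None:                          # link idle: jump to next arrival
            t = packets[i][0]
            continue
        arrival, size = queues[cls].popleft()
        delays[cls].append(t - arrival)          # time spent waiting in the queue
        t += size / BYTES_PER_MS                 # serialization time of this packet
    return delays


def max_voice_delay():
    """Worst-case voice queuing delay (ms) under each scheduler."""
    pkts = make_traffic()
    return {name: max(simulate(pkts, sched)["voice"])
            for name, sched in (("fifo", fifo), ("llq", strict_priority))}


if __name__ == "__main__":
    for name, d in max_voice_delay().items():
        print(f"{name:5} worst voice queuing delay: {d:.2f} ms")
```

With these numbers a burst of 100 bulk packets takes 12 ms to serialize, so under FIFO the voice packet that lands behind it waits about 11.5 ms, while under strict priority it waits only for the packet already on the wire (about 0.1 ms). Bulk traffic loses almost nothing in return, since the voice class uses a few hundred bytes per burst, which is the trade the thread's policy-map is making.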

How does this look?

 

class-map match-all VoIP
description Voice Traffic
match access-group name VoIP
class-map match-all RDS
description RDS Traffic
match access-group name RDS
class-map match-all Corporate
description Corp Office
match access-group name Corporate
class-map match-all Default
match access-group name Default
!
policy-map Traffic_QoS
class VoIP
bandwidth percent 1
class Corporate
bandwidth percent 8
class RDS
bandwidth percent 10
class Default
!
interface GigabitEthernet0/0
ip address 1.64.21.65 255.255.255.192
service-policy output Traffic_QoS
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
ip access-list extended VoIP
permit ip host 1.211.21.71 any
ip access-list extended RDS
permit ip host 1.211.21.85 any
ip access-list extended Corporate
permit ip host 1.211.21.66 any
permit ip host 1.211.21.67 any
permit ip host 1.211.21.68 any
permit ip host 1.211.21.69 any
ip access-list extended Default
permit ip any any

 

It appears I am only able to basically run this on the upload traffic not the download.

 

Thanks again for all the time and help with this.

"It appears I am only able to basically run this on the upload traffic not the download."

Yes, that's correct. Policies that manage queues can only be used for egress.

You can write a policy to manage ingress, but depending on how you want to manage your traffic, they are often very limited in their effectiveness. Ideally, ingress traffic is managed on the other side's egress.

Suggested revisions:

class-map match-all Default
match access-group name Default

policy-map Traffic_QoS
class VoIP
priority percent 1
class Corporate
bandwidth percent 8
fair-queue
class RDS
bandwidth percent 10
fair-queue
class class-default
bandwidth remaining percent 100
fair-queue

ip access-list extended Default
permit ip any any

 

What's the actual available bandwidth on your egress interface g0/0?

For some reason it won't allow me to do the fair-queue; it doesn't seem to be a command.

 

The g0/0 is 100x100Mb but soon will be 250x250.

 

Thanks

This is on Packet Tracer? If so, it's not unusual that PT doesn't support some IOS features.

If the interface is running at 100 Mbps, you're okay. If and when you upgrade to 250, assuming the interface will actually be running at gig, you'll need a parent shaper.

How does this one look now?

 

class-map match-all VoIP
description Voice Traffic
match access-group name VoIP
class-map match-all RDS
description RDS Traffic
match access-group name RDS
class-map match-all Corporate
description Corp Office
match access-group name Corporate
!
policy-map Traffic_QoS
class VoIP
priority percent 1
class Corporate
bandwidth percent 8
fair-queue
class RDS
bandwidth percent 10
fair-queue
class class-default
bandwidth remaining percent 100
fair-queue
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
!
ip access-list extended VoIP
permit ip host 1.211.219.71 any
ip access-list extended RDS
permit ip host 1.211.219.85 any
ip access-list extended Corporate
permit ip host 1.211.21.66 any
permit ip host 1.211.21.67 any
permit ip host 1.211.21.68 any
permit ip host 1.211.21.69 any


interface GigabitEthernet0/0
ip address 4.4.4.1
service-policy output Traffic_QoS

Good!