We've recently set up an RDS environment and would like to do a basic QoS rule to prioritize RDP traffic, but I'm not sure of the best way to do this. We have a 100Mbps fiber connection (soon to be 250) and our setup is like this: ISP->WAN router->WAN Switch->2 different ASAs.
We have an ASA for our main corp environment and then an ASA for our RDS environment. From what I've read it seems like the best way to do this would be to put the QoS on the WAN router. I should note that the RDP traffic goes over a site-to-site VPN from the RDS-side ASA firewall to the site where the users are. If need be, making QoS for everything from that RDS ASA public IP would work as well. Basically I want to prioritize all traffic as follows:
Priority 1 Voice traffic from our Corp ASA
Priority 2 RDP Traffic from the RDS ASA
Is this something that would be simple to setup?
Thank you in advance
"It appears I am only able to basically run this on the upload traffic not the download."
Yes, that's correct. Policies that manage queues can only be used for egress.
You can write a policy to manage ingress, but depending on how you want to manage your traffic, they are often very limited in their effectiveness. Ideally, ingress traffic is managed on the other side's egress.
class-map match-all Default
 match access-group name Default
bandwidth priority percent 1
bandwidth percent 8
bandwidth percent 10
bandwidth remaining percent 100
ip access-list extended Default
 permit ip any any
What's the actual available bandwidth on your egress interface g0/0?
>> We have an ASA for our main corp environment and then an ASA for our RDS environment. From what I've read it seems like the best way to do this would be to put the QoS on the WAN router.
>>I should note that the RDP traffic goes over a site to site VPN from the RDS side ASA firewall to the site where the users are at
The WAN router cannot look inside the VPN traffic and it cannot discriminate the RDP traffic from other traffic that is carried on the site-to-site VPN (I guess an IPsec LAN-to-LAN VPN).
Can we also assume that RDP = Microsoft Remote Desktop Protocol?
So ideally, the ASA with the VPN connection should mark the IPsec packets that carry an RDP packet inside in a different way (different IP Precedence or DSCP code in the external IP header).
However, the ASA may or may not be able to perform these QoS tasks.
You should provide the ASA model and SW version posting a
could be enough
You could do the same for the WAN router.
The idea should be to have the ASA mark RDP packets inside IPsec in the external IP header so that the WAN router can discriminate them based on IP Precedence or DSCP and put them in a priority queue.
The same problems apply to the VoIP traffic coming from the other ASA if it is put in an IPsec VPN. If it is not in a VPN, the WAN router can examine the packets and put them in a priority queue without help from the corporate ASA.
Hope to help
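The point above is that once the RDP session is inside ESP, the WAN router only sees the outer IP header, so classification there has to key on something that survives encryption: the DSCP value in the outer header. The following is an added example for the WAN router, not configuration from this thread or from Cisco documentation. It assumes GigabitEthernet0/0 faces the ISP, that 192.0.2.10 is a placeholder for the RDS ASA public IP, that the encrypting ASA copies the inner packet's DSCP to the outer ESP header, and that RDP was marked AF31 and voice EF on the inside before encryption.

```cisco
! Added example (not from the thread). Names, DSCP values and 192.0.2.10 are assumptions.
!
! Only trust AF31 on ESP that actually comes from the RDS ASA; otherwise any host
! that marks its own packets AF31 would land in the RDP class.
ip access-list extended ESP-FROM-RDS-ASA
 permit esp host 192.0.2.10 any
! NAT-T encapsulation, if the tunnel uses it
 permit udp host 192.0.2.10 eq 4500 any
!
! match-all: both the DSCP and the source check must be true.
class-map match-all VPN-RDP
 match dscp af31
 match access-group name ESP-FROM-RDS-ASA
!
! Voice from the corporate side, identified by DSCP EF in the (outer) header.
class-map match-all VPN-VOICE
 match dscp ef
!
! Priority 1 voice, priority 2 RDP, everything else shares the remainder.
! "priority" is a strict low-latency queue policed to its rate under congestion;
! "bandwidth" is a minimum guarantee that may burst above its rate when idle.
policy-map WAN-OUT
 class VPN-VOICE
  priority percent 10
 class VPN-RDP
  bandwidth percent 20
 class class-default
  fair-queue
!
! Queuing policies only work on egress, so this goes outbound toward the ISP.
interface GigabitEthernet0/0
 service-policy output WAN-OUT
```

After applying it, `show policy-map interface GigabitEthernet0/0` shows per-class packet counters; if the VPN-RDP counter stays at zero while RDP sessions are active, the DSCP is not surviving encryption and the marking has to be checked on the ASA side.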
Would I be better off doing the shaping on the WAN (that's the bottleneck) and then just doing QoS on all the VPN traffic, as any VPN traffic would be priority #2 behind the VoIP?
Thanks for the help
Let's say that I want to provide 10 Mbps guaranteed bandwidth for a certain IP, but still allow it to get more than 10 Mbps if it needed it and was available.
Would something like this work to put on the transport router to the ISP?
ip access-list extended ip-priority
 permit ip host 126.96.36.199 any
! (public IP that I want to have priority)
class-map match-all ip-priority-class
 match access-group name ip-priority
fair-queue (Would I need this command)
then on interface 0/0 (interface that connects to ISP)
service-policy output ip-priority
Does this look correct? Any suggestions or changes?
"Would something like this work to put on the transport router to the ISP"
I think it would, but I'm unsure as you didn't allocate bandwidth for class-default. To get the bandwidth guaranteed as a minimum, you need to allocate 100% of all the bandwidth in your policy map.
"fair-queue (Would I need this command)"
Depends on how you define "need".
If you don't define it, by default, class-default will have a single FIFO queue. With FQ, in the versions of QoS since HQF, it shouldn't make any difference to the impact on your other class. In QoS prior to HQF, class-default FQ uses a variable amount of bandwidth, so your other class's bandwidth might not always obtain the specified minimum.
So I guess I need to make sure I understand this right, when you define the bandwidth is that the max it can use or is that what it's guaranteed?
If I have a 100 Mbps connection, can I guarantee 10 Mbps but still use more if more is available?
To be honest I'm not sure I follow 100% how all of this works with Cisco commands.
How would I do this on my router
I have a 100 Mbps connection
I would like the following
IP 188.8.131.52 to be guaranteed 1 Mbps (VoIP)
IP 184.108.40.206 to be guaranteed 10 Mbps (RDS)
IP 220.127.116.11 to be guaranteed 10 Mbps (Corp Office)
With the above I still want each of those IPs to be able to get more bandwidth if it's available.
Sorry for the confusion and thank you for the help
So I created this
class-map match-all VoIP
description Voice Traffic
class-map match-all RDS
description RDS Traffic
class-map match-all Corporate
description Corp Office
class-map match-all Class-Default
class-map match-all Priority
bandwidth percent 1
bandwidth percent 8
bandwidth percent 10
How/where do I define my bandwidth of 100Mbps from my ISP? I'm assuming I'll need to define it somewhere so it knows what the 1% bandwidth percent is.
I'm also not sure where I define the IP address for each class-map
Thank you again for all your help on this.
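The two open questions in the last post (where the 100 Mbps is defined, and where the IP addresses go) and the earlier one about guaranteed-versus-maximum bandwidth can be answered with one hierarchical policy. The following is an added example, not the poster's configuration and not from Cisco documentation. It uses the three public IPs and the class names from the thread; the ACL names, the policy names and GigabitEthernet0/0 as the ISP-facing interface are assumptions.

```cisco
! Added example (not the poster's config). ACL/policy names and Gi0/0 are assumptions.
!
! 1. Where the IP addresses go: one ACL per class, referenced from the class-map.
!    "host X any" matches traffic sourced from X going out toward the ISP.
ip access-list extended ACL-VOIP
 permit ip host 188.8.131.52 any
ip access-list extended ACL-RDS
 permit ip host 184.108.40.206 any
ip access-list extended ACL-CORP
 permit ip host 220.127.116.11 any
!
class-map match-all VoIP
 match access-group name ACL-VOIP
class-map match-all RDS
 match access-group name ACL-RDS
class-map match-all Corporate
 match access-group name ACL-CORP
!
! 2. The guarantees. "bandwidth percent" is a MINIMUM that only matters under
!    congestion; when the link is idle any class may use whatever is free.
!    "priority" is strict low-latency queuing, policed to its rate under congestion,
!    which is what voice wants. Percentages are of the parent shaper rate below,
!    so 1% = 1 Mbps and 10% = 10 Mbps. Allocating the full 100% (including
!    class-default) is what makes each minimum actually enforceable.
policy-map CHILD-QOS
 class VoIP
  priority percent 1
 class RDS
  bandwidth percent 10
 class Corporate
  bandwidth percent 10
 class class-default
  bandwidth percent 79
  fair-queue
!
! 3. Where the 100 Mbps goes: a parent shaper. The physical port is faster than
!    the circuit, so without shaping the router never sees congestion and the
!    child policy never kicks in. shape average is in bits per second.
policy-map WAN-SHAPE
 class class-default
  shape average 100000000
  service-policy CHILD-QOS
!
! Queuing is egress-only, so apply it outbound on the ISP-facing interface.
interface GigabitEthernet0/0
 service-policy output WAN-SHAPE
```

When the circuit is upgraded to 250 Mbps, only the `shape average` value changes; the percentages scale with it. Note that 1% of 100 Mbps is a hard ceiling for the voice class during congestion, so it should be sized for the real number of concurrent calls rather than left at 1%. On older, pre-HQF IOS releases the reserved classes are capped at 75% of the interface by default (`max-reserved-bandwidth`), which is why the reply above about HQF matters for whether the class-default allocation behaves as a true minimum.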