08-28-2019 07:14 PM
We've recently set up an RDS environment and would like to do a basic QoS rule to prioritize RDP traffic, but I'm not sure of the best way to do this. We have a 100Mbps fiber connection (soon to be 250) and our setup is like this: ISP->WAN router->WAN Switch->2 different ASAs.
We have an ASA for our main corp environment and then an ASA for our RDS environment. From what I've read it seems like the best way to do this would be to put the QoS on the WAN router. I should note that the RDP traffic goes over a site-to-site VPN from the RDS-side ASA firewall to the site where the users are. If need be, making QoS for everything from that RDS ASA public IP would work as well. Basically I want to prioritize all traffic as follows:
Priority 1 Voice traffic from our Corp ASA
Priority 2 RDP Traffic from the RDS ASA
Is this something that would be simple to setup?
Thank you in advance
09-18-2019 03:21 PM
09-19-2019 05:54 AM
I have been trying that command.
"match access-group VoIP" but it keeps telling me it's not a valid command.
If I type "match access-group ?" the options are <12-2699> and name. So you would assume it would work.
09-19-2019 08:32 AM - edited 09-19-2019 08:32 AM
You need the "name" keyword.
I.e.
match access-group name VoIP
09-19-2019 11:52 AM
Ok, that worked. I feel silly now for not trying that.
I am assuming if this config looks correct I apply the access list to the g0/0 interface that goes to my ISP.
class-map match-all VoIP
 description Voice Traffic
 match access-group name VoIP
class-map match-all RDS
 description RDS Traffic
 match access-group name RDS
class-map match-all Corporate
 description Corp Office
 match access-group name Corporate
class-map match-all Class-Default
 description Default
 match access-group name Default
!
policy-map Traffic_QoS
 class VoIP
  bandwidth percent 1
 class Corporate
  bandwidth percent 10
 class RDS
  bandwidth percent 10
 class class-default
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
ip flow-export version 9
!
ip access-list extended VoIP
 permit ip host 45.45.45.1 any
ip access-list extended RDS
 permit ip host 45.45.45.2 any
ip access-list extended Corporate
 permit ip host 45.45.45.3 any
ip access-list extended Default
 permit ip any any
Please let me know if you think this will work.
Thank you for ALL of your help with this.
09-19-2019 03:32 PM
09-23-2019 12:46 PM
So after getting this all setup it only allows me to put one ACL per interface.
09-23-2019 02:34 PM
09-23-2019 06:51 PM
I guess I'm not sure how to apply all this information to the interface. Sorry I've looked high and low online to find an example of this specific way of doing the QoS but I've not been able to find anything and I'm just lost to say the least.
Thank you
09-24-2019 09:59 AM - edited 09-24-2019 10:02 AM
In brief, you often apply an "out" service policy on an interface on which you want to manage congestion.
By default, interfaces usually just support one FIFO queue, so if you have different mixes of traffic, especially something "sensitive" like VoIP, and bulk traffic, the latter may impact the former sharing a single queue. If we can define multiple queues, with different priorities, we can mitigate one kind of traffic impacting another.
So, for example, to "protect" VoIP, we might have something like:
class-map match-any/all VoIP !for any it's match or match or match or . . ., for all it's match and match and match and . . .
match . . . !we somehow match our VoIP traffic, might be addresses, ports, protocols, and/or a combination
policy-map Sample
class VoIP
priority 33 percent !I might have syntax backwards, but this creates LLQ, always goes first
class class-default
bandwidth remaining 100 percent !I might have syntax backwards
fair-queue !flows are hashed into different flow queues, ideally each flow has its own flow queue
(BTW, FQ, in class-default alone, probably well handles 90%, or more, of QoS needs.)
interface ethernet #
service-policy output Sample
The above demonstrates the basics. Of course, a policy may have more classes and/or more command options. Policy complexity depends on what you're trying to accomplish.
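A way to catch the mistakes this thread keeps running into (a missing "name" keyword on match access-group, a policy-map class with no class-map behind it, an ACL that is referenced but never defined, and a queuing policy applied inbound) before pushing the config: an added Python linter, not code from the thread or from Cisco, run over a constructed sample config modelled on the ones posted here.

```python
import re

# Constructed sample modelled on the thread's configs (not the poster's own text): VoIP omits the
# "name" keyword, RDS references an undefined ACL, class Default has no class-map, policy is inbound.
SAMPLE = """
class-map match-all VoIP
 match access-group VoIP
class-map match-all RDS
 match access-group name RDS
policy-map Traffic_QoS
 class VoIP
  priority percent 1
 class RDS
  bandwidth percent 10
 class Default
ip access-list extended VoIP
 permit ip host 192.0.2.1 any
interface GigabitEthernet0/0
 service-policy input Traffic_QoS
"""

def lint_qos(cfg):
    cmaps, acls, acl_refs, classes, findings = set(), set(), [], {}, []
    section = pmap = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # top-level stanza header resets the context
            section = pmap = None
            if m := re.match(r"class-map match-(?:all|any) (\S+)", line):
                cmaps.add(m.group(1)); section = "cmap"
            elif m := re.match(r"policy-map (\S+)", line):
                pmap, section, classes[m.group(1)] = m.group(1), "pmap", []
            elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
                acls.add(m.group(1))
            elif line.startswith("interface "):
                section = "intf"
            continue
        if section == "cmap" and (m := re.match(r"match access-group (\S+)(?: (\S+))?", line)):
            if m.group(1) == "name":
                acl_refs.append(m.group(2))
            elif not m.group(1).isdigit():  # numbered ACLs take no keyword
                findings.append(f"'{line}': a named ACL needs the 'name' keyword")
        elif section == "pmap" and (m := re.match(r"class (\S+)", line)):
            classes[pmap].append(m.group(1))
        elif section == "intf" and line.startswith("service-policy input "):
            findings.append(f"'{line}': queuing policies only take effect on output")
    findings += [f"ACL '{a}' is referenced but never defined" for a in acl_refs if a not in acls]
    for p, cl in classes.items():
        findings += [f"policy-map {p}: class '{c}' has no class-map (class-default?)"
                     for c in cl if c != "class-default" and c not in cmaps]
    return findings
```

Running `lint_qos(SAMPLE)` returns four findings, one per planted mistake; a clean config returns an empty list.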
09-25-2019 08:18 AM
How does this look?
class-map match-all VoIP
 description Voice Traffic
 match access-group name VoIP
class-map match-all RDS
 description RDS Traffic
 match access-group name RDS
class-map match-all Corporate
 description Corp Office
 match access-group name Corporate
class-map match-all Default
 match access-group name Default
!
policy-map Traffic_QoS
 class VoIP
  bandwidth percent 1
 class Corporate
  bandwidth percent 8
 class RDS
  bandwidth percent 10
 class Default
!
interface GigabitEthernet0/0
 ip address 1.64.21.65 255.255.255.192
 service-policy output Traffic_QoS
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
ip flow-export version 9
!
ip access-list extended VoIP
 permit ip host 1.211.21.71 any
ip access-list extended RDS
 permit ip host 1.211.21.85 any
ip access-list extended Corporate
 permit ip host 1.211.21.66 any
 permit ip host 1.211.21.67 any
 permit ip host 1.211.21.68 any
 permit ip host 1.211.21.69 any
ip access-list extended Default
 permit ip any any
It appears I am only able to basically run this on the upload traffic not the download.
Thanks again for all the time and help with this.
09-25-2019 09:18 AM - edited 09-25-2019 09:23 AM
"It appears I am only able to basically run this on the upload traffic not the download."
Yes, that's correct. Policies that manage queues can only be used for egress.
You can write a policy to manage ingress, but depending on how you want to manage your traffic, they are often very limited in their effectiveness. Ideally, ingress traffic is managed on the "other's side" egress.
Suggested revisions:
class-map match-all Default
 match access-group name Default
policy-map Traffic_QoS
 class VoIP
  priority percent 1
 class Corporate
  bandwidth percent 8
  fair-queue
 class RDS
  bandwidth percent 10
  fair-queue
 class class-Default
  bandwidth remaining percent 100
  fair-queue
ip access-list extended Default
 permit ip any any
What's the actual available bandwidth on your egress interface g0/0?
09-25-2019 09:29 AM
For some reason it won't allow me to do the Fair-queue, doesn't seem to be a command.
The g0/0 is 100x100Mb but soon will be 250x250.
Thanks
09-25-2019 10:25 AM
09-27-2019 06:12 AM
How does this one look now?
class-map match-all VoIP
 description Voice Traffic
 match access-group name VoIP
class-map match-all RDS
 description RDS Traffic
 match access-group name RDS
class-map match-all Corporate
 description Corp Office
 match access-group name Corporate
!
policy-map Traffic_QoS
 class VoIP
  priority percent 1
 class Corporate
  bandwidth percent 8
  fair-queue
 class RDS
  bandwidth percent 10
  fair-queue
 class class-default
  bandwidth remaining percent 100
  fair-queue
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
ip flow-export version 9
!
ip access-list extended VoIP
 permit ip host 1.211.219.71 any
ip access-list extended RDS
 permit ip host 1.211.219.85 any
ip access-list extended Corporate
 permit ip host 1.211.21.66 any
 permit ip host 1.211.21.67 any
 permit ip host 1.211.21.68 any
 permit ip host 1.211.21.69 any
interface GigabitEthernet0/0
 ip address 4.4.4.1
 service-policy output Traffic_QoS
09-27-2019 08:55 AM