01-26-2011 08:07 AM - edited 03-06-2019 03:12 PM
Hello All,
I have an ASA 5505 firewall that I want to use to share an office internet connection fairly.
I need to create VLANs for office1 and office2. office1 and office2 are separate companies within the building, so they should not be able to communicate with each other; each office will be on a different subnet.
When office1 is using the internet they should be able to utilise 100% of the bandwidth available. However, if office2 is sharing the connection the bandwidth should be split fairly 50/50.
I would also like to be able to prioritise bandwidth for certain types of traffic, say SMTP for example.
Can anyone give me some examples of how to implement this? The information on QoS is mind-boggling.
Many thanks,
Mac.
01-26-2011 08:26 AM
A thing to note is that QoS on the ASA is not as feature-rich as on a router or switch. That being said, here's a link that should help.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml
Hope it helps.
01-27-2011 06:49 AM
Hi Colin,
Many thanks for the pointer, the article was a good read.
However, I have tried using policing to limit the bandwidth of one host PC as a test and I can't seem to get it working.
I am using the 'crew' access list to match 192.168.100.3.
Here is my running config:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password bkdbRfYTlRx94nOD encrypted
names
!
interface Vlan1
 description admin-network
 nameif admin
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 5
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list admin extended permit ip host 192.168.100.2 any
access-list crew extended permit ip host 192.168.100.3 any
pager lines 24
logging asdm informational
mtu admin 1500
mtu outside 1500
mtu crew 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (admin) 1 0.0.0.0 0.0.0.0
nat (crew) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.100.0 255.255.255.0 admin
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.100.2-192.168.100.33 admin
dhcpd dns 208.67.222.222 208.67.220.220 interface admin
dhcpd enable admin
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map match-crew
 match access-list crew
class-map inspection_default
 match default-inspection-traffic
class-map match-admin
 match access-list admin
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map qos
 class match-crew
  police output 128000
  police input 128000
!
service-policy qos global
prompt hostname context
: end
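As an added example (not the poster's config and not taken from Cisco's documentation), here is one way to police each office on its own interface while keeping the inspection policy attached. The ASA accepts only one global service policy, and the posted config has no `service-policy global_policy global` line, so the inspections in global_policy are not applied while `service-policy qos global` is in place. The example assumes a second VLAN interface named crew on 192.168.200.0/24 (the posted config references crew in its mtu and nat lines but does not show the interface); the rates and bursts are placeholder values.

```cisco
! Added example, not the running config posted above.
! Assumption: office2 is VLAN 5, nameif "crew", subnet 192.168.200.0/24.
interface Vlan5
 no forward interface Vlan1
 nameif crew
 security-level 100
 ip address 192.168.200.1 255.255.255.0
! "no forward interface Vlan1" is what the 5505 Base license requires for a third
! VLAN, and it also stops crew from initiating traffic to admin. Two interfaces at
! the same security level do not pass traffic to each other anyway unless
! "same-security-traffic permit inter-interface" is configured, so leave that out.
!
! Match each office's subnet in both directions, so the class matches whether the
! policer is evaluated on packets entering or leaving the interface.
access-list admin-net extended permit ip 192.168.100.0 255.255.255.0 any
access-list admin-net extended permit ip any 192.168.100.0 255.255.255.0
access-list crew-net extended permit ip 192.168.200.0 255.255.255.0 any
access-list crew-net extended permit ip any 192.168.200.0 255.255.255.0
!
class-map match-admin-net
 match access-list admin-net
class-map match-crew-net
 match access-list crew-net
!
! police <direction> <conform-rate bps> <conform-burst bytes>
! 2000000 / 250000 are placeholders; policing sets a hard ceiling per office,
! it does not share spare bandwidth between them.
policy-map police-admin
 class match-admin-net
  police input 2000000 250000
  police output 2000000 250000
policy-map police-crew
 class match-crew-net
  police input 2000000 250000
  police output 2000000 250000
!
! One global policy (inspection) plus one policy per interface (policing).
service-policy global_policy global
service-policy police-admin interface admin
service-policy police-crew interface crew
!
! Verify packets are actually hitting the policers before changing rates:
!   show service-policy interface admin police
!   show service-policy interface crew police
```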