Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
886
Views
0
Helpful
3
Replies

EZ-VPN and QoS

brian.k.clarke
Level 5
Level 5

‎04-20-2011 12:57 PM

We're looking to deploy an EZ-VPN solution using Cisco ASA 5505s at remote locations tying back to a 5520 EZ-VPN server. I'm familiar with the EZ-VPN configuration, as well as deploying QoS for remote access VPNs.  I'm also aware of using QoS pre-classification on Cisco IOS firewalls to provide QoS over site-to-site VPNs (haven't found this same functionality on ASAs yet, strangely).  I've been through the ASA configuration guide VPN content, and haven't found anything.

What I need to confirm is if QoS (for voice/video traffic - DSCP settings) can also be deployed for site-to-site VPNs on ASAs, specifically EZ-VPN connections. If it's possible, some configuration guidelines/examples would be awesome.

Thank you

Labels:
0 Helpful
3 Replies 3

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎04-22-2011 08:31 AM

Hi,

ASA's QoS implmentation is much less robust than a routers.

You have possibility to match flows per-tunnel-group configured (match tunnel-group clause), and also perf DSCP valued (which should be copied from internal to external header)

The configuration guide specific to QoS is located here:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html

Let me know what you're trying to accomplish and I might be of more help, mind that I'm not big on QoS ;-)

Marcin

0 Helpful

brian.k.clarke
Level 5
Level 5
In response to Marcin Latosiewicz

‎04-22-2011 08:44 AM

I specifically need to know if I can prioritize voice (DSCP 46/ef, for example) traffic over an ASA VPN connection established with EZ-VPN.

I've been through the QoS guide and the ASA EZ-VPN material, but can't seem to find an absolute answer on this.

Thanks again for your help!

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to brian.k.clarke

‎04-22-2011 10:24 AM

Hello again,

DSCP/TOS values should be copied from inner header to outter header.

Check RFC 4301 section 5.1.2.2. (or 2401 section 5.1.2.1)

So there is no problem to match DSCP of inner packet.

Please remember that ASA supports ONE priority queue (per interface) - i.e. choose wisely what you're going to prioritize.

You can match on particular tunnel group as stated before.

Marcin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents