QoS Configuration Question

Answered Question
Jan 6th, 2009
Hi Team,


We have two sites called Site A & Site B connected via 2 Mbps Satellite Link. The current configuration of the QoS is as below:

class-map match-all NETWORK-CONTROL
 match ip dscp cs6
class-map match-any VOICE-SIGNALLING
 match ip dscp cs3
class-map match-all VOICE-BEARER
 match ip dscp ef
!
!
policy-map WAN-EDGE
 class VOICE-BEARER
  priority percent 30
 class VOICE-SIGNALLING
  bandwidth percent 7
 class NETWORK-CONTROL
  bandwidth percent 3
 class class-default
  fair-queue
  random-detect dscp-based


We have deployed Cisco ASA between the sites A & B and have an IPSEC Tunnel between the ASAs which mainly carries the Wireless Internet Traffic from Site B to Site A.


We would like to ensure that the Wireless Internet Traffic which goes through the Tunnel has the least priority.


Any recommendations with reference to this would be helpful.


Thanks and Regards

Sriharshaa Prabhakar

Senior Consultant - Cisco Unified Communications

Network & Telecoms Group

Mannai Corporation, QSC

Tel (Office) :+974-4558118

Tel (Mob) : +974-5447791

Fax : +974-4558558


Correct Answer
Giuseppe Larosa Tue, 01/06/2009 - 01:20

Hello Sriharshaa,

With your current configuration the IPSec packets carrying wireless Internet Traffic from Site B to Site A match the default class.


Now, the default class can use up to 60/35 percent of bandwidth with your current configuration.

(up to 75% of the link BW if max-reserved-bandwidth applies to your router platform)


A possible suggestion could be that of creating a dedicated class with some percent for the IPSec traffic if you desire to distinguish it from the default class.


So depending on your IPSec config you need to match AH or ESP protocols:


! in the ACL you can use the actual IPSec peer addresses
access-list 111 permit ah any any
access-list 111 permit esp any any
!
class-map match-any IPSEC
 match access-group 111
!
policy-map WAN-EDGE
 class IPSEC
  bandwidth percent 10



Hope to help

Giuseppe


Joseph W. Doherty Tue, 01/06/2009 - 05:28

Two additional notes:


Giuseppe's post uses an example of 10 percent for the IPSec traffic, but since you note you want this traffic to have "least priority", hopefully you understand you could either set the percentage to 1 percent or use the minimum absolute bandwidth values (8 K?).


On many Cisco platforms, I believe usage of FQ in class-default might preclude other defined classes, except for priority bandwidth classes, from obtaining their minimum bandwidth specifications. If this becomes an issue, you might just change class-default to FIFO rather than FQ.
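
The two replies above combined into one configuration, as an added example that is not part of the original thread: the original WAN-EDGE policy plus a dedicated IPSEC class at the 1 percent minimum, matched on the tunnel peers rather than `any any`. The peer addresses 192.0.2.1 and 198.51.100.1 and the interface name Serial0/0 are placeholders, not values from the thread.

```cisco
! Placeholder ASA tunnel endpoints (assumption): 192.0.2.1 and 198.51.100.1.
! Both directions are listed so the same ACL can be used at either site.
! Replace "esp" with "ah" if the tunnel uses AH instead of ESP.
access-list 111 permit esp host 192.0.2.1 host 198.51.100.1
access-list 111 permit esp host 198.51.100.1 host 192.0.2.1
!
class-map match-all NETWORK-CONTROL
 match ip dscp cs6
class-map match-any VOICE-SIGNALLING
 match ip dscp cs3
class-map match-all VOICE-BEARER
 match ip dscp ef
class-map match-any IPSEC
 match access-group 111
!
! "bandwidth percent 1" is a minimum guarantee under congestion, not a cap:
! on the 2 Mbps link it reserves 20 kbps, and the class can still use spare
! capacity when the voice and control classes are idle.
! If the bandwidth classes do not receive their minimums, the last reply
! suggests removing fair-queue from class-default.
policy-map WAN-EDGE
 class VOICE-BEARER
  priority percent 30
 class VOICE-SIGNALLING
  bandwidth percent 7
 class NETWORK-CONTROL
  bandwidth percent 3
 class IPSEC
  bandwidth percent 1
 class class-default
  fair-queue
  random-detect dscp-based
!
! Placeholder name for the satellite-facing interface (assumption).
interface Serial0/0
 service-policy output WAN-EDGE
```

After applying it, `show policy-map interface Serial0/0` shows per-class match and drop counters, which confirms that the tunnel packets land in the IPSEC class rather than class-default.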
