cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1981
Views
0
Helpful
6
Replies

ASA 5505 Preserving QOS

mhering8650
Level 1
Level 1

I have a strange problem,

Is there any way to make an ASA 5505 (IOS 7.2.3 12) preserve the DSCP tagging when packets pass through and get NATTEd..

Basically I have traffic that my voice cube is tagging as DSCP 46, but when it comes out of the ASA it's tagged with DSCP 0, how can I have it preserve this tag?

Thanks in advance

6 Replies 6

Jon Marshall
Hall of Fame
Hall of Fame

Marc

From the ASA 7.2 configurationn guide -

"DSCP and DiffServ Preservation

•DSCP markings are preserved on all traffic passing through the security appliance.

•The security appliance does not locally mark/remark any classified traffic, but it honors the Expedited Forwarding (EF) DSCP bits of every packet to determine if it requires "priority" handling and will direct those packets to the LLQ.

•DiffServ marking is preserved on packets when they traverse the service provider backbone so that QoS can be applied in transit (QoS tunnel pre-classification)."

Are you looking at the packets as soon as they leave the ASA ?. If so then this is contrary to what should happen.

It may be an interaction with NAT or it could be a bug with your particular version.

Jon

I took captures before the inside interface and after the outside interface, before it hits the ASA Im seeing the DSCP correct, when it exits everything is set to 0, all I can do with DSCP is use it to make the PIX assign that traffic to the priority Queue.

I've researched bugs for my version but didn't find any, and TAC was pretty much useless when I called in :(

Only thing i can suggest as i don't have an ASA to test with is

1) Can you temporarily remove NAT on these packets just to rule that out.

2) Problem with the ASA is you can't mark the packets which is why they are meant to preserve the existing markings !!

Is there anyway you can remark on the next device from the ASA ?

Jon

Yeah, I am marking them downstream from the ASA, problem is that the IP keeps changing and it's a lot of work to keep up (Internal devices get the IP via DNS) IF I could preserve the DSCP it would make my life a lot easier :)

Marc

Apologies if it seems like i am just making stupid suggestions !

Could you not identify the traffic based on port numbers rather than IP addresses and then mark them with the right DSCP. That way you wouldn't have to keep changing your acls.

Jon

Marc

One other thought occurred. When you capture the traffic from the outside of the ASA it is not passing through a switch first is it because it could be the switch that is remarking.

Jon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: