08-20-2009 01:55 AM - last edited on 02-21-2020 11:19 PM by cc_security_adm
Hi,
We have a site2site VPN with ASA 8.03 and I configured QoS on the ASA outside interface, but there is no traffic mapping to the QoS. Here are my QoS settings and the show service-policy output. In the output, there is no traffic mapping to the class-map ERP. Does anyone know whether QoS can work with a site2site IPSec VPN tunnel, or have any ideas about this issue?
Thanks, Leo
----------------------------------
class-map ERP
 match access-list ERP
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map ERP
 class ERP
  priority
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map ALL-TRAFFIC-OUTSIDE
 class class-default
  shape average 3000000
  service-policy ERP
!
service-policy global_policy global
service-policy ALL-TRAFFIC-OUTSIDE interface outside
-------------------------------------
AP801N0010-ASA# sh service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 65499, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 83629, drop 0, reset-drop 0
      Inspect: rsh, packet 16, drop 0, reset-drop 0
      Inspect: rtsp, packet 15, drop 0, reset-drop 0
      Inspect: skinny , packet 15, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 23656, drop 0, reset-drop 0
      Inspect: sqlnet, packet 15, drop 0, reset-drop 0
      Inspect: sunrpc, packet 15, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Interface outside:
  Service-policy: ALL-TRAFFIC-OUTSIDE
    Class-map: class-default
      shape (average) cir 3000000, bc 12000, be 12000
      (pkts output/bytes output) 3743871/2900711920
      (total drops/no-buffer drops) 381/0
      Service-policy: ERP
        Class-map: ERP
          priority
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
        Class-map: class-default
          Default Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/381/0
          (pkts output/bytes output) 3744009/2900909640
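The check made by eye in the post above, as an added example that is not part of the original thread: this Python code parses `show service-policy` text and lists the QoS classes whose output counters are still zero. The function names are this example's own, and the sample is the interface section of the output posted above.

```python
import re

# Interface section of the `show service-policy` output from the post above.
SAMPLE = """\
Interface outside:
Service-policy: ALL-TRAFFIC-OUTSIDE
Class-map: class-default
shape (average) cir 3000000, bc 12000, be 12000
(pkts output/bytes output) 3743871/2900711920
(total drops/no-buffer drops) 381/0
Service-policy: ERP
Class-map: ERP
priority
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: class-default
Default Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/381/0
(pkts output/bytes output) 3744009/2900909640
"""

PKTS = re.compile(r"\(pkts output/bytes output\)\s+(\d+)/(\d+)")

def class_counters(text):
    """Return (scope, policy, class_map, pkts, bytes) for each QoS class found."""
    rows, scope, policy, cmap = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()  # works on indented or flattened output
        if line == "Global policy:" or line.startswith("Interface "):
            scope, policy, cmap = line.rstrip(":"), None, None
        elif line.startswith("Service-policy:"):
            # A nested policy replaces the parent name until the next scope header.
            policy, cmap = line.split(":", 1)[1].strip(), None
        elif line.startswith("Class-map:"):
            cmap = line.split(":", 1)[1].strip()
        else:
            m = PKTS.search(line)
            if m and cmap:
                rows.append((scope, policy, cmap, int(m.group(1)), int(m.group(2))))
    return rows

def unmatched_classes(text):
    """(policy, class) pairs that have not output a single packet."""
    return [(p, c) for _, p, c, pkts, _ in class_counters(text) if pkts == 0]

if __name__ == "__main__":
    print(unmatched_classes(SAMPLE))
```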
08-20-2009 08:35 AM
Post the ACL ERP.
08-20-2009 01:52 PM
Here you are
access-list ERP extended permit ip host 192.168.17.4 any
access-list ERP extended permit ip host 192.168.9.2 any
access-list ERP extended permit ip host 192.168.17.170 any
access-list ERP extended permit ip host 192.168.17.171 any
access-list ERP extended permit ip host 192.168.17.172 any
access-list ERP extended permit ip host 192.168.17.173 any
access-list ERP extended permit ip host 192.168.17.174 any
08-21-2009 01:05 AM
What is your IP subnet on the inside interface?
08-21-2009 03:50 PM
Thanks for the reply, but when I changed the QoS configuration, I can see that traffic hits the QoS policy. Following are my old and new configurations; does anyone know what the difference between them is? My connection is a 3M BDSL circuit and my goal is to prioritize the ERP traffic, so which configuration is better for my situation?
Thanks, Leo
-----------------------------------------
old config:
class-map ERP
 match access-list ERP
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map ERP
 class ERP
  priority
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map ALL-TRAFFIC-OUTSIDE
 class class-default
  shape average 3000000
  service-policy ERP
!
service-policy global_policy global
service-policy ALL-TRAFFIC-OUTSIDE interface outside
-----------------------------------------
new config:
class-map ERP
 match access-list ERP
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map ERP
 class ERP
  priority
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map ALL-TRAFFIC-OUTSIDE
 class ERP
  priority
 class class-default
  police output 3072000
!
service-policy global_policy global
service-policy ALL-TRAFFIC-OUTSIDE interface outside
08-22-2009 01:57 AM
You are policing to a certain amount - but you are not defining a priority bw for your important traffic.
What exactly are you trying to do or stop?
08-22-2009 02:23 PM
What I want to do is prioritize the ERP traffic on our 3M link. I don't care how much bandwidth it needs; I just want to give priority to this kind of traffic.
08-24-2009 12:44 AM
Have a look at the example below:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml